'
metaflows logo
Category Started On Completed On Duration Cuckoo Version
FILE 2018-09-30 17:00:01.176899 2018-09-30 17:01:54.179269 113 seconds 2.0-dev
Machine Label Manager Started On Shutdown On
win7cuckoo2 win7 Clone 2 VirtualBox 2018-09-30 17:00:01 2018-09-30 17:01:53

File Details

File name db09d959147a0f7e_QIPP - MOM 01 AMAZONIA WOOD.exe
File size 301568 bytes
File type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
CRC32 A3983AD6
MD5 e3dc50848b452df59e74ef8968123afc
SHA1 aa01542365580fa7fe3129b848bdcc44b3ec96fa
SHA256 db09d959147a0f7ed8114201e65e9018d14b9c3584d6590996a01f29f0c6ae16
SHA512 fef87436916e17c8f0c3cec00b15b44825b315caa39c87979a8794cb0494b79f6d697ea57462ee1fd5f44ea5787eb8bbafb9403e98d3485d08941f3f50c13523
Ssdeep None
PEiD None matched
Yara None matched
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=125, Anomalies=0, PEiD=0, Yara=0, VT[1538341365]=0): Snort Events=4, AV Events=0
Total Score=125

SNORT EVENTS:
ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98
MALWARE-CNC Win.Trojan.Zeus variant outbound connection
ET TROJAN Fareit/Pony Downloader Checkin 3
ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System

MetaFlows Virus DB DETECTED Dropped File:
db09d959147a0f7e_db09d959147a0f7e_QIPP - MOM 01 AMAZONIA WOOD.exe INFECTED - Antivirus report:Here

Dropped File/Buffer Yara Signatures:
987e2066cdc3b6224d56cc5c47a22784bfb00076 [BUFFER]: shellcode
9b84f2d991c6abae4afcde172172a6d21618d652 [BUFFER]: embedded_win_api
9b84f2d991c6abae4afcde172172a6d21618d652 [BUFFER]: pony
9b84f2d991c6abae4afcde172172a6d21618d652 [BUFFER]: with_sqlite

Signatures

antivm_queries_computername details
console_output details
locates_browser details
antivm_memory_available details
pe_features details
dumped_buffer details
create_process_suspended details
openprocess_nonchild details
allocates_rwx details
infostealer_browser details
dropper details
stealth_window details
packer_entropy details
privilege_luid_check details
memdump_urls details
uses_windows_utilities details
dumped_buffer2 details
injection_resumethread details
infostealer_ftp details
nolookup_communication details
deletes_executed_files details
infostealer_ftp details
recon_programs details
infostealer_mail details
removes_zoneid_ads details
injection_runpe details

Screenshots

No screenshots available.

Static Analysis

Version Infos

Sections

Resources

Imports

Strings

Dropped Files

db09d959147a0f7e_db09d959147a0f7e_QIPP - MOM 01 AMAZONIA WOOD.exe

936d9411d5226b7c_19344921.bat

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  • C:\Windows\System32\mscoree.dll
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System\b75ba99f72f116d8951b0f2bba8c276a\System.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\ce11900fa489575613dc777c7fbb0d7d\System.Drawing.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\e0fea191b75897ec38735bfc31b89fe0\System.Core.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\48d37adc5c0d8744e13603707480d090\Microsoft.VisualBasic.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\ac38cb30c15eb9e4a54459ee01e9f8e6\System.Windows.Forms.ni.dll.aux
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\signons.sqlite
  • \\?\PIPE\samr
  • C:\Windows\win.ini
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cert8.db
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\secmod.db
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\profiles.ini
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\key3.db
  • C:\Users\Harry Dresden\AppData\Local\Temp\19344921.bat
File-Written
  • C:\Users\Harry Dresden\AppData\Local\Temp\19344921.bat
  • \\?\PIPE\samr
File-Deleted
  • C:\Users\Harry Dresden\AppData\Local\Temp\db09d959147a0f7e_QIPP - MOM 01 AMAZONIA WOOD.exe:Zone.Identifier
  • C:\Users\Harry Dresden\AppData\Local\Temp\19344921.bat
  • C:\Users\Harry Dresden\AppData\Local\Temp\db09d959147a0f7e_QIPP - MOM 01 AMAZONIA WOOD.exe
File-Opened
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll.aux
  • C:\Windows\AppPatch\sysmain.sdb
  • C:\Windows\System32\mscoree.dll
  • C:\Windows\assembly\pubpol40.dat
  • C:\Users\Harry Dresden\AppData\Local\Temp\db09d959147a0f7e_QIPP - MOM 01 AMAZONIA WOOD.exe
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\System32\
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System\b75ba99f72f116d8951b0f2bba8c276a\System.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\ce11900fa489575613dc777c7fbb0d7d\System.Drawing.ni.dll.aux
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\e0fea191b75897ec38735bfc31b89fe0\System.Core.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\48d37adc5c0d8744e13603707480d090\Microsoft.VisualBasic.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\ac38cb30c15eb9e4a54459ee01e9f8e6\System.Windows.Forms.ni.dll.aux
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\signons.sqlite
  • C:\Users\Harry Dresden\AppData\Local\Temp
  • C:\
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\win.ini
  • \\?\PIPE\samr
  • C:\Program Files (x86)\Mozilla Firefox
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\secmod.db
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\profiles.ini
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cert8.db
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\key3.db
  • C:\Users\Harry Dresden\AppData\Local\Temp\19344921.bat
  • C:\
Network-Connects IP
  • 217.61.6.147
Directory-Created
  • C:\Users\Harry Dresden
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\History
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files
  • C:\Users\Harry Dresden\AppData\Local
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Windows\Cookies
  • C:\Users\Harry Dresden\AppData\Roaming
Directory-Enumerated
  • C:\Windows\Microsoft.NET\Framework\*
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
  • C:\Windows\System32\*.*
  • C:\Windows\System32\mscoree.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\*
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\*
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\GTDuw30yTpK9bb587bf#\*
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
  • C:\Users\Harry Dresden\AppData\Local
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\*
  • C:\Windows
  • C:\Users
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\*
  • C:\Users\Harry Dresden\AppData
  • C:\Windows\System32
  • C:\Users\Harry Dresden\AppData\Roaming\Frigate3\*.*
  • C:\ProgramData\LeapWare\LeapFTP\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\CuteFTP\*.*
  • C:\ProgramData\MapleStudio\ChromePlus\*.*
  • C:\Users\Harry Dresden\Documents\My Music\*.*
  • C:\Program Files (x86)\GlobalSCAPE\CuteFTP\*.*
  • C:\ProgramData\GlobalSCAPE\CuteFTP\*.*
  • C:\ProgramData\Frigate3\*.*
  • C:\Users\Harry Dresden\AppData\Local\CuteFTP\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Visicom Media\*.*
  • C:\ProgramData\FTP Explorer\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Chromium\*.*
  • C:\Users\Harry Dresden\AppData\Local\Estsoft\ALFTP\*.*
  • C:\Users\Harry Dresden\AppData\Local\Visicom Media\*.*
  • C:\Program Files (x86)\CuteFTP\*.*
  • C:\ProgramData\GlobalSCAPE\CuteFTP Pro\*.*
  • C:\ProgramData\Cyberduck\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\LeapWare\LeapFTP\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Crash Reports\*.*
  • C:\Users\Harry Dresden\AppData\Local\NetSarang\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\The Bat!\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\FTP Explorer\*.*
  • C:\Users\Harry Dresden\AppData\Local\Sites\*.*
  • C:\ProgramData\BatMail\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\BlazeFtp\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\minidumps\*.*
  • C:\ProgramData\Google\Chrome\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\GPSoftware\Directory Opus\*.*
  • C:\ProgramData\SiteDesigner\*.*
  • C:\Users\Harry Dresden\AppData\Local\FTP Explorer\*.*
  • C:\ProgramData\RhinoSoft.com\*.*
  • C:\Windows\winsxs
  • C:\Users\Harry Dresden\AppData\Roaming\SmartFTP\*.*
  • C:\Users\Harry Dresden\AppData\Local\RhinoSoft.com\*.*
  • C:\Users\Harry Dresden\AppData\Local\Yandex\*.*
  • C:\Users\Harry Dresden\AppData\Local\GlobalSCAPE\CuteFTP Lite\*.*
  • C:\Users\Harry Dresden\AppData\Local\Ipswitch\*.*
  • C:\ProgramData\AceBIT\*.*
  • C:\Users\Harry Dresden\AppData\Local\MapleStudio\ChromePlus\*.*
  • C:\Users\Harry Dresden\AppData\Local\Bromium\*.*
  • C:\ProgramData\*.*
  • C:\Users\Harry Dresden\AppData\Local\Notepad++\*.*
  • C:\Users\Harry Dresden\AppData\Local\FTPGetter\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Nichrome\*.*
  • C:\Users\Harry Dresden\AppData\Local\NetDrive\*.*
  • C:\Users\Harry Dresden\AppData\Local\Nichrome\*.*
  • C:\ProgramData\CuteFTP\*.*
  • C:\Users\Harry Dresden\Documents\My Videos\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\RhinoSoft.com\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cert8.db
  • C:\Users\Harry Dresden\AppData\Roaming\*.*
  • C:\ProgramData\Yandex\*.*
  • C:\ProgramData\FTPGetter\*.*
  • C:\Users\Harry Dresden\AppData\Local\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Google\Chrome\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\NetDrive\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Pocomail\*.*
  • C:\ProgramData\Bromium\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\bookmarkbackups\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\AceBIT\*.*
  • C:\Users\Harry Dresden\AppData\Local\AceBIT\*.*
  • C:\Users\Harry Dresden\Desktop\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\FTPInfo\*.*
  • C:\Users\Harry Dresden\Documents\*.*
  • C:\Windows
  • C:\ProgramData\Comodo\*.*
  • C:\ProgramData\VanDyke\Config\Sessions\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Cyberduck\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Bromium\*.*
  • C:\Users\Harry Dresden\AppData\Local\FTPInfo\*.*
  • C:\ProgramData\SmartFTP\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\MapleStudio\ChromePlus\*.*
  • C:\ProgramData\The Bat!\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Global Downloader\*.*
  • C:\ProgramData\Visicom Media\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Notepad++\*.*
  • C:\Users\Harry Dresden\AppData\Local\Global Downloader\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\BatMail\*.*
  • C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\*.*
  • C:\ProgramData\BulletProof Software\*.*
  • C:\Users\Harry Dresden\AppData\Local\BulletProof Software\*.*
  • C:\ProgramData\NetSarang\*.*
  • C:\Users\Harry Dresden\AppData\Local\Pocomail\*.*
  • C:\Users\Harry Dresden\AppData\Local\Cyberduck\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Yandex\*.*
  • C:\ProgramData\Chromium\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\BulletProof Software\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\FTPGetter\*.*
  • C:\Users\Harry Dresden\AppData\Local\Comodo\*.*
  • C:\Users\Harry Dresden\AppData\Local\TurboFTP\*.*
  • C:\Users\Harry Dresden\AppData\Local\BatMail\*.*
  • C:\ProgramData\Notepad++\*.*
  • C:\Users\Harry Dresden\AppData\Local\GPSoftware\Directory Opus\*.*
  • C:\ProgramData\Ipswitch\*.*
  • C:\ProgramData\TurboFTP\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\VanDyke\Config\Sessions\*.*
  • C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\*.*
  • C:\ProgramData\3D-FTP\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\NetSarang\*.*
  • C:\ProgramData\INSoftware\NovaFTP\*.*
  • C:\ProgramData\RockMelt\*.*
  • C:\Users\Harry Dresden\AppData\Local\Google\Chrome\*.*
  • C:\Users\Harry Dresden\AppData\Local\FTPRush\*.*
  • C:\Users\Harry Dresden\AppData\Local\The Bat!\*.*
  • C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
  • C:\ProgramData\Pocomail\*.*
  • C:\Users\Harry Dresden\AppData\Local\BitKinex\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Estsoft\ALFTP\*.*
  • C:\Users\Harry Dresden\AppData\Local\LeapWare\LeapFTP\*.*
  • C:\Users\Harry Dresden\AppData\Local\VanDyke\Config\Sessions\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\ChromePlus\*.*
  • C:\ProgramData\Nichrome\*.*
  • C:\ProgramData\BitKinex\*.*
  • C:\Users\Harry Dresden\Documents\My Pictures\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\key3.db
  • C:\Users\Harry Dresden\AppData\Local\RockMelt\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Comodo\*.*
  • C:\Users\Harry Dresden\AppData\Local\BlazeFtp\*.*
  • C:\Users\Harry Dresden\AppData\Local\GlobalSCAPE\CuteFTP\*.*
  • C:\ProgramData\ChromePlus\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\TurboFTP\*.*
  • C:\ProgramData\NetDrive\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\secmod.db
  • C:\ProgramData\GPSoftware\Directory Opus\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\FTPRush\*.*
  • C:\ProgramData\Global Downloader\*.*
  • C:\ProgramData\Sites\*.*
  • C:\Users\Harry Dresden\AppData\Local\GlobalSCAPE\CuteFTP Pro\*.*
  • C:\Users\Harry Dresden\AppData\Local\INSoftware\NovaFTP\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\BitKinex\*.*
  • C:\Users\Harry Dresden\AppData\Local\SmartFTP\*.*
  • C:\Users\Harry Dresden\AppData\Local\Chromium\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Ipswitch\*.*
  • C:\ProgramData\FTPRush\*.*
  • C:\ProgramData\FTPInfo\*.*
  • C:\ProgramData\BlazeFtp\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Sites\*.*
  • C:\Users\Harry Dresden\AppData\Local\Frigate3\*.*
  • C:\ProgramData\Estsoft\ALFTP\*.*
  • C:\ProgramData\GlobalSCAPE\CuteFTP Lite\*.*
  • C:\Users\Harry Dresden\AppData\Local\ChromePlus\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\RockMelt\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\INSoftware\NovaFTP\*.*
  • C:\Program Files (x86)\Common Files\Ipswitch\WS_FTP\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\GlobalSCAPE\CuteFTP\*.*
  • C:\Users\Harry Dresden
  • C:\Users\Harry Dresden\AppData\Local\Temp
  • C:\Users\Harry Dresden\AppData\Local\Temp\19344921.bat
  • C:\Users\Harry Dresden\AppData\Local\Temp\db09d959147a0f7e_QIPP - MOM 01 AMAZONIA WOOD.exe
  • C:\Users\Harry Dresden\AppData\Local
  • C:\Users
  • C:\Users\Harry Dresden\AppData
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Harry Dresden|AppData|Local|Temp|db09d959147a0f7e_QIPP - MOM 01 AMAZONIA WOOD.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Assemblies\Global
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
  • \Policy\Standards
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Harry Dresden|AppData|Local|Temp|db09d959147a0f7e_QIPP - MOM 01 AMAZONIA WOOD.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
  • HKEY_CURRENT_USER\Software\Microsoft\Fusion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
  • HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
  • HKEY_CURRENT_USER\(Default)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Assemblies\C:|Users|Harry Dresden|AppData|Local|Temp|db09d959147a0f7e_QIPP - MOM 01 AMAZONIA WOOD.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\db09d959147a0f7e_QIPP - MOM 01 AMAZONIA WOOD.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PerformanceTest 7_is1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foxit Reader_is1
  • HKEY_CURRENT_USER\Software\Mozilla
  • HKEY_CURRENT_USER\Software\FTP Explorer\Profiles
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
  • HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E2B51919-207A-43EB-AE78-733F9C6797C2}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
  • \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\VanDyke\SecureFX
  • HKEY_LOCAL_MACHINE\Software\RIT\The Bat!
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
  • HKEY_LOCAL_MACHINE\Software\FlashFXP\3
  • HKEY_LOCAL_MACHINE\Software\FlashFXP\4
  • HKEY_LOCAL_MACHINE\Software\South River Technologies\WebDrive\Connections
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
  • HKEY_CURRENT_USER\Software\BPFTP\Bullet Proof FTP\Options
  • HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
  • HKEY_CURRENT_USER\Software\IncrediMail
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
  • HKEY_LOCAL_MACHINE\Software\FlashFXP
  • HKEY_CURRENT_USER\Software\RIT\The Bat!
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{975C3A93-2491-3D44-A071-F6CBF153E46D}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\PropertyBag
  • HKEY_CURRENT_USER\Software\FileZilla Client
  • HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\0371FF472F1B88D429B65186AF6ED17B\InstallProperties
  • HKEY_CURRENT_USER\Software\SoftX.org\FTPClient\Sites
  • HKEY_CURRENT_USER\SOFTWARE\Robo-FTP 3.7\FTPServers
  • HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 12.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Robo-FTP 3.7\Scripts
  • HKEY_CURRENT_USER\Software\South River Technologies\WebDrive\Connections
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\db09d959147a0f7e_QIPP - MOM 01 AMAZONIA WOOD.exe
  • HKEY_CLASSES_ROOT\FTP++.Link\shell\open\command
  • HKEY_CURRENT_USER\Software\WinRAR
  • HKEY_CURRENT_USER\Software\Far\SavedDialogHistory\FTPHost
  • HKEY_CURRENT_USER\Software\Sota\FFFTP\Options
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\PropertyBag
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
  • HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\TaskBarIDs
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc2740-d442-11e0-8ee6-806e6f6e6963}\
  • HKEY_CURRENT_USER\Software\ExpanDrive
  • HKEY_CLASSES_ROOT\Opera.HTML\shell\open\command
  • HKEY_CURRENT_USER\Software\LeechFTP
  • HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
  • HKEY_CURRENT_USER\Software\CoffeeCup Software
  • HKEY_CURRENT_USER\Software\FlashFXP
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3416602863-1947377224-293699093-1003\Components\0371FF472F1B88D429B65186AF6ED17B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Mail
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0371FF472F1B88D429B65186AF6ED17B
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273d-d442-11e0-8ee6-806e6f6e6963}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
  • HKEY_CURRENT_USER\Software\BPFTP
  • HKEY_LOCAL_MACHINE\SOFTWARE\NCH Software\Fling\Accounts
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AB0000000001}
  • HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
  • HKEY_LOCAL_MACHINE\Software\Martin Prikryl
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
  • HKEY_CURRENT_USER\SOFTWARE\NCH Software\Fling\Accounts
  • HKEY_CURRENT_USER\Software\Far Manager\SavedDialogHistory\FTPHost
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\mru\jobs
  • HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\FTP
  • HKEY_CURRENT_USER\Software\Ghisler\Total Commander
  • HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\12.0 (en-US)
  • HKEY_LOCAL_MACHINE\Software\Ghisler\Windows Commander
  • HKEY_LOCAL_MACHINE\Software\RIT\The Bat!\Users depot
  • HKEY_CURRENT_USER\Software\BulletProof Software\BulletProof FTP Client\Options
  • HKEY_CURRENT_USER\Software\Adobe\Common
  • HKEY_CURRENT_USER\Software\Far Manager\Plugins\FTP\Hosts
  • HKEY_LOCAL_MACHINE\Software\TurboFTP
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\PropertyBag
  • HKEY_CURRENT_USER\Software\FTPClient\Sites
  • HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 12.0\extensions
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
  • HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
  • HKEY_CURRENT_USER\Software\FlashFXP\3
  • HKEY_CURRENT_USER\Identities
  • HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  • HKEY_CURRENT_USER\Software\FlashFXP\4
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{88603FC0-6B3C-442D-981E-E3D49F083548}_is1
  • HKEY_CLASSES_ROOT\CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
  • HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
  • HKEY_CURRENT_USER\Software\Opera Software
  • HKEY_LOCAL_MACHINE\Software\Nico Mak Computing\WinZip\FTP
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • HKEY_CURRENT_USER\Software\FileZilla
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757
  • HKEY_LOCAL_MACHINE\Software\FTPClient\Sites
  • HKEY_LOCAL_MACHINE\Software\FileZilla
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  • HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 12.0 (x86 en-US)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-0804-1033-1959-001824214663}
  • HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
  • HKEY_CURRENT_USER\Software\MAS-Soft\FTPInfo\Setup
  • HKEY_LOCAL_MACHINE\Software\RimArts\B2\Settings
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\0371FF472F1B88D429B65186AF6ED17B
  • HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
  • HKEY_LOCAL_MACHINE\Software\Poco Systems Inc
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\RIT\The Bat!\Users depot
  • HKEY_CURRENT_USER\Software\Far2\SavedDialogHistory\FTPHost
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F03217067FF}
  • HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox
  • HKEY_CURRENT_USER\Software\Martin Prikryl
  • HKEY_CURRENT_USER\Software\TurboFTP
  • HKEY_CURRENT_USER\SOFTWARE\LeapWare
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
  • HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
  • HKEY_CURRENT_USER\Software\Cryer\WebSitePublisher
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273c-d442-11e0-8ee6-806e6f6e6963}\
  • HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
  • HKEY_CURRENT_USER\Software\ExpanDrive\Sessions
  • HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
  • HKEY_CURRENT_USER\Software\AceBIT
  • HKEY_CURRENT_USER\Software\Poco Systems Inc
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_CURRENT_USER\Identities\{E5E75BBD-C0F6-409E-8A00-7A537CA1DB81}\Software\Microsoft\Internet Account Manager\Accounts
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-0000-0000000FF1CE}
  • HKEY_LOCAL_MACHINE\Software\IncrediMail
  • HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
  • HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
  • HKEY_LOCAL_MACHINE\Software\FileZilla Client
  • HKEY_LOCAL_MACHINE\Software\Ghisler\Total Commander
  • HKEY_LOCAL_MACHINE\SOFTWARE\LeapWare
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
  • HKEY_LOCAL_MACHINE\Software\Mozilla
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{41914D8B-9D6E-4764-A1F9-BC43FB6782C1}_is1
  • HKEY_CURRENT_USER\Software\BPFTP\Bullet Proof FTP\Main
  • HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\12.0 (en-US)\Uninstall
  • HKEY_CURRENT_USER\Software\RimArts\B2\Settings
  • HKEY_LOCAL_MACHINE\Software\Nico Mak Computing\WinZip\mru\jobs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Robo-FTP 3.7\FTPServers
  • HKEY_CURRENT_USER\Software\BulletProof Software\BulletProof FTP Client\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\0371FF472F1B88D429B65186AF6ED17B
  • HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
  • HKEY_CURRENT_USER\Software\Sota\FFFTP
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 12.0\bin
  • HKEY_USERS\.DEFAULT
  • HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
  • HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\12.0 (en-US)\Main
  • HKEY_LOCAL_MACHINE\Software\SoftX.org\FTPClient\Sites
  • HKEY_CURRENT_USER\Software\CoffeeCup Software\Internet\Profiles
  • HKEY_CURRENT_USER\Software\Ghisler\Windows Commander
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
  • HKEY_CURRENT_USER\Software\ChromePlus
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\0371FF472F1B88D429B65186AF6ED17B
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
  • HKEY_LOCAL_MACHINE\Software\AceBIT
  • HKEY_CURRENT_USER\SOFTWARE\Robo-FTP 3.7\Scripts
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
  • HKEY_LOCAL_MACHINE\Software\CoffeeCup Software
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
Registry Key-Read
  • HKEY_CURRENT_USER\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorUseSystemHeap
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\67966828
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
  • HKEY_CURRENT_USER\Control Panel\Desktop\PreferredUILanguages
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\en-US\AlternateCodePage
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguageFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index40
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\KERNEL32.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\KERNELBASE.dll
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\EMPTY
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\en-US\Type
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorSystemHeapIsPrivate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
  • HKEY_CURRENT_USER\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\ntdll.dll
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\MSCOREE.DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Icon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox 12.0\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Account Manager\Outlook
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{41914D8B-9D6E-4764-A1F9-BC43FB6782C1}_is1\UninstallString
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CacheLimit
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Stream
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\FolderTypeID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\ParentFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FrameTabWindow
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\ParsingName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc2740-d442-11e0-8ee6-806e6f6e6963}\Generation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Stream
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\LocalizedName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\ParsingName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 12.0 (x86 en-US)\UninstallString
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273c-d442-11e0-8ee6-806e6f6e6963}\Generation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-0804-1033-1959-001824214663}\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\Name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PerformanceTest 7_is1\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\ParentFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\StreamResource
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\RelativePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\UninstallString
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cache
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\12.0 (en-US)\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\AdminTabProcs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Icon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\ParentFolder
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-0000-0000000FF1CE}\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\InitFolderHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\Stream
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Security
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\InfoTip
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc2740-d442-11e0-8ee6-806e6f6e6963}\Data
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}\UninstallString
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\Attributes
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\LocalRedirectOnly
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{975C3A93-2491-3D44-A071-F6CBF153E46D}\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PerformanceTest 7_is1\UninstallString
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SyncMode5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\StreamResourceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\SessionStartTimeDefaultDeltaSecs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox 12.0\extensions\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\PreCreate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Description
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\PublishExpandedPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E2B51919-207A-43EB-AE78-733F9C6797C2}\DisplayName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273c-d442-11e0-8ee6-806e6f6e6963}\Data
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\Roamable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FrameMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AB0000000001}\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 12.0 (x86 en-US)\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-0000-0000000FF1CE}\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Attributes
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273d-d442-11e0-8ee6-806e6f6e6963}\Generation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\StreamResourceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\UninstallString
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273d-d442-11e0-8ee6-806e6f6e6963}\Data
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{975C3A93-2491-3D44-A071-F6CBF153E46D}\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{88603FC0-6B3C-442D-981E-E3D49F083548}_is1\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{88603FC0-6B3C-442D-981E-E3D49F083548}_is1\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\StreamResourceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\LocalRedirectOnly
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox 12.0\bin\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\Description
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\12.0 (en-US)\Uninstall\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\LocalizedName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Category
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Firefox\TaskBarIDs\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\LocalizedName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\FolderTypeID
  • HKEY_CURRENT_USER\Software\WinRAR\HWID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\PublishExpandedPath
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\InitFolderHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\StreamResource
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173\UninstallString
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystem\Win31FileSystem
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\UninstallString
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Firefox\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\ParsingName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{41914D8B-9D6E-4764-A1F9-BC43FB6782C1}_is1\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\FolderTypeID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E2B51919-207A-43EB-AE78-733F9C6797C2}\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\LocalRedirectOnly
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AB0000000001}\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\SessionMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabProcGrowth
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F03217067FF}\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\InfoTip
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\DevicePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\Icon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F03217067FF}\DisplayName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CacheLimit
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Category
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\UninstallString
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cookies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Roamable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\PublishExpandedPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\PreCreate
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\RelativePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Roamable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\12.0 (en-US)\Main\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\UninstallString
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Salt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Account Manager\Outlook
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData\UninstallString
  • \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\StreamResource
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\History
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CacheLimit
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\PreCreate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Foxit Reader_is1\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Description
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Security
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-0804-1033-1959-001824214663}\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\RelativePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\InfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Foxit Reader_is1\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\Category
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\Security
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573\UninstallString
  • \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cache
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\InitFolderHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\GP\RuleCount
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
Registry Key-Written
  • HKEY_CURRENT_USER\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix
  • HKEY_CURRENT_USER\Software\WinRAR\HWID
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix

Processes

registry filesystem process services network synchronization

C:\Windows\system32\lsass.exe PID: 484, Parent PID: 388

"C:\Users\Harry Dresden\AppData\Local\Temp\db09d959147a0f7e_QIPP - MOM 01 AMAZONIA WOOD.exe" PID: 4784, Parent PID: 4728

"C:\Users\Harry Dresden\AppData\Local\Temp\db09d959147a0f7e_QIPP - MOM 01 AMAZONIA WOOD.exe" PID: 4956, Parent PID: 4784

C:\Windows\system32\cmd.exe /c ""C:\Users\HARRYD~1\AppData\Local\Temp\19344921.bat" "C:\Users\Harry Dresden\AppData\Local\Temp\db09d959147a0f7e_QIPP - MOM 01 AMAZONIA WOOD.exe" " PID: 4140, Parent PID: 4956

Volatility

Nothing to display.