beautybiz.no-ip.org(backdoored passwd stealer)

By Pig, December 7, 2010

DNS Lookup
Host Name IP Address
beautybiz.no-ip.org 84.19.169.234

Outgoing connection to remote server: beautybiz.no-ip.org TCP port 80DNS Lookup
Host Name IP Address
127.0.0.1 127.0.0.1

Registry Changes by all processes
Create or Open
Changes HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon “UserInit” = C:WINDOWSsystem32userinit.exe,C:Windupdtwinupdate.exe
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun “winupdater” = C:Windupdtwinupdate.exe
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem “DisableRegistryTools” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesSharedAccessParametersFirewallPolicyStandardProfile “EnableFirewall” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesSharedAccessParametersFirewallPolicyStandardProfile “DisableNotifications” = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem “EnableLUA” = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity Center “AntiVirusDisableNotify” = 1
HKEY_LOCAL_MACHINESYSTEMControlSet001Serviceswscsvc “Start” = [REG_DWORD, value: 00000004]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesCurrentVersionExplorern “NoControlPanel” = 1
Reads HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionFontSubstitutes “MS Shell Dlg 2”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIMM “Ime File”
HKEY_CURRENT_USERSoftwareMicrosoftCTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINEHARDWAREDESCRIPTIONSystemCentralProcessor “ProcessorNameString”
HKEY_LOCAL_MACHINEHARDWAREDESCRIPTIONSystem “SystemBiosDate”
HKEY_LOCAL_MACHINEHARDWAREDESCRIPTIONSystem “Identifier”
HKEY_LOCAL_MACHINEHARDWAREDESCRIPTIONSystemCentralProcessor “Identifier”
HKEY_LOCAL_MACHINEHARDWAREDESCRIPTIONSystemCentralProcessor “VendorIdentifier”
HKEY_LOCAL_MACHINESOFTWAREClassesHTTPshellopencommand “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon “Userinit”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSession ManagerAppCompatibility “DisableAppCompat”
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{56F9679E-7826-4C84-81F3-532071A8BCC5}InprocServer32 “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchProtocolHandlersFile “ProgID”
HKEY_LOCAL_MACHINESOFTWAREClassesfile “ShellFolder”
HKEY_LOCAL_MACHINESOFTWAREClassesMapi “ShellFolder”
HKEY_LOCAL_MACHINESOFTWAREClassesOutlookexpress “ShellFolder”
HKEY_LOCAL_MACHINESOFTWAREClassesOTFS “ShellFolder”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersDefault “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersDefault “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersDefault “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersDefault “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.bmp “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.bmp “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.bmp “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.bmp “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.c “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.c “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.c “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.c “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cpp “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cpp “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cpp “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cpp “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cs “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cs “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cs “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cs “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cxx “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cxx “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cxx “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cxx “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.doc “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.doc “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.doc “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.doc “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.dot “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.dot “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.dot “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.dot “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.emf “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.emf “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.emf “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.emf “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.eml “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.eml “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.eml “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.eml “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.err “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.err “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.err “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.err “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.gif “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.gif “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.gif “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.gif “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.h “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.h “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.h “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.h “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.htm “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.htm “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.htm “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.htm “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.html “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.html “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.html “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.html “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.hxx “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.hxx “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.hxx “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.hxx “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.idl “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.idl “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.idl “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.idl “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jpeg “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jpeg “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jpeg “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jpeg “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jpg “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jpg “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jpg “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jpg “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jsl “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jsl “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jsl “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jsl “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.mht “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.mht “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.mht “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.mht “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.mhtml “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.mhtml “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.mhtml “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.mhtml “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.nws “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.nws “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.nws “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.nws “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pdf “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pdf “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pdf “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pdf “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.png “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.png “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.png “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.png “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pot “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pot “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pot “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pot “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pps “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pps “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pps “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pps “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.ppt “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.ppt “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.ppt “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.ppt “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.rtf “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.rtf “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.rtf “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.rtf “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.txt “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.txt “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.txt “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.txt “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.vb “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.vb “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.vb “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.vb “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.wmf “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.wmf “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.wmf “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.wmf “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.wrn “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.wrn “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.wrn “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.wrn “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xls “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xls “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xls “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xls “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xlt “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xlt “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xlt “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xlt “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xml “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xml “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xml “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xml “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xsd “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xsd “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xsd “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xsd “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecalendar “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecalendar “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecalendar “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecalendar “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecommunications “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecommunications “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecommunications “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecommunications “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecontact “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecontact “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecontact “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecontact “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypedocument “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypedocument “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypedocument “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypedocument “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeemail “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeemail “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeemail “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeemail “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypefavorite “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypefavorite “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypefavorite “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypefavorite “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypefolder “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypefolder “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypefolder “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypefolder “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeim “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeim “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeim “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeim “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeimages “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeimages “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeimages “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeimages “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypemusic “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypemusic “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypemusic “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypemusic “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypenote “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypenote “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypenote “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypenote “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypepicture “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypepicture “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypepicture “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypepicture “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypepresentation “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypepresentation “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypepresentation “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypepresentation “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeprogram “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeprogram “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeprogram “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeprogram “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypespreadsheet “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypespreadsheet “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypespreadsheet “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypespreadsheet “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypetext “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypetext “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypetext “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypetext “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypevideo “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypevideo “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypevideo “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypevideo “ScriptOk”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyProvidersTrustCertificate{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} “$DLL”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyProvidersTrustCertificate{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} “$Function”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyProvidersTrustFinalPolicy{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} “$DLL”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyProvidersTrustFinalPolicy{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} “$Function”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyProvidersTrustInitialization{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} “$DLL”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyProvidersTrustInitialization{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} “$Function”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyProvidersTrustMessage{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} “$DLL”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyProvidersTrustMessage{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} “$Function”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyProvidersTrustSignature{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} “$DLL”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyProvidersTrustSignature{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} “$Function”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyProvidersTrustCertCheck{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} “$DLL”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyProvidersTrustCertCheck{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} “$Function”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyProvidersTrustCleanup{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} “$DLL”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyProvidersTrustCleanup{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} “$Function”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptography “MachineGuid”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionWinTrustTrust ProvidersSoftware Publishing “State”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSecurity “Safety Warning Level”
HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFramework “InstallRoot”
HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFramework “CLRLoadLogDir”
HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFramework “OnlyUseLatestCLR”
HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFramework “GCStressStart”
HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFramework “GCStressStartAtJit”
HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFramework “DisableConfigCache”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusion “CacheLocation”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusion “DownloadCacheQuotaInKB”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusion “EnableLog”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusion “LoggingLevel”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusion “ForceLog”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusion “LogFailures”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusion “LogResourceBinds”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusion “UseLegacyIdentityFormat”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusion “DisableMSIPeek”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32 “LatestIndex”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32index39 “NIUsageMask”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32index39 “ILUsageMask”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI181938c63c74e9a91 “DisplayName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI181938c63c74e9a91 “ConfigMask”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI181938c63c74e9a91 “ConfigString”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI181938c63c74e9a91 “MVID”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI181938c63c74e9a91 “EvalationData”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI181938c63c74e9a91 “Status”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI181938c63c74e9a91 “ILDependencies”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI181938c63c74e9a91 “NIDependencies”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI181938c63c74e9a91 “MissingDependencies”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL7950e2c56caaf4531 “DisplayName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL7950e2c56caaf4531 “Status”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL7950e2c56caaf4531 “Modules”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL7950e2c56caaf4531 “SIG”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL7950e2c56caaf4531 “LastModTime”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionPublisherPolicyDefault “Latest”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionPublisherPolicyDefault “index1”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionPublisherPolicyDefault “LegacyPolicyTimeStamp”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI1c22df2f52628d2e32 “DisplayName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI1c22df2f52628d2e32 “ConfigMask”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI1c22df2f52628d2e32 “ConfigString”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI1c22df2f52628d2e32 “MVID”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI1c22df2f52628d2e32 “EvalationData”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI1c22df2f52628d2e32 “Status”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI1c22df2f52628d2e32 “ILDependencies”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI1c22df2f52628d2e32 “NIDependencies”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI1c22df2f52628d2e32 “MissingDependencies”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32ILc991064b94a1613 “DisplayName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32ILc991064b94a1613 “Status”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32ILc991064b94a1613 “Modules”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32ILc991064b94a1613 “SIG”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32ILc991064b94a1613 “LastModTime”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL6dc7d4c0c6e51992 “DisplayName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL6dc7d4c0c6e51992 “Status”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL6dc7d4c0c6e51992 “Modules”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL6dc7d4c0c6e51992 “SIG”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL6dc7d4c0c6e51992 “LastModTime”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL3ced59c5731552299 “DisplayName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL3ced59c5731552299 “Status”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL3ced59c5731552299 “Modules”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL3ced59c5731552299 “SIG”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL3ced59c5731552299 “LastModTime”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32ILf6e8397746fdbb814 “DisplayName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32ILf6e8397746fdbb814 “Status”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32ILf6e8397746fdbb814 “Modules”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32ILf6e8397746fdbb814 “SIG”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32ILf6e8397746fdbb814 “LastModTime”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL2b1a4e41d99584f35 “DisplayName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL2b1a4e41d99584f35 “Status”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL2b1a4e41d99584f35 “Modules”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL2b1a4e41d99584f35 “SIG”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL2b1a4e41d99584f35 “LastModTime”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL24bf93f6497ba02516 “DisplayName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL24bf93f6497ba02516 “Status”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL24bf93f6497ba02516 “Modules”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL24bf93f6497ba02516 “SIG”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL24bf93f6497ba02516 “LastModTime”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL4f99a7c914e3164a40 “DisplayName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL4f99a7c914e3164a40 “Status”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL4f99a7c914e3164a40 “Modules”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL4f99a7c914e3164a40 “SIG”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL4f99a7c914e3164a40 “LastModTime”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI30bc7c4f1d4982328 “DisplayName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI30bc7c4f1d4982328 “ConfigMask”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI30bc7c4f1d4982328 “ConfigString”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI30bc7c4f1d4982328 “MVID”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI30bc7c4f1d4982328 “EvalationData”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI30bc7c4f1d4982328 “Status”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI30bc7c4f1d4982328 “ILDependencies”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI30bc7c4f1d4982328 “NIDependencies”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI30bc7c4f1d4982328 “MissingDependencies”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL424bd4d855c8d3736 “DisplayName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL424bd4d855c8d3736 “Status”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL424bd4d855c8d3736 “Modules”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL424bd4d855c8d3736 “SIG”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL424bd4d855c8d3736 “LastModTime”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL19ab8d575922aa8b7 “DisplayName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL19ab8d575922aa8b7 “Status”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL19ab8d575922aa8b7 “Modules”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL19ab8d575922aa8b7 “SIG”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL19ab8d575922aa8b7 “LastModTime”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL3f50fe4f68d6da4e8 “DisplayName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL3f50fe4f68d6da4e8 “Status”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL3f50fe4f68d6da4e8 “Modules”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL3f50fe4f68d6da4e8 “SIG”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL3f50fe4f68d6da4e8 “LastModTime”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionGACChangeNotificationDefault “Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionGACChangeNotificationDefault “System,2.0.0.0,,b77a5c561934e089,MSIL”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionGACChangeNotificationDefault “System.Xml,2.0.0.0,,b77a5c561934e089,MSIL”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionGACChangeNotificationDefault “System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionGACChangeNotificationDefault “System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionGACChangeNotificationDefault “System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionGACChangeNotificationDefault “System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionGACChangeNotificationDefault “System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionGACChangeNotificationDefault “System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionGACChangeNotificationDefault “System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI61e7e66669db67485 “DisplayName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI61e7e66669db67485 “ConfigMask”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI61e7e66669db67485 “ConfigString”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI61e7e66669db67485 “MVID”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI61e7e66669db67485 “EvalationData”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI61e7e66669db67485 “Status”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI61e7e66669db67485 “ILDependencies”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI61e7e66669db67485 “NIDependencies”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI61e7e66669db67485 “MissingDependencies”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL475dce4052a70309f “DisplayName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL475dce4052a70309f “Status”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL475dce4052a70309f “Modules”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL475dce4052a70309f “SIG”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL475dce4052a70309f “LastModTime”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL2dd6ac5065313f894 “DisplayName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL2dd6ac5065313f894 “Status”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL2dd6ac5065313f894 “Modules”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL2dd6ac5065313f894 “SIG”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL2dd6ac5065313f894 “LastModTime”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL41c04c7e32fcddb010 “DisplayName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL41c04c7e32fcddb010 “Status”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL41c04c7e32fcddb010 “Modules”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL41c04c7e32fcddb010 “SIG”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL41c04c7e32fcddb010 “LastModTime”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI3cca06a031de29a46 “DisplayName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI3cca06a031de29a46 “ConfigMask”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI3cca06a031de29a46 “ConfigString”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI3cca06a031de29a46 “MVID”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI3cca06a031de29a46 “EvalationData”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI3cca06a031de29a46 “Status”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI3cca06a031de29a46 “ILDependencies”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI3cca06a031de29a46 “NIDependencies”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI3cca06a031de29a46 “MissingDependencies”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionGACChangeNotificationDefault “System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionGACChangeNotificationDefault “Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionGACChangeNotificationDefault “System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL”
HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFramework “DbgJITDebugLaunchSetting”
HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFramework “DbgManagedDebugger”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI432ba5983d75b7fc11 “DisplayName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI432ba5983d75b7fc11 “ConfigMask”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI432ba5983d75b7fc11 “ConfigString”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI432ba5983d75b7fc11 “MVID”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI432ba5983d75b7fc11 “EvalationData”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI432ba5983d75b7fc11 “Status”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI432ba5983d75b7fc11 “ILDependencies”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI432ba5983d75b7fc11 “NIDependencies”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI432ba5983d75b7fc11 “MissingDependencies”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL3a6a696d3469b77313 “DisplayName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL3a6a696d3469b77313 “Status”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL3a6a696d3469b77313 “Modules”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL3a6a696d3469b77313 “SIG”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32IL3a6a696d3469b77313 “LastModTime”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionGACChangeNotificationDefault “System.DirectoryServices,2.0.0.0,,b03f5f7f11d50a3a,MSIL”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftPCHealthErrorReporting “ForceQueueMode”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftPCHealthErrorReporting “ShowUI”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftPCHealthErrorReporting “DoReport”
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{0A29FF9E-7F9C-4437-8B11-F424491E3931}InprocServer32 “”
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{0A29FF9E-7F9C-4437-8B11-F424491E3931}Server “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionFontSubstitutes “MS Shell Dlg 2”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIMM “Ime File”
HKEY_CURRENT_USERSoftwareMicrosoftCTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINEHARDWAREDESCRIPTIONSystemCentralProcessor “ProcessorNameString”
HKEY_LOCAL_MACHINEHARDWAREDESCRIPTIONSystem “SystemBiosDate”
HKEY_LOCAL_MACHINEHARDWAREDESCRIPTIONSystem “Identifier”
HKEY_LOCAL_MACHINEHARDWAREDESCRIPTIONSystemCentralProcessor “Identifier”
HKEY_LOCAL_MACHINEHARDWAREDESCRIPTIONSystemCentralProcessor “VendorIdentifier”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun “winupdater”
HKEY_CURRENT_USERSoftwareDC3_FEXEC “8589039055303ec2719719d7d0ea4a5c”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “DefaultAuthLevel”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DisableUNCCheck”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “EnableExtensions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DelayedExpansion”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DefaultColor”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “CompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “PathCompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “AutoRun”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DisableUNCCheck”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “EnableExtensions”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DelayedExpansion”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DefaultColor”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “CompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “PathCompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “AutoRun”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesTcpipParameters “DefaultTTL”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “DefaultAuthLevel”
Enums HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchProtocolHandlers
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchProtocolHandlersFile
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedType
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyOIDEncodingType 0CryptSIPDllIsMyFileType2
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyOID
HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFrameworkSecurityPolicyExtensionsNamedPermissionSets
HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFrameworkSecurityPolicyExtensionsNamedPermissionSetsInternet
HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFrameworkSecurityPolicyExtensionsNamedPermissionSetsLocalIntranet
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI181938c63c74e9a9
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI1c22df2f52628d2e
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI61e7e66669db6748
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesIndexv2.0.50727_32NI432ba5983d75b7fc

File Changes by all processes
New Files C:Windupdtwinupdate.exe
C:DOKUME~1ADMINI~1LOKALE~1TempGROW_STEALER_V1_CRACKED.EXE
C:DOKUME~1ADMINI~1LOKALE~1Temp_dcsc_.bat
C:Windupdtwinupdate.exe
C:Windupdtwinupdate.exe
DeviceRasAcd
NUL
C:Windupdtwinupdate.exe
DeviceIp
Opened Files .PIPElsarpc
.PIPEwkssvc
C:ProgrammeWindows Desktop SearchMSNLNamespaceMgr.dll
C:WINDOWSRegistrationR000000000007.clb
C:WINDOWSAppPatchsysmain.sdb
C:WINDOWSAppPatchsystest.sdb
DeviceNamedPipeShimViewer
C:DOKUME~1ADMINI~1LOKALE~1Temp
C:Windupdt
C:WINDOWSsystem32de-DEwshext.dll.mui
C:DOKUME~1ADMINI~1LOKALE~1TempGROW_STEALER_V1_CRACKED.EXE.config
C:DOKUME~1ADMINI~1LOKALE~1TempGROW_STEALER_V1_CRACKED.EXE
C:WINDOWSMicrosoft.NETFrameworkv2.0.50727configmachine.config
C:WINDOWSMicrosoft.NETFrameworkv2.0.50727configsecurity.config
C:WINDOWSMicrosoft.NETFrameworkv2.0.50727configsecurity.config.cch
C:WINDOWSMicrosoft.NETFrameworkv2.0.50727configenterprisesec.config
C:WINDOWSMicrosoft.NETFrameworkv2.0.50727configenterprisesec.config.cch
C:Dokumente und EinstellungenAdministratorAnwendungsdatenMicrosoftCLR Security Configv2.0.50727.42security.config
C:Dokumente und EinstellungenAdministratorAnwendungsdatenMicrosoftCLR Security Configv2.0.50727.42security.config.cch
C:WINDOWSassemblyNativeImages_v2.0.50727_32index39.dat
C:WINDOWSassemblypubpol1.dat
C:WINDOWSMicrosoft.NETFrameworkv2.0.50727configmachine.config
C:WINDOWSsystem32l_intl.nls
C:WINDOWSassemblyGAC_32mscorlib2.0.0.0__b77a5c561934e089sorttbls.nlp
C:WINDOWSassemblyGAC_32mscorlib2.0.0.0__b77a5c561934e089sortkey.nlp
C:WINDOWSassemblyGAC_MSILmscorlib.resources2.0.0.0_de_b77a5c561934e089mscorlib.resources.dll
C:WINDOWSassemblyGAC_MSILmscorlib.resources2.0.0.0_de_b77a5c561934e089mscorlib.resources.dll
C:DOKUME~1ADMINI~1LOKALE~1TempGROW_STEALER_V1_CRACKED.EXE
C:WINDOWSassemblyGAC_MSILMicrosoft.VisualBasic8.0.0.0__b03f5f7f11d50a3aMicrosoft.VisualBasic.dll
C:WINDOWSassemblyGAC_MSILMicrosoft.VisualBasic8.0.0.0__b03f5f7f11d50a3aMicrosoft.VisualBasic.pdb
C:WINDOWSsymbolsdllMicrosoft.VisualBasic.pdb
C:WINDOWSdllMicrosoft.VisualBasic.pdb
C:WINDOWSMicrosoft.VisualBasic.pdb
.PIPElsarpc
C:DOKUME~1ADMINI~1LOKALE~1Temp_dcsc_.bat
C:WINDOWSAppPatchsysmain.sdb
C:WINDOWSAppPatchsystest.sdb
DeviceNamedPipeShimViewer
C:WINDOWSsystem32
Deleted Files C:WINDOWSMicrosoft.NETFrameworkv2.0.50727configsecurity.config.cch.1120.2479312
C:WINDOWSMicrosoft.NETFrameworkv2.0.50727configenterprisesec.config.cch.1120.2479328
C:Dokumente und EinstellungenAdministratorAnwendungsdatenMicrosoftCLR Security Configv2.0.50727.42security.config.cch.1120.2479406
c:Grow_Stealer_v1_Cracked.exe
c:GROW_S~1.EXE
Chronological Order Open File: .PIPElsarpc (OPEN_EXISTING)
Get File Attributes: C:Windupdt Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:Windupdt Flags: (SECURITY_ANONYMOUS)
Copy File: c:Grow_Stealer_v1_Cracked.exe to C:Windupdtwinupdate.exe
Set File Attributes: C:Windupdtwinupdate.exe Flags: (FILE_ATTRIBUTE_ARCHIVE FILE_ATTRIBUTE_SYSTEM FILE_ATTRIBUTE_TEMPORARY SECURITY_ANONYMOUS)
Set File Attributes: C:Windupdt Flags: (FILE_ATTRIBUTE_ARCHIVE FILE_ATTRIBUTE_SYSTEM FILE_ATTRIBUTE_TEMPORARY SECURITY_ANONYMOUS)
Create File: C:DOKUME~1ADMINI~1LOKALE~1TempGROW_STEALER_V1_CRACKED.EXE
Open File: .PIPEwkssvc (OPEN_EXISTING)
Get File Attributes: c: Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1TempGROW_STEALER_V1_CRACKED.EXE Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWS Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:Dokumente und EinstellungenAdministratorEigene Dateiendesktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:Dokumente und EinstellungenAll UsersDokumentedesktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: C:ProgrammeWindows Desktop SearchMSNLNamespaceMgr.dll (OPEN_EXISTING)
Get File Attributes: C:WINDOWSRegistration Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSRegistrationR000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1TempGROW_STEALER_V1_CRACKED.EXE:Zone.Identifier Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:DOKUME~1ADMINI~1LOKALE~1Temp ()
Find File: C:DOKUME~1ADMINI~1LOKALE~1TempGROW_STEALER_V1_CRACKED.EXE
Get File Attributes: C:Windupdtwinupdate.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:Windupdtwinupdate.exe:Zone.Identifier Flags: (SECURITY_ANONYMOUS)
Open File: C:Windupdt ()
Find File: C:Windupdtwinupdate.exe
Create File: C:DOKUME~1ADMINI~1LOKALE~1Temp_dcsc_.bat
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Temp_dcsc_.bat Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Temp_dcsc_.bat:Zone.Identifier Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSsystem32de-DEwshext.dll.mui (OPEN_EXISTING)
Find File: C:DOKUME~1ADMINI~1LOKALE~1Temp_dcsc_.bat
Get File Attributes: C:WINDOWSsystem32mscoree.dll.local Flags: (SECURITY_ANONYMOUS)
Open File: C:DOKUME~1ADMINI~1LOKALE~1TempGROW_STEALER_V1_CRACKED.EXE.config (OPEN_EXISTING)
Open File: C:DOKUME~1ADMINI~1LOKALE~1TempGROW_STEALER_V1_CRACKED.EXE (OPEN_EXISTING)
Find File: C:WINDOWSMicrosoft.NETFrameworkv2.0.50727mscorwks.dll
Open File: C:WINDOWSMicrosoft.NETFrameworkv2.0.50727configmachine.config (OPEN_EXISTING)
Get File Attributes: C:WINDOWSMicrosoft.NETFrameworkv2.0.50727fusion.localgac Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSMicrosoft.NETFrameworkv2.0.50727configsecurity.config (OPEN_EXISTING)
Open File: C:WINDOWSMicrosoft.NETFrameworkv2.0.50727configsecurity.config.cch (OPEN_EXISTING)
Open File: C:WINDOWSMicrosoft.NETFrameworkv2.0.50727configenterprisesec.config (OPEN_EXISTING)
Open File: C:WINDOWSMicrosoft.NETFrameworkv2.0.50727configenterprisesec.config.cch (OPEN_EXISTING)
Open File: C:Dokumente und EinstellungenAdministratorAnwendungsdatenMicrosoftCLR Security Configv2.0.50727.42security.config (OPEN_EXISTING)
Open File: C:Dokumente und EinstellungenAdministratorAnwendungsdatenMicrosoftCLR Security Configv2.0.50727.42security.config.cch (OPEN_EXISTING)
Open File: C:WINDOWSassemblyNativeImages_v2.0.50727_32index39.dat (OPEN_EXISTING)
Find File: C:WINDOWSassemblyGAC_32mscorlib2.0.0.0__b77a5c561934e089mscorlib.INI
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1TempGROW_STEALER_V1_CRACKED.config Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1TempGROW_STEALER_V1_CRACKED.EXE Flags: (SECURITY_ANONYMOUS)
Find File: C:DOKUME~1ADMINI~1LOKALE~1TempGROW_STEALER_V1_CRACKED.INI
Open File: C:WINDOWSassemblypubpol1.dat (OPEN_EXISTING)
Get File Attributes: C:WINDOWSassemblyGACPublisherPolicy.tme Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSMicrosoft.NETFrameworkv2.0.50727configmachine.config Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSMicrosoft.NETFrameworkv2.0.50727configmachine.config (OPEN_EXISTING)
Find File: C:WINDOWSassemblyGAC_MSILMicrosoft.VisualBasic8.0.0.0__b03f5f7f11d50a3aMicrosoft.VisualBasic.INI
Find File: C:WINDOWSassemblyGAC_MSILSystem2.0.0.0__b77a5c561934e089System.INI
Find File: C:WINDOWSassemblyGAC_MSILSystem.Windows.Forms2.0.0.0__b77a5c561934e089System.Windows.Forms.INI
Find File: C:WINDOWSassemblyGAC_MSILSystem.Drawing2.0.0.0__b03f5f7f11d50a3aSystem.Drawing.INI
Get File Attributes: C:WINDOWSGlobalizationde-de.nlp Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSsystem32l_intl.nls (OPEN_EXISTING)
Find File: C:WINDOWSassemblyGAC_MSILSystem.Runtime.Remoting2.0.0.0__b77a5c561934e089System.Runtime.Remoting.INI
Get File Attributes: C:WINDOWSassemblyGAC_32DevComponents.DotNetBar28.2.0.2__5fd520d36328f741 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSassemblyGAC_MSILDevComponents.DotNetBar28.2.0.2__5fd520d36328f741 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSassemblyGACDevComponents.DotNetBar28.2.0.2__5fd520d36328f741 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1TempDevComponents.DotNetBar2.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1TempDevComponents.DotNetBar2DevComponents.DotNetBar2.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1TempDevComponents.DotNetBar2.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1TempDevComponents.DotNetBar2DevComponents.DotNetBar2.exe Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSassemblyGAC_32mscorlib2.0.0.0__b77a5c561934e089sorttbls.nlp (OPEN_EXISTING)
Open File: C:WINDOWSassemblyGAC_32mscorlib2.0.0.0__b77a5c561934e089sortkey.nlp (OPEN_EXISTING)
Get File Attributes: C:WINDOWSGlobalizationen-us.nlp Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTempGROW_STEALER_V1_CRACKED.config Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSassemblyGAC_32mscorlib.resources2.0.0.0_de-DE_b77a5c561934e089 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSassemblyGAC_MSILmscorlib.resources2.0.0.0_de-DE_b77a5c561934e089 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSassemblyGACmscorlib.resources2.0.0.0_de-DE_b77a5c561934e089 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempde-DEmscorlib.resources.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempde-DEmscorlib.resourcesmscorlib.resources.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempde-DEmscorlib.resources.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempde-DEmscorlib.resourcesmscorlib.resources.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSGlobalizationde.nlp Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSassemblyGAC_32mscorlib.resources2.0.0.0_de_b77a5c561934e089 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSassemblyGAC_MSILmscorlib.resources2.0.0.0_de_b77a5c561934e089 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSassemblyGAC_MSILmscorlib.resources2.0.0.0_de_b77a5c561934e089mscorlib.resources.dll Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSassemblyGAC_MSILmscorlib.resources2.0.0.0_de_b77a5c561934e089mscorlib.resources.dll (OPEN_EXISTING)
Find File: C:WINDOWSassemblyGAC_MSILmscorlib.resources2.0.0.0_de_b77a5c561934e089mscorlib.resources.INI
Open File: C:WINDOWSassemblyGAC_MSILmscorlib.resources2.0.0.0_de_b77a5c561934e089mscorlib.resources.dll (OPEN_EXISTING)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1TempGROW_STEALER_V1_CRACKED.PDB Flags: (SECURITY_ANONYMOUS)
Open File: C:DOKUME~1ADMINI~1LOKALE~1TempGROW_STEALER_V1_CRACKED.EXE (OPEN_EXISTING)
Open File: C:WINDOWSassemblyGAC_MSILMicrosoft.VisualBasic8.0.0.0__b03f5f7f11d50a3aMicrosoft.VisualBasic.dll (OPEN_EXISTING)
Open File: C:WINDOWSassemblyGAC_MSILMicrosoft.VisualBasic8.0.0.0__b03f5f7f11d50a3aMicrosoft.VisualBasic.pdb (OPEN_EXISTING)
Open File: C:WINDOWSsymbolsdllMicrosoft.VisualBasic.pdb (OPEN_EXISTING)
Open File: C:WINDOWSdllMicrosoft.VisualBasic.pdb (OPEN_EXISTING)
Open File: C:WINDOWSMicrosoft.VisualBasic.pdb (OPEN_EXISTING)
Delete File: C:WINDOWSMicrosoft.NETFrameworkv2.0.50727configsecurity.config.cch.1120.2479312
Delete File: C:WINDOWSMicrosoft.NETFrameworkv2.0.50727configenterprisesec.config.cch.1120.2479328
Delete File: C:Dokumente und EinstellungenAdministratorAnwendungsdatenMicrosoftCLR Security Configv2.0.50727.42security.config.cch.1120.2479406
Open File: .PIPElsarpc (OPEN_EXISTING)
Create/Open File: C:Windupdtwinupdate.exe (OPEN_ALWAYS)
Create/Open File: C:Windupdtwinupdate.exe (OPEN_ALWAYS)
Create/Open File: DeviceRasAcd (OPEN_ALWAYS)
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Get File Attributes: “C:DOKUME~1ADMINI~1LOKALE~1Temp_dcsc_.bat” Flags: (SECURITY_ANONYMOUS)
Find File: C:DOKUME~1ADMINI~1LOKALE~1Temp_dcsc_.bat
Open File: C:DOKUME~1ADMINI~1LOKALE~1Temp_dcsc_.bat (OPEN_EXISTING)
Find File: c:ping.*
Find File: c:ping
Find File: C:WINDOWSsystem32ping.*
Find File: C:WINDOWSsystem32ping.COM
Find File: C:WINDOWSsystem32ping.EXE
Create File: NUL
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32ping.exe
Get File Attributes: c:Grow_Stealer_v1_Cracked.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c: Flags: (SECURITY_ANONYMOUS)
Find File: c:Grow_Stealer_v1_Cracked.exe
Delete File: c:Grow_Stealer_v1_Cracked.exe
Delete File: c:GROW_S~1.EXE
Create File: C:Windupdtwinupdate.exe
Create/Open File: DeviceIp (OPEN_ALWAYS)

infos about the hecker:
http://whois.domaintools.com/84.19.169.234

exe file here:
http://hotfile.com/dl/87378500/c698434/Grow_Stealer_v1_Cracked.exe.html

Categories: Uncategorized