Figure 6: Verify whether malware is running as a system profile

If the malware is running as a system profile, the string d0c from the decrypted config file is used to create the mutex.

Figure 8: Network request

The network request is formed with four parameters in the format shown in Figure 9.

Table 1: GET request parameters

If the returned response is 200, then the malware sends another GET request (Figure 10) with the following parameters (Figure 11).

Figure 11: Second GET request parameters formation

Table 2 shows information about the parameters.

Figure 17: Get directory information

Get Disk Information

This command retrieves the drive information for drives C through Z along with available disk space for each drive.

Figure 18: Retrieve drive information

The information is stored in the following format for each drive:

Format = "%d+%d+%d+%d;"
Example: "8+512+6460870+16751103;"

The information for all the available drives is combined and sent to the server using an operation similar to Figure 14.
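For analysts decoding captured traffic, the following added example (not code from the original report or from the malware) parses the combined drive string in the "%d+%d+%d+%d;" format described above. The field names and the 32-bit sign correction are assumptions: the report does not name the four fields, and they are interpreted here in the order the Windows GetDiskFreeSpace API returns them.

```python
import re
from dataclasses import dataclass

# Per-drive record exactly as given in the write-up: "%d+%d+%d+%d;"
RECORD = re.compile(r"(-?\d+)\+(-?\d+)\+(-?\d+)\+(-?\d+)")

@dataclass(frozen=True)
class DriveRecord:
    # ASSUMPTION: field order follows GetDiskFreeSpace output; the write-up
    # does not name the four fields.
    sectors_per_cluster: int
    bytes_per_sector: int
    free_clusters: int
    total_clusters: int

    @property
    def free_bytes(self) -> int:
        return self.sectors_per_cluster * self.bytes_per_sector * self.free_clusters

    @property
    def total_bytes(self) -> int:
        return self.sectors_per_cluster * self.bytes_per_sector * self.total_clusters

def parse_drive_blob(blob: str):
    """Split a combined drive string into (valid records, rejected chunks)."""
    records, rejects = [], []
    for chunk in filter(None, (c.strip() for c in blob.split(";"))):
        m = RECORD.fullmatch(chunk)
        if m is None:
            rejects.append(chunk)  # not four integers joined by '+'
            continue
        # ASSUMPTION: values are 32-bit; "%d" prints values >= 2**31 as
        # negative numbers, so map them back to unsigned.
        rec = DriveRecord(*(int(g) & 0xFFFFFFFF for g in m.groups()))
        if rec.free_clusters > rec.total_clusters:
            rejects.append(chunk)  # implausible: more free than total
            continue
        records.append(rec)
    return records, rejects

# First record is the example from the write-up; the other three are constructed.
SAMPLE = "8+512+6460870+16751103;8+512+-2147483648+-1;8+512+abc+1;8+512+100+50;"

if __name__ == "__main__":
    recs, bad = parse_drive_blob(SAMPLE)
    for i, r in enumerate(recs):
        print(f"record {i}: {r.free_bytes / 2**30:.1f} GiB free of {r.total_bytes / 2**30:.1f} GiB")
    print("rejected:", bad)
```

The records carry no drive letter, and only available drives are included, so a record's position in the string cannot be mapped back to a specific letter between C and Z.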