Sigma detected: MSHTA Spawning Windows ShellĪuthor: Michael Haag: Data: Comm and: 'C:\W indows\Sys tem32\cmd. exe' /c bc dedit /set recoverye nabled No, ProcessId : 1984
(collection): Data: Comm and: 'C:\W indows\Sys tem32\cmd.
OSK EXE SOURCE CODE PRO
Shell').Re gRead('HKC U\\Softwar e\\AMMOA\\ DZNUG')) c lose() ', ParentImag e: C:\Wind ows\SysWOW 64\mshta.e xe, Parent ProcessId: 4524, Pro cessComman dLine: 'C: \Windows\S ystem32\cm d.exe' /c wmic SHADO WCOPY DELE TE, Proces sId: 4972Īuthor: Florian Roth (rule), Tom U. exe, NewPr ocessName: C:\Window s\SysWOW64 \cmd.exe, OriginalFi leName: C: \Windows\S ysWOW64\cm d.exe, Par entCommand Line: msht a.exe 'jav ascript:ev al(new Act iveXObject ('WScript. exe' /c wm ic SHADOWC OPY DELETE, CommandL ine|base64 offset|con tains:, I mage: C:\W indows\Sys WOW64\cmd.
exe' /c wm ic SHADOWC OPY DELETE, CommandL ine: 'C:\W indows\Sys tem32\cmd. Sigma detected: Delete shadow copy via WMICĪuthor: Joe Security: Data: Comm and: 'C:\W indows\Sys tem32\cmd. ( ЭТО НЕ РАБОТАЕТ ) Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" _ (ByVal lpClassName As String, ByVal lpWindowName As String) As Long Public Declare Function SetWindowPos Lib "user32" _ (ByVal hwnd As Long, ByVal hWndInsertAfter As Long, ByVal x As Long, _ ByVal y As Long, ByVal cx As Long, ByVal cy As Long, ByVal wFlags As Long) As Long Public Const SWP_NOSIZE = &H1 Public Const HWND_TOPMOST = -1 Sub Sample() Dim Ret As Long, retval As Long Dim Shex As Object Set Shex = CreateObject("Shell.Application") Shex.Open ("C:\Windows\System32\osk.exe") Wait 1 Ret = FindWindow("OSKMainClass", "On-Screen Keyboard") If Ret 0 Then 'Msgbox "On-Screen Keyboard Window Found" retval = SetWindowPos(Ret, HWND_TOPMOST, 0, 0, 0, 0, SWP_NOSIZE) DoEvents If retval = False Then MsgBox "Unable to move Window" End If End Sub Private Sub Wait(ByVal nSec As Long) nSec = nSec + Timer While nSec > Timer DoEvents Wend End Sub
0 kommentar(er)
