Trojan.Siggen32.5765

Technical Information

Modifies file system

Creates the following files

%TEMP%\nsm5a61.tmp
%TEMP%\outlook2024-32\setup.exe
%TEMP%\outlook2024-32\configuration-outlook2024-64bit.xml
%TEMP%\nst5ddd.tmp\nsexec.dll
%LOCALAPPDATA%\microsoft\office\16.0\webservicecache\allusers\officeclient.microsoft.com\db8a5f18-5d86-438c-b420-0dc7dc2906d0
%LOCALAPPDATA%\microsoft\office\otele\setup.exe.db-journal
%LOCALAPPDATA%\microsoft\office\otele\setup.exe.db
%LOCALAPPDATA%\microsoft\office\otele\setup.exe.db-shm
%LOCALAPPDATA%\microsoft\office\otele\setup.exe.db-wal
%TEMP%\awkikyblo-20251104-0642.log
%TEMP%\officec2r00b50dca-2ca0-479f-87c6-c49f41fa5e0aofficec2r387d3ceb-09d3-43ce-9d42-0799565021de\v64.hash
%TEMP%\officec2r00b50dca-2ca0-479f-87c6-c49f41fa5e0aofficec2r387d3ceb-09d3-43ce-9d42-0799565021de\versiondescriptor.xml
%TEMP%\office16.proplus_config.xml
%TEMP%\setup00000dac\osetup.dll
%TEMP%\setupexe(20251104064257dac).log
%TEMP%\setup00000dac\osetupui.dll
%TEMP%\setup00000dac\branding.xml
%TEMP%\setup00000dac\setup.chm
%TEMP%\setup00000dac\ose00000.exe
%WINDIR%\installer\eef8c.mst
%WINDIR%\temp\~df9892ff8b1e396ef4.tmp
%WINDIR%\temp\~dffe01a43c12727223.tmp
%WINDIR%\temp\~df348d6fea69736605.tmp
%ALLUSERSPROFILE%\microsoft\windows\caches\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000004.db
%ALLUSERSPROFILE%\microsoft\windows\caches\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db
%WINDIR%\installer\$patchcache$\managed\00006109a20000000100000000f01fec\cachesize.txt
%WINDIR%\temp\~df9caf5316b8d1bfaf.tmp
%WINDIR%\temp\~df77bf8ee0f6c5a144.tmp
%WINDIR%\temp\~dfe5af349d1c33503d.tmp
%WINDIR%\temp\~df2311be0dcd466766.tmp
%WINDIR%\temp\~df6dd1e0b020ed1027.tmp
%WINDIR%\temp\~df1b1d3a3d49a89ad6.tmp
%WINDIR%\temp\~df610de40cd5758964.tmp
%WINDIR%\temp\~df11c5f51c8ef72832.tmp
%WINDIR%\temp\~df36b844333fb522c4.tmp
%WINDIR%\temp\~df1cf5fc5f5cbaa2ed.tmp
%WINDIR%\temp\~df79f9afe2943b84cc.tmp
%TEMP%\hxc7fa.tmp
%WINDIR%\temp\~df54cb7ccd96aa0053.tmp
%WINDIR%\temp\~df553fbba063716e33.tmp
%ALLUSERSPROFILE%\microsoft help\{90160000-006e-0409-0000-0000000ff1ce}\nslist.hxl
%WINDIR%\temp\~df449941bd3c8532e9.tmp
%WINDIR%\temp\~df57f9623c9ea8b0fa.tmp
%WINDIR%\temp\~dfc635ab4ccca78d1f.tmp
%WINDIR%\temp\~dfb49d46bbeb7f10a0.tmp
%WINDIR%\temp\~df3388bf2a40b7db44.tmp
%WINDIR%\temp\~df277ea64265e9bc6e.tmp
%WINDIR%\temp\~dfacc17b15e4ef5ca6.tmp
%WINDIR%\temp\~df35fb9c824551bb99.tmp
%WINDIR%\temp\~df750d10e9b9bd0a39.tmp
%WINDIR%\temp\~df6d1df48f1c863e37.tmp
%WINDIR%\temp\~df152a728c98e27302.tmp
%WINDIR%\temp\~df71175a391844e542.tmp
%WINDIR%\temp\~dfeece77a199d53e56.tmp
%WINDIR%\temp\~df41dbdf769dcd3c23.tmp
%WINDIR%\temp\~df334bfb4cf417bf71.tmp
%WINDIR%\temp\~df3d4e1c78944c5d3c.tmp
%WINDIR%\temp\~dfc0aa6cd981786a31.tmp
%WINDIR%\temp\~df2808927e8e432dc1.tmp
%WINDIR%\temp\~dfea32ca1f3885b727.tmp
%WINDIR%\temp\~dfc33ad1b78a21a7a5.tmp
%WINDIR%\temp\~df6899f5bc844d9d02.tmp
%WINDIR%\temp\~df9888d48967f3b62e.tmp
%WINDIR%\temp\~df2355318c6bc5fefe.tmp
%WINDIR%\temp\~df814a019d725c5602.tmp
%WINDIR%\temp\~df3c5372e505ecf274.tmp
%WINDIR%\temp\~dfb3839186c2521580.tmp
%WINDIR%\temp\~df692f87b294f44362.tmp
%WINDIR%\temp\~df68f0a0f85c56ceca.tmp
%WINDIR%\temp\~df11a5a53de174b73c.tmp
%WINDIR%\temp\~df1ac7077d11f52e1e.tmp
%WINDIR%\temp\~dfffc8ea1f194d69a3.tmp
%WINDIR%\temp\~df6f1a7dc316c977b9.tmp
%WINDIR%\temp\~df05f01e15dcc03543.tmp
%WINDIR%\temp\~df72c35771aa39ffc6.tmp
%WINDIR%\temp\~dfde1df12e61a2d5ee.tmp
%WINDIR%\temp\~df1e8e89edd619f8fc.tmp
%WINDIR%\temp\~dfb03fee69911b075e.tmp
%WINDIR%\temp\~df68ea6a952514af03.tmp
%WINDIR%\temp\~dfdcac274324c4fc6f.tmp
%WINDIR%\temp\~df22aee9bb4eb3f3f1.tmp
%WINDIR%\temp\~dff8b0676d1d80161a.tmp
%WINDIR%\temp\~df425a1ba505f64323.tmp
%WINDIR%\temp\~dfade213183577e0a1.tmp
%WINDIR%\temp\~df5ab45db88a1b9a88.tmp
%WINDIR%\temp\~df7be4919b33a1b82f.tmp
%WINDIR%\temp\~df71e5100826365bd2.tmp
%WINDIR%\temp\~df047ba7e4b4881b3c.tmp
%WINDIR%\temp\~dff7177354982aa469.tmp
%WINDIR%\temp\~dfbf7c0fca033a790a.tmp
%WINDIR%\temp\~df51cfcf0f8095407f.tmp
%WINDIR%\temp\~dfe1d8f40569e7755e.tmp
%WINDIR%\temp\~df458df21bd66c0387.tmp

Deletes the following system files

%WINDIR%\installer\sourcehash{90160000-002a-0000-1000-0000000ff1ce}
%WINDIR%\installer\sourcehash{90160000-006e-0409-0000-0000000ff1ce}
%WINDIR%\installer\sourcehash{90160000-0117-0409-0000-0000000ff1ce}
%WINDIR%\installer\sourcehash{90160000-0015-0409-0000-0000000ff1ce}
%WINDIR%\installer\sourcehash{90160000-002c-0409-0000-0000000ff1ce}

Deletes following files that it created itself

%LOCALAPPDATA%\microsoft\office\otele\setup.exe.db-journal
%TEMP%\v64_16.0.17932.20574checkreachable0688c020-39ea-4b64-9e0c-057dd52bb733
%TEMP%\officec2r00b50dca-2ca0-479f-87c6-c49f41fa5e0a\v64.hash
%TEMP%\officec2r00b50dca-2ca0-479f-87c6-c49f41fa5e0a\v64_16.0.17932.20574.cab
%TEMP%\officec2r00b50dca-2ca0-479f-87c6-c49f41fa5e0a\versiondescriptor.xml
%ALLUSERSPROFILE%\microsoft\windows\caches\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000004.db
%WINDIR%\installer\eef8c.mst

Moves the following system files

from %WINDIR%\installer\$patchcache$\managed\00006109a20000000100000000f01fec\16.0.4266\concrt140.dll.a38ebf59_3a35_3759_b824_c9816882fa56 to C:\config.msi\eefcd.rbf
from %WINDIR%\installer\$patchcache$\managed\00006109a20000000100000000f01fec\16.0.4266\mfc140.dll.a38ebf59_3a35_3759_b824_c9816882fa56 to C:\config.msi\eefce.rbf
from %WINDIR%\installer\$patchcache$\managed\00006109a20000000100000000f01fec\16.0.4266\mfc140chs.dll.a38ebf59_3a35_3759_b824_c9816882fa56 to C:\config.msi\eefcf.rbf
from %WINDIR%\installer\$patchcache$\managed\00006109a20000000100000000f01fec\16.0.4266\mfc140cht.dll.a38ebf59_3a35_3759_b824_c9816882fa56 to C:\config.msi\eefd0.rbf
from %WINDIR%\installer\$patchcache$\managed\00006109a20000000100000000f01fec\16.0.4266\mfc140deu.dll.a38ebf59_3a35_3759_b824_c9816882fa56 to C:\config.msi\eefd1.rbf
from %WINDIR%\installer\$patchcache$\managed\00006109a20000000100000000f01fec\16.0.4266\mfc140enu.dll.a38ebf59_3a35_3759_b824_c9816882fa56 to C:\config.msi\eefd2.rbf
from %WINDIR%\installer\$patchcache$\managed\00006109a20000000100000000f01fec\16.0.4266\mfc140esn.dll.a38ebf59_3a35_3759_b824_c9816882fa56 to C:\config.msi\eefd3.rbf
from %WINDIR%\installer\$patchcache$\managed\00006109a20000000100000000f01fec\16.0.4266\mfc140fra.dll.a38ebf59_3a35_3759_b824_c9816882fa56 to C:\config.msi\eefd4.rbf
from %WINDIR%\installer\$patchcache$\managed\00006109a20000000100000000f01fec\16.0.4266\mfc140ita.dll.a38ebf59_3a35_3759_b824_c9816882fa56 to C:\config.msi\eefd5.rbf
from %WINDIR%\installer\$patchcache$\managed\00006109a20000000100000000f01fec\16.0.4266\mfc140jpn.dll.a38ebf59_3a35_3759_b824_c9816882fa56 to C:\config.msi\eefd6.rbf
from %WINDIR%\installer\$patchcache$\managed\00006109a20000000100000000f01fec\16.0.4266\mfc140kor.dll.a38ebf59_3a35_3759_b824_c9816882fa56 to C:\config.msi\eefd7.rbf
from %WINDIR%\installer\$patchcache$\managed\00006109a20000000100000000f01fec\16.0.4266\mfc140rus.dll.a38ebf59_3a35_3759_b824_c9816882fa56 to C:\config.msi\eefd8.rbf
from %WINDIR%\installer\$patchcache$\managed\00006109a20000000100000000f01fec\16.0.4266\mfc140u.dll.a38ebf59_3a35_3759_b824_c9816882fa56 to C:\config.msi\eefd9.rbf
from %WINDIR%\installer\$patchcache$\managed\00006109a20000000100000000f01fec\16.0.4266\mfcm140.dll.a38ebf59_3a35_3759_b824_c9816882fa56 to C:\config.msi\eefda.rbf
from %WINDIR%\installer\$patchcache$\managed\00006109a20000000100000000f01fec\16.0.4266\mfcm140u.dll.a38ebf59_3a35_3759_b824_c9816882fa56 to C:\config.msi\eefdb.rbf
from %WINDIR%\installer\$patchcache$\managed\00006109a20000000100000000f01fec\16.0.4266\msvcp140.dll.a38ebf59_3a35_3759_b824_c9816882fa56 to C:\config.msi\eefdc.rbf
from %WINDIR%\installer\$patchcache$\managed\00006109a20000000100000000f01fec\16.0.4266\vccorlib140.dll.a38ebf59_3a35_3759_b824_c9816882fa56 to C:\config.msi\eefdd.rbf
from %WINDIR%\installer\$patchcache$\managed\00006109a20000000100000000f01fec\16.0.4266\vcruntime140.dll.a38ebf59_3a35_3759_b824_c9816882fa56 to C:\config.msi\eefde.rbf

Moves the following files

from %TEMP%\officec2r00b50dca-2ca0-479f-87c6-c49f41fa5e0aofficec2r387d3ceb-09d3-43ce-9d42-0799565021de\v64.hash to %TEMP%\officec2r00b50dca-2ca0-479f-87c6-c49f41fa5e0a\v64.hash
from %TEMP%\officec2r00b50dca-2ca0-479f-87c6-c49f41fa5e0aofficec2r387d3ceb-09d3-43ce-9d42-0799565021de\versiondescriptor.xml to %TEMP%\officec2r00b50dca-2ca0-479f-87c6-c49f41fa5e0a\versiondescriptor.xml
from %WINDIR%\installer\$patchcache$\managed\00006109a20000000100000000f01fec\cachesize.txt to C:\config.msi\eefdf.rbf

Modifies the following files

Substitutes the following files

%LOCALAPPDATA%\microsoft\office\otele\setup.exe.db-journal

Network activity

Connects to

'ec#.#ffice.com':443
'officeclient.microsoft.com':443
'mr########gr.officeapps.live.com':443
'f.###.#s.cdn.office.net':80
'mobile.events.data.microsoft.com':443

TCP

HTTP GET requests

Other

'ec#.#ffice.com':443
'officeclient.microsoft.com':443
'mr########gr.officeapps.live.com':443
'mobile.events.data.microsoft.com':443

UDP

DNS ASK ec#.#ffice.com
DNS ASK mo#####.map.fastly.net
DNS ASK co##############e-chains.prod.autograph.services.mozaws.net
DNS ASK officeclient.microsoft.com
DNS ASK mr########gr.officeapps.live.com
DNS ASK f.###.#s.cdn.office.net
DNS ASK mobile.events.data.microsoft.com

Miscellaneous

Creates and executes the following

'%TEMP%\outlook2024-32\setup.exe' /configure "%TEMP%\Outlook2024-32\configuration-Outlook2024-64bit.xml"

Executes the following

'%CommonProgramFiles(x86)%\microsoft shared\office16\office setup controller\setup.exe' /uninstall PROPLUS /dll OSETUP.DLL /config "%TEMP%\Office16.PROPLUS_config.xml"
'%ProgramFiles%\microsoft office\office16\msohtmed.exe' /unregserver
'%CommonProgramFiles(x86)%\microsoft shared\source engine\ose.exe' -standalone:temp
'%TEMP%\outlook2024-32\setup.exe' /configure "%TEMP%\Outlook2024-32\configuration-Outlook2024-64bit.xml"' (with hidden window)

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней