Trojan.Siggen18.30103

Technical Information

Malicious functions

Executes the following

'<SYSTEM32>\taskkill.exe' /t /f /IM osppsvc.exe

Terminates or attempts to terminate

the following system processes:

<SYSTEM32>\cmd.exe

Modifies file system

Creates the following files

%TEMP%\nasiboot_active\convert.cmd
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\dismprov.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\dismcore.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\compatprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\cbsprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\dmiprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\dismprov.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\dismhost.exe
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\dismcoreps.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\dismcore.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\compatprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\cbsprovider.dll
%TEMP%\zffavjf
%TEMP%\auta266.tmp
%TEMP%\gpwjzri
%TEMP%\aut9e70.tmp
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\dmiprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\intlprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\wdscore.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\logprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\wimprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\unattendprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\transmogprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\smiprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\osprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\msiprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\logprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\intlprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\folderprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\wimprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\unattendprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\transmogprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\smiprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\osprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\msiprovider.dll.mui
%TEMP%\aarmgkh
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\folderprovider.dll.mui
%TEMP%\aut9a6a.tmp
%WINDIR%\setup\scripts\winact\runasti_x86.exe
%WINDIR%\setup\scripts\winact\enterprise.exe
%WINDIR%\setup\scripts\winact\dinjector.exe
%WINDIR%\setup\scripts\winact\consoleact.exe
%WINDIR%\setup\scripts\winact\aact.exe
%WINDIR%\setup\scripts\winact\kms_vl_all.cmd
%WINDIR%\setup\scripts\winact\keys.ini
%WINDIR%\setup\scripts\winact\consoleact.txt
%WINDIR%\setup\scripts\winact\add_defender_exclusion.cmd
%WINDIR%\setup\scripts\winact\activation.cmd
%WINDIR%\setup\scripts\winact\aact.txt
%TEMP%\nasiboot_active\run.exe
%TEMP%\nasiboot_active\run.dll
%TEMP%\nasiboot_active\config.sys
%TEMP%\nasiboot_active\7z.exe
%TEMP%\nasiboot_active\7z.dll
%WINDIR%\setup\scripts\winact\runasti_x64.exe
%WINDIR%\setup\scripts\winact\tweak10.exe
%TEMP%\aut9684.tmp
%WINDIR%\setup\scripts\winact\tweak7.exe
%TEMP%\rgxmkov
%TEMP%\aut928e.tmp
%TEMP%\kdcvhzm
%TEMP%\aut8ed6.tmp
%TEMP%\pqfvbia
%TEMP%\aut8af0.tmp
%TEMP%\lugzqem
%TEMP%\aut86fa.tmp
%TEMP%\czqksdd
%TEMP%\aut8258.tmp
nul
%WINDIR%\setup\scripts\winact\windows_loader.exe
%WINDIR%\setup\scripts\winact\w10digitalactivation.exe
%WINDIR%\setup\scripts\winact\ultimate.exe
%WINDIR%\setup\scripts\winact\tweak8.exe
%TEMP%\anxzppe
%WINDIR%\logs\dism\dism.log

Deletes the following files

%TEMP%\aut8258.tmp
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\compatprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\dismcore.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\dismprov.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\dmiprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\folderprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\intlprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\logprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\msiprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\osprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\smiprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\transmogprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\unattendprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\wimprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\folderprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\intlprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\logprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\msiprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\osprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\smiprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\transmogprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\unattendprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\en-us\cbsprovider.dll.mui
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\wdscore.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\dmiprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\dismhost.exe
%TEMP%\czqksdd
%TEMP%\aut86fa.tmp
%TEMP%\lugzqem
%TEMP%\aut8af0.tmp
%TEMP%\pqfvbia
%TEMP%\aut8ed6.tmp
%TEMP%\kdcvhzm
%TEMP%\aut928e.tmp
%TEMP%\rgxmkov
%TEMP%\aut9684.tmp
%TEMP%\anxzppe
%TEMP%\aut9a6a.tmp
%TEMP%\aarmgkh
%TEMP%\aut9e70.tmp
%TEMP%\gpwjzri
%TEMP%\auta266.tmp
%TEMP%\zffavjf
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\cbsprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\compatprovider.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\dismcore.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\dismcoreps.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\dismprov.dll
%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\wimprovider.dll

Miscellaneous

Creates and executes the following

'%TEMP%\nasiboot_active\run.exe'
'%WINDIR%\setup\scripts\winact\dinjector.exe' /A "%WINDIR%\Setup\Scripts\Winact\Windows_Loader.exe"
'%WINDIR%\setup\scripts\winact\aact.exe' /ofsgvlk /ofs=act /taskofs /auto
'%WINDIR%\setup\scripts\winact\dinjector.exe' /A "%WINDIR%\Setup\Scripts\Winact\Enterprise.exe"
'%WINDIR%\setup\scripts\winact\dinjector.exe' /A "%WINDIR%\Setup\Scripts\Winact\Ultimate.exe"
'%WINDIR%\setup\scripts\winact\dinjector.exe' /A "%WINDIR%\AAct.exe"
'%TEMP%\364fb09b-4637-4898-bb52-48a23ae4fa69\dismhost.exe' {186C7588-D7FE-4AB4-946A-3B1C9DC689BB}
'%WINDIR%\setup\scripts\winact\dinjector.exe' /A "%WINDIR%\Setup\Scripts\Winact\AAct.exe"
'%WINDIR%\setup\scripts\winact\dinjector.exe' /A "%WINDIR%\Setup\Scripts\Winact\ConsoleAct.exe"
'%WINDIR%\setup\scripts\winact\dinjector.exe' /A "%WINDIR%\ConsoleAct.exe"
'%TEMP%\nasiboot_active\7z.exe' x -o"%WINDIR%\Setup\Scripts\Winact" -y Config.sys -pCubin@181281
'%WINDIR%\setup\scripts\winact\dinjector.exe' /A "%WINDIR%\Setup\Scripts\Winact\W10DigitalActivation.exe"
'%WINDIR%\setup\scripts\winact\dinjector.exe' /A "%WINDIR%\Setup\Scripts"
'<SYSTEM32>\cmd.exe' /c cscript.exe "%ProgramFiles%\Microsoft Office\Office14\ospp.vbs" //NoLogo /dstatusall' (with hidden window)
'<SYSTEM32>\cmd.exe' /c cscript.exe "%ProgramFiles%\Microsoft Office\Office14\ospp.vbs" //NoLogo /inpkey:VYBBJ-TRJPB-QFQRF-QFT4D-H3GVB' (with hidden window)
'<SYSTEM32>\cmd.exe' /c taskkill.exe /t /f /IM osppsvc.exe' (with hidden window)
'<SYSTEM32>\cmd.exe' /c %WINDIR%\Setup\Scripts\Winact\Add_Defender_Exclusion.cmd' (with hidden window)
'<SYSTEM32>\cmd.exe' /C @7z.exe x -o"%WINDIR%\Setup\Scripts\Winact" -y Config.sys -pCubin@181281' (with hidden window)
'<SYSTEM32>\cmd.exe' /c REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64' (with hidden window)
'<SYSTEM32>\cmd.exe' /c net.exe start osppsvc' (with hidden window)
'<SYSTEM32>\cmd.exe' /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /C @7z.exe x -o"%WINDIR%\Setup\Scripts\Winact" -y Config.sys -pCubin@181281
'<SYSTEM32>\cmd.exe' /c taskkill.exe /t /f /IM osppsvc.exe
'<SYSTEM32>\cscript.exe' "%ProgramFiles%\Microsoft Office\Office14\ospp.vbs" //NoLogo /inpkey:VYBBJ-TRJPB-QFQRF-QFT4D-H3GVB
'<SYSTEM32>\cmd.exe' /c cscript.exe "%ProgramFiles%\Microsoft Office\Office14\ospp.vbs" //NoLogo /inpkey:VYBBJ-TRJPB-QFQRF-QFT4D-H3GVB
'<SYSTEM32>\cscript.exe' "%ProgramFiles%\Microsoft Office\Office14\ospp.vbs" //NoLogo /dstatusall
'<SYSTEM32>\cmd.exe' /c cscript.exe "%ProgramFiles%\Microsoft Office\Office14\ospp.vbs" //NoLogo /dstatusall
'<SYSTEM32>\net1.exe' start osppsvc
'<SYSTEM32>\net.exe' start osppsvc
'<SYSTEM32>\cmd.exe' /c net.exe start osppsvc
'<SYSTEM32>\reg.exe' QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64
'<SYSTEM32>\cmd.exe' /c REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64
'<SYSTEM32>\dism.exe' /Online /Get-CurrentEdition
'<SYSTEM32>\findstr.exe' "Enterprise"
'<SYSTEM32>\cmd.exe' /S /D /c" start "" /b /w dism /Online /Get-CurrentEdition "
'<SYSTEM32>\cmd.exe' /c ver
'<SYSTEM32>\attrib.exe' -R -A -S -H *.*
'<SYSTEM32>\cmd.exe' /c %WINDIR%\Setup\Scripts\Winact\activation.cmd
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -nologo -noninteractive -windowStyle hidden -noprofile -command Add-MpPreference -ThreatIDDefaultAction_Ids 2147685180 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDef...
'<SYSTEM32>\reg.exe' query "HKU\S-1-5-19\Environment"
'<SYSTEM32>\cmd.exe' /c %WINDIR%\Setup\Scripts\Winact\Add_Defender_Exclusion.cmd
'<SYSTEM32>\cmd.exe' /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
'<SYSTEM32>\netsh.exe' Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial