Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 147.185.221.17 ports 0,1,2,3,9,21093

Source: global traffic

TCP traffic: 192.168.2.6:49711 -> 147.185.221.17:21093

Source: Joe Sandbox View

IP Address: 147.185.221.17 147.185.221.17

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: everyone-subjective.gl.at.ply.gg
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe, 00000000.00000002.2164157987.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3377191713.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2169022479.00000000032B6000.00000004.00000800.00020000.00000000.sdmp, xdwdChrome.exe, 0000000D.00000002.2185771912.00000000027A6000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe, -.cs	.Net Code: @
Source: svchost.exe.0.dr, -.cs	.Net Code: @
Source: xdwdChrome.exe.0.dr, -.cs	.Net Code: @

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Code function: 0_2_00007FFD347B289D NtProtectVirtualMemory,		0_2_00007FFD347B289D
Source: C:\Windows\svchost.exe	Code function: 12_2_00007FFD3478289D NtProtectVirtualMemory,		12_2_00007FFD3478289D

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	File created: C:\Windows\svchost.exe			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	File created: C:\Windows\xdwd.dll			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Code function: 0_2_00007FFD347AE542	0_2_00007FFD347AE542
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Code function: 0_2_00007FFD347AFF30	0_2_00007FFD347AFF30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Code function: 0_2_00007FFD347B16AD	0_2_00007FFD347B16AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Code function: 0_2_00007FFD347A7848	0_2_00007FFD347A7848
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Code function: 0_2_00007FFD347AD796	0_2_00007FFD347AD796
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Code function: 0_2_00007FFD347B1BC0	0_2_00007FFD347B1BC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Code function: 0_2_00007FFD347A90FA	0_2_00007FFD347A90FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Code function: 0_2_00007FFD347B0D00	0_2_00007FFD347B0D00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Code function: 0_2_00007FFD347A046D	0_2_00007FFD347A046D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Code function: 0_2_00007FFD347B0C8D	0_2_00007FFD347B0C8D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Code function: 0_2_00007FFD347B0C3E	0_2_00007FFD347B0C3E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Code function: 0_2_00007FFD347ACF95	0_2_00007FFD347ACF95
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Code function: 0_2_00007FFD347B1BAD	0_2_00007FFD347B1BAD
Source: C:\Windows\svchost.exe	Code function: 8_2_00007FFD3478E542	8_2_00007FFD3478E542
Source: C:\Windows\svchost.exe	Code function: 8_2_00007FFD3478FEFA	8_2_00007FFD3478FEFA
Source: C:\Windows\svchost.exe	Code function: 8_2_00007FFD3478D796	8_2_00007FFD3478D796
Source: C:\Windows\svchost.exe	Code function: 8_2_00007FFD34791BC0	8_2_00007FFD34791BC0
Source: C:\Windows\svchost.exe	Code function: 8_2_00007FFD347890FA	8_2_00007FFD347890FA
Source: C:\Windows\svchost.exe	Code function: 8_2_00007FFD3478046D	8_2_00007FFD3478046D
Source: C:\Windows\svchost.exe	Code function: 8_2_00007FFD34789EF9	8_2_00007FFD34789EF9
Source: C:\Windows\svchost.exe	Code function: 8_2_00007FFD3478941D	8_2_00007FFD3478941D
Source: C:\Windows\svchost.exe	Code function: 8_2_00007FFD347893FD	8_2_00007FFD347893FD
Source: C:\Windows\svchost.exe	Code function: 12_2_00007FFD3477E542	12_2_00007FFD3477E542
Source: C:\Windows\svchost.exe	Code function: 12_2_00007FFD3477FF30	12_2_00007FFD3477FF30
Source: C:\Windows\svchost.exe	Code function: 12_2_00007FFD347816AD	12_2_00007FFD347816AD
Source: C:\Windows\svchost.exe	Code function: 12_2_00007FFD34777848	12_2_00007FFD34777848
Source: C:\Windows\svchost.exe	Code function: 12_2_00007FFD3477D796	12_2_00007FFD3477D796
Source: C:\Windows\svchost.exe	Code function: 12_2_00007FFD34781BC0	12_2_00007FFD34781BC0
Source: C:\Windows\svchost.exe	Code function: 12_2_00007FFD347790FA	12_2_00007FFD347790FA
Source: C:\Windows\svchost.exe	Code function: 12_2_00007FFD34780D00	12_2_00007FFD34780D00
Source: C:\Windows\svchost.exe	Code function: 12_2_00007FFD3477046D	12_2_00007FFD3477046D
Source: C:\Windows\svchost.exe	Code function: 12_2_00007FFD34780C8D	12_2_00007FFD34780C8D
Source: C:\Windows\svchost.exe	Code function: 12_2_00007FFD3477941D	12_2_00007FFD3477941D
Source: C:\Windows\svchost.exe	Code function: 12_2_00007FFD34780C3E	12_2_00007FFD34780C3E
Source: C:\Windows\svchost.exe	Code function: 12_2_00007FFD34781BAD	12_2_00007FFD34781BAD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Code function: 13_2_00007FFD3479046D	13_2_00007FFD3479046D

Source: Joe Sandbox View

Dropped File: C:\Windows\xdwd.dll 35C8D022E1D917F1AABDCEAE98097CCC072161B302F84C768CA63E4B32AC2B66

Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Static PE information: No import functions for PE file found
Source: xdwdChrome.exe.0.dr	Static PE information: No import functions for PE file found
Source: svchost.exe.0.dr	Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe, 00000000.00000002.2164157987.00000000033B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exelJ vs SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe
Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe, 00000000.00000002.2164157987.0000000003388000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exelJ vs SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe
Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe, 00000000.00000000.2136415737.0000000000F02000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesvchost.exelJ vs SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe
Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe, 00000000.00000002.2170293081.000000001BF4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe
Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Binary or memory string: OriginalFilenamesvchost.exelJ vs SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe

Source: xdwdChrome.exe.0.dr, -.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: xdwdChrome.exe.0.dr, -.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: xdwdChrome.exe.0.dr, -.cs	Security API names: File.GetAccessControl
Source: xdwdChrome.exe.0.dr, -.cs	Security API names: File.SetAccessControl
Source: xdwdChrome.exe.0.dr, -.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe, -.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe, -.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: xdwdChrome.exe.0.dr, -.cs	Security API names: File.GetAccessControl
Source: xdwdChrome.exe.0.dr, -.cs	Security API names: File.SetAccessControl
Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe, -.cs	Security API names: File.GetAccessControl
Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe, -.cs	Security API names: File.SetAccessControl
Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe, -.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe, -.cs	Security API names: File.GetAccessControl
Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe, -.cs	Security API names: File.SetAccessControl
Source: svchost.exe.0.dr, -.cs	Security API names: File.GetAccessControl
Source: svchost.exe.0.dr, -.cs	Security API names: File.SetAccessControl
Source: svchost.exe.0.dr, -.cs	Security API names: File.GetAccessControl
Source: svchost.exe.0.dr, -.cs	Security API names: File.SetAccessControl
Source: svchost.exe.0.dr, -.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: svchost.exe.0.dr, -.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, -.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/6@3/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Mutant created: NULL
Source: C:\Windows\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\y7pz%svk76dr209la0s5pwbm
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4892:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5012:120:WilError_03

Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Virustotal: Detection: 58%
Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process created: C:\Windows\System32\cmd.exe "CMD" netsh advfirewall firewall add rule name=")e7`;$<w;7R";h" dir=in action=allow program="C:\Windows\svchost.exe" enable=yes & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "NvDriverUpdateCheckDaily" /tr "C:\Windows\svchost.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 1 /tn "NvDriverUpdateCheckDaily" /tr "C:\Windows\svchost.exe" /RL HIGHEST
Source: unknown	Process created: C:\Windows\svchost.exe C:\Windows\svchost.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 30 /tn "NvNodeLauncher" /tr "C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 30 /tn "NvNodeLauncher" /tr "C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process created: C:\Windows\svchost.exe "C:\Windows\svchost.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process created: C:\Windows\System32\cmd.exe "CMD" netsh advfirewall firewall add rule name=")e7`;$<w;7R";h" dir=in action=allow program="C:\Windows\svchost.exe" enable=yes & exit	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "NvDriverUpdateCheckDaily" /tr "C:\Windows\svchost.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 30 /tn "NvNodeLauncher" /tr "C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process created: C:\Windows\svchost.exe "C:\Windows\svchost.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 1 /tn "NvDriverUpdateCheckDaily" /tr "C:\Windows\svchost.exe" /RL HIGHEST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 30 /tn "NvNodeLauncher" /tr "C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe" /RL HIGHEST	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe, -.cs	.Net Code: @ System.AppDomain.Load(byte[])
Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe, -.cs	.Net Code: @
Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe, -.cs	.Net Code: @ System.Reflection.Assembly.Load(byte[])
Source: svchost.exe.0.dr, -.cs	.Net Code: @ System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, -.cs	.Net Code: @
Source: svchost.exe.0.dr, -.cs	.Net Code: @ System.Reflection.Assembly.Load(byte[])
Source: xdwdChrome.exe.0.dr, -.cs	.Net Code: @ System.AppDomain.Load(byte[])
Source: xdwdChrome.exe.0.dr, -.cs	.Net Code: @
Source: xdwdChrome.exe.0.dr, -.cs	.Net Code: @ System.Reflection.Assembly.Load(byte[])

Source: xdwd.dll.0.dr	Static PE information: section name: _RDATA
Source: xdwd.dll.0.dr	Static PE information: section name: .0Dev

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Code function: 0_2_00007FFD347A00BD pushad ; iretd	0_2_00007FFD347A00C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Code function: 0_2_00007FFD347A7969 push ebx; retf	0_2_00007FFD347A796A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Code function: 0_2_00007FFD347A1EEA push FFFFFFE8h; ret	0_2_00007FFD347A1EF9
Source: C:\Windows\svchost.exe	Code function: 8_2_00007FFD347800BD pushad ; iretd	8_2_00007FFD347800C1
Source: C:\Windows\svchost.exe	Code function: 8_2_00007FFD34787969 push ebx; retf	8_2_00007FFD3478796A
Source: C:\Windows\svchost.exe	Code function: 8_2_00007FFD34781EEA push FFFFFFE8h; ret	8_2_00007FFD34781EF9
Source: C:\Windows\svchost.exe	Code function: 12_2_00007FFD347700BD pushad ; iretd	12_2_00007FFD347700C1
Source: C:\Windows\svchost.exe	Code function: 12_2_00007FFD34777969 push ebx; retf	12_2_00007FFD3477796A
Source: C:\Windows\svchost.exe	Code function: 12_2_00007FFD34771EEA push FFFFFFE8h; ret	12_2_00007FFD34771EF9
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Code function: 13_2_00007FFD34791EEA push FFFFFFE8h; ret	13_2_00007FFD34791EF9
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Code function: 13_2_00007FFD347900BD pushad ; iretd	13_2_00007FFD347900C1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Code function: 13_2_00007FFD34797969 push ebx; retf	13_2_00007FFD3479796A

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe

File created: C:\Windows\svchost.exe

Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe

Executable created and started: C:\Windows\svchost.exe

Allows loading of unsigned dll using appinit_dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	File created: C:\Windows\xdwd.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	File created: C:\Windows\svchost.exe	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	File created: C:\Windows\xdwd.dll			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	File created: C:\Windows\svchost.exe			Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe

Registry value created: RequireSignedAppInit_DLLs 0

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows LoadAppInit_DLLs	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 1 /tn "NvDriverUpdateCheckDaily" /tr "C:\Windows\svchost.exe" /RL HIGHEST

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE PNPClass = 'Camera'
Source: C:\Windows\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE PNPClass = 'Camera'
Source: C:\Windows\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE PNPClass = 'Camera'
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE PNPClass = 'Camera'

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Memory allocated: 1B0C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\svchost.exe	Memory allocated: 26D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\svchost.exe	Memory allocated: 1A6D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\svchost.exe	Memory allocated: 13A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\svchost.exe	Memory allocated: 1B2A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Memory allocated: C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Memory allocated: 1A790000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe

Dropped PE file which has not been started: C:\Windows\xdwd.dll

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe TID: 5536	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\svchost.exe TID: 3560	Thread sleep count: 183 > 30	Jump to behavior
Source: C:\Windows\svchost.exe TID: 3560	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Windows\svchost.exe TID: 1592	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe TID: 1396	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\svchost.exe	Last function: Thread delayed
Source: C:\Windows\svchost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: svchost.exe, 00000008.00000002.3383467270.000000001C096000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe

Memory allocated: page read and write | page guard

System process connects to network (likely due to code injection or exploit)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\svchost.exe

Network Connect: 147.185.221.17 21093

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process created: C:\Windows\System32\cmd.exe "CMD" netsh advfirewall firewall add rule name=")e7`;$<w;7R";h" dir=in action=allow program="C:\Windows\svchost.exe" enable=yes & exit	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "NvDriverUpdateCheckDaily" /tr "C:\Windows\svchost.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 30 /tn "NvNodeLauncher" /tr "C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe" /RL HIGHEST & exit	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Process created: C:\Windows\svchost.exe "C:\Windows\svchost.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 1 /tn "NvDriverUpdateCheckDaily" /tr "C:\Windows\svchost.exe" /RL HIGHEST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 30 /tn "NvNodeLauncher" /tr "C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe" /RL HIGHEST	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe VolumeInformation	Jump to behavior
Source: C:\Windows\svchost.exe	Queries volume information: C:\Windows\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Windows\svchost.exe	Queries volume information: C:\Windows\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Modifies the windows firewall

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe

Process created: C:\Windows\System32\cmd.exe "CMD" netsh advfirewall firewall add rule name=")e7`;$<w;7R";h" dir=in action=allow program="C:\Windows\svchost.exe" enable=yes & exit

Source: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe, 00000000.00000002.2163874707.00000000014D0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3383123525.000000001C043000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3376690018.000000000088B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2168689144.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2168404377.0000000001476000.00000004.00000020.00020000.00000000.sdmp, xdwdChrome.exe, 0000000D.00000002.2185069269.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected SheetRat

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe.13113b30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe.13113b30.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2168941941.00000000130F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe PID: 6672, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\xdwd.dll, type: DROPPED

Remote Access Functionality

Yara detected SheetRat

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe.13113b30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe.13113b30.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2168941941.00000000130F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe PID: 6672, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\xdwd.dll, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 Scheduled Task/Job	111 Process Injection	221 Masquerading	OS Credential Dumping	431 Security Software Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	2 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	341 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	2 Registry Run Keys / Startup Folder	341 Virtualization/Sandbox Evasion	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	111 Process Injection	NTDS	223 System Information Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	58%	Virustotal		Browse
SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Variadic
SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	100%	Avira	TR/Agent_AGen.cpenj
SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\svchost.exe	100%	Avira	TR/Agent_AGen.cpenj
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	100%	Avira	TR/Agent_AGen.cpenj
C:\Windows\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Variadic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe	58%	Virustotal		Browse
C:\Windows\svchost.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Variadic
C:\Windows\svchost.exe	58%	Virustotal		Browse
C:\Windows\xdwd.dll	62%	ReversingLabs	Win64.Trojan.Generic
C:\Windows\xdwd.dll	66%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
everyone-subjective.gl.at.ply.gg	6%	Virustotal		Browse
171.39.242.20.in-addr.arpa	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
everyone-subjective.gl.at.ply.gg	147.185.221.17	true	true	6%, Virustotal, Browse	unknown
171.39.242.20.in-addr.arpa	unknown	unknown	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe, 00000000.00000002.2164157987.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3377191713.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2169022479.00000000032B6000.00000004.00000800.00020000.00000000.sdmp, xdwdChrome.exe, 0000000D.00000002.2185771912.00000000027A6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.17	everyone-subjective.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1515709
Start date and time:	2024-09-23 11:20:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/6@3/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 69% Number of executed functions: 57 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.85.23.86, 20.3.187.198, 20.242.39.171, 52.165.165.26
Excluded domains from analysis (whitelisted): client.wns.windows.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target svchost.exe, PID 368 because it is empty
Execution Graph export aborted for target xdwdChrome.exe, PID 7156 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:21:03	Task Scheduler	Run new task: NvDriverUpdateCheckDaily path: C:\Windows\svchost.exe
11:21:05	Task Scheduler	Run new task: NvNodeLauncher path: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.17	80c619d931fa4e5c89fe87aac0b6b143.exe	Get hash	malicious	XWorm	Browse
	6ab092aeab924edb854b3ff21ea579df.exe	Get hash	malicious	XWorm	Browse
	Hoodbyunlock.exe	Get hash	malicious	XWorm	Browse
	x.exe	Get hash	malicious	XWorm	Browse
	cougif6lqM.exe	Get hash	malicious	DCRat, XWorm	Browse
	FUDE.bin.exe	Get hash	malicious	XWorm	Browse
	system47.exe	Get hash	malicious	XWorm	Browse
	setup.exe	Get hash	malicious	XWorm	Browse
	APPoKkkk8h.exe	Get hash	malicious	Unknown	Browse
	hatabat.exe	Get hash	malicious	Blank Grabber, DCRat, XWorm	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	jQ2ryeS5ZP.exe	Get hash	malicious	PureCrypter, Revenge, CyberGate, DCRat, GuLoader, Njrat, PureLog Stealer	Browse	147.185.221.22
	AutoWizard.exe	Get hash	malicious	Quasar	Browse	147.185.221.22
	dsadsadsadsadsadsaw.exe	Get hash	malicious	Quasar	Browse	147.185.221.22
	killerdude.exe	Get hash	malicious	Quasar	Browse	147.185.221.22
	SecuriteInfo.com.Trojan.TR.Dropper.Gen.22332.4876.exe	Get hash	malicious	Unknown	Browse	147.185.221.19
	XyjvIO6D4m.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	vtCneOrnat.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	jbG3cpmy.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	client.exe	Get hash	malicious	Quasar	Browse	147.185.221.22
	NzEsfIiAc0.exe	Get hash	malicious	XWorm	Browse	147.185.221.21

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\xdwd.dll	Server.exe	Get hash	malicious	Unknown	Browse
	beK7HmoXro.exe	Get hash	malicious	Unknown	Browse
	bJLd0SUHfj.exe	Get hash	malicious	Unknown	Browse
	TYLtsVPB7g.exe	Get hash	malicious	Unknown	Browse
	FWH67NqQmR.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe.log

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	642
Entropy (8bit):	5.349816875832946
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1WzAbDLI4MNepQZaOKbbDLI4MWuPOKfSSI6Khav:ML9E4KQMsXE4NpOKDE4KGKZI6Khk
MD5:	CE2C9B879749D2DDE6CEE82813F4ED9D
SHA1:	45614E9485EF4EEAD572387D9DD69480D1C79888
SHA-256:	8F7CD246CA33FC6FF7ED3C425842EEC6433FCDA26F4603C26C3A498273AE83CB
SHA-512:	5AB487F6AE9F2E749114FE50DB1EF9FB181B3B0968C92AA787362C59788376FF50F6411ECFAE835CD1001B68E9B1961398A695AB16D5412F09E49A44A769F5EE
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Process:	C:\Windows\svchost.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	642
Entropy (8bit):	5.349816875832946
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1WzAbDLI4MNepQZaOKbbDLI4MWuPOKfSSI6Khav:ML9E4KQMsXE4NpOKDE4KGKZI6Khk
MD5:	CE2C9B879749D2DDE6CEE82813F4ED9D
SHA1:	45614E9485EF4EEAD572387D9DD69480D1C79888
SHA-256:	8F7CD246CA33FC6FF7ED3C425842EEC6433FCDA26F4603C26C3A498273AE83CB
SHA-512:	5AB487F6AE9F2E749114FE50DB1EF9FB181B3B0968C92AA787362C59788376FF50F6411ECFAE835CD1001B68E9B1961398A695AB16D5412F09E49A44A769F5EE
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xdwdChrome.exe.log

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	642
Entropy (8bit):	5.349816875832946
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1WzAbDLI4MNepQZaOKbbDLI4MWuPOKfSSI6Khav:ML9E4KQMsXE4NpOKDE4KGKZI6Khk
MD5:	CE2C9B879749D2DDE6CEE82813F4ED9D
SHA1:	45614E9485EF4EEAD572387D9DD69480D1C79888
SHA-256:	8F7CD246CA33FC6FF7ED3C425842EEC6433FCDA26F4603C26C3A498273AE83CB
SHA-512:	5AB487F6AE9F2E749114FE50DB1EF9FB181B3B0968C92AA787362C59788376FF50F6411ECFAE835CD1001B68E9B1961398A695AB16D5412F09E49A44A769F5EE
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	390144
Entropy (8bit):	6.403960503954171
Encrypted:	false
SSDEEP:	6144:sf6cYir38TnRwWT6Kydo0O/fKIe8r+HJOnHHCShDETb7:cnYiIlwBKD/fE8r+HJOnCSm
MD5:	3D6E1D057586142252BFDA5C5F551F55
SHA1:	315FF32C3874CE106F451024492CA92AB5067314
SHA-256:	D70343CA7AB0028FB1218096640E1327F7BD204F1EB924C3AF6F30C63F39859A
SHA-512:	81763C824DB95773EF0F945E0A93E9025F86C3CF50EB471F42D14F317685A626F99D91C20A3F1FD51316F35D6A6AC48ED80956DD467D5E89EAB7585C65FE8EEE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42% Antivirus: Virustotal, Detection: 58%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...a..f.........."...0.................. ....@...... .......................@............@.......................................................... ..=............................................................................................ ..H............text........ ...................... ..`.rsrc...=.... ......................@..@........................................H........P..(.......{....+...$..........................................".(V....".(W....".(X....".(Y....".(Z....".([....".(\....".(^....".(`....".(a....".(b....".(c....".(d....".(e....".(f....".(g....".(h....".(i....".(j....".(k....".(l....".(m....".(n....".(o....".(p....".(q....".(r....".(s....".(t....".(u....".(v....".(~....".(.....".(.....".(.....".(.....".(.....".(.....".(.....".(.....".(.....".(.....".(.....".(.....".(.....".(.....".

C:\Windows\svchost.exe

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	390144
Entropy (8bit):	6.403960503954171
Encrypted:	false
SSDEEP:	6144:sf6cYir38TnRwWT6Kydo0O/fKIe8r+HJOnHHCShDETb7:cnYiIlwBKD/fE8r+HJOnCSm
MD5:	3D6E1D057586142252BFDA5C5F551F55
SHA1:	315FF32C3874CE106F451024492CA92AB5067314
SHA-256:	D70343CA7AB0028FB1218096640E1327F7BD204F1EB924C3AF6F30C63F39859A
SHA-512:	81763C824DB95773EF0F945E0A93E9025F86C3CF50EB471F42D14F317685A626F99D91C20A3F1FD51316F35D6A6AC48ED80956DD467D5E89EAB7585C65FE8EEE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42% Antivirus: Virustotal, Detection: 58%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...a..f.........."...0.................. ....@...... .......................@............@.......................................................... ..=............................................................................................ ..H............text........ ...................... ..`.rsrc...=.... ......................@..@........................................H........P..(.......{....+...$..........................................".(V....".(W....".(X....".(Y....".(Z....".([....".(\....".(^....".(`....".(a....".(b....".(c....".(d....".(e....".(f....".(g....".(h....".(i....".(j....".(k....".(l....".(m....".(n....".(o....".(p....".(q....".(r....".(s....".(t....".(u....".(v....".(~....".(.....".(.....".(.....".(.....".(.....".(.....".(.....".(.....".(.....".(.....".(.....".(.....".(.....".(.....".

C:\Windows\xdwd.dll

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	5.068434958112967
Encrypted:	false
SSDEEP:	3072:t0iX+jLyDcqaH9a6DFHo6MjD7VbZaZaZ8Xwlk4MHWZpt:t07yDSvdoRj2up
MD5:	16E5A492C9C6AE34C59683BE9C51FA31
SHA1:	97031B41F5C56F371C28AE0D62A2DF7D585ADABA
SHA-256:	35C8D022E1D917F1AABDCEAE98097CCC072161B302F84C768CA63E4B32AC2B66
SHA-512:	20FD369172EF5E3E2FDE388666B42E8FE5F0C2BFA338C0345F45E98AF6561A249BA3ECC48C3F16EFCC73F02ECB67B3DDB1E2E8F0E77D18FA00AC34E6379E50B6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_SheetRat, Description: Yara detected SheetRat, Source: C:\Windows\xdwd.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 62% Antivirus: Virustotal, Detection: 66%, Browse
Joe Sandbox View:	Filename: Server.exe, Detection: malicious, Browse Filename: beK7HmoXro.exe, Detection: malicious, Browse Filename: bJLd0SUHfj.exe, Detection: malicious, Browse Filename: TYLtsVPB7g.exe, Detection: malicious, Browse Filename: FWH67NqQmR.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Y..8...8...8...S...8...S...8...S..\|8...M...8...M...8...M...8...S...8...8...8..;M...8..;MT..8..;M...8..Rich.8..................PE..d......d.........." .................6....................................... ............`.................................................$...(...............................h....i..p............................j..8............................................text............................... ..`.rdata..6...........................@..@.data...(!..........................@....pdata..............................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..h...........................@..B.0Dev.... ....... .................. ..`................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.403960503954171
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe
File size:	390'144 bytes
MD5:	3d6e1d057586142252bfda5c5f551f55
SHA1:	315ff32c3874ce106f451024492ca92ab5067314
SHA256:	d70343ca7ab0028fb1218096640e1327f7bd204f1eb924c3af6f30c63f39859a
SHA512:	81763c824db95773ef0f945e0a93e9025f86c3cf50eb471f42d14f317685a626f99d91c20a3f1fd51316f35d6a6ac48ed80956dd467d5e89eab7585c65fe8eee
SSDEEP:	6144:sf6cYir38TnRwWT6Kydo0O/fKIe8r+HJOnHHCShDETb7:cnYiIlwBKD/fE8r+HJOnCSm
TLSH:	228481686FA58A42E6842A3E85D70D01C72250F233237343371BFB725E45ADEDEAD1D6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...a..f.........."...0.................. ....@...... .......................@............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CCF161 [Mon Aug 26 21:19:29 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x62000	0x63d	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5e9e8	0x5ea00	75785557d49bb97adf7b688ba8a9fd73	False	0.5646672721268163	data	6.415828295538628	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x62000	0x63d	0x800	ba4da90537330157db48292b2f05374e	False	0.35986328125	data	3.5971536636367016	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x620a0	0x3ac	data	English	United States	0.45
RT_MANIFEST	0x6244c	0x1f1	XML 1.0 document, ASCII text, with CRLF line terminators			0.5472837022132797

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 23, 2024 11:21:05.325195074 CEST	49711	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:21:05.332098961 CEST	21093	49711	147.185.221.17	192.168.2.6
Sep 23, 2024 11:21:05.332191944 CEST	49711	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:21:05.351538897 CEST	49711	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:21:05.356940985 CEST	21093	49711	147.185.221.17	192.168.2.6
Sep 23, 2024 11:21:26.705773115 CEST	21093	49711	147.185.221.17	192.168.2.6
Sep 23, 2024 11:21:26.705873013 CEST	49711	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:21:26.921915054 CEST	49711	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:21:26.923041105 CEST	49717	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:21:26.927098989 CEST	21093	49711	147.185.221.17	192.168.2.6
Sep 23, 2024 11:21:26.928169966 CEST	21093	49717	147.185.221.17	192.168.2.6
Sep 23, 2024 11:21:26.928288937 CEST	49717	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:21:26.928586960 CEST	49717	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:21:26.933659077 CEST	21093	49717	147.185.221.17	192.168.2.6
Sep 23, 2024 11:21:48.348813057 CEST	21093	49717	147.185.221.17	192.168.2.6
Sep 23, 2024 11:21:48.349052906 CEST	49717	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:21:48.601540089 CEST	49717	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:21:48.607021093 CEST	21093	49717	147.185.221.17	192.168.2.6
Sep 23, 2024 11:21:48.735968113 CEST	56213	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:21:48.741230965 CEST	21093	56213	147.185.221.17	192.168.2.6
Sep 23, 2024 11:21:48.741425037 CEST	56213	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:21:48.746134996 CEST	56213	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:21:48.751338005 CEST	21093	56213	147.185.221.17	192.168.2.6
Sep 23, 2024 11:22:10.110976934 CEST	21093	56213	147.185.221.17	192.168.2.6
Sep 23, 2024 11:22:10.111181021 CEST	56213	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:22:10.312827110 CEST	56213	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:22:10.314263105 CEST	56215	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:22:10.319683075 CEST	21093	56213	147.185.221.17	192.168.2.6
Sep 23, 2024 11:22:10.321891069 CEST	21093	56215	147.185.221.17	192.168.2.6
Sep 23, 2024 11:22:10.321971893 CEST	56215	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:22:10.322354078 CEST	56215	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:22:10.327146053 CEST	21093	56215	147.185.221.17	192.168.2.6
Sep 23, 2024 11:22:31.703845978 CEST	21093	56215	147.185.221.17	192.168.2.6
Sep 23, 2024 11:22:31.703950882 CEST	56215	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:22:31.906542063 CEST	56215	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:22:31.907769918 CEST	56216	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:22:31.912550926 CEST	21093	56215	147.185.221.17	192.168.2.6
Sep 23, 2024 11:22:31.913395882 CEST	21093	56216	147.185.221.17	192.168.2.6
Sep 23, 2024 11:22:31.913481951 CEST	56216	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:22:31.913862944 CEST	56216	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:22:31.918994904 CEST	21093	56216	147.185.221.17	192.168.2.6
Sep 23, 2024 11:22:53.313009977 CEST	21093	56216	147.185.221.17	192.168.2.6
Sep 23, 2024 11:22:53.313105106 CEST	56216	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:22:53.515660048 CEST	56216	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:22:53.517911911 CEST	56218	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:22:53.520559072 CEST	21093	56216	147.185.221.17	192.168.2.6
Sep 23, 2024 11:22:53.522898912 CEST	21093	56218	147.185.221.17	192.168.2.6
Sep 23, 2024 11:22:53.522996902 CEST	56218	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:22:53.524066925 CEST	56218	21093	192.168.2.6	147.185.221.17
Sep 23, 2024 11:22:53.529042006 CEST	21093	56218	147.185.221.17	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 23, 2024 11:21:05.279608965 CEST	61653	53	192.168.2.6	1.1.1.1
Sep 23, 2024 11:21:05.315421104 CEST	53	61653	1.1.1.1	192.168.2.6
Sep 23, 2024 11:21:33.429485083 CEST	53	54846	162.159.36.2	192.168.2.6
Sep 23, 2024 11:21:33.911623001 CEST	56861	53	192.168.2.6	1.1.1.1
Sep 23, 2024 11:21:33.918771982 CEST	53	56861	1.1.1.1	192.168.2.6
Sep 23, 2024 11:21:48.622703075 CEST	65342	53	192.168.2.6	1.1.1.1
Sep 23, 2024 11:21:48.656691074 CEST	53	65342	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 23, 2024 11:21:05.279608965 CEST	192.168.2.6	1.1.1.1	0x97a0	Standard query (0)	everyone-subjective.gl.at.ply.gg	A (IP address)	IN (0x0001)	false
Sep 23, 2024 11:21:33.911623001 CEST	192.168.2.6	1.1.1.1	0x1028	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 23, 2024 11:21:48.622703075 CEST	192.168.2.6	1.1.1.1	0x7c1f	Standard query (0)	everyone-subjective.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 23, 2024 11:21:05.315421104 CEST	1.1.1.1	192.168.2.6	0x97a0	No error (0)	everyone-subjective.gl.at.ply.gg		147.185.221.17	A (IP address)	IN (0x0001)	false
Sep 23, 2024 11:21:33.918771982 CEST	1.1.1.1	192.168.2.6	0x1028	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Sep 23, 2024 11:21:48.656691074 CEST	1.1.1.1	192.168.2.6	0x7c1f	No error (0)	everyone-subjective.gl.at.ply.gg		147.185.221.17	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	05:21:01
Start date:	23/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe"
Imagebase:	0xea0000
File size:	390'144 bytes
MD5 hash:	3D6E1D057586142252BFDA5C5F551F55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SheetRat, Description: Yara detected SheetRat, Source: 00000000.00000002.2168941941.00000000130F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	05:21:02
Start date:	23/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	05:21:02
Start date:	23/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" netsh advfirewall firewall add rule name=")e7`;$<w;7R";h" dir=in action=allow program="C:\Windows\svchost.exe" enable=yes & exit
Imagebase:	0x7ff711cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	4
Start time:	05:21:02
Start date:	23/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	5
Start time:	05:21:02
Start date:	23/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "NvDriverUpdateCheckDaily" /tr "C:\Windows\svchost.exe" /RL HIGHEST & exit
Imagebase:	0x7ff711cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	05:21:02
Start date:	23/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	05:21:02
Start date:	23/09/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /create /f /sc minute /mo 1 /tn "NvDriverUpdateCheckDaily" /tr "C:\Windows\svchost.exe" /RL HIGHEST
Imagebase:	0x7ff6ea6c0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	05:21:03
Start date:	23/09/2024
Path:	C:\Windows\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\svchost.exe
Imagebase:	0x2b0000
File size:	390'144 bytes
MD5 hash:	3D6E1D057586142252BFDA5C5F551F55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs Detection: 58%, Virustotal, Browse
Reputation:	low
Has exited:	false

Target ID:	9
Start time:	05:21:03
Start date:	23/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "NvNodeLauncher" /tr "C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe" /RL HIGHEST & exit
Imagebase:	0x7ff711cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	05:21:03
Start date:	23/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	11
Start time:	05:21:03
Start date:	23/09/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /create /f /sc minute /mo 30 /tn "NvNodeLauncher" /tr "C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe" /RL HIGHEST
Imagebase:	0x7ff6ea6c0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	05:21:04
Start date:	23/09/2024
Path:	C:\Windows\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\svchost.exe"
Imagebase:	0xe20000
File size:	390'144 bytes
MD5 hash:	3D6E1D057586142252BFDA5C5F551F55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	13
Start time:	05:21:05
Start date:	23/09/2024
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\xdwdChrome.exe
Imagebase:	0x4c0000
File size:	390'144 bytes
MD5 hash:	3D6E1D057586142252BFDA5C5F551F55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs Detection: 58%, Virustotal, Browse
Reputation:	low
Has exited:	true