File name: Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6

Full analysis: https://app.any.run/tasks/767c6522-4ea6-400e-ad73-39a6127c8afe
Verdict: Malicious activity
Analysis date: May 15, 2025, 16:04:24
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: evasion, auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: EA69C9DEE27BBA0462ED0C4390ADCF59
SHA1: 46785D4786CCD0AEE92A9447786EEB031B97E179
SHA256: 2730247A1802633EFF378BFEF73CF0975A1670B149BA0DFEFA8E4B0C96800CA6
SSDEEP: 3072:O6kpJLVBJTIYrGU2kQiD25B7KUunRCckSQLeGQYwxA263aHnLGb5t8gdxi:OJpvD/HQZ5B7KUuMcklLeREH0gdxi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe (PID: 4408)
      • Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe (PID: 5548)
  • SUSPICIOUS

    • Start notepad (likely ransomware note)

      • Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe (PID: 4408)
      • Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe (PID: 5548)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe (PID: 4408)
      • Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe (PID: 5548)
    • Executes application which crashes

      • notepad.exe (PID: 6644)
      • notepad.exe (PID: 6676)
  • INFO

    • Auto-launch of the file from Registry key

      • Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe (PID: 4408)
      • Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe (PID: 5548)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 3304)
      • WerFault.exe (PID: 5400)
    • Reads the computer name

      • Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe (PID: 4408)
      • Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe (PID: 5548)
    • Checks supported languages

      • Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe (PID: 4408)
      • Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe (PID: 5548)
    • Manual execution by a user

      • Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe (PID: 5548)
    • Checks proxy server information

      • slui.exe (PID: 968)
    • Reads the software policy settings

      • slui.exe (PID: 968)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:16 19:40:13+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.39
CodeSize: 140800
InitializedDataSize: 58880
UninitializedDataSize: -
EntryPoint: 0xa45c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 135
Monitored processes: 8
Malicious processes: 0
Suspicious processes: 3

Behavior graph

Processes in the graph (in order): start, sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe, notepad.exe, werfault.exe (no specs), svchost.exe, sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe, notepad.exe, werfault.exe (no specs), slui.exe

Process information

Each entry lists PID, command line (CMD), image path, indicators, parent process, then process details and loaded modules (images).

PID: 968
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\svchost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\kernel.appcore.dll
PID: 3304
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6644 -s 376
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: notepad.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\werfault.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\msvcrt.dll
  • c:\windows\syswow64\combase.dll
PID: 4408
CMD: "C:\Users\admin\Desktop\Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe"
Path: C:\Users\admin\Desktop\Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\users\admin\desktop\sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\ws2_32.dll
PID: 5400
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6676 -s 368
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: notepad.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\werfault.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\msvcrt.dll
  • c:\windows\syswow64\combase.dll
PID: 5548
CMD: C:\Users\admin\Desktop\Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe
Path: C:\Users\admin\Desktop\Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\users\admin\desktop\sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\ws2_32.dll
  • c:\windows\syswow64\rpcrt4.dll
PID: 6644
CMD: "C:\Windows\System32\notepad.exe"
Path: C:\Windows\SysWOW64\notepad.exe
Parent process: Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 3221225477
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\notepad.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\gdi32.dll
PID: 6676
CMD: "C:\Windows\System32\notepad.exe"
Path: C:\Windows\SysWOW64\notepad.exe
Parent process: Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 3221225477
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\notepad.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\gdi32.dll
  • c:\windows\syswow64\win32u.dll
Total events: 8 347
Read events: 8 345
Write events: 2
Delete events: 0

Modification events

PID: 4408
Process: Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: PCMonitor
Value: C:\Users\admin\Desktop\Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe

PID: 5548
Process: Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: PCMonitor
Value: C:\Users\admin\Desktop\Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe
Executable files: 0
Suspicious files: 6
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3304 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_notepad.exe_f021b6b2df45f20bcc7d64dbf7c8383609daf4a_28b0c9c3_abd29223-87b7-4c1d-8d0e-fc05111787a9\Report.wer | | |
5400 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_notepad.exe_673cf35dd28f6cb632be9e45219a2a58e48946_28b0c9c3_4408fec5-f5d0-4ab9-8ca0-8eb02b28e704\Report.wer | | |
5400 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E60.tmp.dmp | binary | 34C8B044D726D7936BDDC5BA49545B24 | 01286DFDFD752424BB25A9441D0111D4CD92A0F567280C8982215D2BD5D3A52A
5400 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E90.tmp.WERInternalMetadata.xml | binary | ED77E9CAE9B670EDAEC5CA4FEE71F4E1 | A3DD761B24805DFA4372F3EDA14B5EED77D62EB56F39BDD13EE3DF1118E48817
3304 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERC1CB.tmp.dmp | binary | F852212CCFFBA57C5CE7B757FC7C3CA4 | EC436605C76A880D0EF517046A941AD0B54B2CDBAFE06E8C7CE27B22D7036A70
5400 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\notepad.exe.6676.dmp | binary | 52BF691F224BBFBA97E08BC0AD5D3185 | 93940A45C7554526D48F44F5B3805F65BAF88FD6E01AA89C9659FDC93CEEBDA7
3304 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERC249.tmp.WERInternalMetadata.xml | binary | DA23A96809E1953BD3D7A3B4FC0D588F | 3364EC793FF35B549B4C660067E147AB76A2A41E1895F381A7E353997E3107A1
5400 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER2EA0.tmp.xml | xml | 67A18876CE37995DADB066A24E3659AB | 7CA18F62410409786F077C3A20FB814D7D071C890C6383A4D04F753E16D8F7CD
3304 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\notepad.exe.6644.dmp | binary | 0D9F18AA3AF90014234CA461EBBA81AD | 749A2DABA5F2FC33E96D1297E474E3EFF0C0CAB7EC8FB18386CDBC5426D1E971
3304 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERC289.tmp.xml | xml | B9340A2BF8D921F3890970B060368BE4 | 44F41843E34AB44B035B34A4B564068CE317C5613B89627A4844F4EA0A22B503
HTTP(S) requests: 11
TCP/UDP connections: 52
DNS requests: 50
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4408 | Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6516 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
6516 | SIHClient.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
6516 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6516 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
6516 | SIHClient.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
6516 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
6516 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4408 | Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | whitelisted
2104 | svchost.exe | 2.20.245.139:80 | crl.microsoft.com | Akamai International B.V. | SE | whitelisted
2104 | svchost.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.159.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.124.78.146, 51.104.136.2 | whitelisted
google.com | 172.217.18.14 | whitelisted
ip-api.com | 208.95.112.1 | whitelisted
iamnotarobot.sbs | (no resolution) | malicious
crl.microsoft.com | 2.20.245.139, 2.20.245.137 | whitelisted
www.microsoft.com | 23.219.150.101, 95.101.149.131 | whitelisted
client.wns.windows.com | 172.211.123.250, 172.211.123.249 | whitelisted
login.live.com | 20.190.159.2, 40.126.31.69, 40.126.31.2, 40.126.31.71, 20.190.159.128, 40.126.31.73, 40.126.31.128, 40.126.31.131 | whitelisted
slscr.update.microsoft.com | 52.149.20.212 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.95.31.18 | whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
2196 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
4408 | Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ip-api.com
2196 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
2196 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
5548 | Sigmanly_2730247a1802633eff378bfef73cf0975a1670b149ba0dfefa8e4b0c96800ca6.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ip-api.com
No debug info