File name:

Sigmanly_36142ac0131124372ef6fc0f64df925623f43b687bf65d75e465140b770b61cc

Full analysis: https://app.any.run/tasks/293dab6e-1af0-4825-8b52-fc00560e012d
Verdict: Malicious activity
Analysis date: May 15, 2025, 15:16:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

A0AC458279AD8ACD2E85CA8E6BCFBFC2

SHA1:

486E5FD36F91B0FAF5E3248AA72958ABB2B55F10

SHA256:

36142AC0131124372EF6FC0F64DF925623F43B687BF65D75E465140B770B61CC

SSDEEP:

3072:ad1zfbNcZ9G11tqUdza5L4X4rEOopFkJcDX9O5Qd999995SE7Y4J2n4GZyUXP9p6:yPiM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Connects to the CnC server

      • Sigmanly_36142ac0131124372ef6fc0f64df925623f43b687bf65d75e465140b770b61cc.exe (PID: 7652)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Reads the machine GUID from the registry

      • Sigmanly_36142ac0131124372ef6fc0f64df925623f43b687bf65d75e465140b770b61cc.exe (PID: 7652)

    • Checks supported languages

      • Sigmanly_36142ac0131124372ef6fc0f64df925623f43b687bf65d75e465140b770b61cc.exe (PID: 7652)

    • Checks proxy server information

      • slui.exe (PID: 8136)

    • Reads the software policy settings

      • slui.exe (PID: 8136)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:18 21:00:43+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.41
CodeSize: 49152
InitializedDataSize: 18944
UninitializedDataSize: -
EntryPoint: 0x1240
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start sigmanly_36142ac0131124372ef6fc0f64df925623f43b687bf65d75e465140b770b61cc.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7652"C:\Users\admin\Desktop\Sigmanly_36142ac0131124372ef6fc0f64df925623f43b687bf65d75e465140b770b61cc.exe" C:\Users\admin\Desktop\Sigmanly_36142ac0131124372ef6fc0f64df925623f43b687bf65d75e465140b770b61cc.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\sigmanly_36142ac0131124372ef6fc0f64df925623f43b687bf65d75e465140b770b61cc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
8136C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 369
Read events
3 369
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
54
DNS requests
16
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2104
svchost.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7652
Sigmanly_36142ac0131124372ef6fc0f64df925623f43b687bf65d75e465140b770b61cc.exe
POST
409
172.67.178.5:80
http://badnesspandemic.shop/Up
unknown
malicious
7652
Sigmanly_36142ac0131124372ef6fc0f64df925623f43b687bf65d75e465140b770b61cc.exe
GET
409
172.67.178.5:80
http://badnesspandemic.shop/ujs/1ebc820c-f85b-4421-8937-ddd717154b24
unknown
malicious
7948
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7948
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7948
SIHClient.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7948
SIHClient.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7948
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7948
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
2104
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7652
Sigmanly_36142ac0131124372ef6fc0f64df925623f43b687bf65d75e465140b770b61cc.exe
172.67.178.5:80
CLOUDFLARENET
US
malicious
6544
svchost.exe
20.190.159.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
  • 2.16.164.49
  • 2.16.164.72
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.246.101
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.64
  • 20.190.159.71
  • 20.190.159.131
  • 40.126.31.131
  • 40.126.31.130
  • 40.126.31.129
  • 20.190.159.73
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted

Threats

PID
Process
Class
Message
7652
Sigmanly_36142ac0131124372ef6fc0f64df925623f43b687bf65d75e465140b770b61cc.exe
A Network Trojan was detected
ET MALWARE ACR Stealer CnC Checkin Attempt
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Sigmanly_36142ac0131124372ef6fc0f64df925623f43b687bf65d75e465140b770b61cc