File name: Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88

Full analysis: https://app.any.run/tasks/a11904c7-4d1f-4163-8482-156f9962e189
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: May 15, 2025, 16:29:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
trox
stealer
python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 12 sections
MD5: F50A72F56F2420BD7E103C0B8DA50A00
SHA1: E4E1F84624D5E5A062C7DABFBDC1F43582BE953A
SHA256: 3AA478D9DD262A90FBA84AFC1CD7203136222852D7DD6B3EC0E78974F0C4BB88
SSDEEP: 196608:ecd4DlSVb7QR/efZy+UOaxB3MEITSzHJN:ecGG0oRyPR//ITSzp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • TROX has been detected

      • Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe (PID: 2108)
  • SUSPICIOUS

    • Process drops python dynamic module

      • Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe (PID: 2108)
    • Executable content was dropped or overwritten

      • Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe (PID: 2108)
    • The process drops C-runtime libraries

      • Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe (PID: 2108)
    • Process drops legitimate windows executable

      • Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe (PID: 2108)
    • Loads Python modules

      • Update.exe (PID: 2088)
    • Reads security settings of Internet Explorer

      • Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe (PID: 2108)
  • INFO

    • Checks supported languages

      • Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe (PID: 2108)
      • Update.exe (PID: 2088)
    • Create files in a temporary directory

      • Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe (PID: 2108)
    • The sample compiled with english language support

      • Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe (PID: 2108)
    • Reads the computer name

      • Update.exe (PID: 2088)
      • Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe (PID: 2108)
    • Checks proxy server information

      • slui.exe (PID: 5244)
    • Reads the software policy settings

      • slui.exe (PID: 5244)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:02 21:29:09+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.43
CodeSize: 113664
InitializedDataSize: 20303872
UninitializedDataSize: 155136
EntryPoint: 0x10f6
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Discord, Inc
ProductName: Update
ProductVersion: 1.0.0.0
FileVersion: 1.0.0.0
OriginalFileName: Update.exe
InternalName: Update
FileDescription: Update.exe
No data.
All screenshots are available in the full report
Total processes: 127
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph (interactive view in the full report): #TROX sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe, update.exe (no specs), slui.exe, sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe (no specs)

Process information

PID: 672
CMD: "C:\Users\admin\Desktop\Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe"
Path: C:\Users\admin\Desktop\Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe
Parent process: explorer.exe
User: admin
Company: Discord, Inc
Integrity Level: MEDIUM
Description: Update.exe
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe
c:\windows\system32\ntdll.dll

PID: 2088
CMD: C:\Users\admin\Desktop\Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe
Path: C:\Users\admin\AppData\Local\Temp\onefile_2108_133918001569559606\Update.exe
Parent process: Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\onefile_2108_133918001569559606\update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

PID: 2108
CMD: "C:\Users\admin\Desktop\Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe"
Path: C:\Users\admin\Desktop\Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe
Parent process: explorer.exe
User: admin
Company: Discord, Inc
Integrity Level: HIGH
Description: Update.exe
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

PID: 5244
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 4 033
Read events: 4 033
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 66
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type (MD5 and SHA256 follow each entry)
2108 | Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe | C:\Users\admin\AppData\Local\Temp\onefile_2108_133918001569559606\Update.exe | -
MD5:
SHA256:
2108 | Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe | C:\Users\admin\AppData\Local\Temp\onefile_2108_133918001569559606\_hashlib.pyd | executable
MD5:D0A2127B7AA88B6A47C170C933402438
SHA256:2598B1D5AF9606A85CF8BA00EB5E0EFB5C405BE3AD852D1B070D08E0EE34C526
2108 | Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe | C:\Users\admin\AppData\Local\Temp\onefile_2108_133918001569559606\_decimal.pyd | executable
MD5:5D54C76A09515D513AAB1DD43C401418
SHA256:E8861C23B443F846CF25F06B6F49BA20CFDD0C383C890F9F60C7A0AC376AC22E
2108 | Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe | C:\Users\admin\AppData\Local\Temp\onefile_2108_133918001569559606\_overlapped.pyd | executable
MD5:E9436905D28DEAEF3B04E1FE2F05D7C3
SHA256:B341E788F0E90149B24B3176A6EFB2FE1A3677BCA5E2A24EF314D24BE32EE983
2108 | Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe | C:\Users\admin\AppData\Local\Temp\onefile_2108_133918001569559606\_bz2.pyd | executable
MD5:8BD61EA798D1E3EF58548480ED8EE956
SHA256:D3214E53519B65A07211F44C2BF8C6464B6CD11308561FA48967C8D2E97C1CAC
2108 | Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe | C:\Users\admin\AppData\Local\Temp\onefile_2108_133918001569559606\_elementtree.pyd | executable
MD5:31DB8F46221E06E997C0FA3ECC07D206
SHA256:FE2BCFFA16218207B12353805A3A0FA2CDF1C3759D23D032F947A68496782091
2108 | Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe | C:\Users\admin\AppData\Local\Temp\onefile_2108_133918001569559606\_lzma.pyd | executable
MD5:9EC7F84B1976B469C4FA4001D5FF4412
SHA256:14762C570A210D196F5FC8F89C792E093B0875695251D490CBD4BA79C8F64999
2108 | Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe | C:\Users\admin\AppData\Local\Temp\onefile_2108_133918001569559606\_cffi_backend.pyd | executable
MD5:FCB71CE882F99EC085D5875E1228BDC1
SHA256:86F136553BA301C70E7BADA8416B77EB4A07F76CCB02F7D73C2999A38FA5FA5B
2108 | Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe | C:\Users\admin\AppData\Local\Temp\onefile_2108_133918001569559606\_multiprocessing.pyd | executable
MD5:32150BED522E6C151FEF8027AD4691E0
SHA256:75CB11E3884F408016177B17D1717B066DDF71A59FD07836808703EDF5683B62
2108 | Sigmanly_3aa478d9dd262a90fba84afc1cd7203136222852d7dd6b3ec0e78974f0c4bb88.exe | C:\Users\admin\AppData\Local\Temp\onefile_2108_133918001569559606\_wmi.pyd | executable
MD5:39FCA3CD9A98B14C4E47225EE28063D3
SHA256:9E65EE7978BFE5B5A392B6DF8279D2F97ED8B0F36F8F89DA4AD28C7866B92432
HTTP(S) requests: 2
TCP/UDP connections: 21
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.48.23.191:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 23.48.23.191:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5328 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5244 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.206 | whitelisted
crl.microsoft.com | 23.48.23.191, 23.48.23.173, 23.48.23.169, 23.48.23.162, 23.48.23.174, 23.48.23.193, 23.48.23.166, 23.48.23.177, 23.48.23.192 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats: No threats detected

Debug info: No debug info