File name: Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c

Full analysis: https://app.any.run/tasks/62dcde45-e859-4482-a481-fbe37fbf6e77
Verdict: Malicious activity
Analysis date: March 26, 2025, 15:53:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive, 4 sections
MD5: 36B88174F8B8D26D3E7935EEDDD660BE
SHA1: 64323A23F6A3D82683FB7C89E7D79EA73BA4FF7C
SHA256: 3F915535179D76AE618A91A0D1CBB9CCB7E46EF3E1851BC2268FF6C3D94A562C
SSDEEP: 196608:LhWd2gxP/TNcI8gvMRKfySexNjvEF2KlbIVvooWIucM:LhA7xP/NDDfyS8NwF2KhIVvJub

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe (PID: 7452)
      • Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe (PID: 7404)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe (PID: 7452)
      • dxlsetup-ma.exe (PID: 7832)
    • Executes application which crashes

      • Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe (PID: 7452)
    • Searches for installed software

      • dxlsetup-ma.exe (PID: 7832)
  • INFO

    • Checks supported languages

      • Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe (PID: 7452)
      • dxlsetup-ma.exe (PID: 7832)
    • Reads the computer name

      • Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe (PID: 7452)
      • dxlsetup-ma.exe (PID: 7832)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 7592)
    • Manual execution by a user

      • dxlsetup-ma.exe (PID: 7832)
      • OpenWith.exe (PID: 7888)
      • OpenWith.exe (PID: 7968)
    • Create files in a temporary directory

      • Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe (PID: 7452)
      • dxlsetup-ma.exe (PID: 7832)
    • The sample compiled with english language support

      • dxlsetup-ma.exe (PID: 7832)
      • Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe (PID: 7452)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 7888)
      • OpenWith.exe (PID: 7968)
    • Checks proxy server information

      • slui.exe (PID: 8040)
    • Reads the software policy settings

      • slui.exe (PID: 8040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:07:05 10:27:21+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 172032
InitializedDataSize: 81408
UninitializedDataSize: -
EntryPoint: 0x752c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 5.7.7.378
ProductVersionNumber: 5.7.7.378
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Musarubra US LLC.
FileDescription: Framework Package Stub
FileVersion: 5.7.7.378
InternalName: wstub32.exe
LegalCopyright: Copyright (C) 2022 Musarubra US LLC. All rights reserved
OriginalFileName: wstub32.exe
ProductName: Trellix Agent
ProductVersion: 5.7.7.378
No data.
All screenshots are available in the full report
Total processes: 130
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Processes in launch order ("no specs" means the process triggered no indicators):
  • sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
  • werfault.exe (no specs)
  • dxlsetup-ma.exe
  • openwith.exe (no specs)
  • openwith.exe (no specs)
  • slui.exe
  • sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe (no specs)

Process information

PID: 7404
CMD: "C:\Users\admin\Desktop\Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe"
Path: C:\Users\admin\Desktop\Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
Parent process: explorer.exe
User: admin
Company: Musarubra US LLC.
Integrity Level: MEDIUM
Description: Framework Package Stub
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the stub asked for elevation, consistent with the HIGH-integrity instance recorded as PID 7452)
Version: 5.7.7.378
Modules (images):
c:\users\admin\desktop\sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 7452
CMD: "C:\Users\admin\Desktop\Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe"
Path: C:\Users\admin\Desktop\Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
Parent process: explorer.exe
User: admin
Company: Musarubra US LLC.
Integrity Level: HIGH
Description: Framework Package Stub
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION: the crash that WerFault.exe PID 7592 was started for, as its "-p 7452" argument shows)
Version: 5.7.7.378
Modules (images):
c:\users\admin\desktop\sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 7592
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7452 -s 360
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

PID: 7832
CMD: "C:\Users\admin\Desktop\dxlsetup-ma.exe"
Path: C:\Users\admin\Desktop\dxlsetup-ma.exe
Parent process: explorer.exe
User: admin
Company: Trellix
Integrity Level: MEDIUM
Description: Trellix Data Exchange Layer for MA
Exit code: (none recorded; the process was still running when the analysis ended)
Version: 6.0.3.847
Modules (images):
c:\users\admin\desktop\dxlsetup-ma.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 7888
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\dxdet.mcs
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 2147943623 (0x800704C7, HRESULT wrapping Win32 ERROR_CANCELLED: the "Pick an app" dialog for the .mcs file was dismissed)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 7968
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\dxinst.mcs
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 2147943623 (0x800704C7, HRESULT wrapping Win32 ERROR_CANCELLED: the "Pick an app" dialog for the .mcs file was dismissed)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 8040
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 6 243
Read events: 6 237
Write events: 3
Delete events: 3

Modification events

(PID) Process: (7592) WerFault.exe
Key: \REGISTRY\A\{dfacd4c3-df55-cd1d-d1de-7c321398f8a9}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1

(PID) Process: (7592) WerFault.exe
Key: \REGISTRY\A\{dfacd4c3-df55-cd1d-d1de-7c321398f8a9}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value: (empty)

Executable files: 8
Suspicious files: 13
Text files: 21
Unknown types: 0

Dropped files

PID: 7452
Process: Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfe97DC2CBD-B82E-4BE6-97EA-B10508D62C76.tmp\__temp.zip
Type: (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

PID: 7452
Process: Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfe97DC2CBD-B82E-4BE6-97EA-B10508D62C76.tmp\Shared.cab
Type: (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

PID: 7452
Process: Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfe97DC2CBD-B82E-4BE6-97EA-B10508D62C76.tmp\BootstrapInfo.xml
Type: xml
MD5: 4491B8E18CEF975FDA9290FE816D6765
SHA256: 0DD5800FE2DC803C1601E0C4921EBEC837AFCD95732BCA155C3A3F49EE2EE69E

PID: 7452
Process: Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfe97DC2CBD-B82E-4BE6-97EA-B10508D62C76.tmp\FrmInst.exe
Type: executable
MD5: C7718F71EAE8DF5475844ED9488F42FD
SHA256: 3F789E38CB7D54A08DDDCCBBF8B60A55718BE915226626EA11CE3262FB2E3B2E

PID: 7452
Process: Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfe97DC2CBD-B82E-4BE6-97EA-B10508D62C76.tmp\reqseckey.bin
Type: binary
MD5: FF4925240A17E49B567C3589BC35D59E
SHA256: 32C90B32DFCBA3748B8AE0CC63A042AFB863FB3BA5402D399BA8C7C4DB5B2930

PID: 7592
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Sigmanly_3f91553_6d36d36d3c536f1e5fdbcad541135c314ab7c250_576b931e_d4bc239f-1218-47e1-a7b4-dddcc521bab2\Report.wer
Type: (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

PID: 7452
Process: Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfe97DC2CBD-B82E-4BE6-97EA-B10508D62C76.tmp\SiteList.xml
Type: text
MD5: 7124B364EA9EE88565389686C04BC4ED
SHA256: 2A8FAE15CDF7871098482DF80501FBD2D35CA2AFA725FFC178B4B647A3342E53

PID: 7592
Process: WerFault.exe
Filename: C:\Windows\appcompat\Programs\Amcache.hve
Type: binary
MD5: 1156BCA24F3241456B8F5070C0DC1F6B
SHA256: B142A6CB409B7556140EAFB9C77A0833B0A876429378A05EC4488EAA29B178CF

PID: 7452
Process: Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfe97DC2CBD-B82E-4BE6-97EA-B10508D62C76.tmp\agentfipsmode
Type: binary
MD5: CFCD208495D565EF66E7DFF9F98764DA
SHA256: 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9

PID: 7452
Process: Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfe97DC2CBD-B82E-4BE6-97EA-B10508D62C76.tmp\srpubkey.bin
Type: binary
MD5: C2906AA3D3862E1A258A356ABE3F831B
SHA256: CC17B19171ABE7D69BDAB39A347AF4FEF1492173D547FDF7E86E1BCC14FD985F
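Two things in the tables above are worth checking by hand rather than reading off the report: the raw decimal exit codes in the Process information section are NTSTATUS values or HRESULTs, and the hashes of tiny dropped files such as agentfipsmode can be matched against candidate contents offline. The script below is an added triage helper written for this page; it is not ANY.RUN code. The exit codes and the agentfipsmode hashes are transcribed from this report, and the NTSTATUS/Win32 name tables are a small hand-picked subset of the Windows headers, not a full decoder.

```python
"""Triage helpers for the process and dropped-file tables of the report.

Added example for this page, not ANY.RUN code. Exit codes and hashes are
transcribed from the report; the name tables are a small subset of
ntstatus.h / winerror.h chosen for installer and crash scenarios.
"""
import hashlib

# Process exit codes exactly as the report lists them (decimal).
EXIT_CODES = {
    7404: 3221226540,   # first launch of the stub, MEDIUM integrity
    7452: 3221225477,   # relaunched stub, HIGH integrity
    7592: 0,            # WerFault.exe
    7888: 2147943623,   # OpenWith.exe dxdet.mcs
    7968: 2147943623,   # OpenWith.exe dxinst.mcs
    8040: 0,            # slui.exe
}

# Hand-picked subset of NTSTATUS values (ntstatus.h) and Win32 error
# codes (winerror.h); anything outside these tables decodes with name None.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}
WIN32_ERROR_NAMES = {
    5: "ERROR_ACCESS_DENIED",
    740: "ERROR_ELEVATION_REQUIRED",
    1223: "ERROR_CANCELLED",
}


def decode_exit_code(code: int) -> dict:
    """Classify a 32-bit process exit code.

    Severity bits 11 (top two bits) mark an NTSTATUS error; a high word of
    0x8007 marks an HRESULT wrapping a Win32 error (FACILITY_WIN32).
    """
    code &= 0xFFFFFFFF
    result = {"hex": f"0x{code:08X}", "kind": "plain", "name": None}
    if code == 0:
        result["name"] = "SUCCESS"
    elif (code >> 30) == 0b11:
        result["kind"] = "ntstatus"
        result["name"] = NTSTATUS_NAMES.get(code)
    elif (code >> 16) == 0x8007:
        win32 = code & 0xFFFF
        result["kind"] = "hresult_win32"
        result["win32_code"] = win32
        result["name"] = WIN32_ERROR_NAMES.get(win32)
    return result


def summarize_exit_codes(table=EXIT_CODES) -> dict:
    """Decode every exit code in the table, keyed by PID."""
    return {pid: decode_exit_code(code) for pid, code in table.items()}


# Dropped-file hashes from the report for a file small enough that its
# content can be recovered by hashing a handful of candidate values.
DROPPED = {
    "agentfipsmode": (
        "CFCD208495D565EF66E7DFF9F98764DA",
        "5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9",
    ),
}
# Constructed candidate contents for one-character flag files.
CANDIDATES = [b"", b"0", b"1", b"0\n", b"1\n", b"0\r\n", b"1\r\n", b"true", b"false"]


def recover_content(md5_hex: str, sha256_hex: str, candidates=CANDIDATES):
    """Return the candidate whose MD5 and SHA256 both match, else None.

    Requiring both digests to agree rules out a coincidental match on the
    weaker MD5 alone.
    """
    for candidate in candidates:
        if (hashlib.md5(candidate).hexdigest() == md5_hex.lower()
                and hashlib.sha256(candidate).hexdigest() == sha256_hex.lower()):
            return candidate
    return None


if __name__ == "__main__":
    for pid, info in summarize_exit_codes().items():
        print(pid, info)
    for name, (md5_hex, sha256_hex) in DROPPED.items():
        print(name, recover_content(md5_hex, sha256_hex))
```

Run as-is, the script reports PID 7404 as STATUS_ELEVATION_REQUIRED, PID 7452 as STATUS_ACCESS_VIOLATION (the crash WerFault.exe was launched for), both OpenWith.exe instances as ERROR_CANCELLED, and recovers the content of agentfipsmode as the single byte "0", which is what a FIPS-mode-off flag file would be expected to hold.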
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
23
DNS requests
4
Threats
0

HTTP requests

PID / Process: (not recorded)
Method: POST
HTTP Code: 500
IP: 40.91.76.224:443
URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
CN: unknown
Type / Size: (not recorded)
Reputation: whitelisted

PID / Process: (not recorded)
Method: POST
HTTP Code: 500
IP: 20.83.72.98:443
URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
CN: unknown
Type: xml
Size: 512 b
Reputation: whitelisted

Connections

PID / Process: (not recorded)
IP: 40.127.240.158:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID / Process: 4 / System
IP: 192.168.100.255:137
Reputation: whitelisted

PID / Process: 4 / System
IP: 192.168.100.255:138
Reputation: whitelisted

PID / Process: (not recorded)
IP: 51.124.78.146:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: NL
Reputation: whitelisted

PID / Process: 5176 / slui.exe
IP: 40.91.76.224:443
Domain: activation-v2.sls.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

PID / Process: 8040 / slui.exe
IP: 40.91.76.224:443
Domain: activation-v2.sls.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 216.58.206.46
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info