File name: Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c

Full analysis: https://app.any.run/tasks/62dcde45-e859-4482-a481-fbe37fbf6e77
Verdict: Malicious activity
Analysis date: March 26, 2025, 15:53:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: arch-exec
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive, 4 sections
MD5: 36B88174F8B8D26D3E7935EEDDD660BE
SHA1: 64323A23F6A3D82683FB7C89E7D79EA73BA4FF7C
SHA256: 3F915535179D76AE618A91A0D1CBB9CCB7E46EF3E1851BC2268FF6C3D94A562C
SSDEEP: 196608:LhWd2gxP/TNcI8gvMRKfySexNjvEF2KlbIVvooWIucM:LhA7xP/NDDfyS8NwF2KhIVvJub

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe (PID: 7404)
      • Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe (PID: 7452)
  • SUSPICIOUS

    • Executes application which crashes

      • Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe (PID: 7452)
    • Executable content was dropped or overwritten

      • Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe (PID: 7452)
      • dxlsetup-ma.exe (PID: 7832)
    • Searches for installed software

      • dxlsetup-ma.exe (PID: 7832)
  • INFO

    • The sample compiled with english language support

      • Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe (PID: 7452)
      • dxlsetup-ma.exe (PID: 7832)
    • Create files in a temporary directory

      • Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe (PID: 7452)
      • dxlsetup-ma.exe (PID: 7832)
    • Reads the computer name

      • Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe (PID: 7452)
      • dxlsetup-ma.exe (PID: 7832)
    • Checks supported languages

      • Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe (PID: 7452)
      • dxlsetup-ma.exe (PID: 7832)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 7592)
    • Manual execution by a user

      • dxlsetup-ma.exe (PID: 7832)
      • OpenWith.exe (PID: 7888)
      • OpenWith.exe (PID: 7968)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 7888)
      • OpenWith.exe (PID: 7968)
    • Checks proxy server information

      • slui.exe (PID: 8040)
    • Reads the software policy settings

      • slui.exe (PID: 8040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:07:05 10:27:21+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 172032
InitializedDataSize: 81408
UninitializedDataSize: -
EntryPoint: 0x752c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 5.7.7.378
ProductVersionNumber: 5.7.7.378
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Musarubra US LLC.
FileDescription: Framework Package Stub
FileVersion: 5.7.7.378
InternalName: wstub32.exe
LegalCopyright: Copyright (C) 2022 Musarubra US LLC. All rights reserved
OriginalFileName: wstub32.exe
ProductName: Trellix Agent
ProductVersion: 5.7.7.378
No data.
All screenshots are available in the full report
Total processes: 130
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Processes shown in the graph, in start order:
  • sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
  • werfault.exe (no specs)
  • dxlsetup-ma.exe
  • openwith.exe (no specs)
  • openwith.exe (no specs)
  • slui.exe
  • sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe (no specs)

Process information

PID: 7404
CMD: "C:\Users\admin\Desktop\Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe"
Path: C:\Users\admin\Desktop\Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
Parent process: explorer.exe
User: admin
Company: Musarubra US LLC.
Integrity Level: MEDIUM
Description: Framework Package Stub
Exit code: 3221226540
Version: 5.7.7.378
Modules (images):
c:\users\admin\desktop\sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 7452
CMD: "C:\Users\admin\Desktop\Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe"
Path: C:\Users\admin\Desktop\Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
Parent process: explorer.exe
User: admin
Company: Musarubra US LLC.
Integrity Level: HIGH
Description: Framework Package Stub
Exit code: 3221225477
Version: 5.7.7.378
Modules (images):
c:\users\admin\desktop\sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 7592
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7452 -s 360
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

PID: 7832
CMD: "C:\Users\admin\Desktop\dxlsetup-ma.exe"
Path: C:\Users\admin\Desktop\dxlsetup-ma.exe
Parent process: explorer.exe
User: admin
Company: Trellix
Integrity Level: MEDIUM
Description: Trellix Data Exchange Layer for MA
Version: 6.0.3.847
Modules (images):
c:\users\admin\desktop\dxlsetup-ma.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 7888
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\dxdet.mcs
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 2147943623
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 7968
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\dxinst.mcs
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 2147943623
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 8040
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 6 243
Read events: 6 237
Write events: 3
Delete events: 3

Modification events

(PID) Process: (7592) WerFault.exe
Key: \REGISTRY\A\{dfacd4c3-df55-cd1d-d1de-7c321398f8a9}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1

(PID) Process: (7592) WerFault.exe
Key: \REGISTRY\A\{dfacd4c3-df55-cd1d-d1de-7c321398f8a9}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value:
Executable files: 8
Suspicious files: 13
Text files: 21
Unknown types: 0

Dropped files

PID: 7452
Process: Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfe97DC2CBD-B82E-4BE6-97EA-B10508D62C76.tmp\__temp.zip
MD5:
SHA256:

PID: 7452
Process: Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfe97DC2CBD-B82E-4BE6-97EA-B10508D62C76.tmp\Shared.cab
MD5:
SHA256:

PID: 7452
Process: Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfe97DC2CBD-B82E-4BE6-97EA-B10508D62C76.tmp\SiteList.xml
Type: text
MD5: 7124B364EA9EE88565389686C04BC4ED
SHA256: 2A8FAE15CDF7871098482DF80501FBD2D35CA2AFA725FFC178B4B647A3342E53

PID: 7452
Process: Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfe97DC2CBD-B82E-4BE6-97EA-B10508D62C76.tmp\cleanup.exe
Type: executable
MD5: ABDF4651DA251BEB0E2FC1C8EB2AE1C3
SHA256: 6E22701183735370A4FC5D7937B0D36A18DE420EFA51D8084DE0EB2BB1991AE7

PID: 7452
Process: Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfe97DC2CBD-B82E-4BE6-97EA-B10508D62C76.tmp\MFEagent_x64.msi
Type: executable
MD5: 632EFAE7CD12F69213D6D4C9F44A06B9
SHA256: 0191D28D9BD8ECEC35E2FDB47100C7CE47FD954373F559B9128164581D6A9302

PID: 7592
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Sigmanly_3f91553_6d36d36d3c536f1e5fdbcad541135c314ab7c250_576b931e_d4bc239f-1218-47e1-a7b4-dddcc521bab2\Report.wer
MD5:
SHA256:

PID: 7452
Process: Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfe97DC2CBD-B82E-4BE6-97EA-B10508D62C76.tmp\Shared64.cab
Type: compressed
MD5: 18DBCA488A4635960ECE541E1EA6E496
SHA256: 72481BF953A233257DD9F6D3BFD2CF645B11A5B52DD9432B94ADCF2130273DA9

PID: 7452
Process: Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfe97DC2CBD-B82E-4BE6-97EA-B10508D62C76.tmp\MFEagent.msi
Type: executable
MD5: 0FD5029A751060AA5321ED59EC6BB1E0
SHA256: 20C0AA4C3B9D761D069BFB8C9A814C29137B2E05B87F795DBD933FF82AAE3FEB

PID: 7452
Process: Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfe97DC2CBD-B82E-4BE6-97EA-B10508D62C76.tmp\Svc_x86.cab
Type: compressed
MD5: 9FD6DE169DFCD81A342BF961D1121A38
SHA256: D3CB735DD4F28CB5F1112844F6D9B3A08583DE521CF987C3C10196BB9D9509F7

PID: 7452
Process: Sigmanly_3f915535179d76ae618a91a0d1cbb9ccb7e46ef3e1851bc2268ff6c3d94a562c.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfe97DC2CBD-B82E-4BE6-97EA-B10508D62C76.tmp\BootstrapInfo.xml
Type: xml
MD5: 4491B8E18CEF975FDA9290FE816D6765
SHA256: 0DD5800FE2DC803C1601E0C4921EBEC837AFCD95732BCA155C3A3F49EE2EE69E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 23
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | - | - | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5176 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
8040 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 216.58.206.46
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info