File name:	Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355
Full analysis:	https://app.any.run/tasks/4044fccc-904e-43cb-bb68-1f46b9a885ca
Verdict:	Malicious activity
Threats:	PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. Malware Trends Tracker >>>
Analysis date:	May 16, 2025, 15:48:33
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	privateloader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 10 sections
MD5:	FDE4EC171A6E988C9640D8F8DCF35AEA
SHA1:	47D357A4E617B46E47DDC8AA9869F33A3C9FFFB8
SHA256:	57962D6E4DEA092778CA4B98D68EE62D11A8CFA88FD7FD7B89CB97FBA2193355
SSDEEP:	98304:9bRwXuv0bjY0mqBvzKczYA3IycQ6XpyWzI/vjhugtsoQYWb7lFGo3:MeMVvaAPHzhug4pUy

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2023:05:25 12:13:29+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.29
CodeSize:	3105280
InitializedDataSize:	709120
UninitializedDataSize:	-
EntryPoint:	0x8844a9
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	7.0.45.1145
ProductVersionNumber:	7.0.45.1145
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	N-able Take Control
FileDescription:	TCDirectChat
FileVersion:	7.0.45.1145
InternalName:	N-able Take Control
ProgramID:	com.embarcadero.TCDirectChat
ProductName:	TCDirectChat
ProductVersion:	7.0.45.1145


(PID) Process:	(4988) Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B3F424BF-9B07-435C-8FC3-DADF77FE80AE}Machine\Software\Policies\Microsoft\AppHVSI
Operation:	write	Name:	AllowAppHVSI_ProviderSet
Value: 0
(PID) Process:	(4988) Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B3F424BF-9B07-435C-8FC3-DADF77FE80AE}Machine\Software\Policies\Microsoft\EdgeUpdate
Operation:	write	Name:	UpdateDefault
Value: 0
(PID) Process:	(4988) Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B3F424BF-9B07-435C-8FC3-DADF77FE80AE}Machine\Software\Policies\Microsoft\Windows\Network Connections
Operation:	write	Name:	NC_DoNotShowLocalOnlyIcon
Value: 1
(PID) Process:	(4988) Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B3F424BF-9B07-435C-8FC3-DADF77FE80AE}Machine\Software\Policies\Microsoft\Windows\Windows Feeds
Operation:	write	Name:	EnableFeeds
Value: 0
(PID) Process:	(4988) Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B3F424BF-9B07-435C-8FC3-DADF77FE80AE}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:	write	Name:	WUServer
Value: http://neverupdatewindows10.com
(PID) Process:	(4988) Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B3F424BF-9B07-435C-8FC3-DADF77FE80AE}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:	write	Name:	WUStatusServer
Value: http://neverupdatewindows10.com
(PID) Process:	(4988) Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B3F424BF-9B07-435C-8FC3-DADF77FE80AE}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:	write	Name:	UpdateServiceUrlAlternate
Value: http://neverupdatewindows10.com
(PID) Process:	(4988) Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B3F424BF-9B07-435C-8FC3-DADF77FE80AE}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:	write	Name:	**del.FillEmptyContentUrls
Value:
(PID) Process:	(4988) Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B3F424BF-9B07-435C-8FC3-DADF77FE80AE}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation:	write	Name:	UseWUServer
Value: 1
(PID) Process:	(4988) Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B3F424BF-9B07-435C-8FC3-DADF77FE80AE}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation:	write	Name:	NoAutoUpdate
Value: 0

PID	Process	Filename		Type
668	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Sigmanly_57962d6_b99b77e7eeae74b2dbc33edc6ced735312a72c7_2f918441_eaa4ddb9-6fb1-4c5c-840b-241513dba1e6\Report.wer		—
		MD5:—	SHA256:—
668	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER741.tmp.WERInternalMetadata.xml		binary
		MD5:21C5D91B937A4ED6C0D2CBEDDB971492	SHA256:1B09999F0C271279B5E00177539D9F09729EFCB55ADE570229ABB3E93EE9F8DD
668	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe.4988.dmp		binary
		MD5:261ADA14670E497B53409F1EB9DBE95A	SHA256:FDD0BC70EAD3D6C324F8ED074FAE237807E507FB335CB783557163618AFEE5B7
4988	Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	C:\Windows\System32\GroupPolicy\gpt.ini		text
		MD5:3D89F23265C9E30A0CF055C3EB4D637C	SHA256:806582F6221C79BD4C7EACDC4B63E937CE247EEE2BA159F55C545CDFB2B1C25B
668	WerFault.exe	C:\Windows\appcompat\Programs\Amcache.hve		binary
		MD5:FB06555C18861E0795ADA26EB60725D8	SHA256:4EA16FD7BC45F889CDCF3617FE813BB3A364D09A02A8795132B492B70AE096C5
668	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER752.tmp.xml		xml
		MD5:56543B95051BC2165A65BE53519CD7CE	SHA256:11E2A6BB74F93E143DB4DB4B25AFC30637351B561EB40FE547BEB138243D88E7
668	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER694.tmp.dmp		binary
		MD5:736A0C2B49963BD25ED77F587099ACBB	SHA256:4A91BDCD3F903C5D11087E71350735CF8C263C94C9E4ABDC80254B26636B9C4C
4988	Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	C:\Windows\System32\GroupPolicy\Machine\Registry.pol		binary
		MD5:551F2716A3AF0148E9A55792A5708892	SHA256:B4E6B3EB7656C4D44F67FBCC6803525C17DCA34BD65AF9F146D8FCA3441AB565

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4988	Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	GET	—	94.142.138.131:80	http://94.142.138.131/api/tracemap.php	unknown	—	—	malicious
4988	Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	GET	—	94.142.138.113:80	http://94.142.138.113/api/tracemap.php	unknown	—	—	malicious
4988	Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	GET	—	208.67.104.60:80	http://208.67.104.60/api/tracemap.php	unknown	—	—	malicious
2104	svchost.exe	GET	200	23.216.77.31:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4988	Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	GET	—	85.208.136.10:80	http://85.208.136.10/api/tracemap.php	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4988	Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	94.142.138.131:80	—	Network Management Ltd	RU	malicious
2196	svchost.exe	224.0.0.251:5353	—	—	—	unknown
2196	svchost.exe	224.0.0.252:5355	—	—	—	whitelisted
2104	svchost.exe	23.216.77.31:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2104	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4988	Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	94.142.138.113:80	—	Network Management Ltd	RU	malicious

Domain	IP	Reputation
google.com	172.217.23.110	whitelisted
crl.microsoft.com	23.216.77.31 23.216.77.22 23.216.77.39 23.216.77.41 23.216.77.37 23.216.77.27 23.216.77.32 23.216.77.35 23.216.77.29	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

PID	Process	Class	Message
4988	Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	Malware Command and Control Activity Detected	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
4988	Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	Malware Command and Control Activity Detected	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
4988	Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	Malware Command and Control Activity Detected	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
4988	Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355.exe	Malware Command and Control Activity Detected	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)

General Info

Sigmanly_57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355

FDE4EC171A6E988C9640D8F8DCF35AEA

47D357A4E617B46E47DDC8AA9869F33A3C9FFFB8

57962D6E4DEA092778CA4B98D68EE62D11A8CFA88FD7FD7B89CB97FBA2193355

98304:9bRwXuv0bjY0mqBvzKczYA3IycQ6XpyWzI/vjhugtsoQYWb7lFGo3:MeMVvaAPHzhug4pUy

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the Windows auto-update feature

PRIVATELOADER has been detected (SURICATA)

Connects to the CnC server

PRIVATELOADER has been detected (YARA)

SUSPICIOUS

Contacting a server suspected of hosting an CnC

Connects to the server without a host name

Executes application which crashes

INFO

Reads the computer name

Checks supported languages

The sample compiled with english language support

Creates files or folders in the user directory

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings