File name:

Sigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004

Full analysis: https://app.any.run/tasks/7c7de332-fadc-44e4-996b-7c203cfc9a21
Verdict: Malicious activity
Analysis date: May 16, 2025, 23:46:39
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

4E412CD167BD1F2900F9DA0859DEBE51

SHA1:

0F2E6D100AD8FD45982446B3A26A6F14A6D9C9F5

SHA256:

B1DCB6F705467AABE6E6306B0CE17AEDFE286FF2C9C35E769BBD3CE530DB1004

SSDEEP:

6144:uLXpEeveHtjBHwobViSvneYbU5eV/FGtTv:u7pO1BQob0OFOv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • Sigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004.exe (PID: 7656)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Sigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004.exe (PID: 7656)

    • Executable content was dropped or overwritten

      • Sigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004.exe (PID: 7656)

    • Executes application which crashes

      • Sigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004.exe (PID: 7656)

    • Detected use of alternative data streams (AltDS)

      • svchost.exe (PID: 8036)
      • svchost.exe (PID: 8080)

  • INFO

    • Checks supported languages

      • Sigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004.exe (PID: 7656)
      • wuefhdgm.exe (PID: 7880)
      • wuefhdgm.exe (PID: 7992)

    • Process checks computer location settings

      • Sigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004.exe (PID: 7656)

    • Reads the computer name

      • Sigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004.exe (PID: 7656)
      • wuefhdgm.exe (PID: 7880)
      • wuefhdgm.exe (PID: 7992)

    • Create files in a temporary directory

      • Sigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004.exe (PID: 7656)

    • Auto-launch of the file from Registry key

      • Sigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004.exe (PID: 7656)

    • Manual execution by a user

      • wuefhdgm.exe (PID: 7992)

    • Checks proxy server information

      • slui.exe (PID: 4880)

    • Reads the software policy settings

      • slui.exe (PID: 4880)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:08:20 04:29:55+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 137728
InitializedDataSize: 1533440
UninitializedDataSize: -
EntryPoint: 0x470b
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 94.0.0.0
ProductVersionNumber: 87.0.0.0
FileFlagsMask: 0x141a
FileFlags: (none)
FileOS: Unknown (0x20761)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Faeroese
CharacterSet: Unknown (31F2)
InternalName: Western
FileDescription: Underweather
ProductsVersion: 32.64.57.64
ProductName: GoldenSeg
ProductionVersion: 90.26.1.43
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
9
Malicious processes
3
Suspicious processes
2

Behavior graph

Click at the process to see the details
start sigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004.exe wusa.exe no specs wusa.exe wuefhdgm.exe no specs werfault.exe no specs wuefhdgm.exe no specs svchost.exe no specs svchost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
4880C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7656"C:\Users\admin\Desktop\Sigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004.exe" C:\Users\admin\Desktop\Sigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\desktop\sigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7788"C:\Windows\System32\wusa.exe" C:\Windows\SysWOW64\wusa.exeSigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Update Standalone Installer
Exit code:
3221226540
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
7856"C:\WINDOWS\SysWOW64\wusa.exe" C:\Windows\SysWOW64\wusa.exe
Sigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Update Standalone Installer
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7880"C:\Users\admin\wuefhdgm.exe" /d"C:\Users\admin\Desktop\Sigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004.exe" /e5E0402100000007FC:\Users\admin\wuefhdgm.exeSigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\wuefhdgm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7956C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7656 -s 1032C:\Windows\SysWOW64\WerFault.exeSigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
7992"C:\Users\admin\wuefhdgm.exe"C:\Users\admin\wuefhdgm.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
2002934592
Modules
Images
c:\users\admin\wuefhdgm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
8036svchost.exeC:\Windows\SysWOW64\svchost.exewuefhdgm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
3221225501
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
8080svchost.exeC:\Windows\SysWOW64\svchost.exewuefhdgm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
3221225501
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
Total events
4 698
Read events
4 693
Write events
3
Delete events
2

Modification events

(PID) Process:(7656) Sigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:nvalhmzh
Value:
"C:\Users\admin\wuefhdgm.exe"
(PID) Process:(8036) svchost.exeKey:HKEY_CURRENT_USER\Control Panel\Buses
Operation:writeName:Config0
Value:
008D863FFC63353D24EDB47D450DD49D084297DCE82E72BAA494D9FFE422031DEAD2C732D3CC945D24EDB47D470DD49D024195DAF71261ADC06D04FDA6E22673BBC9154961CDA56B16DC864D7C35E6AE644490BDB57F20E4915E0DC9F1B854758DF21D5904E0A76F16DD80457C34E59D084295D9E13F4BB4C06D00FDA1F5377894D92B546AABFB5D2E9BD10F7934E0BD004C80D8B90775B3845C07DDF6BD6525C49C460734F5AE6E16E7D740273DE4AD541DC5D9A42C29ED962B05CAF7BE113D92CC497B34F5A51B12D881487138E1A85115B69DF12872E0945F72CCF2B8652CEEF2154539FDA46D14DD844D75048BFF1C10C48DB47D24ED945D3DA2A7F5692DD6E83078428BD6547B89CC40743F91D9221DC48E8D1267B4995D06B880CB6529DCA42B596DF0A46F61A9F24D743EDDC2065DC98DB608509B955800F49BFE2420D49F3179418BD7652E9FD109793DE6DB5515C58CB44464EC995D06BBF6BD662BD0A4040F39FDA46D14DD844D7404A4AE591DC48DB47D24ED946444C9F9BD6658A0EB450A47C7E63850D0844F023C95A9516BFDCDB57024EFE25C0DBCF2CF5D6DD690440F42FCAD1C12AFBD0D7730E4AE541DC28DB47D1DAD905004CFF4BF642FD49F7E4F61B9A96A12D5863B074EED94141CC98DB77D24EB945D04F4B4BF692AD295467B478FA45454DE894D743DE4AD541DB5B4F47929EA935802CA87B8111794C1134E3EC794
(PID) Process:(8036) svchost.exeKey:HKEY_CURRENT_USER\Control Panel\Buses
Operation:delete valueName:Config1
Value:
(PID) Process:(8080) svchost.exeKey:HKEY_CURRENT_USER\Control Panel\Buses
Operation:writeName:Config0
Value:
008D443EFC63353D24EDB47D450DD49D084297DCE82E72BAA494D9FFE422031D4E984D2ED3CC945D24EDB47D470DD49D024195DAF71261ADC06D04FDA6E22673BBC9154961CDA56B16DC864D7C35E6AE644490BDB57F20E4915E0DC9F1B854758DF21D5904E0A76F16DD80457C34E59D084295D9E13F4BB4C06D00FDA1F5377894D92B546AABFB5D2E9BD10F7934E0BD004C80D8B90775B3845C07DDF6BD6525C49C460734F5AE6E16E7D740273DE4AD541DC5D9A42C29ED975F72CAF7BE113D92CC497B34F5A51B12D881487138E1A85115B69DF12872E0945E06BBF2B8652CEEF2154539FDA46D14DD844D75048BFF1C10C48DB47D24ED945D3DA2A7F5692DD79F367B34F9D2547B89CC40743EE6DF221DC18A8D1267B4995D07CF86CB6524A7A42B596DF0A46E16AFF24D713ADDC2065DC98DB77F569B952C0CF49BFE2420D49E467F42FDA51E2E9FD109793DE7AF2215C58CB44464EC995D07CEF4BD662BD0A4040F39FDA46D14DD844D7404A4AE591DC48DB47D24ED946444C9F9BD672FA6EB457934C7E63850D0844E764B95A9516BFDCDB57024EE962B0DBCF2CF5D6DD690440E368BAD1C12AFBD0D7730E4AE556BC18DB47D1DAD905004CFF4BF642FD49F7E4F61B9A96A12D5863B074EED94141CC98DB77C52E8945D04F4B4BF692AD295467B478FA45454DE894D773F96DB251DCCB4F47929EA935802CA87B8111794C1134E3EC794
(PID) Process:(8080) svchost.exeKey:HKEY_CURRENT_USER\Control Panel\Buses
Operation:delete valueName:Config1
Value:
Executable files
2
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
8036svchost.exeC:\Users\admin:.reposbinary
MD5:A82166958F942C7197FED7CA2BCA3088
SHA256:9A70D916F1C96E610089B6B4F95325989C18FAD0FC3EC421793A61F8BE893FA5
7656Sigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004.exeC:\Users\admin\AppData\Local\Temp\elsvkyrb.exeexecutable
MD5:988C9F6A899D1C620B0B1255AF9112EF
SHA256:7159D984211D7DBA90A0D93485B974ECAF7FFFD537586E30B75BE005852405ED
7656Sigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004.exeC:\Users\admin\wuefhdgm.exeexecutable
MD5:C98508C46B7E8F0C5B8DE6935433324C
SHA256:1D75C76FFB70D69C284D61F295E5B9DF4A81A0E03B46DB51B0B62BE1C347ADF6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
42
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4996
RUXIMICS.exe
GET
200
2.18.190.86:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4996
RUXIMICS.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6272
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
6272
SIHClient.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
6272
SIHClient.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
6272
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6272
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
6272
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
6272
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4996
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
4996
RUXIMICS.exe
2.18.190.86:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4996
RUXIMICS.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
6272
SIHClient.exe
4.175.87.197:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6272
SIHClient.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
6272
SIHClient.exe
2.19.11.105:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 172.217.16.142
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
crl.microsoft.com
  • 2.18.190.86
  • 2.18.190.71
  • 2.19.11.105
  • 2.19.11.120
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.22
whitelisted
login.live.com
  • 20.190.160.65
  • 40.126.32.138
  • 20.190.160.17
  • 20.190.160.2
  • 40.126.32.74
  • 40.126.32.136
  • 40.126.32.133
  • 40.126.32.134
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Sigmanly_b1dcb6f705467aabe6e6306b0ce17aedfe286ff2c9c35e769bbd3ce530db1004