File name:	Sigmanly_48ebd0e60eed1e5cc38195aa33694afd2a387be44a34270890f7fa756833d9c8
Full analysis:	https://app.any.run/tasks/64e07329-3b96-4934-a5f4-05116c50d871
Verdict:	Malicious activity
Analysis date:	May 16, 2025, 12:13:35
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	evasion delphi auto-reg
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	81DAACD7018A10EF90057C993545BB0B
SHA1:	E966C8FAF9EC0C445C3D0AA483B4CC770EE24D19
SHA256:	48EBD0E60EED1E5CC38195AA33694AFD2A387BE44A34270890F7FA756833D9C8
SSDEEP:	196608:p7Oze8wD8n5oJ+UEwzOA4z7ctzkplPcH0Sxo2Do35d1:1Oy8PuJxEJA/zkpvSG2Do35

.exe	\|	Win32 EXE PECompact compressed (generic) (83)
.exe	\|	Win32 Executable (generic) (9)
.exe	\|	Generic Win/DOS Executable (3.9)
.exe	\|	DOS Executable Generic (3.9)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2059:06:18 22:24:49+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	48
CodeSize:	28903424
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x1b927e2
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	-
FileDescription:	CosmicCheats
FileVersion:	1.0.0.0
InternalName:	CosmicCheats.exe
LegalCopyright:	Copyright © 2025
LegalTrademarks:	-
OriginalFileName:	CosmicCheats.exe
ProductName:	CosmicCheats
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(2284) Update.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	WindowsService
Value: C:\Users\admin\AppData\Roaming\WindowsService\WinService.exe
(PID) Process:	(300) WinService.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	WindowsService
Value: C:\Users\admin\AppData\Roaming\WindowsService\WinService.exe

PID	Process	Filename		Type
2284	Update.exe	C:\Users\admin\AppData\Roaming\WindowsService\WinService.exe		executable
		MD5:F040303D85C56F3B40066FD4B535D277	SHA256:CBF4E04802D850CBC223D439C336703AABA205EEBD6E8D300048DAE293B47722
644	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qoousaih.uut.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
644	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mkpslubx.hab.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5548	Sigmanly_48ebd0e60eed1e5cc38195aa33694afd2a387be44a34270890f7fa756833d9c8.exe	C:\Users\admin\AppData\Roaming\Update.exe		executable
		MD5:F040303D85C56F3B40066FD4B535D277	SHA256:CBF4E04802D850CBC223D439C336703AABA205EEBD6E8D300048DAE293B47722
644	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tavoe00s.voz.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
644	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1mqpvvpc.ixi.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5352	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_q40csnwf.de4.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5352	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_opg0wtju.odr.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
644	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:895A9C35142D9B25C5E3F5B9597B3CEF	SHA256:847951ED1F4AC9303EC66985CB36AABFA04F6086189EF2F88F88F6F03AF8158C
5352	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tqcycr0j.spa.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.216.77.13:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2284	Update.exe	GET	200	104.26.12.205:80	http://api.ipify.org/	unknown	—	—	malicious
300	WinService.exe	GET	200	104.26.12.205:80	http://api.ipify.org/	unknown	—	—	malicious
2284	Update.exe	GET	200	104.26.12.205:80	http://api.ipify.org/	unknown	—	—	malicious
300	WinService.exe	GET	200	104.26.12.205:80	http://api.ipify.org/	unknown	—	—	malicious
6228	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
6228	SIHClient.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
6228	SIHClient.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
6228	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	23.216.77.13:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
2284	Update.exe	104.26.12.205:80	api.ipify.org	CLOUDFLARENET	US	shared
2284	Update.exe	51.38.196.118:7777	yaptikanladin.mentality.cloud	OVH SAS	FR	malicious
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 4.231.128.59	whitelisted
google.com	142.250.186.78	whitelisted
crl.microsoft.com	23.216.77.13 23.216.77.16 23.216.77.31 23.216.77.18 23.216.77.29 23.216.77.21 23.216.77.28 23.216.77.23 23.216.77.19 2.19.11.105 2.19.11.120	whitelisted
www.microsoft.com	23.35.229.160 95.101.149.131	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.248	whitelisted
api.ipify.org	104.26.12.205 104.26.13.205 172.67.74.152	shared
yaptikanladin.mentality.cloud	51.38.196.118	malicious
slscr.update.microsoft.com	52.149.20.212	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

PID	Process	Class	Message
2284	Update.exe	Device Retrieving External IP Address Detected	SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
2284	Update.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup api.ipify.org
2284	Update.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org)
2196	svchost.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
2284	Update.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup api.ipify.org
2284	Update.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org)
2284	Update.exe	Device Retrieving External IP Address Detected	SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
300	WinService.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup api.ipify.org
300	WinService.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org)
300	WinService.exe	Device Retrieving External IP Address Detected	SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request

General Info

Sigmanly_48ebd0e60eed1e5cc38195aa33694afd2a387be44a34270890f7fa756833d9c8

81DAACD7018A10EF90057C993545BB0B

E966C8FAF9EC0C445C3D0AA483B4CC770EE24D19

48EBD0E60EED1E5CC38195AA33694AFD2A387BE44A34270890F7FA756833D9C8

196608:p7Oze8wD8n5oJ+UEwzOA4z7ctzkplPcH0Sxo2Do35d1:1Oy8PuJxEJA/zkpvSG2Do35

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

Adds path to the Windows Defender exclusion list

Changes the autorun value in the registry

Changes Windows Defender settings

SUSPICIOUS

Starts POWERSHELL.EXE for commands execution

Script adds exclusion path to Windows Defender

Executable content was dropped or overwritten

Connects to unusual port

Checks for external IP

Uses REG/REGEDIT.EXE to modify registry

Reads security settings of Internet Explorer

INFO

The sample compiled with english language support

Process checks computer location settings

Reads the computer name

Checks supported languages

Creates files or folders in the user directory

Auto-launch of the file from Registry key

Reads the machine GUID from the registry

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Compiled with Borland Delphi (YARA)

Manual execution by a user

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings