File name:	Sigmanly_ab020413dce53c9d57cf22d75eaf1339d72252d5316617a935149e02fee42fd3
Full analysis:	https://app.any.run/tasks/17c725a5-0d3e-48a1-934f-0ecc9de75735
Verdict:	Malicious activity
Analysis date:	May 15, 2025, 16:17:49
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-reg
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:	57AECBCDCB3A5AD31AC07C5A62B56085
SHA1:	A443C574F039828D237030BC18895027CA780337
SHA256:	AB020413DCE53C9D57CF22D75EAF1339D72252D5316617A935149E02FEE42FD3
SSDEEP:	12288:mjGB20Q5YI8Yu8uXG2wafWVmf1r/lGWlGR:mjGB2H5YI8Yu8uXG2wafWVmf9lGWlGR

.exe	\|	Win32 Executable Microsoft Visual Basic 6 (84.4)
.dll	\|	Win32 Dynamic Link Library (generic) (6.7)
.exe	\|	Win32 Executable (generic) (4.6)
.exe	\|	Generic Win/DOS Executable (2)
.exe	\|	DOS Executable Generic (2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	229376
InitializedDataSize:	16384
UninitializedDataSize:	-
EntryPoint:	0x27cc
OSVersion:	4
ImageVersion:	5.5
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	5.5.0.0
ProductVersionNumber:	5.5.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Free Microsoft Games
ProductName:	2009-09-22
FileVersion:	5.05
ProductVersion:	5.05
InternalName:	open2
OriginalFileName:	open2.exe


(PID) Process:	(7416) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	smss
Value: c:\RECYCLER\smss.exe
(PID) Process:	(7584) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	smss
Value: c:\RECYCLER\smss.exe
(PID) Process:	(7952) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Csrss
Value: c:\RECYCLER\smss.exe
(PID) Process:	(8068) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	smss
Value: c:\RECYCLER\smss.exe
(PID) Process:	(8152) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Csrss
Value: c:\RECYCLER\smss.exe
(PID) Process:	(496) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Csrss
Value: c:\RECYCLER\smss.exe
(PID) Process:	(5204) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Csrss
Value: c:\RECYCLER\smss.exe
(PID) Process:	(7428) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Csrss
Value: c:\RECYCLER\smss.exe
(PID) Process:	(7572) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Csrss
Value: c:\RECYCLER\smss.exe
(PID) Process:	(2040) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Csrss
Value: c:\RECYCLER\smss.exe

PID	Process	Filename		Type
7276	Sigmanly_ab020413dce53c9d57cf22d75eaf1339d72252d5316617a935149e02fee42fd3.exe	C:\Users\admin\AppData\Local\Temp\smss.exe		executable
		MD5:57AECBCDCB3A5AD31AC07C5A62B56085	SHA256:AB020413DCE53C9D57CF22D75EAF1339D72252D5316617A935149E02FEE42FD3
7276	Sigmanly_ab020413dce53c9d57cf22d75eaf1339d72252d5316617a935149e02fee42fd3.exe	C:\RECYCLER\smss.exe		executable
		MD5:57AECBCDCB3A5AD31AC07C5A62B56085	SHA256:AB020413DCE53C9D57CF22D75EAF1339D72252D5316617A935149E02FEE42FD3
7276	Sigmanly_ab020413dce53c9d57cf22d75eaf1339d72252d5316617a935149e02fee42fd3.exe	C:\RECYCLER\Downloads.exe		executable
		MD5:57AECBCDCB3A5AD31AC07C5A62B56085	SHA256:AB020413DCE53C9D57CF22D75EAF1339D72252D5316617A935149E02FEE42FD3
7744	smss.exe	C:\Users\admin\AppData\Local\Temp\~DF0F9965A0F0281101.TMP		binary
		MD5:E282EC2773982235D407598EA8D3253A	SHA256:601F6ABAD2FF2BBBB6EB24C0BB2278FB0824E5CC6E43CEA0AAF863CEC66AB197
7408	smss.exe	C:\RECYCLER\Checked_IPs.dlx		text
		MD5:CC19931A85B9CC4771F1C9A522A6DCDA	SHA256:C343143C0B0E252BB4406FCD4F9333C393A486E82926BF1A6CFF385191BC7F20
7408	smss.exe	C:\RECYCLER\autorun.INF		binary
		MD5:CBA289891EC7B2F21BDA3435F229537B	SHA256:34E37C589C9CDFEA750288F65D019AFEE10644722CC520F1E95FEBC5758FD4F0
728	cmd.exe	C:\RECYCLER\check_4_online.dlx		text
		MD5:1AEE8EDDEF535A3C072B7F520EAF5560	SHA256:18E39B4A5A91F2CF56367C2D7B53830881D5D885BCCCC234219C39FD0AF44353
7736	cmd.exe	C:\RECYCLER\check_4_online.dlx		text
		MD5:1AEE8EDDEF535A3C072B7F520EAF5560	SHA256:18E39B4A5A91F2CF56367C2D7B53830881D5D885BCCCC234219C39FD0AF44353
7216	cmd.exe	C:\RECYCLER\check_4_online.dlx		text
		MD5:1AEE8EDDEF535A3C072B7F520EAF5560	SHA256:18E39B4A5A91F2CF56367C2D7B53830881D5D885BCCCC234219C39FD0AF44353
6132	cmd.exe	C:\RECYCLER\check_4_online.dlx		text
		MD5:1AEE8EDDEF535A3C072B7F520EAF5560	SHA256:18E39B4A5A91F2CF56367C2D7B53830881D5D885BCCCC234219C39FD0AF44353

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	2.16.168.124:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
2104	svchost.exe	23.219.150.101:80	www.microsoft.com	AKAMAI-AS	CL	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
2196	svchost.exe	224.0.0.251:5353	—	—	—	unknown
2196	svchost.exe	224.0.0.252:5355	—	—	—	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	172.217.18.110	whitelisted
crl.microsoft.com	2.16.168.124 2.16.168.114	whitelisted
www.microsoft.com	23.219.150.101	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98 40.91.76.224	whitelisted

General Info

Sigmanly_ab020413dce53c9d57cf22d75eaf1339d72252d5316617a935149e02fee42fd3

57AECBCDCB3A5AD31AC07C5A62B56085

A443C574F039828D237030BC18895027CA780337

AB020413DCE53C9D57CF22D75EAF1339D72252D5316617A935149E02FEE42FD3

12288:mjGB20Q5YI8Yu8uXG2wafWVmf1r/lGWlGR:mjGB2H5YI8Yu8uXG2wafWVmf9lGWlGR

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Starts NET.EXE to view/change shared resources

SUSPICIOUS

Starts application from unusual location

Executable content was dropped or overwritten

Creates file in the systems drive root

Uses REG/REGEDIT.EXE to modify registry

Process uses IPCONFIG to get network configuration information

Starts CMD.EXE for commands execution

Detected use of alternative data streams (AltDS)

INFO

Create files in a temporary directory

The sample compiled with english language support

Checks supported languages

Reads the computer name

Failed to create an executable file in Windows directory

Auto-launch of the file from Registry key

Manual execution by a user

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings