File name: sagethumbs_2.0.0.23_setup.exe

Full analysis: https://app.any.run/tasks/f4cb21e7-79f0-4d96-997b-267d53183a31
Verdict: Malicious activity
Analysis date: July 26, 2025, 14:26:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 2AF65ABF462C9B3170C6E80428F90888
SHA1: DD798C6DDC1FE523B0919C0D70C36B7932A67BE5
SHA256: 705D743E28B487E34A4A7245A0DBC303A10E45BA0FD9E4DA4101C8CDF506839A
SSDEEP: 98304:bhMGV3jIjAXbgsgxZHBcsp/X1mIBFagQM1UYKzlke2vPxA/9A3Kjnry2OKH+pPth:lZM1Uw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • There is functionality for taking screenshot (YARA)

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • Creates a software uninstall entry

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • The process creates files with name similar to system file names

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • Changes default file association

      • regsvr32.exe (PID: 1828)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 1828)
      • regsvr32.exe (PID: 5564)
  • INFO

    • The sample compiled with Turkish language support

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • The sample compiled with English language support

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • Creates files in a temporary directory

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • Reads the computer name

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • Creates files in the program directory

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • Creates files or folders in the user directory

      • regsvr32.exe (PID: 1828)
    • Checks proxy server information

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
      • slui.exe (PID: 3556)
    • Checks supported languages

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • Reads the software policy settings

      • slui.exe (PID: 3556)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (91.9)
.exe | Win32 Executable MS Visual C++ (generic) (3.3)
.exe | Win64 Executable (generic) (3)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:10:07 04:40:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 23552
InitializedDataSize: 117760
UninitializedDataSize: 1024
EntryPoint: 0x3217
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.23
ProductVersionNumber: 2.0.0.23
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Turkish
CharacterSet: Windows, Turkish
Comments: http://sagethumbs.sourceforge.net/
CompanyName: Cherubic Software
FileDescription: SageThumbs
FileVersion: 2.0.0.23
LegalCopyright: Copyright © 2004-2017 Nikolay Raspopov
OriginalFileName: ..\..\redist\sagethumbs_2.0.0.23_setup.exe
ProductName: SageThumbs
ProductVersion: 2.0.0.23
No data.
All screenshots are available in the full report
Total processes: 140
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0


Process information

PID: 1652
CMD: "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\SageThumbs\64\SageThumbs.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: sagethumbs_2.0.0.23_setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

PID: 1828
CMD: "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\SageThumbs\32\SageThumbs.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: sagethumbs_2.0.0.23_setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

PID: 2140
CMD: "C:\Users\admin\Desktop\sagethumbs_2.0.0.23_setup.exe"
Path: C:\Users\admin\Desktop\sagethumbs_2.0.0.23_setup.exe
Parent process: explorer.exe
User: admin
Company: Cherubic Software
Integrity Level: MEDIUM
Description: SageThumbs
Exit code: 3221226540
Version: 2.0.0.23
Modules
Images
c:\users\admin\desktop\sagethumbs_2.0.0.23_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 3556
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 4032
CMD: "C:\Users\admin\Desktop\sagethumbs_2.0.0.23_setup.exe"
Path: C:\Users\admin\Desktop\sagethumbs_2.0.0.23_setup.exe
Parent process: explorer.exe
User: admin
Company: Cherubic Software
Integrity Level: HIGH
Description: SageThumbs
Exit code: 0
Version: 2.0.0.23
Modules
Images
c:\users\admin\desktop\sagethumbs_2.0.0.23_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 5564
CMD: /s "C:\Program Files (x86)\SageThumbs\64\SageThumbs.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events: 23 964
Read events: 20 232
Write events: 3 595
Delete events: 137

Modification events

(PID) Process: (4032) sagethumbs_2.0.0.23_setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\SageThumbs
Operation: write
Name: Install
Value: C:\Program Files (x86)\SageThumbs

(PID) Process: (4032) sagethumbs_2.0.0.23_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SageThumbs
Operation: write
Name: DisplayName
Value: SageThumbs 2.0.0.23

(PID) Process: (4032) sagethumbs_2.0.0.23_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SageThumbs
Operation: write
Name: ModifyPath
Value: C:\Program Files (x86)\SageThumbs\Repair.exe

(PID) Process: (4032) sagethumbs_2.0.0.23_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SageThumbs
Operation: write
Name: UninstallString
Value: C:\Program Files (x86)\SageThumbs\Uninst.exe

(PID) Process: (4032) sagethumbs_2.0.0.23_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SageThumbs
Operation: write
Name: InstallLocation
Value: C:\Program Files (x86)\SageThumbs

(PID) Process: (4032) sagethumbs_2.0.0.23_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SageThumbs
Operation: write
Name: DisplayIcon
Value: C:\Program Files (x86)\SageThumbs\32\SageThumbs.dll

(PID) Process: (4032) sagethumbs_2.0.0.23_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SageThumbs
Operation: write
Name: DisplayVersion
Value: 2.0.0.23

(PID) Process: (4032) sagethumbs_2.0.0.23_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SageThumbs
Operation: write
Name: Publisher
Value: Cherubic Software

(PID) Process: (4032) sagethumbs_2.0.0.23_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SageThumbs
Operation: write
Name: URLInfoAbout
Value: http://sagethumbs.sourceforge.net/

(PID) Process: (4032) sagethumbs_2.0.0.23_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SageThumbs
Operation: write
Name: NoModify
Value: 0
Executable files: 24
Suspicious files: 7
Text files: 5
Unknown types: 0

Dropped files

PID: 4032
Process: sagethumbs_2.0.0.23_setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nspD86B.tmp\System.dll
Type: executable
MD5: 883EFF06AC96966270731E4E22817E11
SHA256: 44E5DFD551B38E886214BD6B9C8EE913C4C4D1F085A6575D97C3E892B925DA82

PID: 4032
Process: sagethumbs_2.0.0.23_setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nspD86B.tmp\nsDialogs.dll
Type: executable
MD5: 36BDF3E282EE81EA2F9A400604A55FF6
SHA256: C5BF321A3A2AACE7B42014CF78A3D0FB3EEC03B2C8FF00AD72445F56657377AF

PID: 4032
Process: sagethumbs_2.0.0.23_setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nspD86B.tmp\modern-header.bmp
Type: image
MD5: EADF80C79F88337C58CA0FB5032CB579
SHA256: 8E58B3E6E3896A4BAE05FA2F6ADC238D391AA80BC51C138F851F373C6C23E518

PID: 4032
Process: sagethumbs_2.0.0.23_setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nspD86B.tmp\xml.dll
Type: executable
MD5: 42DF1FBAA87567ADF2B4050805A1A545
SHA256: E900FCB9D598643EB0EE3E4005DA925E73E70DBAA010EDC4473E99EA0638B845

PID: 4032
Process: sagethumbs_2.0.0.23_setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nspD86B.tmp\nsisdl.dll
Type: executable
MD5: 00CC8456BDAA5B8356ADE9D7910872FB
SHA256: DA9ED6FE10FBD507EAC842883BBD07025F786CD6AFC2855BB0BB51FE757956A6

PID: 4032
Process: sagethumbs_2.0.0.23_setup.exe
Filename: C:\Program Files (x86)\SageThumbs\32\libgfl340.dll.tmp
Type: executable
MD5: EDFCA3D1CB2147DE6CED48284932F5ED
SHA256: 7A00B2C60F914205371CD49EC683C0720AC7AC90360D604DEF30227B4E6FABD2

PID: 4032
Process: sagethumbs_2.0.0.23_setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nspD86B.tmp\StartMenu.dll
Type: executable
MD5: 5831D36066B6DAF42FBF2AB1773308C8
SHA256: 994EB5C54F6E2F4C0328E6EB667A82CA133800964BEA7A0CCAE8ABA60C98E966

PID: 4032
Process: sagethumbs_2.0.0.23_setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nspD86B.tmp\LangDLL.dll
Type: executable
MD5: FEEDCA220D8A53786FA10DACADB75619
SHA256: 5795C00A067C4D3A9F04BD34108C5541189C3F8D8D8EE75A3FAEF337F27CF909

PID: 4032
Process: sagethumbs_2.0.0.23_setup.exe
Filename: C:\Program Files (x86)\SageThumbs\32\sqlite3.dll.tmp
Type: executable
MD5: 654888380D8EB02CB752E18918CA8283
SHA256: 0EEEF7A93F51584EE88420A2F12BC8073697C68443226411803611530D00B0F6

PID: 4032
Process: sagethumbs_2.0.0.23_setup.exe
Filename: C:\Program Files (x86)\SageThumbs\32\libgfle340.dll.tmp
Type: executable
MD5: 1D3C7D9388FA818FFC7F5BDF0479C05D
SHA256: 58F19E055060193ED63A4D33F5ED334217D61EA4ECAE6BFA25E02EAB9696C504
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 134
TCP/UDP connections: 148
DNS requests: 9
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.55.110.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.110.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted
4032 | sagethumbs_2.0.0.23_setup.exe | GET | 301 | 104.18.12.149:80 | http://sagethumbs.sourceforge.net/pad/sagethumbs.xml | - | unknown | - | whitelisted
4032 | sagethumbs_2.0.0.23_setup.exe | GET | 301 | 104.18.12.149:80 | http://sagethumbs.sourceforge.net/pad/sagethumbs.xml | - | unknown | - | whitelisted
4032 | sagethumbs_2.0.0.23_setup.exe | GET | 301 | 104.18.12.149:80 | http://sagethumbs.sourceforge.net/pad/sagethumbs.xml | - | unknown | - | whitelisted
- | - | GET | 301 | 104.18.12.149:80 | http://sagethumbs.sourceforge.net/pad/sagethumbs.xml | - | unknown | - | whitelisted
4032 | sagethumbs_2.0.0.23_setup.exe | GET | 301 | 104.18.12.149:80 | http://sagethumbs.sourceforge.net/pad/sagethumbs.xml | - | unknown | - | whitelisted
- | - | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.55.110.211:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.55.110.211:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 52.167.249.196 | whitelisted
google.com | 172.217.23.110 | whitelisted
crl.microsoft.com | 23.55.110.211, 23.55.110.193 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
sagethumbs.sourceforge.net | 104.18.12.149, 104.18.13.149 | whitelisted
self.events.data.microsoft.com | 13.89.179.9 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

PID | Process | Class | Message
- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info