File name:

sagethumbs_2.0.0.23_setup.exe

Full analysis: https://app.any.run/tasks/f4cb21e7-79f0-4d96-997b-267d53183a31
Verdict: Malicious activity
Analysis date: July 26, 2025, 14:26:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 2AF65ABF462C9B3170C6E80428F90888
SHA1: DD798C6DDC1FE523B0919C0D70C36B7932A67BE5
SHA256: 705D743E28B487E34A4A7245A0DBC303A10E45BA0FD9E4DA4101C8CDF506839A
SSDEEP: 98304:bhMGV3jIjAXbgsgxZHBcsp/X1mIBFagQM1UYKzlke2vPxA/9A3Kjnry2OKH+pPth:lZM1Uw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • There is functionality for taking screenshot (YARA)

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • Executable content was dropped or overwritten

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • Creates a software uninstall entry

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 1828)
      • regsvr32.exe (PID: 5564)
    • Changes default file association

      • regsvr32.exe (PID: 1828)
  • INFO

    • The sample was compiled with Turkish language support

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • Checks supported languages

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • Reads the computer name

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • Checks proxy server information

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
      • slui.exe (PID: 3556)
    • Creates files in a temporary directory

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • Creates files in the program directory

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • The sample was compiled with English language support

      • sagethumbs_2.0.0.23_setup.exe (PID: 4032)
    • Creates files or folders in the user directory

      • regsvr32.exe (PID: 1828)
    • Reads the software policy settings

      • slui.exe (PID: 3556)
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (91.9)
.exe | Win32 Executable MS Visual C++ (generic) (3.3)
.exe | Win64 Executable (generic) (3)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:10:07 04:40:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 23552
InitializedDataSize: 117760
UninitializedDataSize: 1024
EntryPoint: 0x3217
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.23
ProductVersionNumber: 2.0.0.23
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Turkish
CharacterSet: Windows, Turkish
Comments: http://sagethumbs.sourceforge.net/
CompanyName: Cherubic Software
FileDescription: SageThumbs
FileVersion: 2.0.0.23
LegalCopyright: Copyright © 2004-2017 Nikolay Raspopov
OriginalFileName: ..\..\redist\sagethumbs_2.0.0.23_setup.exe
ProductName: SageThumbs
ProductVersion: 2.0.0.23
No data.
All screenshots are available in the full report
Total processes
140
Monitored processes
6
Malicious processes
2
Suspicious processes
0


Process information

PID
CMD
Path
Indicators
Parent process
PID:
1652
CMD:
"C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\SageThumbs\64\SageThumbs.dll"
Path:
C:\Windows\SysWOW64\regsvr32.exe
Parent process:
sagethumbs_2.0.0.23_setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
1828
CMD:
"C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\SageThumbs\32\SageThumbs.dll"
Path:
C:\Windows\SysWOW64\regsvr32.exe
Parent process:
sagethumbs_2.0.0.23_setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
2140
CMD:
"C:\Users\admin\Desktop\sagethumbs_2.0.0.23_setup.exe"
Path:
C:\Users\admin\Desktop\sagethumbs_2.0.0.23_setup.exe
Parent process:
explorer.exe
User:
admin
Company:
Cherubic Software
Integrity Level:
MEDIUM
Description:
SageThumbs
Exit code:
3221226540
Version:
2.0.0.23
Modules
Images
c:\users\admin\desktop\sagethumbs_2.0.0.23_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
3556
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
4032
CMD:
"C:\Users\admin\Desktop\sagethumbs_2.0.0.23_setup.exe"
Path:
C:\Users\admin\Desktop\sagethumbs_2.0.0.23_setup.exe
Parent process:
explorer.exe
User:
admin
Company:
Cherubic Software
Integrity Level:
HIGH
Description:
SageThumbs
Exit code:
0
Version:
2.0.0.23
Modules
Images
c:\users\admin\desktop\sagethumbs_2.0.0.23_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
5564
CMD:
/s "C:\Program Files (x86)\SageThumbs\64\SageThumbs.dll"
Path:
C:\Windows\System32\regsvr32.exe
Parent process:
regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
23 964
Read events
20 232
Write events
3 595
Delete events
137

Modification events

(PID) Process: (4032) sagethumbs_2.0.0.23_setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\SageThumbs
Operation: write
Name: Install
Value:
C:\Program Files (x86)\SageThumbs

(PID) Process: (4032) sagethumbs_2.0.0.23_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SageThumbs
Operation: write
Name: DisplayName
Value:
SageThumbs 2.0.0.23

(PID) Process: (4032) sagethumbs_2.0.0.23_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SageThumbs
Operation: write
Name: ModifyPath
Value:
C:\Program Files (x86)\SageThumbs\Repair.exe

(PID) Process: (4032) sagethumbs_2.0.0.23_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SageThumbs
Operation: write
Name: UninstallString
Value:
C:\Program Files (x86)\SageThumbs\Uninst.exe

(PID) Process: (4032) sagethumbs_2.0.0.23_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SageThumbs
Operation: write
Name: InstallLocation
Value:
C:\Program Files (x86)\SageThumbs

(PID) Process: (4032) sagethumbs_2.0.0.23_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SageThumbs
Operation: write
Name: DisplayIcon
Value:
C:\Program Files (x86)\SageThumbs\32\SageThumbs.dll

(PID) Process: (4032) sagethumbs_2.0.0.23_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SageThumbs
Operation: write
Name: DisplayVersion
Value:
2.0.0.23

(PID) Process: (4032) sagethumbs_2.0.0.23_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SageThumbs
Operation: write
Name: Publisher
Value:
Cherubic Software

(PID) Process: (4032) sagethumbs_2.0.0.23_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SageThumbs
Operation: write
Name: URLInfoAbout
Value:
http://sagethumbs.sourceforge.net/

(PID) Process: (4032) sagethumbs_2.0.0.23_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SageThumbs
Operation: write
Name: NoModify
Value:
0
Executable files
24
Suspicious files
7
Text files
5
Unknown types
0

Dropped files

PID | Process | Filename | Type
4032 | sagethumbs_2.0.0.23_setup.exe | C:\Users\admin\AppData\Local\Temp\nspD86B.tmp\nsDialogs.dll | executable
MD5: 36BDF3E282EE81EA2F9A400604A55FF6
SHA256: C5BF321A3A2AACE7B42014CF78A3D0FB3EEC03B2C8FF00AD72445F56657377AF
4032 | sagethumbs_2.0.0.23_setup.exe | C:\Program Files (x86)\SageThumbs\32\SageThumbs.dll | executable
MD5: B3A7DE1EE3B0EE68989BD68D8A2ECCC4
SHA256: 366D169DDB3897C77D632466CE969BEBD8DEF4E8F111AE21598CB5BE5FC71DB4
4032 | sagethumbs_2.0.0.23_setup.exe | C:\Program Files (x86)\SageThumbs\32\libgfl340.dll | executable
MD5: EDFCA3D1CB2147DE6CED48284932F5ED
SHA256: 7A00B2C60F914205371CD49EC683C0720AC7AC90360D604DEF30227B4E6FABD2
4032 | sagethumbs_2.0.0.23_setup.exe | C:\Program Files (x86)\SageThumbs\32\SageThumbs.dll.tmp | executable
MD5: B3A7DE1EE3B0EE68989BD68D8A2ECCC4
SHA256: 366D169DDB3897C77D632466CE969BEBD8DEF4E8F111AE21598CB5BE5FC71DB4
4032 | sagethumbs_2.0.0.23_setup.exe | C:\Program Files (x86)\SageThumbs\32\libgfle340.dll.tmp | executable
MD5: 1D3C7D9388FA818FFC7F5BDF0479C05D
SHA256: 58F19E055060193ED63A4D33F5ED334217D61EA4ECAE6BFA25E02EAB9696C504
4032 | sagethumbs_2.0.0.23_setup.exe | C:\Program Files (x86)\SageThumbs\32\libgfl340.dll.tmp | executable
MD5: EDFCA3D1CB2147DE6CED48284932F5ED
SHA256: 7A00B2C60F914205371CD49EC683C0720AC7AC90360D604DEF30227B4E6FABD2
4032 | sagethumbs_2.0.0.23_setup.exe | C:\Program Files (x86)\SageThumbs\32\libgfle340.dll | executable
MD5: 1D3C7D9388FA818FFC7F5BDF0479C05D
SHA256: 58F19E055060193ED63A4D33F5ED334217D61EA4ECAE6BFA25E02EAB9696C504
4032 | sagethumbs_2.0.0.23_setup.exe | C:\Users\admin\AppData\Local\Temp\nspD86B.tmp\modern-wizard.bmp | image
MD5: CBE40FD2B1EC96DAEDC65DA172D90022
SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
4032 | sagethumbs_2.0.0.23_setup.exe | C:\Program Files (x86)\SageThumbs\32\sqlite3.dll | executable
MD5: 654888380D8EB02CB752E18918CA8283
SHA256: 0EEEF7A93F51584EE88420A2F12BC8073697C68443226411803611530D00B0F6
4032 | sagethumbs_2.0.0.23_setup.exe | C:\Users\admin\AppData\Local\Temp\nspD86B.tmp\LangDLL.dll | executable
MD5: FEEDCA220D8A53786FA10DACADB75619
SHA256: 5795C00A067C4D3A9F04BD34108C5541189C3F8D8D8EE75A3FAEF337F27CF909
HTTP(S) requests
134
TCP/UDP connections
148
DNS requests
9
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.55.110.211:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.55.110.211:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4032
sagethumbs_2.0.0.23_setup.exe
GET
301
104.18.12.149:80
http://sagethumbs.sourceforge.net/pad/sagethumbs.xml
unknown
whitelisted
4032
sagethumbs_2.0.0.23_setup.exe
GET
301
104.18.12.149:80
http://sagethumbs.sourceforge.net/pad/sagethumbs.xml
unknown
whitelisted
4032
sagethumbs_2.0.0.23_setup.exe
GET
301
104.18.12.149:80
http://sagethumbs.sourceforge.net/pad/sagethumbs.xml
unknown
whitelisted
4032
sagethumbs_2.0.0.23_setup.exe
GET
301
104.18.12.149:80
http://sagethumbs.sourceforge.net/pad/sagethumbs.xml
unknown
whitelisted
GET
301
104.18.12.149:80
http://sagethumbs.sourceforge.net/pad/sagethumbs.xml
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
23.55.110.211:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.55.110.211:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 52.167.249.196
whitelisted
google.com
  • 172.217.23.110
whitelisted
crl.microsoft.com
  • 23.55.110.211
  • 23.55.110.193
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
sagethumbs.sourceforge.net
  • 104.18.12.149
  • 104.18.13.149
whitelisted
self.events.data.microsoft.com
  • 13.89.179.9
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info