File name: Stub.exe

Full analysis: https://app.any.run/tasks/04141405-15e4-4a2f-9bf1-25649c524b8f
Verdict: Malicious activity
Analysis date: June 26, 2024, 03:47:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: netreactor
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 4EED490208FBD04D9D7C6775727ED245
SHA1: A6CCB4D162ED30C1C6C86881F4351FB4B90115BF
SHA256: 773361EA394307A3DC74E1E28F5B7E6A230AFEDBB6415E34C2D3EFAA1FD802DA
SSDEEP: 98304:SQpA0cf91rXL9AQW9iNyk+AUMjRACxeLHFelew7CqwQFm1NfU84hg9FUgiJJOg2P:wgqk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Stub.exe (PID: 3204)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Stub.exe (PID: 3204)
    • Process drops legitimate windows executable

      • Stub.exe (PID: 3204)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:06:20 08:00:00+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 492032
UninitializedDataSize: -
EntryPoint: 0x19b6c
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.0.1.0
ProductVersionNumber: 6.0.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: ReasonLabs
FileDescription: ReasonLabs-setup-wizard.exe
FileVersion: 6.0.1
InternalName: 7zS.sfx
LegalCopyright: Copyright (C) 2024 Reason Software Company Inc.
OriginalFileName: 7zS.sfx.exe
ProductName: ReasonLabs Setup Wizard
ProductVersion: 6.0.1
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0


Process information

PID: 3204
CMD: "C:\Users\admin\Desktop\Stub.exe"
Path: C:\Users\admin\Desktop\Stub.exe
Parent process: explorer.exe
User: admin
Company: ReasonLabs
Integrity Level: HIGH
Description: ReasonLabs-setup-wizard.exe
Exit code: 0
Version: 6.0.1

PID: 3380
CMD: "C:\Users\admin\Desktop\Stub.exe"
Path: C:\Users\admin\Desktop\Stub.exe
Parent process: explorer.exe
User: admin
Company: ReasonLabs
Integrity Level: MEDIUM
Description: ReasonLabs-setup-wizard.exe
Exit code: 3221226540 (NTSTATUS 0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 6.0.1

Modules
Images
c:\users\admin\desktop\stub.exe
c:\windows\system32\ntdll.dll
Total events: 1
Read events: 1
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 55
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3204 | Stub.exe | C:\Users\admin\AppData\Local\Temp\7zS48C5E1D4\System.ValueTuple.dll | executable
MD5:F34410B23B973CE915C40345C96DD82D
SHA256:E461CD2F7700FD28A3869D7C65F805058E0C30D44D9BCAF390ADF1896548B0D3
3204 | Stub.exe | C:\Users\admin\AppData\Local\Temp\7zS48C5E1D4\ArchiveUtilityx64.dll | executable
MD5:C70238BD9FB1A0B38F50A30BE7623EB7
SHA256:88FB2446D4EAC42A41036354006AFADFCA5ACD38A0811110F7337DC5EC434884
3204 | Stub.exe | C:\Users\admin\AppData\Local\Temp\7zS48C5E1D4\rsDatabase.dll | executable
MD5:72689B177CD84AE5260532F5C7A10EBD
SHA256:062FD8045911EAAB4B5F505DADE6C0E23E6200C1AC1FDB86EA73E69AB801E037
3204 | Stub.exe | C:\Users\admin\AppData\Local\Temp\7zS48C5E1D4\Microsoft.Win32.TaskScheduler.dll | executable
MD5:87D7FB0770406BC9B4DC292FA9E1E116
SHA256:AAEB1EACBDAEB5425FD4B5C28CE2FD3714F065756664FA9F812AFDC367FBBB46
3204 | Stub.exe | C:\Users\admin\AppData\Local\Temp\7zS48C5E1D4\rsAtom.dll | executable
MD5:F5CF4F3E8DEDDC2BF3967B6BFF3E4499
SHA256:9D31024A76DCAD5E2B39810DFF530450EE5A1B3ECBC08C72523E6E7EA7365A0B
3204 | Stub.exe | C:\Users\admin\AppData\Local\Temp\7zS48C5E1D4\rsStubLib.dll | executable
MD5:FA4E3D9B299DA1ABC5F33F1FB00BFA4F
SHA256:9631939542E366730A9284A63F1D0D5459C77EC0B3D94DE41196F719FC642A96
3204 | Stub.exe | C:\Users\admin\AppData\Local\Temp\7zS48C5E1D4\rsSyncSvc.exe | executable
MD5:CC7167823D2D6D25E121FC437AE6A596
SHA256:6138D9EA038014B293DAC1C8FDE8C0D051C0435C72CD6E7DF08B2F095B27D916
3204 | Stub.exe | C:\Users\admin\AppData\Local\Temp\7zS48C5E1D4\System.Data.SQLite.dll | executable
MD5:FFBB71041C9A01DA9EA90BDD4C0096A2
SHA256:178570575291B95C767BA304D71C5310A94E93B6C1F673B9179D41A75A48D0E8
3204 | Stub.exe | C:\Users\admin\AppData\Local\Temp\7zS48C5E1D4\Translations\el-GR\UnifiedStub.resources.dll | executable
MD5:765162C01B6A1D4B1EF68832658F4EDA
SHA256:0EF2B0E94D98919186598312218A6BDF5E5C58D7BBA15E85C08CC64454081970
3204 | Stub.exe | C:\Users\admin\AppData\Local\Temp\7zS48C5E1D4\Translations\da-DK\UnifiedStub.resources.dll | executable
MD5:C2819AE6DB238F0D9FDD865347819A40
SHA256:DA090057B5388EF09CA5F6E72C729F0330FC3CC0352E2EE704982E979DC4E1F1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 23
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1372 | svchost.exe | GET | 304 | 88.221.110.91:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | - | - | unknown
1060 | svchost.exe | GET | 304 | 88.221.110.91:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?67a3611ec3c0260d | unknown | - | - | unknown
1372 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | unknown
1372 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2564 | svchost.exe | 239.255.255.250:3702 | - | - | - | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1372 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3128 | UnifiedStub-installer.exe | 52.201.189.129:443 | track.analytics-data.io | AMAZON-AES | US | unknown
1372 | svchost.exe | 88.221.110.91:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
3128 | UnifiedStub-installer.exe | 13.224.189.105:443 | update.reasonsecurity.com | AMAZON-02 | US | unknown

DNS requests

Domain
IP
Reputation
track.analytics-data.io
  • 52.201.189.129
  • 44.206.171.65
  • 3.214.152.143
malicious
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
ctldl.windowsupdate.com
  • 88.221.110.91
  • 2.16.100.168
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
update.reasonsecurity.com
  • 13.224.189.105
  • 13.224.189.61
  • 13.224.189.78
  • 13.224.189.107
unknown
electron-shell.reasonsecurity.com
  • 18.66.102.87
  • 18.66.102.77
  • 18.66.102.5
  • 18.66.102.10
unknown

Threats

No threats detected
No debug info