File name: stopabit.exe
Full analysis: https://app.any.run/tasks/4b44c509-0361-49dd-8973-2a1e247f11c0
Verdict: Malicious activity
Analysis date: August 06, 2024, 23:51:40
OS: Windows 10 Professional (build: 19045, 64 bit)
File type:
  MIME: application/x-dosexec
  File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: F48B8DCA81A54EE64C43A1DB389636D1
SHA1: CAFE60B0A29AFDFF230A367F34D29BB574213970
SHA256: 9397BF27C48BE348EF2DB687475BA5AA44DFC3A85E8AFF2F891123C44A34FE55
SSDEEP: 98304:l+cD4dnE+zc4rAG/xKN2sPGE9IPDVAAWXHUFcTdNuKKkQFuUoYepyk2dqBXOrasG:5BiMbzRJyJs

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
Indicators (behavioural signatures and the processes that triggered them)

  • MALICIOUS
    • Drops an executable file immediately after start
      • stopabit.exe (PID: 6268)
      • stopabit.tmp (PID: 6288)
    • Changes the autorun value in the registry
      • Stopabit.exe (PID: 6880)
  • SUSPICIOUS
    • Reads the Windows owner or organization settings
      • stopabit.tmp (PID: 6288)
    • Executable content was dropped or overwritten
      • stopabit.tmp (PID: 6288)
    • Process drops a legitimate Windows executable
      • stopabit.tmp (PID: 6288)
    • Checks Windows Trust Settings
      • Stopabit.exe (PID: 6880)
    • Reads security settings of Internet Explorer
      • Stopabit.exe (PID: 6880)
    • Reads Internet Explorer settings
      • Stopabit.exe (PID: 6880)
    • Reads Microsoft Outlook installation path
      • Stopabit.exe (PID: 6880)
  • INFO
    • Reads the computer name
      • stopabit.tmp (PID: 6288)
      • Stopabit.exe (PID: 6880)
    • Creates files in a temporary directory
      • stopabit.exe (PID: 6268)
      • stopabit.tmp (PID: 6288)
    • Checks supported languages
      • stopabit.exe (PID: 6268)
      • stopabit.tmp (PID: 6288)
      • Stopabit.exe (PID: 6880)
    • Creates files or folders in the user directory
      • stopabit.tmp (PID: 6288)
      • Stopabit.exe (PID: 6880)
    • Reads the machine GUID from the registry
      • stopabit.tmp (PID: 6288)
      • Stopabit.exe (PID: 6880)
    • Creates a software uninstall entry
      • stopabit.tmp (PID: 6288)
    • Reads the software policy settings
      • stopabit.tmp (PID: 6288)
      • Stopabit.exe (PID: 6880)
    • Checks proxy server information
      • Stopabit.exe (PID: 6880)
    • Reads the time zone
      • Stopabit.exe (PID: 6880)
    • Reads environment values
      • Stopabit.exe (PID: 6880)
    • Disables trace logs
      • Stopabit.exe (PID: 6880)
    • Process checks Internet Explorer phishing filters
      • Stopabit.exe (PID: 6880)

Caveat when reading the verdict: the two MALICIOUS signatures (an executable dropped at start, an autorun value written) are also what an Inno Setup installer does when it extracts its setup program and registers the installed application to start with the user session, and the file is identified as Inno Setup below. The signatures are a reason to look closer, not a conclusion on their own; the registry key, network and dropped-file sections carry the detail.
Find more information about signature artifacts and their mapping to the MITRE ATT&CK matrix in the full report.
No malware configuration was extracted.

TRiD file-type identification (match confidence, %)

.exe | Inno Setup installer (65.1)
.exe | Win32 EXE PECompact compressed (generic) (24.6)
.dll | Win32 Dynamic Link Library (generic) (3.9)
.exe | Win32 Executable (generic) (2.6)
.exe | Win16/32 Executable Delphi generic (1.2)

EXIF (PE header and version-resource fields)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:04:14 16:10:23+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 74240
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.9.0
ProductVersionNumber: 1.0.9.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Globalhop
FileDescription: Stopabit installer
FileVersion: 1.0.9.0
LegalCopyright: © Globalhop
OriginalFileName: Stopabit.exe
ProductName: Stopabit
ProductVersion: 1.0.9.0
All screenshots are available in the full report
Process summary
  Total processes: 124
  Monitored processes: 3
  Malicious processes: 3
  Suspicious processes: 0

Behavior graph

Process chain (taken from the parent-process fields in the process information below):
  explorer.exe → stopabit.exe (PID 6268) → stopabit.tmp (PID 6288) → Stopabit.exe (PID 6880)

Process information

PID 6268: stopabit.exe (Inno Setup installer stub; parent: explorer.exe)
  Command line: "C:\Users\admin\Desktop\stopabit.exe"
  Path: C:\Users\admin\Desktop\stopabit.exe
  User: admin
  Company: Globalhop
  Integrity level: MEDIUM
  Description: Stopabit installer
  Version: 1.0.9.0
  Exit code: 0
  Loaded images:
    c:\users\admin\desktop\stopabit.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll

PID 6288: stopabit.tmp (setup program extracted by the stub; parent: stopabit.exe)
  Command line: "C:\Users\admin\AppData\Local\Temp\is-B9JC9.tmp\stopabit.tmp" /SL5="$C0044,3291176,817152,C:\Users\admin\Desktop\stopabit.exe"
  Path: C:\Users\admin\AppData\Local\Temp\is-B9JC9.tmp\stopabit.tmp
  User: admin
  Company: Globalhop
  Integrity level: MEDIUM
  Description: Setup/Uninstall
  Version: 51.1052.0.0
  Exit code: 0
  Loaded images:
    c:\users\admin\appdata\local\temp\is-b9jc9.tmp\stopabit.tmp
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\comdlg32.dll

PID 6880: Stopabit.exe (installed application; parent: stopabit.tmp)
  Command line: "C:\Users\admin\AppData\Local\Programs\Stopabit\Stopabit.exe"
  Path: C:\Users\admin\AppData\Local\Programs\Stopabit\Stopabit.exe
  User: admin
  Company: Globalhop
  Integrity level: MEDIUM
  Description: Stopabit launcher
  Version: 1.0.9.0
  Exit code: not recorded
  Loaded images:
    c:\users\admin\appdata\local\programs\stopabit\stopabit.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\mscoree.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll

All three processes load the wow64*.dll set, i.e. they are 32-bit processes running on the 64-bit guest, and all run at MEDIUM integrity (no elevation; the install location is under the user's AppData, not Program Files). Stopabit.exe additionally loads mscoree.dll, the .NET runtime shim, which agrees with the dotNet=True field it later reports in its telemetry.
Registry activity summary
  Total events: 12 334
  Read events: 12 275
  Write events: 53
  Delete events: 6

Modification events (registry writes by PID 6288, stopabit.tmp)

  HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
    • Owner = 9018000092210E9C5BE8DA01
    • SessionHash = B0CE60567A35E5D5402E39D801AAE465C711ACE224B99223F5D1794477372EAE
    • Sequence = 1
    • RegFiles0000 = C:\Users\admin\AppData\Local\Programs\Stopabit\Stopabit.exe
    • RegFilesHash = 2BE36EA82B2653E1C1329BEC29F06CE030F176BD20A4FDB756CADB15B86C4B8A
  HKEY_CURRENT_USER\SOFTWARE\SlowJobber
    • version = 1.0.9.0
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FD04524F-249D-425E-81DF-1A30526751D1}_is1
    • Inno Setup: Setup Version = 6.2.1
    • Inno Setup: App Path = C:\Users\admin\AppData\Local\Programs\Stopabit
    • InstallLocation = C:\Users\admin\AppData\Local\Programs\Stopabit\
    • Inno Setup: Icon Group = Stopabit

The RestartManager\Session0000 values are written when the installer registers Stopabit.exe with the Windows Restart Manager; the Uninstall\{...}_is1 key is the standard Inno Setup uninstall entry (the "Creates a software uninstall entry" signature above). The vendor key name SlowJobber does not match the product name (Stopabit) or the company name (Globalhop) in the version resource. Only ten of the 53 write events are shown here; the autorun value written by Stopabit.exe (PID 6880) that triggered the MALICIOUS signature is not among them and must be read from the full report.
File activity summary
  Executable files: 20
  Suspicious files: 11
  Text files: 6
  Unknown types: 2

Dropped files (PID, process, path, type, hashes)

  • 6268 stopabit.exe: C:\Users\admin\AppData\Local\Temp\is-B9JC9.tmp\stopabit.tmp (executable)
      MD5: 115968165DEAF7D78BFE2FD013955198
      SHA256: E6B67DF4F83ADE3042E6BA7C6CC5DD64E5C4A06818013BE0B82A178A17F74823
  • 6288 stopabit.tmp: C:\Users\admin\AppData\Local\Temp\is-5BURH.tmp\consent.rtf (text)
      MD5: 3838FFE840CFC9809B548E857211BEDD
      SHA256: 8D6D3E06B0C4E02267D449CF6B8121C6E781AF8F943213309A58C25863B4756D
  • 6288 stopabit.tmp: C:\Users\admin\AppData\Local\Programs\Stopabit\is-8P9PA.tmp (executable)
      MD5: C52DA72F8D82116756F30B6FBD2B18C1
      SHA256: 25BC7911BFAB63D64FD722937260FE3240608277CF90FE5859DE041DB63674E4
  • 6288 stopabit.tmp: C:\Users\admin\AppData\Local\Temp\is-5BURH.tmp\_isetup\_setup64.tmp (executable)
      MD5: E4211D6D009757C078A9FAC7FF4F03D4
      SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
  • 6288 stopabit.tmp: C:\Users\admin\AppData\Local\Programs\Stopabit\unins000.exe (executable)
      MD5: 115968165DEAF7D78BFE2FD013955198
      SHA256: E6B67DF4F83ADE3042E6BA7C6CC5DD64E5C4A06818013BE0B82A178A17F74823
  • 6288 stopabit.tmp: C:\Users\admin\AppData\Local\Programs\Stopabit\is-K8839.tmp (executable)
      MD5: 115968165DEAF7D78BFE2FD013955198
      SHA256: E6B67DF4F83ADE3042E6BA7C6CC5DD64E5C4A06818013BE0B82A178A17F74823
  • 6288 stopabit.tmp: C:\Users\admin\AppData\Local\Programs\Stopabit\Modules\is-ONRJO.tmp (executable)
      MD5: EE6B93C13EC66A61FE85120E3932727E
      SHA256: 34F6FB8B54AD939F6833B9A915A56222925B2BCF1141C943558E2450DC4CAA71
  • 6288 stopabit.tmp: C:\Users\admin\AppData\Local\Programs\Stopabit\Stopabit.exe (executable)
      MD5: C52DA72F8D82116756F30B6FBD2B18C1
      SHA256: 25BC7911BFAB63D64FD722937260FE3240608277CF90FE5859DE041DB63674E4
  • 6288 stopabit.tmp: C:\Users\admin\AppData\Local\Programs\Stopabit\is-GJBL4.tmp (xml)
      MD5: 3E8F51C2B6FD8149C32819EADEC0CA72
      SHA256: 0E7ACBB755E5161D596D65BC357EC09EE0F82017D15F65504E4EEC47DAC927BD
  • 6288 stopabit.tmp: C:\Users\admin\AppData\Local\Programs\Stopabit\is-OFMEA.tmp (executable)
      MD5: 35CBDBE6987B9951D3467DDA2F318F3C
      SHA256: E4915F18FD6713EE84F27A06ED1F6F555CDBEBE1522792CF4B4961664550CF83

Only a subset of the dropped files is listed here (the summary counts 20 executables). Note the repeated hashes: the stage-one stopabit.tmp, is-K8839.tmp and unins000.exe are byte-identical, and is-8P9PA.tmp has the same hash as the final Stopabit.exe. The is-XXXXX.tmp names are Inno Setup's staging names, written first and then renamed to their final file names, so hash grouping is the reliable way to see which distinct binaries actually landed on disk.
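Two things in the table above are worth pulling out mechanically rather than by eye: which dropped paths hold identical bytes, and what the /SL5 argument passed to PID 6288 encodes. The Python below is an added example for this page; it is not ANY.RUN output and not Stopabit or Inno Setup code. The rows are copied from the dropped-files table. The assumed /SL5 field order (hex window handle, total installer size, byte offset of the embedded setup program, path of the original installer) follows Inno Setup's loader convention and is flagged as an assumption in the code; the report itself does not document the field meanings.

```python
"""Correlate the dropped-files table and parse the Inno Setup /SL5 argument.

Added example for this report page (not ANY.RUN output, not Stopabit code).
DROPPED rows are copied from the dropped-files table; SL5_CMDLINE is the
command line of PID 6288 from the process information section.
"""
from collections import defaultdict

DROPPED = [
    # (pid, process, path, type, sha256)
    (6268, "stopabit.exe", r"C:\Users\admin\AppData\Local\Temp\is-B9JC9.tmp\stopabit.tmp", "executable",
     "E6B67DF4F83ADE3042E6BA7C6CC5DD64E5C4A06818013BE0B82A178A17F74823"),
    (6288, "stopabit.tmp", r"C:\Users\admin\AppData\Local\Temp\is-5BURH.tmp\consent.rtf", "text",
     "8D6D3E06B0C4E02267D449CF6B8121C6E781AF8F943213309A58C25863B4756D"),
    (6288, "stopabit.tmp", r"C:\Users\admin\AppData\Local\Programs\Stopabit\is-8P9PA.tmp", "executable",
     "25BC7911BFAB63D64FD722937260FE3240608277CF90FE5859DE041DB63674E4"),
    (6288, "stopabit.tmp", r"C:\Users\admin\AppData\Local\Temp\is-5BURH.tmp\_isetup\_setup64.tmp", "executable",
     "388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95"),
    (6288, "stopabit.tmp", r"C:\Users\admin\AppData\Local\Programs\Stopabit\unins000.exe", "executable",
     "E6B67DF4F83ADE3042E6BA7C6CC5DD64E5C4A06818013BE0B82A178A17F74823"),
    (6288, "stopabit.tmp", r"C:\Users\admin\AppData\Local\Programs\Stopabit\is-K8839.tmp", "executable",
     "E6B67DF4F83ADE3042E6BA7C6CC5DD64E5C4A06818013BE0B82A178A17F74823"),
    (6288, "stopabit.tmp", r"C:\Users\admin\AppData\Local\Programs\Stopabit\Modules\is-ONRJO.tmp", "executable",
     "34F6FB8B54AD939F6833B9A915A56222925B2BCF1141C943558E2450DC4CAA71"),
    (6288, "stopabit.tmp", r"C:\Users\admin\AppData\Local\Programs\Stopabit\Stopabit.exe", "executable",
     "25BC7911BFAB63D64FD722937260FE3240608277CF90FE5859DE041DB63674E4"),
    (6288, "stopabit.tmp", r"C:\Users\admin\AppData\Local\Programs\Stopabit\is-GJBL4.tmp", "xml",
     "0E7ACBB755E5161D596D65BC357EC09EE0F82017D15F65504E4EEC47DAC927BD"),
    (6288, "stopabit.tmp", r"C:\Users\admin\AppData\Local\Programs\Stopabit\is-OFMEA.tmp", "executable",
     "E4915F18FD6713EE84F27A06ED1F6F555CDBEBE1522792CF4B4961664550CF83"),
]

SL5_CMDLINE = (r'"C:\Users\admin\AppData\Local\Temp\is-B9JC9.tmp\stopabit.tmp" '
               r'/SL5="$C0044,3291176,817152,C:\Users\admin\Desktop\stopabit.exe"')


def group_by_hash(rows=DROPPED) -> dict:
    """Map each SHA256 to every path written with that content. A hash seen
    under several paths means one binary staged or copied under several names."""
    groups = defaultdict(list)
    for _pid, _proc, path, _type, sha256 in rows:
        groups[sha256].append(path)
    return dict(groups)


def duplicate_sets(rows=DROPPED) -> list:
    """Only the multi-path groups, each as a sorted list of file names."""
    dups = [sorted(p.rsplit("\\", 1)[-1] for p in paths)
            for paths in group_by_hash(rows).values() if len(paths) > 1]
    return sorted(dups)


def parse_sl5(cmdline: str) -> dict:
    """Split the /SL5 argument into its fields.

    ASSUMPTION (Inno Setup loader convention, not stated in the report):
    $<hex window handle>,<total installer size>,<offset of embedded setup EXE>,<source path>.
    The source path may contain commas, so split on at most three of them."""
    marker = '/SL5="'
    start = cmdline.index(marker) + len(marker)
    end = cmdline.index('"', start)
    raw = cmdline[start:end]
    if not raw.startswith("$"):
        raise ValueError("unexpected /SL5 format: " + raw)
    handle, total, offset, source = raw[1:].split(",", 3)
    return {
        "window_handle": int(handle, 16),
        "total_size": int(total),
        "setup_offset": int(offset),
        "source_path": source,
    }


if __name__ == "__main__":
    for names in duplicate_sets():
        print("same bytes:", ", ".join(names))
    print(parse_sl5(SL5_CMDLINE))
```

On this sample the grouping reports two sets: Stopabit.exe with its staging copy is-8P9PA.tmp, and the stage-one stopabit.tmp with is-K8839.tmp and unins000.exe. The parsed offset, 817152, lies just past CodeSize + InitializedDataSize from the EXIF block (741888 + 74240 = 816128), which is consistent with payload appended after the loader's PE image; the total size field, 3291176, is the size of the original installer on disk.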
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Network activity summary
  HTTP(S) requests: 10
  TCP/UDP connections: 34
  DNS requests: 15
  Threats: 0

HTTP requests (PID and process where attributed, method, HTTP code, server IP:port, URL, certificate CN, response type/size, reputation)

  • PID 6880 Stopabit.exe: GET 200 from 104.18.38.233:80, CN unknown, whitelisted
      http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEEj8k7RgVZSNNqfJionWlBY%3D
  • PID 6880 Stopabit.exe: GET 200 from 172.64.149.23:80, CN unknown, whitelisted
      http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSdE3gf41WAic8Uh9lF92%2BIJqh5qwQUMuuSmv81lkgvKEBCcCA2kVwXheYCEDPXCKiRQFMZ4qW70zm5rW4%3D
  • (process not shown): GET 200 from 104.21.82.170:443, CN unknown, text, 2 b
      https://track.stopabit.com/v1/?c=381B2D6D-3DF2-41A2-8798-9AD14FB5F586&i=ad1f12af3f363c28b3512ce4355f42c2&e=preinstall&n=Stopabit&v=1.0.9.0
  • (process not shown): GET 200 from 172.67.159.214:443, CN unknown, binary, 20 b
      https://stats.stopabit.com/i?app_key=89531f58dcc968643c19188f5fc3b7250f3b2236&device_id=ad1f12af3f363c28b3512ce4355f42c2&events=%5B%7B%22key%22%3A%22PreInstall%22%2C%22count%22%3A1%2C%22segmentation%22%3A%7B%22version%22%3A%221.0.9.0%22%2C%22dotNet%22%3A%22True%22%7D%7D%5D
  • (process not shown): POST 200 from 172.67.159.214:443, CN unknown, binary, 20 b
      https://stats.stopabit.com/i?app_key=89531f58dcc968643c19188f5fc3b7250f3b2236&device_id=ad1f12af3f363c28b3512ce4355f42c2&sdk_version=21.11.2&begin_session=1&metrics=%7B%22_os%22%3A%22Windows%2010%20Enterprise%22%2C%22_os_version%22%3A%2210.0.19045%22%2C%22_resolution%22%3A%221280x720%22%2C%22_app_version%22%3A%221.0.9.0%22%2C%22_locale%22%3A%22en-US%22%7D&timestamp=1722988346530&sdk_name=csharp-net35&hour=23&dow=2&tz=0
  • PID 6880 Stopabit.exe: GET 200 from 172.64.149.23:80, CN unknown, whitelisted
      http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRd0JozUYXMqqW4y4zJTrLcMCRSkAQUgTKSQSsozUbIxKLGKjkS7EipPxQCEQC67%2BPv6JBMH8tNHthn3EeN
  • PID 6880 Stopabit.exe: GET 200 from 23.48.23.143:80, CN unknown, whitelisted
      http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
  • PID 6880 Stopabit.exe: GET 200 from 23.48.23.143:80, CN unknown, whitelisted
      http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl
  • (process not shown): GET 200 from 172.67.159.214:443, CN unknown, text, 2 b
      https://track.stopabit.com/v1/?c=381B2D6D-3DF2-41A2-8798-9AD14FB5F586&i=ad1f12af3f363c28b3512ce4355f42c2&e=install&n=Stopabit&v=1.0.9.0
  • (process not shown): GET 200 from 104.21.82.170:443, CN unknown, binary, 20 b
      https://stats.stopabit.com/i?app_key=89531f58dcc968643c19188f5fc3b7250f3b2236&device_id=ad1f12af3f363c28b3512ce4355f42c2&events=%5B%7B%22key%22%3A%22Install%22%2C%22count%22%3A1%2C%22segmentation%22%3A%7B%22version%22%3A%221.0.9.0%22%2C%22dotNet%22%3A%22True%22%7D%7D%5D

The five requests to ocsp.comodoca.com, ocsp.sectigo.com and crl.microsoft.com are certificate revocation checks (OCSP and CRL fetches) performed by Stopabit.exe; they are ordinary Authenticode verification traffic and are whitelisted. The five requests to track.stopabit.com and stats.stopabit.com are the application's own telemetry: each carries the same 32-hex device identifier (ad1f12af3f363c28b3512ce4355f42c2), the product version, and a preinstall/install event pair; the POST additionally reports OS name and build, screen resolution and locale in URL-encoded JSON.
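The stopabit.com requests above carry their payload as URL-encoded JSON in the query string, so what was actually disclosed is hard to read off the table. The Python below is an added example for this page, not ANY.RUN output and not Stopabit code; it decodes the five URLs copied verbatim from the table, offline, and aggregates the identifiers, host metrics and event funnel. The parameter layout (app_key, device_id, begin_session, metrics, events, sdk_name=csharp-net35) matches the request format of the Countly analytics SDK; that identification is the editor's, the report does not make it. One detail worth noticing once decoded: the reported _os field reads "Windows 10 Enterprise", while the sandbox header for this task states Windows 10 Professional, build 19045.

```python
"""Decode the analytics beacons from the HTTP requests table above.

Added example for this report page (not ANY.RUN output, not Stopabit code).
BEACONS are copied verbatim from the table. Identifying the parameter layout
as the Countly SDK request format is an assessment made here, not a statement
from the report.
"""
import json
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

BEACONS = [
    "https://track.stopabit.com/v1/?c=381B2D6D-3DF2-41A2-8798-9AD14FB5F586&i=ad1f12af3f363c28b3512ce4355f42c2&e=preinstall&n=Stopabit&v=1.0.9.0",
    "https://stats.stopabit.com/i?app_key=89531f58dcc968643c19188f5fc3b7250f3b2236&device_id=ad1f12af3f363c28b3512ce4355f42c2&events=%5B%7B%22key%22%3A%22PreInstall%22%2C%22count%22%3A1%2C%22segmentation%22%3A%7B%22version%22%3A%221.0.9.0%22%2C%22dotNet%22%3A%22True%22%7D%7D%5D",
    "https://stats.stopabit.com/i?app_key=89531f58dcc968643c19188f5fc3b7250f3b2236&device_id=ad1f12af3f363c28b3512ce4355f42c2&sdk_version=21.11.2&begin_session=1&metrics=%7B%22_os%22%3A%22Windows%2010%20Enterprise%22%2C%22_os_version%22%3A%2210.0.19045%22%2C%22_resolution%22%3A%221280x720%22%2C%22_app_version%22%3A%221.0.9.0%22%2C%22_locale%22%3A%22en-US%22%7D&timestamp=1722988346530&sdk_name=csharp-net35&hour=23&dow=2&tz=0",
    "https://track.stopabit.com/v1/?c=381B2D6D-3DF2-41A2-8798-9AD14FB5F586&i=ad1f12af3f363c28b3512ce4355f42c2&e=install&n=Stopabit&v=1.0.9.0",
    "https://stats.stopabit.com/i?app_key=89531f58dcc968643c19188f5fc3b7250f3b2236&device_id=ad1f12af3f363c28b3512ce4355f42c2&events=%5B%7B%22key%22%3A%22Install%22%2C%22count%22%3A1%2C%22segmentation%22%3A%7B%22version%22%3A%221.0.9.0%22%2C%22dotNet%22%3A%22True%22%7D%7D%5D",
]

# Query parameters whose values are URL-encoded JSON documents.
JSON_PARAMS = {"metrics", "events"}


def decode_beacon(url: str) -> dict:
    """Flatten one beacon into a dict: host, path and every query parameter,
    with the JSON-valued parameters parsed into Python objects."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    out = {"host": parts.hostname, "path": parts.path}
    for key, values in params.items():
        out[key] = json.loads(values[0]) if key in JSON_PARAMS else values[0]
    return out


def summarize(urls=BEACONS) -> dict:
    """Aggregate what the beacons disclose, keyed the way an analyst pivots on them."""
    decoded = [decode_beacon(u) for u in urls]
    # stats.* names the identifier device_id; track.* sends the same value as "i".
    ids = {d["device_id"] for d in decoded if "device_id" in d}
    ids |= {d["i"] for d in decoded if "i" in d}
    session = next((d for d in decoded if "begin_session" in d), {})
    ts_ms = int(session.get("timestamp", "0"))  # 13-digit value: milliseconds since the epoch
    return {
        "device_ids": sorted(ids),
        "app_keys": sorted({d["app_key"] for d in decoded if "app_key" in d}),
        "track_events": [d["e"] for d in decoded if "e" in d],
        "stats_events": [ev["key"] for d in decoded for ev in d.get("events", [])],
        "metrics": session.get("metrics", {}),
        "sdk": f'{session.get("sdk_name", "?")} {session.get("sdk_version", "?")}',
        "session_start_utc": datetime.fromtimestamp(ts_ms // 1000, tz=timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(), indent=2))
```

The decoded session timestamp, 2024-08-06T23:52:26Z, falls within a minute of the analysis start time in the header (23:51:40), and the hour=23 and dow=2 (Tuesday) fields agree with it, so the beacon was sent live during the run rather than replayed from a cached queue.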

Connections (PID, process, remote IP:port, domain, ASN, country, reputation)

  • PID 3888 svchost.exe → 239.255.255.250:1900, whitelisted
  • PID 4 System → 192.168.100.255:138, whitelisted
  • PID 2768 RUXIMICS.exe → 4.231.128.59:443, MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted
  • PID 2120 MoUsoCoreWorker.exe → 4.231.128.59:443, MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted
  • PID 4064 svchost.exe → 4.231.128.59:443, MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted
  • PID 6288 stopabit.tmp → 104.21.82.170:443, stats.stopabit.com, CLOUDFLARENET, unknown
  • PID 4 System → 192.168.100.255:137, whitelisted
  • PID 4064 svchost.exe → 51.104.136.2:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted
  • PID 2120 MoUsoCoreWorker.exe → 51.104.136.2:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted
  • PID 6288 stopabit.tmp → 172.67.159.214:443, stats.stopabit.com, CLOUDFLARENET, US, unknown

Only the two stopabit.tmp connections to stats.stopabit.com (both Cloudflare-fronted addresses) belong to the sample's process tree. The rest is background traffic from the guest: SSDP discovery (239.255.255.250:1900), NetBIOS name and datagram broadcasts (ports 137 and 138), and Windows Update and settings traffic to Microsoft. Ten of the 34 connections are shown here.

DNS requests (domain, resolved IPs, reputation)
google.com
  • 142.250.186.46
whitelisted
stats.stopabit.com
  • 104.21.82.170
  • 172.67.159.214
unknown
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
track.stopabit.com
  • 172.67.159.214
  • 104.21.82.170
unknown
ocsp.comodoca.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
ocsp.sectigo.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
quickmapping.eu
  • 188.40.60.220
  • 136.243.37.39
  • 46.4.69.35
  • 188.40.23.175
  • 46.4.105.181
  • 136.243.37.116
  • 148.251.184.159
  • 116.202.83.221
  • 78.46.65.190
  • 46.4.68.57
  • 136.243.130.37
  • 188.40.23.174
  • 144.76.83.59
  • 88.99.115.32
  • 148.251.184.167
  • 116.202.83.222
unknown
quickspongsible.com
  • 138.201.83.67
  • 88.198.62.169
  • 116.202.237.235
  • 88.198.64.137
  • 188.40.63.34
  • 46.4.79.62
  • 157.90.208.43
  • 213.133.98.140
  • 88.99.242.212
  • 188.40.126.181
  • 116.202.232.105
  • 88.99.115.184
  • 188.40.64.154
  • 178.63.14.102
  • 159.69.138.94
  • 195.201.84.182
unknown
trippinglyfast.com
  • 46.4.68.57
  • 136.243.130.96
  • 116.202.83.220
  • 188.40.23.176
  • 144.76.226.156
  • 46.4.88.126
  • 188.40.64.49
  • 188.40.23.174
  • 78.46.65.190
  • 144.76.83.59
  • 188.40.23.172
  • 46.4.88.118
  • 188.40.23.175
  • 116.202.83.219
  • 46.4.69.35
  • 46.4.89.122
  • 176.9.20.82
  • 148.251.184.150
  • 188.40.60.220
  • 46.4.68.50
  • 116.202.83.221
  • 144.76.137.185
  • 88.99.115.32
  • 46.4.68.51
  • 46.4.105.181
  • 188.40.23.171
  • 148.251.184.143
  • 148.251.184.167
  • 116.202.83.222
  • 136.243.130.37
  • 148.251.184.186
  • 148.251.184.159
unknown

Threats

No threats detected.

Debug info

None.