Malware Analysis Report

2024-10-19 08:22

Sample ID 240613-v36t6s1emn
Target Lossless.Scaling.2.9.rar
SHA256 2d12142fd2f399a53ebcc2355d73589e05e92307151a1da00055637902e45245
Tags: none listed
Score: 3/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 through behavioral32, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files. Page order: behavioral18, 22, 26, 30, 31, 11, 16, 19, 3, 7, 29, 5, 25, 2, 6, 20, 32, 1, 13, 23, 24, 9, 12, 17, 21, 27, 14, 15, 10, 28, 4, 8.

Analysis Overview

score
3/10

SHA256

2d12142fd2f399a53ebcc2355d73589e05e92307151a1da00055637902e45245

Threat Level: Likely benign

The file Lossless.Scaling.2.9.rar was found to be: Likely benign.

How to read the signatures below. The sandbox detonated each extracted archive member on its own, so the summary is the union of everything those runs produced, most of it caused by the sandbox launch rather than by the sample. The compiled-shader (.cso) members have no registered handler, so "cmd /c" on them opened the Windows "Open With" flow (OpenWith.exe on the win10 images, rundll32.exe shell32.dll,OpenAs_RunDLL on the win7 images); the "Modifies registry class" rows are that dialog writing a .cso / cso_auto_file association under HKCU Classes, and on win7 pointing it at the image's Adobe Reader, with rundll32.exe or OpenWith.exe as the writing process, never the sample. In behavioral7, LosslessScaling.exe launches iexplore.exe at go.microsoft.com/fwlink with sbp=AppLaunch and o1=.NETFramework,Version=v4.8: that is the .NET Framework startup shim sending the user to the runtime download because the required runtime was not present in the win7 VM, and the "Modifies Internet Explorer settings" rows are Internet Explorer's own first-run state. Recorded network activity is limited to bing.com and ieonline.microsoft.com connections from those Windows components plus the sandbox's reverse-DNS (in-addr.arpa) lookups; none of the runs shown records a connection initiated by the sample itself.

Malicious Activity Summary


Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: AddClipboardFormatListener

Modifies Control Panel

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings
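The summary above merges signatures from every detonated archive member, so a practitioner's first job is to separate sandbox-induced rows from anything the sample did. The following Python filter is an added example, not part of this report or of the sandbox vendor's tooling: it parses rows shaped like this report's registry, network and process entries and labels each as Open With dialog activity, the .NET runtime-missing redirect, reverse-DNS or OS telemetry noise, or sample-originated. The rows embedded in the block are constructed to mirror the report; the Run-key row is hypothetical and exists only to exercise the "sample" branch. The noise-domain set, the Open With host set and the executable-extension list are assumptions tuned to these win7/win10 runs.

```python
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Taken from the report. Everything else in this header block is an assumption.
SAMPLE_DIR = r"C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9"
# Hosts the sandbox OS contacts by itself once a shell dialog or Internet Explorer opens.
OS_NOISE_DOMAINS = {"g.bing.com", "www.bing.com", "ieonline.microsoft.com"}
# Windows helpers that host the "Open With" flow; their *_Classes writes are the dialog's.
OPENWITH_HOSTS = {r"c:\windows\system32\openwith.exe", r"c:\windows\system32\rundll32.exe"}
# Extensions that actually execute when handed to cmd /c (trim to taste).
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".msi")
ROW_RE = re.compile(r"^(Key created|Key deleted|Set value \(\w+\)) (.*) N/A$")


def parse_registry_row(row: str) -> tuple[str, str, str]:
    """Split '<op> <key>[ = value] <process> N/A' into (op, key_and_value, process).
    Paths embedded in values are quoted in the report, so the last ' C:\\' preceded by a
    space is the process column."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised registry row: {row!r}")
    op, rest = m.groups()
    key, sep, proc_tail = rest.rpartition(" C:\\")
    if not sep:
        raise ValueError(f"no process column in: {row!r}")
    return op, key, "C:\\" + proc_tail


def classify_registry(row: str) -> str:
    _, key, process = parse_registry_row(row)
    proc, key_l = process.lower(), key.lower()
    if proc.startswith(SAMPLE_DIR.lower()):
        return "sample"                  # the extracted program itself wrote the key
    if key_l.endswith("_classes\\local settings"):
        return "shell-housekeeping"      # per-user shell cache; every GUI process touches it
    if proc in OPENWITH_HOSTS and "_classes\\" in key_l:
        return "openwith-dialog"         # .cso / cso_auto_file association picked in the dialog
    if proc.endswith("\\iexplore.exe") and "\\internet explorer\\" in key_l:
        return "browser-housekeeping"    # IE first-run state, not persistence by the sample
    return "review"


def classify_network(row: str) -> str:
    """Row shape: '<country> <ip:port> [<domain>] <proto>'."""
    parts = row.split()
    domain = parts[2] if len(parts) == 4 else ""
    if domain.endswith(".in-addr.arpa"):
        return "reverse-dns"             # PTR lookups the sandbox performs for IPs it saw
    if domain in OS_NOISE_DOMAINS:
        return "os-noise"
    return "review"                      # unresolved or unknown destination: keep for an analyst


def dotnet_shim_target(cmdline: str) -> str | None:
    """Return the runtime named in the CLR startup shim's 'install .NET' browser launch,
    or None when the command line is not that redirect."""
    url = re.search(r"https?://\S+", cmdline)
    if not url:
        return None
    u = urlparse(url.group(0))
    q = parse_qs(u.query)
    if u.netloc == "go.microsoft.com" and q.get("sbp") == ["AppLaunch"]:
        return q.get("o1", [""])[0]
    return None


def classify_process(cmdline: str) -> str:
    low = cmdline.lower()
    if dotnet_shim_target(cmdline):
        return "dotnet-missing-redirect"  # required .NET runtime is absent in the VM
    if "openas_rundll" in low or low.startswith(r"c:\windows\system32\openwith.exe"):
        return "openwith-dialog"
    if low.startswith('cmd /c "') and low.endswith('"') and not low[8:-1].endswith(EXEC_EXT):
        return "data-file-detonation"    # sandbox handed a non-executable member to the shell
    if low.lstrip('"').startswith(SAMPLE_DIR.lower()):
        return "sample"
    return "review"


def triage(registry_rows, network_rows, process_rows) -> dict[str, int]:
    """Count rows per label; 'sample' and 'review' are the ones worth an analyst's time."""
    labels = ([classify_registry(r) for r in registry_rows]
              + [classify_network(r) for r in network_rows]
              + [classify_process(r) for r in process_rows])
    return dict(Counter(labels))


# Constructed rows mirroring the report's tables; the Run-key row is hypothetical.
REGISTRY_ROWS = [
    r"Key created \REGISTRY\USER\S-1-5-21-1-1-1-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1-1-1-1000_CLASSES\.cso\ = "cso_auto_file" C:\Windows\system32\rundll32.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1-1-1-1000_CLASSES\cso_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1-1-1-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A',
    r"Key created \REGISTRY\USER\S-1-5-21-1-1-1-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\LosslessScaling.exe N/A",
]
NETWORK_ROWS = [
    "US 8.8.8.8:53 g.bing.com udp",
    "US 204.79.197.237:443 g.bing.com tcp",
    "US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp",
    "US 204.79.197.200:443 ieonline.microsoft.com tcp",
    "US 8.8.8.8:53 udp",   # domain column empty, as in behavioral26
]
PROCESS_ROWS = [
    r'cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_7.cso"',
    r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_7.cso',
    r"C:\Windows\system32\OpenWith.exe -Embedding",
    r'"C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\LosslessScaling.exe"',
    r'"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=LosslessScaling.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0',
]

if __name__ == "__main__":
    for label, n in sorted(triage(REGISTRY_ROWS, NETWORK_ROWS, PROCESS_ROWS).items()):
        print(f"{label:26} {n}")
```

Run it as a script to see the per-label counts; feed it the real rows by pasting them into the three lists. The process column is recovered from the right-hand side of each registry row because values that embed a path are quoted in this report, which is what keeps the AcroRd32.exe command string in the value from being mistaken for the writing process.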

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 17:31

Signatures

Unsigned PE

Description Indicator Process Target
(16 rows recorded, all columns N/A: the report counts the hits but gives no per-file detail)

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_4.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_4.cso"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

150s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_2.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_2.cso"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 179.77.117.104.in-addr.arpa udp
BE 2.17.107.128:443 www.bing.com tcp
US 8.8.8.8:53 128.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_4.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_4.cso"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.128:443 www.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 128.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_6.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_6.cso"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win7-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_7.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\cso_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\cso_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.cso C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.cso\ = "cso_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\cso_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\cso_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\cso_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\cso_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_7.cso"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_7.cso

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_7.cso"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 513ba517638ff848a496749659c69607
SHA1 01a5523f6b4e233de6bf98a32c708ef91a5964ef
SHA256 07648e353501604cc3a54f7ebe0a7ee30ed7cbd1a577524d3055cfe6039331f6
SHA512 919a67e81d2f7a2831da5502dc8bfd092a3df15419086eaeccaa99cceb5d1d8c4e5a81b9e597f8577f4a4a80e108a5373eff982d5cbe16cc926ea18e35eb76b3

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win7-20231129-en

Max time kernel

119s

Max time network

120s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_1.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.cso C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.cso\ = "cso_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\cso_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\cso_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\cso_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\cso_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\cso_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\cso_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_1.cso"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_1.cso

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_1.cso"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 fb78abb668a30f0cd177a6643f2b03e8
SHA1 4c49576d65eb4805c6758a3ca157c97d7381a15e
SHA256 3b858f842959b62d42cb2f86993454b2a269b186fb67dbe399c9f1ef68562e39
SHA512 4c168f5183d8ba1b16a7b70154e49ec47c705af1cadddfb29d0f0d99fe04a11ac06e0ac0357707a5bdeca79d117d445ec44dcd177a39edb3f49f42627416574a

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

96s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_3.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_3.cso"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.107.128:443 www.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 128.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 179.77.117.104.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_1.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\cso_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\cso_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.cso\ = "cso_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\cso_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\cso_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\cso_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.cso C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\cso_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_1.cso"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_1.cso

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_1.cso"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 7355a152f9c3b38415696bcba88f0f33
SHA1 1b9af746be7ad09dd998a63dabab2e4c4193aa1d
SHA256 0e826566981f37a227fa94e2d62d547f6b6aa4b7d0e8202261331ee0015f75f3
SHA512 82a5862c7d2545b12c3702a58b4685124822e697483f698076ddb7350c0e9a1c4ccc4f5a4632df0e9dbdc3161ef1e2885796abb7f9fe9a63ef4965978e047cc4

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Licenses.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Licenses.txt"

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win7-20240611-en

Max time kernel

117s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\LosslessScaling.exe"

Signatures

Modifies Internet Explorer settings

Tags: adware, spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000d05367b1ccd5814fafd0b380b713d30e033da3bd5630e4b2fd1fbfc089cbcd16000000000e80000000020000200000004c6d280bbadbe2e8e2db0c315bcd0f8146d32fad901a11e18cf9786138ff123420000000acff10b201d5df3574eec43ce99ee7956d74869c2e71d703fcd40613a647e47040000000443f936374c53b896006a92b5c89420cff1f6e82d437dd4952d73c992b244af3af8ed2985529762c4e89f7de690db40e65d7c378b26b06a4f633ba5aa6f3f9f6 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0660ec9b7bdda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424461833" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F0F69631-29AA-11EF-A8D3-D2DB9F9EC2A6} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\LosslessScaling.exe

"C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\LosslessScaling.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=LosslessScaling.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2128 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab76D7.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar7738.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 07f4633cd0cf32f3d101ce41c07e39a4
SHA1 2e2d8fba0ca9b468f7b0183a80ab73168c35ddf0
SHA256 ec080038200da5beeefa2a5891dae4161e8f58998d1b58ce5368eaab95a4305e
SHA512 55ef972d27484ffc6f26e6b15f0c5ba7997242cec32eafd42c305691756f999219b9d09ee80c058a97bc5e334a5be3c7f4c6557375f2ae7b47c114fb27d7dd92

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win7-20240508-en

Max time kernel

117s

Max time network

118s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_6.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.cso\ = "cso_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\cso_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\cso_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\cso_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\cso_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.cso C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\cso_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\cso_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_6.cso"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_6.cso

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_6.cso"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 6c2341f3a44b78743ac334dfb2040d68
SHA1 e21df5c460a087f1be730d03a547674cc53c6743
SHA256 301578d9f40bbc38ba61f8ca1fee36f1576880516cda269b1310fe37e39f9516
SHA512 f75fba19bffa05c6daeed32754deb606e0c26800b14950ae7cbcf783d49d70367477696403dadb6e1021c1b06af7c202ec1169cf63cab5f3c30a927bc9e25d6a

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Lossless.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Lossless.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win7-20240611-en

Max time kernel

122s

Max time network

123s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_4.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\cso_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\cso_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\cso_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\cso_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\cso_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\cso_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.cso C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.cso\ = "cso_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_4.cso"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_4.cso

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_4.cso"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 3e7abdb68aa2a24ffc95b33f88ad7810
SHA1 46755e90c851f28007fbeba55662e7abfc5d192a
SHA256 be7995af504e7262891bd3f66f6509ef93980d00cab3a47e0c46e620fd3f7584
SHA512 69c57a8e0447d4fac7584135a5a63ccf5cfc729d2eacee67d7c365e0a958209d7f20eef66200374d580cdec923470ff725bb8c5a7c7d7116096533461d61201e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Lossless.Scaling.2.9.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Lossless.Scaling.2.9.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win10v2004-20240611-en

Max time kernel

91s

Max time network

95s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Lossless.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Lossless.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.202:443 www.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 187.77.117.104.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 202.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_1.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_1.cso"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.203:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 203.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 187.77.117.104.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_7.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_7.cso"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win7-20231129-en

Max time kernel

147s

Max time network

119s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Lossless.Scaling.2.9.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1960 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1960 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1960 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2116 wrote to memory of 2864 N/A C:\Windows\system32\rundll32.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2116 wrote to memory of 2864 N/A C:\Windows\system32\rundll32.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2116 wrote to memory of 2864 N/A C:\Windows\system32\rundll32.exe C:\Program Files\VideoLAN\VLC\vlc.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Lossless.Scaling.2.9.rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Lossless.Scaling.2.9.rar

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Lossless.Scaling.2.9.rar"

Network

N/A

Files


Analysis: behavioral13

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_2.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\cso_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\cso_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\cso_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\cso_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\cso_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\cso_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.cso C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.cso\ = "cso_auto_file" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_2.cso"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_2.cso

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_2.cso"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 ad394c74889f9c0d27dafb950625bf1b
SHA1 96e7741f4677b443306865d40ef777f66a24cd43
SHA256 ef5f49dded15e44f4633d53f9d3a74a03619bc1e44547a95b996a10b60c1282d
SHA512 8914968a6ff8285fc0387bf34b0fc381a6ab2bdb835920647a03df08f301bbe16a1ec7fae615991e760acaa2136e1ffd4df667d4eef29262068cebd9554ce3b2

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_3.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\cso_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\cso_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\cso_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\cso_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\cso_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.cso C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.cso\ = "cso_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\cso_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_3.cso"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_3.cso

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_3.cso"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 c2cf1647480c3b097f4c953b46800824
SHA1 0567da39a2c9400b1349bab84a90d11a0e015bcc
SHA256 a8ba5be321175ecca1a9f92744614a1ce2e294b4f9dbff3c3d17d9564af2eba6
SHA512 2a6a721544342e4be797ac8cda01141f0fc5a01e185e58ce600189a1757e59dce6266b1dddea5bd7fa21227ac8d98954a9fe713018eb383d8f6a42899e2ef049

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win10v2004-20240611-en

Max time kernel

94s

Max time network

96s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_3.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_3.cso"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.128:443 www.bing.com tcp
US 8.8.8.8:53 128.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 187.77.117.104.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\LosslessScaling.exe.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a077d2beb7bdda01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000a15bfd2372f534623aeda7625ddb3989f26ce53302a49013671680e7b7c7f3af000000000e800000000200002000000091b2b8369c3c1381358bb3041fd5fe00465a614c82b5ec695eafd33636530376200000000af95e545ba5907dec0f80bd2f0b3ac8780b90d58ca472a82fbb70b56ebc23dc400000007e82da1e2806c6253a2e87ebbeb6ef122cb0793687ebac5f7a7b3d94261202289c2092ff0e01ab82f002a43755a57f929160b383fe031da040e2c5c7dcb832c5 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424461842" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EA5D5111-29AA-11EF-8B04-EAF6CDD7B231} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 2888 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2364 wrote to memory of 2888 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2364 wrote to memory of 2888 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2364 wrote to memory of 2888 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2888 wrote to memory of 2064 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2888 wrote to memory of 2064 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2888 wrote to memory of 2064 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2888 wrote to memory of 2064 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2064 wrote to memory of 1620 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2064 wrote to memory of 1620 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2064 wrote to memory of 1620 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2064 wrote to memory of 1620 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\LosslessScaling.exe.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2064 CREDAT:275457 /prefetch:2

Network

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_1.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_1.cso"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_4.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.cso C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cso_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cso_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cso_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cso_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cso_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.cso\ = "cso_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cso_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_4.cso"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_4.cso

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_4.cso"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 2cee55363463e60e6721292894967fbf
SHA1 52cfe0a0d1ae8f361fa1f265adb14a7b2b50462e
SHA256 775a7934de1d4c51aca5e09fccf2946fcfde9add936e7148134162e22cbff6e8
SHA512 c5a9d565ca135b18d5482d2b90cf4d443899fee01bdf95bef17313d9e1a06bcdaf59de03a9d1ed16aac8d188e8b06dae06fc4007b0b7c187eb994e7108d4ff5f

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win7-20240611-en

Max time kernel

119s

Max time network

124s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_2.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\cso_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\cso_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\cso_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\cso_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.cso\ = "cso_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.cso C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\cso_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\cso_auto_file C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_2.cso"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_2.cso

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_2.cso"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 c00994341d1a68c563cc71ba5d0d5ab2
SHA1 dc9b1a447d95661a83d7992729451962a3353564
SHA256 e8ae91371208de6f5235b7ea4fa658d7cd6f6402b09feed27bbe27c70448e002
SHA512 9c4b11422eb94408b66638adf853ee1b7e9da0e6ff84372a4d8005e8b0b2ba3be2b9a6357c45bdd56e332853333dde5728f791c5a71630edd539fea133847ae5

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_5.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.cso C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\cso_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\cso_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\cso_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\cso_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.cso\ = "cso_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\cso_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\cso_auto_file\shell C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_5.cso"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_5.cso

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_5.cso"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 d70e00e3605103b85b9c98c4ea12188a
SHA1 f8056bf967a0fd3c5958aba0b03099af600b2610
SHA256 332ef1f2ad6435d2403e87f1cdde99c679e62bb5fc8d819734bd2005c9de8b75
SHA512 d2d9f1f1168a9c676b639814b6e71c8c5a9d0c4c9bc0b6649a4a9ecbaa45cd6b07575d4a98b1f555a7518d1ba8afd9bbcd8e9827fbc5e022e9feb5e5522c4f89

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win10v2004-20240611-en

Max time kernel

131s

Max time network

133s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_2.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_2.cso"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4288,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=3856 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 179.77.117.104.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_3.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\cso_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\cso_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\cso_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.cso\ = "cso_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\cso_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\cso_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\cso_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.cso C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_3.cso"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_3.cso

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_L_3.cso"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 3106c3289cc700c03eefaa83b3fc34d7
SHA1 ddf4bee69dfd50e76036723be9deb2cb27d13cfb
SHA256 b4ca3b99080b11b69b432a6a3e70ea2e84235a901b66e103aa074a787b762a41
SHA512 4b2a13f8ee1ddd322a7169e207e9bba17df8b6f30757a733c2a30e6f4071c3793f100b51a9cab0ecaea0c84bfc7306db66aa9e337744fcb4a1745b80a8c92469

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\LosslessScaling.exe.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\LosslessScaling.exe.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.123:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 123.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

memory/1504-0-0x00007FFD9A5B0000-0x00007FFD9A5C0000-memory.dmp

memory/1504-1-0x00007FFDDA5CD000-0x00007FFDDA5CE000-memory.dmp

memory/1504-2-0x00007FFDDA530000-0x00007FFDDA725000-memory.dmp

memory/1504-3-0x00007FFDDA530000-0x00007FFDDA725000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_5.cso"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Shaders\ANIME4K_M_5.cso"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Licenses.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\Licenses.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-13 17:31

Reported

2024-06-13 17:35

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\LosslessScaling.exe"

Signatures

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Colors C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\LosslessScaling.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\LosslessScaling.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\LosslessScaling.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\LosslessScaling.exe

"C:\Users\Admin\AppData\Local\Temp\Lossless Scaling 2.9\LosslessScaling.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/848-0-0x00007FFF03E43000-0x00007FFF03E45000-memory.dmp

memory/848-1-0x000001B5E2900000-0x000001B5E29F6000-memory.dmp

memory/848-2-0x000001B5FE6F0000-0x000001B5FE7D6000-memory.dmp

memory/848-5-0x000001B5FCE50000-0x000001B5FCE5A000-memory.dmp

memory/848-6-0x00007FFF03E40000-0x00007FFF04901000-memory.dmp

memory/848-4-0x000001B5FCE30000-0x000001B5FCE38000-memory.dmp

memory/848-3-0x000001B5FE7D0000-0x000001B5FE7F6000-memory.dmp

memory/848-7-0x00007FFF03E40000-0x00007FFF04901000-memory.dmp

memory/848-9-0x000001B5FEDC0000-0x000001B5FEE72000-memory.dmp

memory/848-10-0x00007FFF03E40000-0x00007FFF04901000-memory.dmp

memory/848-11-0x000001B5FEF30000-0x000001B5FEFEA000-memory.dmp

memory/848-12-0x000001B5FEEB0000-0x000001B5FEEE8000-memory.dmp

memory/848-13-0x000001B5FF5F0000-0x000001B5FF5F8000-memory.dmp

memory/848-14-0x00007FFF03E40000-0x00007FFF04901000-memory.dmp

memory/848-16-0x000001B5FF600000-0x000001B5FF60E000-memory.dmp

C:\Users\Admin\AppData\Local\Lossless Scaling\Settings.xml

MD5 9722d4173cdb869a507c57629b6aecdd
SHA1 e816426039ca9a684a60b8923780550c19c85ccd
SHA256 5d1b53f734db6ae2c37c6dbbeefa03c6745dd033c7b55ffeeb03a11aae6bc8c2
SHA512 488e3a82ffba4f8d4e5eca9c3d81302e075bfc2c2319fe9c1d3c1d6025c2b0ddc752dd53d06a6cebab1fc0720a0e11068b2295d683069db6a33aadb06e3438d7

memory/848-30-0x00007FFF03E43000-0x00007FFF03E45000-memory.dmp

memory/848-31-0x00007FFF03E40000-0x00007FFF04901000-memory.dmp