File name: lossless scaling.rar

Full analysis: https://app.any.run/tasks/57b49d83-b755-4103-bbf5-0b489cd20f3e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 17, 2025, 16:11:18
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
reflection
loader
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: D9CA57B897CA200A0C06CCD101A1DDB2
SHA1: 81FF05A7D05A7456A7DFEAB579BA301902615EC9
SHA256: 267C9614820FDEBB4E1C85553D991301E6BAC5F3BEE1DB426D5476E3715BD316
SSDEEP: 98304:KUtaPPfEq6ZFp2WpDpApLw+i85lOGnnONTV/qem7WcICcZPygN0O0OQdBbV1uLB9:26Z/D

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6496)
    • Changes powershell execution policy (Bypass)

      • Lossless Scaling.exe (PID: 6776)
      • Lossless Scaling.exe (PID: 6984)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6464)
      • powershell.exe (PID: 7032)
    • Uses Task Scheduler to run other applications

      • powershell.exe (PID: 6464)
      • powershell.exe (PID: 7032)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Lossless Scaling.exe (PID: 6444)
    • Reads security settings of Internet Explorer

      • Lossless Scaling.exe (PID: 6444)
      • Lossless Scaling.exe (PID: 6776)
    • Application launched itself

      • Lossless Scaling.exe (PID: 6444)
      • Lossless Scaling.exe (PID: 4556)
    • The process executes Powershell scripts

      • Lossless Scaling.exe (PID: 6776)
      • Lossless Scaling.exe (PID: 6984)
    • The process bypasses the loading of PowerShell profile settings

      • Lossless Scaling.exe (PID: 6776)
      • Lossless Scaling.exe (PID: 6984)
    • Likely accesses (executes) a file from the Public directory

      • powershell.exe (PID: 6464)
      • schtasks.exe (PID: 4876)
      • powershell.exe (PID: 7032)
      • schtasks.exe (PID: 6636)
    • Starts POWERSHELL.EXE for commands execution

      • Lossless Scaling.exe (PID: 6776)
      • Lossless Scaling.exe (PID: 6984)
    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 6464)
    • Gets path to any of the special folders (POWERSHELL)

      • powershell.exe (PID: 6464)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6496)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 6496)
      • Lossless Scaling.exe (PID: 6444)
    • Manual execution by a user

      • Lossless Scaling.exe (PID: 6444)
      • regedit.exe (PID: 6748)
      • regedit.exe (PID: 2548)
      • Lossless Scaling.exe (PID: 4556)
    • Checks supported languages

      • LosslessScaling.exe (PID: 5320)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6464)
    • Reads the computer name

      • LosslessScaling.exe (PID: 5320)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6464)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 700
UncompressedSize: 1248
OperatingSystem: Win32
ArchivedFileName: lossless scaling/language/diagerr.xml
No data.
All screenshots are available in the full report
Total processes: 146
Monitored processes: 16
Malicious processes: 3
Suspicious processes: 2

Behavior graph

  • start
  • winrar.exe
  • rundll32.exe (no specs)
  • lossless scaling.exe
  • lossless scaling.exe
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • losslessscaling.exe (no specs)
  • schtasks.exe (no specs)
  • regedit.exe (no specs)
  • regedit.exe
  • lossless scaling.exe (no specs)
  • lossless scaling.exe
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • losslessscaling.exe (no specs)
  • schtasks.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2548
CMD: "regedit.exe" "C:\Users\admin\Desktop\lossless scaling\Registration ('Crack')\Double-click, confirm to merge, done.reg"
Path: C:\Windows\regedit.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
PID: 4188
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 4556
CMD: "C:\Users\admin\Desktop\lossless scaling\Lossless Scaling.exe"
Path: C:\Users\admin\Desktop\lossless scaling\Lossless Scaling.exe
Parent process: explorer.exe
User:
admin
Company:
Lossless Scaling
Integrity Level:
MEDIUM
Description:
Lossless Scaling
Exit code:
0
Version:
1.2.3.3
Modules
Images
c:\users\admin\desktop\lossless scaling\lossless scaling.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
PID: 4876
CMD: "C:\WINDOWS\system32\schtasks.exe" /create /tn administartor /sc minute /mo 2 /tr C:\Users\Public\IObitUnlocker\Loader.vbs /rl HIGHEST
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 5320
CMD: "C:\Users\admin\Desktop\lossless scaling\language\uk-UA\LosslessScaling.exe"
Path: C:\Users\admin\Desktop\lossless scaling\language\uk-UA\LosslessScaling.exe
Parent process: Lossless Scaling.exe
User:
admin
Company:
THS
Integrity Level:
HIGH
Description:
Lossless Scaling
Exit code:
0
Version:
2.12.0.0
Modules
Images
c:\users\admin\desktop\lossless scaling\language\uk-ua\losslessscaling.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 6252
CMD: "C:\Users\admin\Desktop\lossless scaling\language\uk-UA\LosslessScaling.exe"
Path: C:\Users\admin\Desktop\lossless scaling\language\uk-UA\LosslessScaling.exe
Parent process: Lossless Scaling.exe
User:
admin
Company:
THS
Integrity Level:
HIGH
Description:
Lossless Scaling
Version:
2.12.0.0
Modules
Images
c:\users\admin\desktop\lossless scaling\language\uk-ua\losslessscaling.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 6444
CMD: "C:\Users\admin\Desktop\lossless scaling\Lossless Scaling.exe"
Path: C:\Users\admin\Desktop\lossless scaling\Lossless Scaling.exe
Parent process: explorer.exe
User:
admin
Company:
Lossless Scaling
Integrity Level:
MEDIUM
Description:
Lossless Scaling
Exit code:
0
Version:
1.2.3.3
Modules
Images
c:\users\admin\desktop\lossless scaling\lossless scaling.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 6464
CMD: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Public\IObitUnlocker\hiberfil.ps1"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: Lossless Scaling.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6496
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\lossless scaling.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6632
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 14 773
Read events: 14 761
Write events: 12
Delete events: 0

Modification events

(PID) Process: (6496) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (6496) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (6496) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (6496) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\lossless scaling.rar

(PID) Process: (6496) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6496) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6496) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6496) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (6464) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: ConsentPromptBehaviorAdmin
Value: 0

(PID) Process: (5320) LosslessScaling.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\CUAS\DefaultCompositionWindow
Operation: write
Name: Left
Value: 0
Executable files: 29
Suspicious files: 3
Text files: 16
Unknown types: 0

Dropped files

PID
Process
Filename
Type
6496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6496.10650\lossless scaling\language\uk-UA\config.ini | text
MD5: EF7D84D756944B899E4FB5D1A3339235
SHA256: 069AE15289A748AE4E1A998183C41C35A873CB8DC205318813B157C826BAB6CA
6496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6496.10650\lossless scaling\language\en-US\EN.dll | compressed
MD5: 4F384906980CED627B07C36A5B4970FB
SHA256: 05D2B90083B8856D9E38EBDD1646DC5293067D9B1A027707FD7F419E2683C77E
6496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6496.10650\lossless scaling\language\uk-UA\ar\LosslessScaling.resources.dll | executable
MD5: ED6F1B887ABD06C83ECB9C6AD4B6DDAE
SHA256: E078D3FE1E5C3EF3AE5A22DA414B33D29C3AE335397FD699A35F0B767E20AB29
6496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6496.10650\lossless scaling\language\en-US\diagerr.xml | csv
MD5: D81308249D1F667CC584FECA22AD3D9F
SHA256: 353E9746747A49477F31264D9AB9EECCB237913F431B12958FD946D5E8193546
6496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6496.10650\lossless scaling\language\uk-UA\es-ES\LosslessScaling.resources.dll | executable
MD5: F6DD78C7F97A469C75152EC53D79BF8D
SHA256: 8F0222D248A18119D84822A851FBFD0D844E6CF58642E5132D96E3C75940EBF7
6496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6496.10650\lossless scaling\language\en-US\RAR.exe | executable
MD5: D3E9F98155C0FAAB869CCC74FB5E8A1E
SHA256: 3E0FDB5C40336482DACEF3496116053D7772A51720900141B3C6F35C6E9B351B
6496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6496.10650\lossless scaling\language\uk-UA\bg\LosslessScaling.resources.dll | executable
MD5: 82DEB57274920AD713665B7ECDD1F1B4
SHA256: 2B62DF6F0D46492562A7F2CB04E45C429E09FCBE76FB2FAF7E275CBE29101CA3
6496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6496.10650\lossless scaling\language\uk-UA\de\LosslessScaling.resources.dll | executable
MD5: BEA43C84CDC466DDEA1398D4026C3EF9
SHA256: 7BDB17BFA2E73143EFCD5BDAF089A2127C6175DAF0CED23C9C4102011D09A89A
6496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6496.10650\lossless scaling\language\uk-UA\cs\LosslessScaling.resources.dll | executable
MD5: 0009B54449D6EE8D723BE5266CB96C32
SHA256: 6F4CD5D91EDEE8DBC547A6F914F1441C5A55D559B784893A98B9AB3A1C96EE62
6496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6496.10650\lossless scaling\language\uk-UA\he\LosslessScaling.resources.dll | executable
MD5: 854559CE6F1A4172247402BCB7BA6D6F
SHA256: 4EDEC52A80B6F695343C617813B9D94260B1A31D02809D1055774DA5AC4943A3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 28
DNS requests: 14
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6148
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
1760
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1760
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
23.48.23.173:80
Akamai International B.V.
DE
unknown
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
2.23.227.215:443
Ooredoo Q.S.C.
QA
unknown
1176
svchost.exe
40.126.32.133:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:137
whitelisted
1076
svchost.exe
23.213.166.81:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
whitelisted
google.com
  • 142.250.186.142
whitelisted
login.live.com
  • 40.126.32.133
  • 20.190.160.17
  • 40.126.32.76
  • 40.126.32.74
  • 40.126.32.138
  • 40.126.32.140
  • 20.190.160.22
  • 40.126.32.68
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted

Threats

No threats detected
No debug info