File name:

lossless scaling.rar

Full analysis: https://app.any.run/tasks/57b49d83-b755-4103-bbf5-0b489cd20f3e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 17, 2025, 16:11:18
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
reflection
loader
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

D9CA57B897CA200A0C06CCD101A1DDB2

SHA1:

81FF05A7D05A7456A7DFEAB579BA301902615EC9

SHA256:

267C9614820FDEBB4E1C85553D991301E6BAC5F3BEE1DB426D5476E3715BD316

SSDEEP:

98304:KUtaPPfEq6ZFp2WpDpApLw+i85lOGnnONTV/qem7WcICcZPygN0O0OQdBbV1uLB9:26Z/D

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6496)
    • Changes powershell execution policy (Bypass)

      • Lossless Scaling.exe (PID: 6776)
      • Lossless Scaling.exe (PID: 6984)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6464)
      • powershell.exe (PID: 7032)
    • Uses Task Scheduler to run other applications

      • powershell.exe (PID: 6464)
      • powershell.exe (PID: 7032)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Lossless Scaling.exe (PID: 6444)
    • Likely accesses (executes) a file from the Public directory

      • powershell.exe (PID: 6464)
      • schtasks.exe (PID: 4876)
      • schtasks.exe (PID: 6636)
      • powershell.exe (PID: 7032)
    • The process bypasses the loading of PowerShell profile settings

      • Lossless Scaling.exe (PID: 6776)
      • Lossless Scaling.exe (PID: 6984)
    • Application launched itself

      • Lossless Scaling.exe (PID: 6444)
      • Lossless Scaling.exe (PID: 4556)
    • The process executes Powershell scripts

      • Lossless Scaling.exe (PID: 6776)
      • Lossless Scaling.exe (PID: 6984)
    • Reads security settings of Internet Explorer

      • Lossless Scaling.exe (PID: 6444)
      • Lossless Scaling.exe (PID: 6776)
    • Starts POWERSHELL.EXE for commands execution

      • Lossless Scaling.exe (PID: 6776)
      • Lossless Scaling.exe (PID: 6984)
    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 6464)
    • Gets path to any of the special folders (POWERSHELL)

      • powershell.exe (PID: 6464)
  • INFO

    • Manual execution by a user

      • Lossless Scaling.exe (PID: 6444)
      • regedit.exe (PID: 2548)
      • regedit.exe (PID: 6748)
      • Lossless Scaling.exe (PID: 4556)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 6496)
      • Lossless Scaling.exe (PID: 6444)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6496)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6464)
    • Checks supported languages

      • LosslessScaling.exe (PID: 5320)
    • Reads the computer name

      • LosslessScaling.exe (PID: 5320)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6464)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 700
UncompressedSize: 1248
OperatingSystem: Win32
ArchivedFileName: lossless scaling/language/diagerr.xml
No data.
All screenshots are available in the full report
Total processes: 146
Monitored processes: 16
Malicious processes: 3
Suspicious processes: 2

Behavior graph

Process nodes, in the order the graph shows them (the "no specs" label is reproduced as it appears on the graph):
winrar.exe; rundll32.exe (no specs); lossless scaling.exe; lossless scaling.exe; powershell.exe (no specs); conhost.exe (no specs); losslessscaling.exe (no specs); schtasks.exe (no specs); regedit.exe (no specs); regedit.exe; lossless scaling.exe (no specs); lossless scaling.exe; powershell.exe (no specs); conhost.exe (no specs); losslessscaling.exe (no specs); schtasks.exe (no specs)

Process information

Each entry gives the PID, command line (CMD), image path and parent process, followed by the user, company, integrity level, description, exit code, version and loaded modules the sandbox recorded.

PID: 2548
CMD: "regedit.exe" "C:\Users\admin\Desktop\lossless scaling\Registration ('Crack')\Double-click, confirm to merge, done.reg"
Path: C:\Windows\regedit.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
PID: 4188
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 4556
CMD: "C:\Users\admin\Desktop\lossless scaling\Lossless Scaling.exe"
Path: C:\Users\admin\Desktop\lossless scaling\Lossless Scaling.exe
Parent process: explorer.exe
User:
admin
Company:
Lossless Scaling
Integrity Level:
MEDIUM
Description:
Lossless Scaling
Exit code:
0
Version:
1.2.3.3
Modules
Images
c:\users\admin\desktop\lossless scaling\lossless scaling.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
PID: 4876
CMD: "C:\WINDOWS\system32\schtasks.exe" /create /tn administartor /sc minute /mo 2 /tr C:\Users\Public\IObitUnlocker\Loader.vbs /rl HIGHEST
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 5320
CMD: "C:\Users\admin\Desktop\lossless scaling\language\uk-UA\LosslessScaling.exe"
Path: C:\Users\admin\Desktop\lossless scaling\language\uk-UA\LosslessScaling.exe
Parent process: Lossless Scaling.exe
User:
admin
Company:
THS
Integrity Level:
HIGH
Description:
Lossless Scaling
Exit code:
0
Version:
2.12.0.0
Modules
Images
c:\users\admin\desktop\lossless scaling\language\uk-ua\losslessscaling.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 6252
CMD: "C:\Users\admin\Desktop\lossless scaling\language\uk-UA\LosslessScaling.exe"
Path: C:\Users\admin\Desktop\lossless scaling\language\uk-UA\LosslessScaling.exe
Parent process: Lossless Scaling.exe
User:
admin
Company:
THS
Integrity Level:
HIGH
Description:
Lossless Scaling
Version:
2.12.0.0
Modules
Images
c:\users\admin\desktop\lossless scaling\language\uk-ua\losslessscaling.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 6444
CMD: "C:\Users\admin\Desktop\lossless scaling\Lossless Scaling.exe"
Path: C:\Users\admin\Desktop\lossless scaling\Lossless Scaling.exe
Parent process: explorer.exe
User:
admin
Company:
Lossless Scaling
Integrity Level:
MEDIUM
Description:
Lossless Scaling
Exit code:
0
Version:
1.2.3.3
Modules
Images
c:\users\admin\desktop\lossless scaling\lossless scaling.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 6464
CMD: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Public\IObitUnlocker\hiberfil.ps1"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: Lossless Scaling.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6496
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\lossless scaling.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6632
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 14 773
Read events: 14 761
Write events: 12
Delete events: 0

Modification events

(PID) Process: (6496) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (6496) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (6496) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (6496) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\lossless scaling.rar

(PID) Process: (6496) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6496) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6496) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6496) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100
(PID) Process: (6464) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: ConsentPromptBehaviorAdmin
Value: 0
Setting ConsentPromptBehaviorAdmin to 0 makes UAC elevate members of the Administrators group without any prompt. Writing this HKLM policy value requires the script to already be running elevated, which matches the HIGH integrity level recorded for PID 6464 above; it is the only write in the run that is not routine application state.
(PID) Process: (5320) LosslessScaling.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\CUAS\DefaultCompositionWindow
Operation: write
Name: Left
Value: 0
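The chain this report records is a compact persistence pattern worth turning into hunt logic: the Desktop "Lossless Scaling.exe" (company "Lossless Scaling", version 1.2.3.3, 32-bit under WoW64) launches powershell.exe with -NoProfile -ExecutionPolicy Bypass on a script under C:\Users\Public, that script creates a scheduled task (misspelled name "administartor", every 2 minutes, /rl HIGHEST, action C:\Users\Public\IObitUnlocker\Loader.vbs) and writes ConsentPromptBehaviorAdmin=0, and only afterwards is the second, differently signed binary language\uk-UA\LosslessScaling.exe (company THS, version 2.12.0.0) started. The following is an added example of my own, not ANY.RUN's detection logic: four rules over process-creation and registry telemetry, run against constructed events that mirror the report's command lines plus two invented benign controls. The Event shape, the rule names and the list of -ExecutionPolicy abbreviations are my assumptions.

```python
"""Hunt rules over Windows process-creation and registry telemetry, keyed to the
behaviour chain in this report (added example, not ANY.RUN's logic)."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One telemetry record (shape is an assumption; map your EDR/Sysmon fields onto it)."""
    kind: str                  # "process" (creation) or "registry" (value write)
    pid: int
    image: str                 # full path of the process image
    parent_image: str = ""
    cmdline: str = ""
    reg_key: str = ""          # registry events only
    reg_name: str = ""
    reg_value: str = ""


# World-writable location that no legitimate installer uses for code or scripts.
PUBLIC_DIR = re.compile(r"c:\\users\\public\\", re.I)
# Per-user directories a downloaded archive is typically extracted into.
USER_WRITABLE = re.compile(r"c:\\users\\[^\\]+\\(?:desktop|downloads|appdata)\\", re.I)
# -ExecutionPolicy and the prefix abbreviations powershell.exe accepts for it (assumed list).
EP_BYPASS = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+(?:bypass|unrestricted)", re.I)
TASK_ACTION = re.compile(r"/tr\s+(\"[^\"]+\"|\S+)", re.I)
TASK_ELEVATED = re.compile(r"/rl\s+highest|/ru\s+(?:system|\"nt authority\\system\")", re.I)


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ps_bypass_from_public(e: Event) -> bool:
    """PowerShell run with the execution policy bypassed on a script under C:\\Users\\Public."""
    return bool(e.kind == "process" and _base(e.image) in ("powershell.exe", "pwsh.exe")
                and EP_BYPASS.search(e.cmdline) and PUBLIC_DIR.search(e.cmdline))


def ps_spawned_from_user_dir(e: Event) -> bool:
    """PowerShell whose parent executable runs out of Desktop, Downloads or AppData."""
    return bool(e.kind == "process" and _base(e.image) in ("powershell.exe", "pwsh.exe")
                and USER_WRITABLE.search(e.parent_image))


def task_runs_public_payload(e: Event) -> bool:
    """schtasks /create whose action lives under C:\\Users\\Public and runs elevated."""
    if e.kind != "process" or _base(e.image) != "schtasks.exe" or "/create" not in e.cmdline.lower():
        return False
    action = TASK_ACTION.search(e.cmdline)
    return bool(action and PUBLIC_DIR.search(action.group(1)) and TASK_ELEVATED.search(e.cmdline))


def uac_admin_prompt_disabled(e: Event) -> bool:
    """ConsentPromptBehaviorAdmin set to 0: administrators elevate with no UAC prompt."""
    return (e.kind == "registry"
            and e.reg_key.lower().endswith(r"\currentversion\policies\system")
            and e.reg_name.lower() == "consentpromptbehavioradmin"
            and e.reg_value.strip() == "0")


RULES = {f.__name__: f for f in (ps_bypass_from_public, ps_spawned_from_user_dir,
                                  task_runs_public_payload, uac_admin_prompt_disabled)}


def evaluate(events):
    """Return sorted (rule name, pid) pairs for every event that trips a rule."""
    return sorted({(name, e.pid) for e in events for name, rule in RULES.items() if rule(e)})


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
# Constructed telemetry: the first three records mirror the report's command lines and the
# registry write; the last two are invented benign controls that must not fire.
SAMPLE_EVENTS = [
    Event("process", 6464, PS, parent_image=r"C:\Users\admin\Desktop\lossless scaling\Lossless Scaling.exe",
          cmdline=r'"powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Public\IObitUnlocker\hiberfil.ps1"'),
    Event("process", 4876, r"C:\Windows\SysWOW64\schtasks.exe", parent_image=PS,
          cmdline=r'"C:\WINDOWS\system32\schtasks.exe" /create /tn administartor /sc minute /mo 2 '
                  r'/tr C:\Users\Public\IObitUnlocker\Loader.vbs /rl HIGHEST'),
    Event("registry", 6464, PS,
          reg_key=r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
          reg_name="ConsentPromptBehaviorAdmin", reg_value="0"),
    Event("process", 9001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe",
          cmdline=r'powershell.exe -NoProfile -File "C:\Program Files\Contoso\backup.ps1"'),
    Event("process", 9002, r"C:\Windows\System32\schtasks.exe", parent_image=r"C:\Windows\System32\cmd.exe",
          cmdline=r'schtasks /create /tn ContosoBackup /sc daily /tr "C:\Program Files\Contoso\backup.exe" /rl HIGHEST'),
]

if __name__ == "__main__":
    for rule, pid in evaluate(SAMPLE_EVENTS):
        print(f"{rule:28s} pid={pid}")
```

The benign schtasks control also asks for /rl HIGHEST; it stays quiet because the action is under Program Files, which is the point of keying the task rule on the action path rather than on elevation alone. The task-name misspelling is deliberately not a rule: it is a good pivot for this one sample, but the path-based rules survive a rename.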
Executable files: 29
Suspicious files: 3
Text files: 16
Unknown types: 0

Dropped files

PID 6496, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa6496.10650\lossless scaling\language\uk-UA\ar\LosslessScaling.resources.dll (executable)
MD5: ED6F1B887ABD06C83ECB9C6AD4B6DDAE
SHA256: E078D3FE1E5C3EF3AE5A22DA414B33D29C3AE335397FD699A35F0B767E20AB29

PID 6496, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa6496.10650\lossless scaling\language\diagerr.xml (csv)
MD5: 25B86B2AB956DE39EC02EB0697599100
SHA256: 507DBD9E93D64DC201894839A2E61A3CC5584696D2C35531A8F5A689AF4C582C

PID 6496, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa6496.10650\lossless scaling\language\en-US\hiberfil.sys (text)
MD5: 5930DA51E25548966F2ECDC534A31D33
SHA256: B712A2D728EC27CF9CBFDC2CC1DA287B714D0F1BABE1BC9531518B070B48DFB1

PID 6496, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa6496.10650\lossless scaling\language\en-US\RAR.exe (executable)
MD5: D3E9F98155C0FAAB869CCC74FB5E8A1E
SHA256: 3E0FDB5C40336482DACEF3496116053D7772A51720900141B3C6F35C6E9B351B

PID 6496, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa6496.10650\lossless scaling\language\uk-UA\id\LosslessScaling.resources.dll (executable)
MD5: 8C512FAB259D4AB880B3D2D1833B03CB
SHA256: FEE70B83A178195944F9DC63E841DA5C72A217C6F3ED04854A54C55307424668

PID 6496, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa6496.10650\lossless scaling\language\en-US\EN.dll (compressed)
MD5: 4F384906980CED627B07C36A5B4970FB
SHA256: 05D2B90083B8856D9E38EBDD1646DC5293067D9B1A027707FD7F419E2683C77E

PID 6496, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa6496.10650\lossless scaling\language\en-US\diagerr.xml (csv)
MD5: D81308249D1F667CC584FECA22AD3D9F
SHA256: 353E9746747A49477F31264D9AB9EECCB237913F431B12958FD946D5E8193546

PID 6496, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa6496.10650\lossless scaling\language\uk-UA\fr\LosslessScaling.resources.dll (executable)
MD5: 39E11BAAAB6237BA61EB5E8B7A19A4FE
SHA256: FE406BBC2BBDD8039876AD12EC946D46CAC386A1EC9C73F40BCEBB414EA55881

PID 6496, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa6496.10650\lossless scaling\language\uk-UA\bg\LosslessScaling.resources.dll (executable)
MD5: 82DEB57274920AD713665B7ECDD1F1B4
SHA256: 2B62DF6F0D46492562A7F2CB04E45C429E09FCBE76FB2FAF7E275CBE29101CA3

PID 6496, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa6496.10650\lossless scaling\language\uk-UA\fa\LosslessScaling.resources.dll (executable)
MD5: 4B67439A021661921731CA43EB8EFCEF
SHA256: 0688BA5F3B55C43AD2436C2981F834B4AF7E1B294314AFA2F017BABA6F4411FD
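The hashes above (the archive's MD5/SHA-1/SHA-256 and the SHA-256 of each dropped file) are the file indicators a responder would sweep an endpoint for. What follows is an added example of my own, not ANY.RUN's tooling: a sweep that reads every file under a directory once, computes all three digests in that single pass, and matches them case-insensitively against the report's set. The constructed demo tree, the empty-file stand-in indicator (the well-known SHA-256 of zero bytes) and the function names are mine. One caveat from the report itself: it does not say which of the dropped files are malicious and which are legitimate components bundled with the pirated application, so a hit on a dropped-file hash is a lead to triage, while a hit on the archive hashes is the sample itself.

```python
"""Sweep a directory tree for files whose MD5, SHA-1 or SHA-256 matches an
indicator from this report (added example; hash values copied from the report,
the sweep logic is not ANY.RUN's)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Archive MD5 / SHA-1 / SHA-256, then the SHA-256 of each dropped file, exactly as listed.
REPORT_IOCS = {
    "d9ca57b897ca200a0c06ccd101a1ddb2",                                   # archive MD5
    "81ff05a7d05a7456a7dfeab579ba301902615ec9",                           # archive SHA-1
    "267c9614820fdebb4e1c85553d991301e6bac5f3bee1db426d5476e3715bd316",   # archive SHA-256
    "e078d3fe1e5c3ef3ae5a22da414b33d29c3ae335397fd699a35f0b767e20ab29",   # uk-UA\ar\LosslessScaling.resources.dll
    "507dbd9e93d64dc201894839a2e61a3cc5584696d2c35531a8f5a689af4c582c",   # language\diagerr.xml
    "b712a2d728ec27cf9cbfdc2cc1da287b714d0f1babe1bc9531518b070b48dfb1",   # en-US\hiberfil.sys
    "3e0fdb5c40336482dacef3496116053d7772a51720900141b3c6f35c6e9b351b",   # en-US\RAR.exe
    "fee70b83a178195944f9dc63e841da5c72a217c6f3ed04854a54c55307424668",   # uk-UA\id\LosslessScaling.resources.dll
    "05d2b90083b8856d9e38ebdd1646dc5293067d9b1a027707fd7f419e2683c77e",   # en-US\EN.dll
    "353e9746747a49477f31264d9ab9eeccb237913f431b12958fd946d5e8193546",   # en-US\diagerr.xml
    "fe406bbc2bbdd8039876ad12ec946d46cac386a1ec9c73f40bcebb414ea55881",   # uk-UA\fr\LosslessScaling.resources.dll
    "2b62df6f0d46492562a7f2cb04e45c429e09fcbe76fb2faf7e275cbe29101ca3",   # uk-UA\bg\LosslessScaling.resources.dll
    "0688ba5f3b55c43ad2436c2981f834b4af7e1b294314afa2f017baba6f4411fd",   # uk-UA\fa\LosslessScaling.resources.dll
}

# SHA-256 of zero bytes; used only as a stand-in indicator so the demo can hit offline.
EMPTY_FILE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def digest_file(path, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 in one pass so a large tree is read only once."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in digests.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in digests.items()}


def match_iocs(digests, iocs=REPORT_IOCS):
    """(algorithm, hash) pairs from `digests` that appear in the IOC set, case-insensitively."""
    wanted = {h.lower() for h in iocs}
    return [(alg, hx) for alg, hx in digests.items() if hx.lower() in wanted]


def sweep(root, iocs=REPORT_IOCS):
    """Walk `root`; return [(path, matches)] for every file that hits. Unreadable files are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                found = match_iocs(digest_file(path), iocs)
            except OSError:
                continue
            if found:
                hits.append((str(path), found))
    return hits


def write_demo_tree(root):
    """Constructed sample tree: an empty file (SHA-256 above) and a harmless text file."""
    root = Path(root)
    (root / "drop").mkdir(parents=True, exist_ok=True)
    (root / "drop" / "empty.bin").write_bytes(b"")
    (root / "notes.txt").write_text("nothing to see here\n")
    return root


def demo_sweep():
    """Run the sweep over the constructed tree with the empty-file hash added as an indicator."""
    with tempfile.TemporaryDirectory() as tmp:
        return sweep(write_demo_tree(tmp), REPORT_IOCS | {EMPTY_FILE_SHA256})


if __name__ == "__main__":
    for path, found in demo_sweep():
        print(path, found)
```

Point sweep() at a user profile or at C:\Users\Public (where this sample stages hiberfil.ps1 and Loader.vbs) and pass REPORT_IOCS; the two staged scripts themselves are not hashed in the report, so a hash sweep finds the extracted package, not the running persistence, and should be paired with the process and task checks above.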
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 28
DNS requests: 14
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1760 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1760 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6148 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted

All seven requests are CRL and OCSP fetches from Microsoft and DigiCert endpoints; where a process is attributed it is a Windows component (SIHClient.exe, backgroundTaskHost.exe), and none of the sample's processes appear in this table. No payload download or command-and-control traffic was captured during this run.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 23.48.23.173:80 | - | Akamai International B.V. | DE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 2.23.227.215:443 | - | Ooredoo Q.S.C. | QA | unknown
1176 | svchost.exe | 40.126.32.133:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1076 | svchost.exe | 23.213.166.81:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
whitelisted
google.com
  • 142.250.186.142
whitelisted
login.live.com
  • 40.126.32.133
  • 20.190.160.17
  • 40.126.32.76
  • 40.126.32.74
  • 40.126.32.138
  • 40.126.32.140
  • 20.190.160.22
  • 40.126.32.68
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted

Threats

No threats detected
No debug info