File name:

ReShade_Setup_6.0.1.exe

Full analysis: https://app.any.run/tasks/b09651ce-4920-46dd-98ff-f7d96af9356d
Verdict: Malicious activity
Analysis date: February 18, 2024, 02:31:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

A3806058C04E58965116BDD546114097

SHA1:

257DF8A18405A5B9C0907DC0F98EBA8DB00BADDB

SHA256:

293B4E2A879EC1C2EEB8F7C948F49D7E4CC5C3C0A0637D476BD9097F7E91B52E

SSDEEP:

98304:SBSHCVSUWrcY4wv4pJHCHPbI1pIBnUAH/oVuGOaPqznWtuoaR66p8hHZkg8ccB05:gt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ReShade_Setup_6.0.1.exe (PID: 3864)
      • ReShade_Setup_6.0.1.exe (PID: 1696)
  • SUSPICIOUS

    • Application launched itself

      • ReShade_Setup_6.0.1.exe (PID: 3864)
    • Reads security settings of Internet Explorer

      • ReShade_Setup_6.0.1.exe (PID: 3864)
    • Reads the Internet Settings

      • ReShade_Setup_6.0.1.exe (PID: 1696)
      • ReShade_Setup_6.0.1.exe (PID: 3864)
    • Reads settings of System Certificates

      • ReShade_Setup_6.0.1.exe (PID: 1696)
    • Executable content was dropped or overwritten

      • ReShade_Setup_6.0.1.exe (PID: 1696)
  • INFO

    • Reads Environment values

      • ReShade_Setup_6.0.1.exe (PID: 3864)
      • ReShade_Setup_6.0.1.exe (PID: 1696)
    • Checks supported languages

      • ReShade_Setup_6.0.1.exe (PID: 3864)
      • ReShade_Setup_6.0.1.exe (PID: 1696)
    • Reads the computer name

      • ReShade_Setup_6.0.1.exe (PID: 3864)
      • ReShade_Setup_6.0.1.exe (PID: 1696)
    • Reads the machine GUID from the registry

      • ReShade_Setup_6.0.1.exe (PID: 3864)
      • ReShade_Setup_6.0.1.exe (PID: 1696)
    • Creates files in the program directory

      • ReShade_Setup_6.0.1.exe (PID: 1696)
    • Creates files or folders in the user directory

      • ReShade_Setup_6.0.1.exe (PID: 1696)
    • Create files in a temporary directory

      • ReShade_Setup_6.0.1.exe (PID: 1696)
    • Reads the software policy settings

      • ReShade_Setup_6.0.1.exe (PID: 1696)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:27 15:22:08+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 119296
InitializedDataSize: 103936
UninitializedDataSize: -
EntryPoint: 0x1f012
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 6.0.1.0
ProductVersionNumber: 6.0.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: crosire
FileDescription: ReShade Setup
FileVersion: 6.0.1.0
InternalName: ReShade Setup.exe
LegalCopyright: Copyright © 2014. All rights reserved.
OriginalFileName: ReShade Setup.exe
ProductName: ReShade
ProductVersion: 6.0.1
AssemblyVersion: 6.0.1.0
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → reshade_setup_6.0.1.exe (no specs) → reshade_setup_6.0.1.exe

Process information

PID: 1696
CMD: "C:\Users\admin\Downloads\ReShade_Setup_6.0.1.exe" "C:\Program Files\CCleaner\CCleaner.exe" --elevated --left 393 --top 29
Path: C:\Users\admin\Downloads\ReShade_Setup_6.0.1.exe
Parent process: ReShade_Setup_6.0.1.exe
User: admin
Company: crosire
Integrity Level: HIGH
Description: ReShade Setup
Exit code: 3221225547
Version: 6.0.1.0
Modules
Images
c:\users\admin\downloads\reshade_setup_6.0.1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3864
CMD: "C:\Users\admin\Downloads\ReShade_Setup_6.0.1.exe"
Path: C:\Users\admin\Downloads\ReShade_Setup_6.0.1.exe
Parent process: explorer.exe
User: admin
Company: crosire
Integrity Level: MEDIUM
Description: ReShade Setup
Exit code: 0
Version: 6.0.1.0
Modules
Images
c:\users\admin\downloads\reshade_setup_6.0.1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 16 437
Read events: 16 196
Write events: 227
Delete events: 14

Modification events

(PID) Process: (3864) ReShade_Setup_6.0.1.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: ReShade_Setup_6.0.1.exe

(PID) Process: (3864) ReShade_Setup_6.0.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value: 0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202

(PID) Process: (3864) ReShade_Setup_6.0.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value: 07000000020000000100000006000000000000000B0000000C0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF

(PID) Process: (3864) ReShade_Setup_6.0.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\7
Operation: write
Name: MRUListEx
Value: 0000000001000000FFFFFFFF

(PID) Process: (3864) ReShade_Setup_6.0.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\Shell
Operation: write
Name: SniffedFolderType
Value: Documents

(PID) Process: (3864) ReShade_Setup_6.0.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3864) ReShade_Setup_6.0.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value: 01000000070000000200000006000000000000000B0000000C0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF

(PID) Process: (3864) ReShade_Setup_6.0.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value: 07000000010000000200000006000000000000000B0000000C0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF

(PID) Process: (3864) ReShade_Setup_6.0.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}
Operation: write
Name: Mode
Value: 4

(PID) Process: (3864) ReShade_Setup_6.0.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}
Operation: write
Name: LogicalViewMode
Value: 1
Executable files: 2
Suspicious files: 2
Text files: 95
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1696 | ReShade_Setup_6.0.1.exe | C:\Program Files\CCleaner\ReShade.log | text
MD5: D9A1DD79235BDE84B66C30A881D724D5
SHA256: A649CCD07DC38931801DE04C3523DA3F22CC021232095938D59DF693CAE77670
1696 | ReShade_Setup_6.0.1.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\EffectPackages[1].cache | text
MD5: E44F524B89A45F5DBA7A76BCBD5549F5
SHA256: 30181A2FD1B8B8BE8B34D0E4FE7AFF9BB9712D87836ACA34AA5C1285B966A1B3
1696 | ReShade_Setup_6.0.1.exe | C:\Users\admin\AppData\Local\Temp\ReShadeSetup\reshade-shaders-slim\Shaders\Daltonize.fx | text
MD5: F5871BE80D0CA8F5EDF4CC9D1B269AC5
SHA256: AB6006E886DB0F1FDB9845B892DEBE774EDA9EC498182373AA6ADE601D258D3F
1696 | ReShade_Setup_6.0.1.exe | C:\Program Files\CCleaner\d3d9.dll | executable
MD5: 291B8AE9D2B535AED6A78A4949F2871F
SHA256: 613EC48122A7DF9547BAD83BDFCD07A41397424E8A6A79F1ABD885CF3BF5E1A0
1696 | ReShade_Setup_6.0.1.exe | C:\Users\admin\AppData\Local\Temp\ReShadeSetup\reshade-shaders-slim\README.md | text
MD5: F13E2E27F7DFCC7A64E7F0AB1045A82D
SHA256: BB6AAF14074E4EDD73ABF730CE0EA11CC97267AB4B219F791E913E5325DFECE5
1696 | ReShade_Setup_6.0.1.exe | C:\Users\admin\AppData\Local\Temp\tmpCF22.tmp | compressed
MD5: 42A1C5086581952E7FA93BBC22CBF11A
SHA256: BC996DC25A575C4ACA6A7AE090965541C157D1DF2DA302858377B9CDC577712B
1696 | ReShade_Setup_6.0.1.exe | C:\Users\admin\AppData\Local\Temp\ReShadeSetup\reshade-shaders-slim\REFERENCE.md | text
MD5: E198F914E679444A054C493E04A82ADD
SHA256: ED666C28B7C5437B6DBA390A680A80123E167DDE3C40D10E499C9DE773C43EF8
1696 | ReShade_Setup_6.0.1.exe | C:\Users\admin\AppData\Local\Temp\ReShadeSetup\reshade-shaders-slim\Shaders\Blending.fxh | text
MD5: 66720778A8178B7D690960D3D7FB248F
SHA256: 1EAB08B853014FD6AAAAE6783C5052DE2EC2A74792C149635E4ED44A58660BA3
1696 | ReShade_Setup_6.0.1.exe | C:\Users\admin\AppData\Local\Temp\ReShadeSetup\reshade-shaders-slim\Shaders\DisplayDepth.fx | text
MD5: D4421758A6D4F205FFF2AF5EF8A768A8
SHA256: E2266C47C75DCC30030C8EC68CF62CF16F2AEBE1ECDECF0265D91CE65DBD7F32
1696 | ReShade_Setup_6.0.1.exe | C:\Users\admin\AppData\Local\Temp\ReShadeSetup\reshade-shaders-slim\Shaders\Deband.fx | text
MD5: 4B48FAD97630526702BC33C1F38A6497
SHA256: 8959CA995090BC89762CC0BF4BA3BB1FFCFFDF143E9E0DDAF84F0E004B53DD29
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 7
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1696 | ReShade_Setup_6.0.1.exe | 185.199.109.133:443 | raw.githubusercontent.com | FASTLY | US | unknown
1696 | ReShade_Setup_6.0.1.exe | 140.82.121.3:443 | github.com | GITHUB | US | unknown
1696 | ReShade_Setup_6.0.1.exe | 140.82.121.9:443 | codeload.github.com | GITHUB | US | unknown

DNS requests

Domain | IP | Reputation
raw.githubusercontent.com | 185.199.109.133, 185.199.110.133, 185.199.108.133, 185.199.111.133 | shared
github.com | 140.82.121.3 | shared
codeload.github.com | 140.82.121.9 | whitelisted

Threats

No threats detected
No debug info