File name: ReShade_Setup_6.0.1.exe

Full analysis: https://app.any.run/tasks/b09651ce-4920-46dd-98ff-f7d96af9356d
Verdict: Malicious activity
Analysis date: February 18, 2024, 02:31:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: A3806058C04E58965116BDD546114097
SHA1: 257DF8A18405A5B9C0907DC0F98EBA8DB00BADDB
SHA256: 293B4E2A879EC1C2EEB8F7C948F49D7E4CC5C3C0A0637D476BD9097F7E91B52E
SSDEEP: 98304:SBSHCVSUWrcY4wv4pJHCHPbI1pIBnUAH/oVuGOaPqznWtuoaR66p8hHZkg8ccB05:gt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ReShade_Setup_6.0.1.exe (PID: 3864)
      • ReShade_Setup_6.0.1.exe (PID: 1696)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • ReShade_Setup_6.0.1.exe (PID: 3864)
    • Application launched itself

      • ReShade_Setup_6.0.1.exe (PID: 3864)
    • Reads the Internet Settings

      • ReShade_Setup_6.0.1.exe (PID: 3864)
      • ReShade_Setup_6.0.1.exe (PID: 1696)
    • Reads settings of System Certificates

      • ReShade_Setup_6.0.1.exe (PID: 1696)
    • Executable content was dropped or overwritten

      • ReShade_Setup_6.0.1.exe (PID: 1696)
  • INFO

    • Reads the machine GUID from the registry

      • ReShade_Setup_6.0.1.exe (PID: 3864)
      • ReShade_Setup_6.0.1.exe (PID: 1696)
    • Checks supported languages

      • ReShade_Setup_6.0.1.exe (PID: 3864)
      • ReShade_Setup_6.0.1.exe (PID: 1696)
    • Reads the computer name

      • ReShade_Setup_6.0.1.exe (PID: 3864)
      • ReShade_Setup_6.0.1.exe (PID: 1696)
    • Reads Environment values

      • ReShade_Setup_6.0.1.exe (PID: 3864)
      • ReShade_Setup_6.0.1.exe (PID: 1696)
    • Reads the software policy settings

      • ReShade_Setup_6.0.1.exe (PID: 1696)
    • Creates files or folders in the user directory

      • ReShade_Setup_6.0.1.exe (PID: 1696)
    • Creates files in the program directory

      • ReShade_Setup_6.0.1.exe (PID: 1696)
    • Creates files in a temporary directory

      • ReShade_Setup_6.0.1.exe (PID: 1696)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:27 15:22:08+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 119296
InitializedDataSize: 103936
UninitializedDataSize: -
EntryPoint: 0x1f012
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 6.0.1.0
ProductVersionNumber: 6.0.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: crosire
FileDescription: ReShade Setup
FileVersion: 6.0.1.0
InternalName: ReShade Setup.exe
LegalCopyright: Copyright © 2014. All rights reserved.
OriginalFileName: ReShade Setup.exe
ProductName: ReShade
ProductVersion: 6.0.1
AssemblyVersion: 6.0.1.0
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> reshade_setup_6.0.1.exe -> reshade_setup_6.0.1.exe

Process information

PID: 1696
CMD: "C:\Users\admin\Downloads\ReShade_Setup_6.0.1.exe" "C:\Program Files\CCleaner\CCleaner.exe" --elevated --left 393 --top 29
Path: C:\Users\admin\Downloads\ReShade_Setup_6.0.1.exe
Parent process: ReShade_Setup_6.0.1.exe
User: admin
Company: crosire
Integrity Level: HIGH
Description: ReShade Setup
Exit code: 3221225547
Version: 6.0.1.0
Modules (Images):
c:\users\admin\downloads\reshade_setup_6.0.1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3864
CMD: "C:\Users\admin\Downloads\ReShade_Setup_6.0.1.exe"
Path: C:\Users\admin\Downloads\ReShade_Setup_6.0.1.exe
Parent process: explorer.exe
User: admin
Company: crosire
Integrity Level: MEDIUM
Description: ReShade Setup
Exit code: 0
Version: 6.0.1.0
Modules (Images):
c:\users\admin\downloads\reshade_setup_6.0.1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 16 437
Read events: 16 196
Write events: 227
Delete events: 14

Modification events

PID: 3864 | Process: ReShade_Setup_6.0.1.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write | Name: Name
Value: ReShade_Setup_6.0.1.exe

PID: 3864 | Process: ReShade_Setup_6.0.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write | Name: NodeSlots
Value: 0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202

PID: 3864 | Process: ReShade_Setup_6.0.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write | Name: MRUListEx
Value: 07000000020000000100000006000000000000000B0000000C0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF

PID: 3864 | Process: ReShade_Setup_6.0.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\7
Operation: write | Name: MRUListEx
Value: 0000000001000000FFFFFFFF

PID: 3864 | Process: ReShade_Setup_6.0.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\Shell
Operation: write | Name: SniffedFolderType
Value: Documents

PID: 3864 | Process: ReShade_Setup_6.0.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write | Name: LanguageList
Value: en-US

PID: 3864 | Process: ReShade_Setup_6.0.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write | Name: MRUListEx
Value: 01000000070000000200000006000000000000000B0000000C0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF

PID: 3864 | Process: ReShade_Setup_6.0.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write | Name: MRUListEx
Value: 07000000010000000200000006000000000000000B0000000C0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF

PID: 3864 | Process: ReShade_Setup_6.0.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}
Operation: write | Name: Mode
Value: 4

PID: 3864 | Process: ReShade_Setup_6.0.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}
Operation: write | Name: LogicalViewMode
Value: 1
Executable files: 2
Suspicious files: 2
Text files: 95
Unknown types: 0

Dropped files

PID | Process | Filename | Type

1696 | ReShade_Setup_6.0.1.exe | C:\Users\admin\AppData\Local\Temp\ReShadeSetup\reshade-shaders-slim\README.md | text
MD5: F13E2E27F7DFCC7A64E7F0AB1045A82D
SHA256: BB6AAF14074E4EDD73ABF730CE0EA11CC97267AB4B219F791E913E5325DFECE5

1696 | ReShade_Setup_6.0.1.exe | C:\Users\admin\AppData\Local\Temp\ReShadeSetup\reshade-shaders-slim\Shaders\DisplayDepth.fx | text
MD5: D4421758A6D4F205FFF2AF5EF8A768A8
SHA256: E2266C47C75DCC30030C8EC68CF62CF16F2AEBE1ECDECF0265D91CE65DBD7F32

1696 | ReShade_Setup_6.0.1.exe | C:\Users\admin\AppData\Local\Temp\ReShadeSetup\reshade-shaders-slim\Shaders\Macros.fxh | text
MD5: 65662C5DDA1E465942C159925F76FAE3
SHA256: 78D8974469B0E7BB2FDD5C6A98EE6304D03A614FFD2BC2A66985A54FF5F9B3A0

1696 | ReShade_Setup_6.0.1.exe | C:\Users\admin\AppData\Local\Temp\ReShadeSetup\reshade-shaders-slim\Shaders\Daltonize.fx | text
MD5: F5871BE80D0CA8F5EDF4CC9D1B269AC5
SHA256: AB6006E886DB0F1FDB9845B892DEBE774EDA9EC498182373AA6ADE601D258D3F

1696 | ReShade_Setup_6.0.1.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\EffectPackages[1].cache | text
MD5: E44F524B89A45F5DBA7A76BCBD5549F5
SHA256: 30181A2FD1B8B8BE8B34D0E4FE7AFF9BB9712D87836ACA34AA5C1285B966A1B3

1696 | ReShade_Setup_6.0.1.exe | C:\Users\admin\AppData\Local\Temp\ReShadeSetup\reshade-shaders-slim\REFERENCE.md | text
MD5: E198F914E679444A054C493E04A82ADD
SHA256: ED666C28B7C5437B6DBA390A680A80123E167DDE3C40D10E499C9DE773C43EF8

1696 | ReShade_Setup_6.0.1.exe | C:\Users\admin\AppData\Local\Temp\ReShadeSetup\reshade-shaders-slim\Shaders\DrawText.fxh | text
MD5: FD33D6B47DF4A4E69E3F4669E52BE9D8
SHA256: B79CC4DFB3E98BCF4C06193D00EA7631D74F467F73A4DEEEEE13E71336D3E680

1696 | ReShade_Setup_6.0.1.exe | C:\Program Files\CCleaner\ReShade.ini | text
MD5: 3B22047F2EE952E9D7DAC112225CF944
SHA256: 09E20962EE19F09F3C07760E15C6A9A5C285F87AA4769899D9E42A3DECB03791

1696 | ReShade_Setup_6.0.1.exe | C:\Users\admin\AppData\Local\Temp\ReShadeSetup\reshade-shaders-slim\Shaders\LUT.fx | text
MD5: 6D4B5D63AB0F440911A55903E5767076
SHA256: E3179C023A599D1EBE0C73FA00084A64D0BE66F4E5B43A45C1BB25C3C9DF0363

1696 | ReShade_Setup_6.0.1.exe | C:\Users\admin\AppData\Local\Temp\ReShadeSetup\reshade-shaders-slim\Shaders\ReShadeUI.fxh | text
MD5: A4851A3A31B433F7B608421200067DCF
SHA256: 78ADF672DF47460297EB9FE6DD238D2AAFA24510B52B84FEB1A745DFF70EB901
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 7
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1696 | ReShade_Setup_6.0.1.exe | 185.199.109.133:443 | raw.githubusercontent.com | FASTLY | US | unknown
1696 | ReShade_Setup_6.0.1.exe | 140.82.121.3:443 | github.com | GITHUB | US | unknown
1696 | ReShade_Setup_6.0.1.exe | 140.82.121.9:443 | codeload.github.com | GITHUB | US | unknown

DNS requests

Domain | IP | Reputation
raw.githubusercontent.com | 185.199.109.133, 185.199.110.133, 185.199.108.133, 185.199.111.133 | shared
github.com | 140.82.121.3 | shared
codeload.github.com | 140.82.121.9 | whitelisted

Threats

No threats detected
No debug info