File name: mirror_go_setup_full8050.exe
Full analysis: https://app.any.run/tasks/a74314d7-96ba-4609-be76-7c3b0abf0fff
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: August 07, 2021, 17:54:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 67908CA5D434F495012FD58DB2D0FED2
SHA1: 20CAEBD7F3F99CF5B27F55C1F1AC082117046A2C
SHA256: 3E14C743DA4F94BA2A358AB45BD519C18D54931F5B840B0AEEEB3824BA2FEE69
SSDEEP: 24576:UQZ0NSLYmzgGi67SN9mOxrjyKSmNqtYRG3N:iNSLYmbB7SN9mArjy5mNsYQd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • NFWCHK.exe (PID: 3364)
  • SUSPICIOUS

    • Reads the computer name

      • mirror_go_setup_full8050.exe (PID: 2980)
      • NFWCHK.exe (PID: 3364)
    • Drops a file that was compiled in debug mode

      • mirror_go_setup_full8050.exe (PID: 2980)
    • Checks supported languages

      • mirror_go_setup_full8050.exe (PID: 2980)
      • NFWCHK.exe (PID: 3364)
    • Reads Microsoft Outlook installation path

      • mirror_go_setup_full8050.exe (PID: 2980)
    • Reads internet explorer settings

      • mirror_go_setup_full8050.exe (PID: 2980)
    • Executable content was dropped or overwritten

      • mirror_go_setup_full8050.exe (PID: 2980)
  • INFO

    • Checks Windows Trust Settings

      • mirror_go_setup_full8050.exe (PID: 2980)
    • Reads settings of System Certificates

      • mirror_go_setup_full8050.exe (PID: 2980)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (18)
.exe | Win32 Executable (generic) (2.9)
.exe | Generic Win/DOS Executable (1.3)
.exe | DOS Executable Generic (1.3)

EXIF

EXE

ProductVersion: 1.0.1
ProductName: Wondershare MirrorGo
LegalCopyright: Copyright©2017 Wondershare. All rights reserved.
FileVersion: 3.0.0.0
FileDescription: wondershare-mirrorgo_setup_full8050.exe
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0017
ProductVersionNumber: 3.0.0.0
FileVersionNumber: 3.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x815e6
UninitializedDataSize: -
InitializedDataSize: 466432
CodeSize: 665088
LinkerVersion: 10
PEType: PE32
TimeStamp: 2020:09:24 09:37:08+02:00
MachineType: Intel 386 or later, and compatibles
All screenshots are available in the full report
Total processes: 40
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

[Graph: edges labelled "drop and start" and "start" between mirror_go_setup_full8050.exe (two instances, one marked "no specs") and nfwchk.exe ("no specs"); interactive view in the full report]

Process information

PID: 2216
CMD: "C:\Users\admin\AppData\Local\Temp\mirror_go_setup_full8050.exe"
Path: C:\Users\admin\AppData\Local\Temp\mirror_go_setup_full8050.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: wondershare-mirrorgo_setup_full8050.exe
Exit code: 3221226540
Version: 3.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\mirror_go_setup_full8050.exe
c:\windows\system32\ntdll.dll

PID: 2980
CMD: "C:\Users\admin\AppData\Local\Temp\mirror_go_setup_full8050.exe"
Path: C:\Users\admin\AppData\Local\Temp\mirror_go_setup_full8050.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: HIGH
Description: wondershare-mirrorgo_setup_full8050.exe
Exit code: 0
Version: 3.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\mirror_go_setup_full8050.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID: 3364
CMD: C:\Users\Public\Documents\Wondershare\NFWCHK.exe
Path: C:\Users\Public\Documents\Wondershare\NFWCHK.exe
Parent process: mirror_go_setup_full8050.exe
User: admin
Company: Wondershare
Integrity Level: HIGH
Description: .NET Framework Checker
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\public\documents\wondershare\nfwchk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 5 387
Read events: 5 323
Write events: 63
Delete events: 1

Modification events

PID | Process | Key | Operation | Name | Value
2980 | mirror_go_setup_full8050.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WafCX | write | (default) | sku-ween
2980 | mirror_go_setup_full8050.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WafCX | write | 8050 | sku-ween
2980 | mirror_go_setup_full8050.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Wondershare\Wondershare Helper Compact | write | ClientSign | {C4BA3647-0000-0QM0-0001-12A9866C77DE}
2980 | mirror_go_setup_full8050.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Wondershare\WAF | write | ClientSign | {C4BA3647-0000-0QM0-0001-12A9866C77DE}
2980 | mirror_go_setup_full8050.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
2980 | mirror_go_setup_full8050.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
2980 | mirror_go_setup_full8050.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
2980 | mirror_go_setup_full8050.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
2980 | mirror_go_setup_full8050.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | (empty)
2980 | mirror_go_setup_full8050.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
Executable files: 1
Suspicious files: 4
Text files: 11
Unknown types: 3

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2980 | mirror_go_setup_full8050.exe | C:\Users\Public\Documents\Wondershare\mirror_go_full8050.exe.~P2S | - | - | -
2980 | mirror_go_setup_full8050.exe | C:\Users\admin\AppData\Local\Temp\wsWAE.log | text | - | -
2980 | mirror_go_setup_full8050.exe | C:\Users\admin\AppData\Local\Temp\wsduilib.log | text | - | -
2980 | mirror_go_setup_full8050.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | - | -
2980 | mirror_go_setup_full8050.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_CCF564BE5A3C924B17DDEBDEB5236E12 | binary | - | -
2980 | mirror_go_setup_full8050.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_CCF564BE5A3C924B17DDEBDEB5236E12 | der | - | -
2980 | mirror_go_setup_full8050.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AF3BA1CDD96BBC740C9CE3754F348BED_C4AB20CCE3B76E62E8198ED4F8C25089 | der | - | -
2980 | mirror_go_setup_full8050.exe | C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config | xml | AD0967A0AB95AA7D71B3DC92B71B8F7A | 9C1212BC648A2533B53A2D0AFCEC518846D97630AFB013742A9622F0DF7B04FC
2980 | mirror_go_setup_full8050.exe | C:\Users\Public\Documents\Wondershare\WAE_DOWNTASK_8050.xml | xml | 57CBB8A8BBCC6911B23D1279DB53CC22 | F0A47C92D5E920C39BCF278F844EA5F351DF66A2F0E7725B2758576BFB04836E
2980 | mirror_go_setup_full8050.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed | F7DCB24540769805E5BB30D193944DCE | 6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 24
TCP/UDP connections: 48
DNS requests: 6
Threats: 25

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2980 | mirror_go_setup_full8050.exe | HEAD | 200 | 47.246.43.209:80 | http://download.wondershare.com/cbs_down/mirror_go_full8050.exe | US | - | - | whitelisted
2980 | mirror_go_setup_full8050.exe | GET | - | 47.246.43.209:80 | http://download.wondershare.com/cbs_down/mirror_go_full8050.exe | US | - | - | whitelisted
2980 | mirror_go_setup_full8050.exe | GET | - | 47.246.43.209:80 | http://download.wondershare.com/cbs_down/mirror_go_full8050.exe | US | - | - | whitelisted
2980 | mirror_go_setup_full8050.exe | GET | - | 47.246.43.209:80 | http://download.wondershare.com/cbs_down/mirror_go_full8050.exe | US | - | - | whitelisted
2980 | mirror_go_setup_full8050.exe | GET | - | 47.246.43.209:80 | http://download.wondershare.com/cbs_down/mirror_go_full8050.exe | US | - | - | whitelisted
2980 | mirror_go_setup_full8050.exe | GET | - | 47.246.43.209:80 | http://download.wondershare.com/cbs_down/mirror_go_full8050.exe | US | - | - | whitelisted
2980 | mirror_go_setup_full8050.exe | GET | 206 | 47.246.43.209:80 | http://download.wondershare.com/cbs_down/mirror_go_full8050.exe | US | binary | 16.0 Mb | whitelisted
2980 | mirror_go_setup_full8050.exe | GET | 206 | 47.246.43.209:80 | http://download.wondershare.com/cbs_down/mirror_go_full8050.exe | US | executable | 16.0 Mb | whitelisted
2980 | mirror_go_setup_full8050.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAilokbNS1yMg9cCtLurU0k%3D | US | der | 471 b | whitelisted
2980 | mirror_go_setup_full8050.exe | GET | 206 | 47.246.43.209:80 | http://download.wondershare.com/cbs_down/mirror_go_full8050.exe | US | binary | 16.0 Mb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2980 | mirror_go_setup_full8050.exe | 47.91.67.36:80 | platform.wondershare.com | Alibaba (China) Technology Co., Ltd. | US | suspicious
2980 | mirror_go_setup_full8050.exe | 47.246.43.209:80 | download.wondershare.com | - | US | malicious
2980 | mirror_go_setup_full8050.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2980 | mirror_go_setup_full8050.exe | 47.246.43.226:443 | wae.wondershare.cc | - | US | malicious
- | - | 47.246.43.209:80 | download.wondershare.com | - | US | malicious
2980 | mirror_go_setup_full8050.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain | IP | Reputation
platform.wondershare.com | 47.91.67.36 | suspicious
download.wondershare.com | 47.246.43.209 | whitelisted
wae.wondershare.cc | 47.246.43.226, 79.133.177.230, 79.133.177.228, 79.133.177.229, 79.133.177.225, 79.133.177.227, 79.133.177.232, 47.246.43.228, 47.246.43.229, 47.246.43.225, 47.246.43.227, 47.246.43.230, 47.246.43.224, 47.246.43.223 | malicious
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
status.rapidssl.com | 93.184.220.29 | shared

Threats

PID | Process | Class | Message
2980 | mirror_go_setup_full8050.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body
- | - | Potentially Bad Traffic | ET DNS Query for .cc TLD
2980 | mirror_go_setup_full8050.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body
2980 | mirror_go_setup_full8050.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body
2980 | mirror_go_setup_full8050.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body
2980 | mirror_go_setup_full8050.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body
2980 | mirror_go_setup_full8050.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2980 | mirror_go_setup_full8050.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body
2980 | mirror_go_setup_full8050.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body
2980 | mirror_go_setup_full8050.exe | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body
No debug info