File name: pdfelement-pro_setup_full5252.exe
Full analysis: https://app.any.run/tasks/91d71ded-e323-475a-bc8a-30eb442b9675
Verdict: Malicious activity
Analysis date: August 01, 2024, 14:37:28
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: FD5F035AF4106E03A8A2BA50D5536DCF
SHA1: BA0324B0A1BF411013B366963239965C05623688
SHA256: 72069D1C69D2A44072A2ACDB08A49BFA90C5064F6142930D49492C1EB81DE3A9
SSDEEP: 98304:G6fBnZjWww5ZOdNvMT0yyzM/dOjCBsTo7:O

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • pdfelement-pro_setup_full5252.exe (PID: 6588)
    • Connects to unusual port

      • pdfelement-pro_setup_full5252.exe (PID: 6588)
    • Reads Internet Explorer settings

      • pdfelement-pro_setup_full5252.exe (PID: 6588)
    • Reads Microsoft Outlook installation path

      • pdfelement-pro_setup_full5252.exe (PID: 6588)
  • INFO

    • Reads the computer name

      • pdfelement-pro_setup_full5252.exe (PID: 6588)
    • Checks supported languages

      • pdfelement-pro_setup_full5252.exe (PID: 6588)
    • Create files in a temporary directory

      • pdfelement-pro_setup_full5252.exe (PID: 6588)
    • Checks proxy server information

      • pdfelement-pro_setup_full5252.exe (PID: 6588)
    • Process checks Internet Explorer phishing filters

      • pdfelement-pro_setup_full5252.exe (PID: 6588)
    • Reads the machine GUID from the registry

      • pdfelement-pro_setup_full5252.exe (PID: 6588)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:26 03:27:04+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 1257984
InitializedDataSize: 875520
UninitializedDataSize: -
EntryPoint: 0x1020b0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 4.0.4.11
ProductVersionNumber: 4.0.4.11
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: pdfelement10_setup_full5252.exe
FileVersion: 4.0.4.11
LegalCopyright: Copyright©2023 Wondershare. All rights reserved.
ProductName: PDFelement10
ProductVersion: 10.0.3
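The hashes and the EXIF header fields above can be checked independently before a local copy is trusted as the analysed sample. The Python below is an added example and is not part of the ANY.RUN report: it hashes a file and parses the COFF and optional headers by hand (machine, link timestamp, PE32 magic, linker version, code size, entry point, characteristics), then compares each field with the values printed in this report. The PE stub it builds for offline use is constructed here from the report's header values and is not the real installer, so its hashes are expected not to match; run the script against the real file to get a full match.

```python
"""Cross-check a local sample against the hashes and PE header fields of
the sandbox report. Added example, not part of the ANY.RUN report; the
PE stub built by build_stub_pe() is constructed here and is NOT the real
pdfelement installer."""
import hashlib
import struct
import sys
from datetime import datetime, timezone

# Values copied from the report above.
REPORTED_HASHES = {
    "md5": "FD5F035AF4106E03A8A2BA50D5536DCF",
    "sha1": "BA0324B0A1BF411013B366963239965C05623688",
    "sha256": "72069D1C69D2A44072A2ACDB08A49BFA90C5064F6142930D49492C1EB81DE3A9",
}
REPORTED_HEADER = {
    "machine": 0x14C,                        # "Intel 386 or later"
    "timestamp": "2023-07-26T03:27:04+00:00",
    "pe_type": "PE32",
    "linker_version": "12.0",
    "code_size": 1257984,
    "init_data_size": 875520,
    "entry_point": 0x1020B0,
    "characteristics": 0x0102,               # "Executable, 32-bit"
}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the bytes, upper-cased to match the report."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def pe_header_info(data: bytes) -> dict:
    """Parse the COFF header and the first optional-header fields by hand,
    so the check does not depend on the tool that produced the report."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    (machine, _nsections, ts, _symtab, _nsyms,
     _opt_size, chars) = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    # The optional header follows the 4-byte signature + 20-byte COFF header.
    (magic, lnk_major, lnk_minor, code_size, init_size,
     _uninit_size, entry) = struct.unpack_from("<HBBIIII", data, pe_off + 24)
    return {
        "machine": machine,
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "code_size": code_size,
        "init_data_size": init_size,
        "entry_point": entry,
        "characteristics": chars,
        "is_32bit_exe": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE)
                        and bool(chars & IMAGE_FILE_32BIT_MACHINE),
    }


def compare_with_report(data: bytes) -> dict:
    """Field-by-field match against the report. A hash mismatch means the
    local file is not the analysed sample, whatever the header says."""
    hashes, header = file_hashes(data), pe_header_info(data)
    result = {k: hashes[k] == v for k, v in REPORTED_HASHES.items()}
    result.update({k: header[k] == v for k, v in REPORTED_HEADER.items()})
    return result


def build_stub_pe() -> bytes:
    """Constructed stand-in: a DOS stub, COFF header and the first seven
    optional-header fields carrying the report's values. Not the real
    installer, and truncated after those fields."""
    ts = int(datetime(2023, 7, 26, 3, 27, 4, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 4, ts, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 12, 0, 1257984, 875520, 0, 0x1020B0)
    return dos + coff + opt


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_stub_pe()
    for field, ok in compare_with_report(blob).items():
        print(f"{field:16s} {'match' if ok else 'MISMATCH'}")
```

Invoke it as `python check_sample.py <path-to-exe>`; without an argument it runs on the constructed stub, where every header field matches and every hash reports a mismatch.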
No data.
All screenshots are available in the full report
Total processes: 120
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start; pdfelement-pro_setup_full5252.exe; svchost.exe; pdfelement-pro_setup_full5252.exe (no specs)

Process information

PID 2256, svchost.exe (Dnscache service host)
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
Indicators: none listed
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID 6540, pdfelement-pro_setup_full5252.exe (first launch, not elevated)
CMD: "C:\Users\admin\Desktop\pdfelement-pro_setup_full5252.exe"
Path: C:\Users\admin\Desktop\pdfelement-pro_setup_full5252.exe
Parent process: explorer.exe
Indicators: none listed
User: admin
Integrity Level: MEDIUM
Description: pdfelement10_setup_full5252.exe
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity instance stopped here and the installer ran again as PID 6588 at HIGH integrity)
Version: 4.0.4.11
Modules (images; only ntdll was mapped before the process ended):
c:\users\admin\desktop\pdfelement-pro_setup_full5252.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID 6588, pdfelement-pro_setup_full5252.exe (elevated instance; every indicator listed above refers to this PID)
CMD: "C:\Users\admin\Desktop\pdfelement-pro_setup_full5252.exe"
Path: C:\Users\admin\Desktop\pdfelement-pro_setup_full5252.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: pdfelement10_setup_full5252.exe
Version: 4.0.4.11
Modules (images; the wow64*.dll entries show a 32-bit image running under WoW64 on the 64-bit guest):
c:\users\admin\desktop\pdfelement-pro_setup_full5252.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\wldap32.dll
Total events: 1 204
Read events: 1 190
Write events: 14
Delete events: 0

Modification events

All writes are by PID 6588 (pdfelement-pro_setup_full5252.exe). The HKLM writes land under WOW6432Node because the installer is a 32-bit (PE32) image running under WoW64. The HKCU\...\Internet Settings\ZoneMap and 5.0\Cache\* values are the ones WinINet/urlmon create when a process first initialises its URL security zones and cache; they show up in reports of almost any program that uses WinINet and do not by themselves indicate a proxy or zone change.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WafCX
Operation: write, Name: 5252, Value: sku-wers

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\Wondershare Helper Compact
Operation: write, Name: ClientSign, Value: {9a5d7147-f610-4b14-9794-cb963fbe4a37G}

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\WAF
Operation: write, Name: ClientSign, Value: {9a5d7147-f610-4b14-9794-cb963fbe4a37G}

Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write, Name: ProxyBypass, Value: 1
Operation: write, Name: IntranetName, Value: 1
Operation: write, Name: UNCAsIntranet, Value: 1
Operation: write, Name: AutoDetect, Value: 0

Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write, Name: CachePrefix, Value: (empty string)

Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write, Name: CachePrefix, Value: Cookie:

Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write, Name: CachePrefix, Value: Visited:
Executable files: 0
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID 6588, pdfelement-pro_setup_full5252.exe
Filename: C:\Users\admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log
Type: text
MD5: 27AE9EA85AA70526489DE5C155DF7CCB
SHA256: (blank in the report)

PID 6588, pdfelement-pro_setup_full5252.exe
Filename: C:\Users\admin\AppData\Local\Temp\wsduilib.log
Type: text
MD5: 354DE05A0E599369BE42ACF0A7EDCCB9
SHA256: (blank in the report)
HTTP(S) requests: 5
TCP/UDP connections: 22
DNS requests: 7
Threats: 4

HTTP requests

1. PID 6588, pdfelement-pro_setup_full5252.exe | GET | HTTP code: (blank) | 8.209.73.211:80
   URL: http://platform.wondershare.com/rest/v2/downloader/runtime/?client_sign={9a5d7147-f610-4b14-9794-cb963fbe4a37G}&product_id=5252&wae=4.0.4&platform=win_x64
   CN: unknown | Reputation: whitelisted

2. PID 6588, pdfelement-pro_setup_full5252.exe | HEAD | 200 | 23.48.23.22:80
   URL: http://download-ru.wondershare.com/cbs_down/pdfelement-pro_64bit_full5252.exe
   CN: unknown | Reputation: whitelisted

3. PID/process: (blank) | GET | 200 | 47.91.89.51:443
   URL: https://prod-web.wondershare.cc/api/v1/prodweb/trk?pid=5252&os=Windows
   CN: unknown | Type: binary | Size: 107 b | Reputation: unknown

4. PID/process: (blank) | POST | 200 | 8.209.72.213:443
   URL: https://pc-api.wondershare.cc/v3/user/client/token
   CN: unknown | Type: binary | Size: 132 b | Reputation: unknown

5. PID/process: (blank) | POST | 200 | 8.209.72.213:443
   URL: https://pc-api.wondershare.cc/v1/product/series
   CN: unknown | Type: binary | Size: 31 b | Reputation: unknown

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
3068 | RUXIMICS.exe | 40.127.240.158:443 | (none) | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
3888 | svchost.exe | 239.255.255.250:1900 | (none) | (none) | (none) | unknown
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | (none) | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
3028 | svchost.exe | 40.127.240.158:443 | (none) | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | (none) | (none) | (none) | unknown
6588 | pdfelement-pro_setup_full5252.exe | 8.209.72.213:443 | pc-api.wondershare.cc | Alibaba US Technology Co., Ltd. | DE | unknown
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | (none) | (none) | (none) | unknown
3028 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4324 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown

DNS requests

Domain | IP(s) | Reputation
google.com | 142.250.184.238 | unknown
pc-api.wondershare.cc | 8.209.72.213 | unknown
settings-win.data.microsoft.com | 51.104.136.2 | unknown
platform.wondershare.com | 8.209.73.211 | unknown
prod-web.wondershare.cc | 47.91.89.51 | unknown
download-ru.wondershare.com | 23.48.23.22, 23.48.23.28 | unknown
analytics.wondershare.cc | 47.91.90.244 | unknown

Threats

PID | Process | Class | Message
2256 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
2256 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
2256 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD

The three alerts are raised on the Dnscache service host (PID 2256), which performs the lookups on behalf of the sample; the DNS list above contains exactly three .cc names. One further ETPRO signature is shown only in the full report.
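The ET alerts fire on the TLD alone (.cc is the Cocos Islands ccTLD, which is abused often enough to have its own Emerging Threats rule); in this run every .cc query is a wondershare.cc host, carrying the same brand as the vendor named in the PE version info. The rest of the connection list is sandbox background noise (Windows Update and telemetry processes, SSDP and NetBIOS broadcasts). The Python below is an added example, not part of the ANY.RUN report: it reproduces the .cc rule over the DNS list, separates the sample's own connections (PID 6588) from background traffic, and ties the ClientSign GUID written to HKLM\SOFTWARE\WOW6432Node\Wondershare\WAF to the client_sign parameter of the platform.wondershare.com request. The DNS, connection and URL rows are copied from the report; the category names are the example's own. A brand in a hostname is not proof of ownership, so confirm the TLS certificate subjects from the PCAP before marking the wondershare.cc traffic benign.

```python
"""Triage of the network and registry artefacts listed in the report.
Added example, not part of the ANY.RUN report. Rows below are copied from
the report's DNS, connection, HTTP and registry sections."""
import ipaddress
from urllib.parse import urlparse, parse_qs

# DNS requests as listed in the report: (domain, resolved IPs).
DNS_REQUESTS = [
    ("google.com", ["142.250.184.238"]),
    ("pc-api.wondershare.cc", ["8.209.72.213"]),
    ("settings-win.data.microsoft.com", ["51.104.136.2"]),
    ("platform.wondershare.com", ["8.209.73.211"]),
    ("prod-web.wondershare.cc", ["47.91.89.51"]),
    ("download-ru.wondershare.com", ["23.48.23.22", "23.48.23.28"]),
    ("analytics.wondershare.cc", ["47.91.90.244"]),
]
# Connections: (pid, process, "ip:port", domain or None when the report shows none).
CONNECTIONS = [
    (3068, "RUXIMICS.exe", "40.127.240.158:443", None),
    (3888, "svchost.exe", "239.255.255.250:1900", None),
    (2120, "MoUsoCoreWorker.exe", "40.127.240.158:443", None),
    (4, "System", "192.168.100.255:138", None),
    (6588, "pdfelement-pro_setup_full5252.exe", "8.209.72.213:443", "pc-api.wondershare.cc"),
    (2120, "MoUsoCoreWorker.exe", "51.104.136.2:443", "settings-win.data.microsoft.com"),
    (4, "System", "192.168.100.255:137", None),
]
# Registry value and HTTP request from the report that share the client GUID.
REGISTRY_CLIENT_SIGN = "{9a5d7147-f610-4b14-9794-cb963fbe4a37G}"
RUNTIME_URL = ("http://platform.wondershare.com/rest/v2/downloader/runtime/"
               "?client_sign={9a5d7147-f610-4b14-9794-cb963fbe4a37G}"
               "&product_id=5252&wae=4.0.4&platform=win_x64")

SAMPLE_PID = 6588
# Category suffixes are this example's own classification, not the report's.
VENDOR_SUFFIXES = (".wondershare.com", ".wondershare.cc")
OS_SUFFIXES = (".microsoft.com",)


def cc_tld_hits(dns_requests):
    """Emulate 'ET DNS Query for .cc TLD': the rule keys on the TLD alone,
    so every .cc name fires regardless of who owns it."""
    return [d for d, _ in dns_requests if d.lower().rstrip(".").endswith(".cc")]


def classify_domain(domain):
    d = domain.lower().rstrip(".")
    if d.endswith(VENDOR_SUFFIXES):
        return "vendor"
    if d.endswith(OS_SUFFIXES):
        return "os-telemetry"
    return "other"


def classify_connection(pid, endpoint, domain):
    """Separate local discovery chatter and background processes from the
    sample's own traffic."""
    ip_str, _port = endpoint.rsplit(":", 1)
    ip = ipaddress.ip_address(ip_str)
    # SSDP multicast (239.255.255.250:1900) and NetBIOS subnet broadcast
    # (x.x.x.255:137/138) never leave the guest's network.
    if ip.is_multicast or (ip.is_private and ip_str.endswith(".255")):
        return "local-discovery"
    if domain is None:
        return "unresolved"          # no name in the report; look it up in the PCAP
    kind = classify_domain(domain)
    return f"sample:{kind}" if pid == SAMPLE_PID else f"background:{kind}"


def correlate_client_sign(url, registry_value):
    """Tie the host artefact (ClientSign registry value) to the network
    artefact (client_sign query parameter) and pull the product id."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    return {
        "host": parsed.hostname,
        "client_sign_matches_registry": q.get("client_sign", [None])[0] == registry_value,
        "product_id": q.get("product_id", [None])[0],
    }


def triage():
    """Summary a reviewer can read in one glance."""
    return {
        "cc_hits": cc_tld_hits(DNS_REQUESTS),
        "domains": {d: classify_domain(d) for d, _ in DNS_REQUESTS},
        "connections": [(pid, proc, classify_connection(pid, ep, dom))
                        for pid, proc, ep, dom in CONNECTIONS],
        "client_sign": correlate_client_sign(RUNTIME_URL, REGISTRY_CLIENT_SIGN),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

The summary shows three .cc hits (all wondershare.cc), exactly one connection attributed to the sample (to pc-api.wondershare.cc), the remaining rows as local discovery, unresolved or background Microsoft telemetry, and a client_sign that equals the registry value with product_id 5252, the same number that appears in the file name and the WafCX registry key.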
No debug info