File name: pdfelement6-pro_setup_full2990.exe
Full analysis: https://app.any.run/tasks/04940d33-9bd2-478f-b8f9-6513b899a444
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 14, 2019, 18:48:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 22BFE0DB8CB700048B1CAB4AF1E6834B
SHA1: C5DF3E6F41957B117503AC8811A687732B1884EB
SHA256: 8EAAF2DF6DF0B310A2F613B921F93C02DA49B4849B30A937E85E9F62C104CE58
SSDEEP: 12288:jmksnrb46qwBpJEVwPQXXXgp5fmWlWYwU0fClaLM/UtfvHB1+jKB:k3XCZXXXgpxm9Yw0WuUFvv++B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Downloads executable files from the Internet

      • pdfelement6-pro_setup_full2990.exe (PID: 3796)
    • Changes the autorun value in the registry

      • pdfelement6-pro_full2990.tmp (PID: 3640)
      • Wondershare Helper Compact.tmp (PID: 2472)
    • Loads dropped or rewritten executable

      • Setup.exe (PID: 3652)
      • PrinterRepaireTool.exe (PID: 968)
      • spoolsv.exe (PID: 1192)
      • WSHelper.exe (PID: 1092)
      • spoolsv.exe (PID: 3616)
      • spoolsv.exe (PID: 2192)
      • install.exe (PID: 3164)
      • FileAssociation.exe (PID: 2272)
      • PDFelement.exe (PID: 2996)
      • WSHelper.exe (PID: 3928)
    • Application was dropped or rewritten from another process

      • Setup.exe (PID: 3652)
      • WSHelper.exe (PID: 1092)
      • PrinterRepaireTool.exe (PID: 968)
      • WSPrtSetup.exe (PID: 2972)
      • WSPrtSetup.exe (PID: 3000)
      • install.exe (PID: 3164)
      • FileAssociation.exe (PID: 2272)
      • PEOfficeAddInInstall.exe (PID: 2716)
      • Wondershare Helper Compact.exe (PID: 3800)
      • WSPrtSetup.exe (PID: 2220)
      • PDFelement.exe (PID: 2996)
      • WSHelper.exe (PID: 3928)
    • Changes settings of System certificates

      • PDFelement.exe (PID: 2996)
  • SUSPICIOUS

    • Low-level read access rights to disk partition

      • pdfelement6-pro_setup_full2990.exe (PID: 3796)
    • Reads Windows owner or organization settings

      • pdfelement6-pro_full2990.tmp (PID: 3640)
    • Reads the Windows organization settings

      • pdfelement6-pro_full2990.tmp (PID: 3640)
    • Executable content was dropped or overwritten

      • pdfelement6-pro_full2990.exe (PID: 2572)
      • vcredist_x86_vc2008sp1.exe (PID: 3976)
      • msiexec.exe (PID: 2212)
      • pdfelement6-pro_full2990.tmp (PID: 3640)
      • vcredist_x86_vc2010sp1.exe (PID: 2348)
      • vcredist_x86_vc2015.exe (PID: 4068)
      • Wondershare Helper Compact.exe (PID: 3800)
      • Wondershare Helper Compact.tmp (PID: 2472)
      • WSPrtSetup.exe (PID: 3000)
      • spoolsv.exe (PID: 1192)
    • Reads internet explorer settings

      • pdfelement6-pro_setup_full2990.exe (PID: 3796)
    • Uses TASKKILL.EXE to kill process

      • pdfelement6-pro_full2990.tmp (PID: 3640)
    • Creates files in the user directory

      • pdfelement6-pro_full2990.tmp (PID: 3640)
      • PDFelement.exe (PID: 2996)
    • Modifies the open verb of a shell class

      • pdfelement6-pro_full2990.tmp (PID: 3640)
      • FileAssociation.exe (PID: 2272)
    • Creates files in the Windows directory

      • pdfelement6-pro_full2990.tmp (PID: 3640)
      • msiexec.exe (PID: 2212)
      • WSPrtSetup.exe (PID: 3000)
      • spoolsv.exe (PID: 1192)
    • Removes files from Windows directory

      • msiexec.exe (PID: 2212)
      • spoolsv.exe (PID: 1192)
      • WSPrtSetup.exe (PID: 3000)
    • Searches for installed software

      • vcredist_x86_vc2015.exe (PID: 4068)
    • Executes scripts

      • pdfelement6-pro_full2990.tmp (PID: 3640)
    • Creates files in the program directory

      • WSPrtSetup.exe (PID: 3000)
      • WSPrtSetup.exe (PID: 2972)
      • WSPrtSetup.exe (PID: 2220)
      • WSHelper.exe (PID: 3928)
    • Creates COM task schedule object

      • PEOfficeAddInInstall.exe (PID: 2716)
    • Starts Internet Explorer

      • pdfelement6-pro_setup_full2990.exe (PID: 3796)
    • Reads Environment values

      • PDFelement.exe (PID: 2996)
    • Adds / modifies Windows certificates

      • PDFelement.exe (PID: 2996)
  • INFO

    • Application was dropped or rewritten from another process

      • pdfelement6-pro_full2990.tmp (PID: 3640)
      • vcredist_x86_vc2015.exe (PID: 4068)
      • vcredist_x86_vc2015.exe (PID: 560)
      • vcredist_x86_vc2010sp1.exe (PID: 2348)
      • Wondershare Helper Compact.tmp (PID: 2472)
      • vcredist_x86_vc2008sp1.exe (PID: 3976)
    • Loads dropped or rewritten executable

      • pdfelement6-pro_full2990.tmp (PID: 3640)
      • Wondershare Helper Compact.tmp (PID: 2472)
      • vcredist_x86_vc2015.exe (PID: 4068)
    • Creates a software uninstall entry

      • pdfelement6-pro_full2990.tmp (PID: 3640)
      • msiexec.exe (PID: 2212)
      • Wondershare Helper Compact.tmp (PID: 2472)
    • Dropped object may contain Bitcoin addresses

      • pdfelement6-pro_full2990.tmp (PID: 3640)
      • PDFelement.exe (PID: 2996)
    • Creates files in the program directory

      • Wondershare Helper Compact.tmp (PID: 2472)
      • pdfelement6-pro_full2990.tmp (PID: 3640)
    • Reads settings of System Certificates

      • pdfelement6-pro_full2990.tmp (PID: 3640)
      • PDFelement.exe (PID: 2996)
    • Application launched itself

      • iexplore.exe (PID: 708)
    • Creates files in the user directory

      • iexplore.exe (PID: 3676)
    • Changes internet zones settings

      • iexplore.exe (PID: 708)
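The signature list above is what drives the "Malicious activity" verdict, and its most striking entries are Microsoft system processes (spoolsv.exe three times, msiexec.exe) marked MALICIOUS or SUSPICIOUS. Before accepting that, a practitioner wants to know which processes actually carry the weight and whether any of them are system components that the installer merely drove (the spooler's PrtMonOpenPort debug messages at the end of the report, and the WSPrtSetup.exe / PrinterRepaireTool.exe names in the process list, point at a printer-port installation). The script below is an added example, not ANY.RUN's code: SAMPLE is a hand-copied excerpt of the list above with its indentation and bullets preserved, and the set of Windows-native binary names is my own choice.

```python
"""Aggregate ANY.RUN-style behaviour signatures per process.

Added example, not part of the ANY.RUN report. SAMPLE is an excerpt of the
signature list copied from the report (2-space indent = severity, 4 =
signature, 6 = process line). SYSTEM_BINARIES is an assumption: Microsoft
binaries that appear in this report's process list.
"""
import re
from collections import Counter, defaultdict

SAMPLE = """\
  • MALICIOUS

    • Downloads executable files from the Internet

      • pdfelement6-pro_setup_full2990.exe (PID: 3796)
    • Loads dropped or rewritten executable

      • Setup.exe (PID: 3652)
      • spoolsv.exe (PID: 1192)
      • spoolsv.exe (PID: 3616)
      • spoolsv.exe (PID: 2192)
    • Changes settings of System certificates

      • PDFelement.exe (PID: 2996)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2212)
      • spoolsv.exe (PID: 1192)
    • Uses TASKKILL.EXE to kill process

      • pdfelement6-pro_full2990.tmp (PID: 3640)
  • INFO

    • Creates a software uninstall entry

      • msiexec.exe (PID: 2212)
"""

BULLET = re.compile(r"^(\s*)•\s*(.*?)\s*$")
PROCESS = re.compile(r"^(?P<name>.+?) \(PID: (?P<pid>\d+)\)$")

# Assumption: Windows-native binaries seen in this report's process list.
SYSTEM_BINARIES = {"spoolsv.exe", "msiexec.exe", "taskkill.exe",
                   "rundll32.exe", "cscript.exe", "iexplore.exe", "services.exe"}


def parse_signatures(text):
    """Return (severity, signature, process, pid) tuples.
    Indentation gives the level: 2 spaces = severity, 4 = signature,
    6 = process line; blank lines are skipped."""
    severity = signature = None
    rows = []
    for line in text.splitlines():
        m = BULLET.match(line)
        if not m:
            continue
        depth, body = len(m.group(1)), m.group(2)
        if depth <= 2:
            severity = body
        elif depth <= 4:
            signature = body
        else:
            pm = PROCESS.match(body)
            if pm:
                rows.append((severity, signature, pm["name"], int(pm["pid"])))
    return rows


def rank_processes(rows):
    """Processes ordered by MALICIOUS hits, then SUSPICIOUS hits, then name."""
    counts = defaultdict(Counter)
    for severity, _, name, pid in rows:
        counts[(name, pid)][severity] += 1
    return sorted(counts.items(),
                  key=lambda kv: (-kv[1]["MALICIOUS"], -kv[1]["SUSPICIOUS"], kv[0]))


def system_binaries_flagged(rows):
    """{(name, pid): [(severity, signature), ...]} for Windows-native binaries
    carrying MALICIOUS or SUSPICIOUS signatures. These are the entries to
    re-examine against the process tree: the behaviour did happen, but the
    actor is usually whichever process drove the system component."""
    hits = defaultdict(list)
    for severity, signature, name, pid in rows:
        if name.lower() in SYSTEM_BINARIES and severity in ("MALICIOUS", "SUSPICIOUS"):
            hits[(name, pid)].append((severity, signature))
    return dict(hits)


if __name__ == "__main__":
    rows = parse_signatures(SAMPLE)
    for (name, pid), c in rank_processes(rows)[:5]:
        print(f"{name} (PID {pid}): {dict(c)}")
    for key, sigs in system_binaries_flagged(rows).items():
        print("re-examine:", key, sigs)
```

Run against the excerpt, spoolsv.exe (PID 1192) ranks first, and all three spoolsv.exe instances plus msiexec.exe (PID 2212) come back for re-examination. The point is not that the verdict is wrong, but that "Loads dropped or rewritten executable" under spoolsv.exe describes a driver or port monitor being handed to the spooler, and the question to answer is who dropped it.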
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (16.3)
.exe | Win64 Executable (generic) (14.5)
.dll | Win32 Dynamic Link Library (generic) (3.4)
.exe | Win32 Executable (generic) (2.3)

EXIF

EXE

ProductVersion: 6.8.7
ProductName: PDFelement 6 Professional
LegalCopyright: Copyright©2017 Wondershare. All rights reserved.
FileVersion: 2.0.13.2
FileDescription: pdfelement-6-professional_setup_full2990.exe
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0017
ProductVersionNumber: 2.0.13.2
FileVersionNumber: 2.0.13.2
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x513f5
UninitializedDataSize: -
InitializedDataSize: 521728
CodeSize: 451584
LinkerVersion: 9
PEType: PE32
TimeStamp: 2019:01:18 03:07:35+01:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes: 68
Monitored processes: 30
Malicious processes: 9
Suspicious processes: 6

Behavior graph

(Interactive process graph, not reproduced here. Processes in the graph, in order: pdfelement6-pro_setup_full2990.exe, pdfelement6-pro_setup_full2990.exe, pdfelement6-pro_full2990.exe, pdfelement6-pro_full2990.tmp, taskkill.exe, vcredist_x86_vc2008sp1.exe, install.exe, msiexec.exe, vcredist_x86_vc2010sp1.exe, setup.exe, vcredist_x86_vc2015.exe, vcredist_x86_vc2015.exe, wondershare helper compact.exe, wondershare helper compact.tmp, wshelper.exe, cscript.exe, wsprtsetup.exe, spoolsv.exe, printerrepairetool.exe, rundll32.exe, spoolsv.exe, wsprtsetup.exe, spoolsv.exe, wsprtsetup.exe, peofficeaddininstall.exe, fileassociation.exe, pdfelement.exe, iexplore.exe, iexplore.exe, wshelper.exe.)

Process information

(Fields: PID, command line, path, parent process, user, company, integrity level, description, exit code, version. A missing field is blank in the report.)

PID 2968
  CMD: "C:\Users\admin\AppData\Local\Temp\pdfelement6-pro_setup_full2990.exe"
  Path: C:\Users\admin\AppData\Local\Temp\pdfelement6-pro_setup_full2990.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Description: pdfelement-6-professional_setup_full2990.exe
  Exit code: 3221226540
  Version: 2.0.13.2

PID 3796
  CMD: "C:\Users\admin\AppData\Local\Temp\pdfelement6-pro_setup_full2990.exe"
  Path: C:\Users\admin\AppData\Local\Temp\pdfelement6-pro_setup_full2990.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: HIGH
  Description: pdfelement-6-professional_setup_full2990.exe
  Exit code: 0
  Version: 2.0.13.2

PID 2572
  CMD: "C:\Users\Public\Documents\Wondershare\pdfelement6-pro_full2990.exe" /VERYSILENT /NOPAGE /LANG=ENG /LOG="C:\Users\admin\AppData\Local\Temp\WAE-PDFelement 6 Professional.log" /installpath: "C:\Program Files\Wondershare\PDFelement 6 Professional\" /DIR="C:\Program Files\Wondershare\PDFelement 6 Professional\"
  Path: C:\Users\Public\Documents\Wondershare\pdfelement6-pro_full2990.exe
  Parent process: pdfelement6-pro_setup_full2990.exe
  User: admin
  Company: Wondershare Software Co.,Ltd.
  Integrity Level: HIGH
  Description: Wondershare PDFelement 6 Pro Setup
  Exit code: 0
  Version: 6.8.8.4159

PID 3640
  CMD: "C:\Users\admin\AppData\Local\Temp\is-CMFGS.tmp\pdfelement6-pro_full2990.tmp" /SL5="$30110,74609247,548864,C:\Users\Public\Documents\Wondershare\pdfelement6-pro_full2990.exe" /VERYSILENT /NOPAGE /LANG=ENG /LOG="C:\Users\admin\AppData\Local\Temp\WAE-PDFelement 6 Professional.log" /installpath: "C:\Program Files\Wondershare\PDFelement 6 Professional\" /DIR="C:\Program Files\Wondershare\PDFelement 6 Professional\"
  Path: C:\Users\admin\AppData\Local\Temp\is-CMFGS.tmp\pdfelement6-pro_full2990.tmp
  Parent process: pdfelement6-pro_full2990.exe
  User: admin
  Integrity Level: HIGH
  Description: Setup/Uninstall
  Exit code: 0
  Version: 51.1052.0.0

PID 3832
  CMD: "C:\Windows\System32\taskkill.exe" /F /T /IM BsSndRpt.exe /IM PDFSaveAsPrinter.exe
  Path: C:\Windows\System32\taskkill.exe
  Parent process: pdfelement6-pro_full2990.tmp
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Terminates Processes
  Exit code: 128
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3976
  CMD: "C:\Users\admin\AppData\Local\Temp\is-QNV5S.tmp\vcredist_x86_vc2008sp1.exe" /q /norestart
  Path: C:\Users\admin\AppData\Local\Temp\is-QNV5S.tmp\vcredist_x86_vc2008sp1.exe
  Parent process: pdfelement6-pro_full2990.tmp
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Microsoft Visual C++ 2008 Redistributable Setup
  Exit code: 0
  Version: 9.0.30729.17

PID 3164
  CMD: c:\391853386070633bdd11\.\install.exe /q /norestart
  Path: c:\391853386070633bdd11\install.exe
  Parent process: vcredist_x86_vc2008sp1.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: External Installer
  Exit code: 0
  Version: 9.0.30729.1 built by: SP

PID 2212
  CMD: C:\Windows\system32\msiexec.exe /V
  Path: C:\Windows\system32\msiexec.exe
  Parent process: services.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Windows® installer
  Exit code: (blank in report)
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 2348
  CMD: "C:\Users\admin\AppData\Local\Temp\is-QNV5S.tmp\vcredist_x86_vc2010sp1.exe" /q /norestart
  Path: C:\Users\admin\AppData\Local\Temp\is-QNV5S.tmp\vcredist_x86_vc2010sp1.exe
  Parent process: pdfelement6-pro_full2990.tmp
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Microsoft Visual C++ 2010 x86 Redistributable Setup
  Exit code: 0
  Version: 10.0.40219.01

PID 3652
  CMD: c:\ad572f4ba1b1074aa62525852e90\Setup.exe /q /norestart
  Path: c:\ad572f4ba1b1074aa62525852e90\Setup.exe
  Parent process: vcredist_x86_vc2010sp1.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Setup Installer
  Exit code: 0
  Version: 10.0.40219.1 built by: SP1Rel
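The downloader appears twice in the process list: PID 2968 at MEDIUM integrity with exit code 3221226540, and PID 3796 at HIGH integrity with exit code 0. 3221226540 is 0xC000042C, the NTSTATUS value STATUS_ELEVATION_REQUIRED, so the first instance could not run without elevation and the elevated instance did the work. Sandbox reports print such codes as unsigned decimals, which hides their structure; the helper below is an added example (not ANY.RUN's code) that splits an exit code into its NTSTATUS fields and checks for this non-elevated-failure / elevated-success pair. REPORT_INSTANCES is copied from the table above; the known-value table is limited to what this report needs.

```python
"""Decode NTSTATUS-style process exit codes from a sandbox process list.

Added example, not part of the ANY.RUN report. NTSTATUS layout: bits 31-30
severity, bit 29 customer flag, bit 28 reserved, bits 27-16 facility,
bits 15-0 code. KNOWN_NTSTATUS holds only the values needed here.
"""

SEVERITY = {0: "SUCCESS", 1: "INFORMATIONAL", 2: "WARNING", 3: "ERROR"}

KNOWN_NTSTATUS = {
    0x00000000: "STATUS_SUCCESS",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}


def decode_exit_code(code):
    """Split a process exit code into NTSTATUS fields.

    Ordinary Win32 exit codes (taskkill's 128 above, for instance) also pass
    through: they decode as severity SUCCESS with no known name, which is the
    cue to read them as the program's own return value instead.
    """
    code &= 0xFFFFFFFF
    return {
        "decimal": code,
        "hex": "0x%08X" % code,
        "severity": SEVERITY[code >> 30],
        "customer": bool(code & (1 << 29)),
        "facility": (code >> 16) & 0x0FFF,
        "code": code & 0xFFFF,
        "name": KNOWN_NTSTATUS.get(code),
    }


# (pid, integrity level, exit code) of the two launches of
# pdfelement6-pro_setup_full2990.exe, copied from the process list above.
REPORT_INSTANCES = [
    (2968, "MEDIUM", 3221226540),
    (3796, "HIGH", 0),
]


def elevation_pattern(instances):
    """Report whether a LOW/MEDIUM-integrity run of an image ended with
    STATUS_ELEVATION_REQUIRED while a HIGH-integrity run of it completed.
    That pair is what a UAC re-launch of an installer looks like in a process
    list; on its own it says nothing about maliciousness."""
    needed = [pid for pid, il, code in instances
              if il in ("LOW", "MEDIUM")
              and decode_exit_code(code)["name"] == "STATUS_ELEVATION_REQUIRED"]
    done = [pid for pid, il, code in instances if il == "HIGH" and code == 0]
    return {
        "elevation_required_pids": needed,
        "elevated_success_pids": done,
        "looks_like_uac_relaunch": bool(needed and done),
    }


if __name__ == "__main__":
    for pid, il, code in REPORT_INSTANCES:
        d = decode_exit_code(code)
        print(pid, il, d["hex"], d["severity"], d["name"])
    print(elevation_pattern(REPORT_INSTANCES))
```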
Total events: 3668
Read events: 2256
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 207
Suspicious files: 12
Text files: 339
Unknown types: 37

Dropped files

(Fields: PID and process, filename, type, MD5, SHA256. "-" = blank in report.)

3796 pdfelement6-pro_setup_full2990.exe
  C:\Users\Public\Documents\Wondershare\pdfelement6-pro_full2990.exe.~P2S
  Type: - | MD5: - | SHA256: -
3796 pdfelement6-pro_setup_full2990.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\2990-20190216180216[1].htm
  Type: - | MD5: - | SHA256: -
3796 pdfelement6-pro_setup_full2990.exe
  C:\Users\Public\Documents\Wondershare\pdfelement6-pro_full2990.exe
  Type: - | MD5: - | SHA256: -
3796 pdfelement6-pro_setup_full2990.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019031420190315\index.dat
  Type: dat | MD5: 62A6B3CDC18BA4AA59C768F2EB8F46B1 | SHA256: 64DA4A857A1B899820C155C593AD2EC75B929F822BF2AFED7BB8D99CDD3C89AB
3796 pdfelement6-pro_setup_full2990.exe
  C:\Users\Public\Documents\Wondershare\WAE_DOWNTASK_2990.xml
  Type: xml | MD5: 57CBB8A8BBCC6911B23D1279DB53CC22 | SHA256: F0A47C92D5E920C39BCF278F844EA5F351DF66A2F0E7725B2758576BFB04836E
3796 pdfelement6-pro_setup_full2990.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\orbit-1.3.0[1].css
  Type: text | MD5: AD34AF4F9E2EDBC582E160B9436D5F7A | SHA256: EBEE997B48F765401646FB81E552854D49ADB484FA65D3B26CFABA5B1F00F171
3796 pdfelement6-pro_setup_full2990.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\Professional_8[1].png
  Type: image | MD5: A7E3DE6776312146FE72CD6808B02F5B | SHA256: 285602F5B9D3C752C6F64F2A4107D987C696DCA4041C690687E628BD1CA03B78
3796 pdfelement6-pro_setup_full2990.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\Professional_1[1].png
  Type: image | MD5: C751C6982D3760FDF0DD868369E29EFC | SHA256: 802623603C0E0DAE958B9C26571074FFD82BDA71BD24DEA1393ABEF126F315E0
3796 pdfelement6-pro_setup_full2990.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\Professional_3[1].png
  Type: image | MD5: 99CE5A33EE0AB218E489FA60D6B1DC27 | SHA256: B3EADD77E8D48B43C3E61E30002A952A94778CE9833E27FBA1A2656C8070608A
3796 pdfelement6-pro_setup_full2990.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\Professional_7[1].png
  Type: image | MD5: 6EEDBC20F0CABC32CFB103C4A1806953 | SHA256: EA987033D922A31C78DB9657D24E8CED61692EF8E14AF6BDBD00F2E529C30D36
HTTP(S) requests: 42
TCP/UDP connections: 45
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation  ("-" = blank in report)
3796 | pdfelement6-pro_setup_full2990.exe | GET | - | 2.16.186.83:80 | http://download.wondershare.com/cbs_down/pdfelement6-pro_full2990.exe | unknown | - | - | whitelisted
3796 | pdfelement6-pro_setup_full2990.exe | GET | - | 2.16.186.83:80 | http://download.wondershare.com/cbs_down/pdfelement6-pro_full2990.exe | unknown | - | - | whitelisted
3796 | pdfelement6-pro_setup_full2990.exe | GET | - | 2.16.186.83:80 | http://download.wondershare.com/cbs_down/pdfelement6-pro_full2990.exe | unknown | - | - | whitelisted
3796 | pdfelement6-pro_setup_full2990.exe | HEAD | 200 | 2.16.186.83:80 | http://download.wondershare.com/cbs_down/pdfelement6-pro_full2990.exe | unknown | - | - | whitelisted
3796 | pdfelement6-pro_setup_full2990.exe | GET | 200 | 47.91.67.36:80 | http://platform.wondershare.com/rest/v2/downloader/runtime/?client_sign={C4BA3647-0000-0QM0-0001-5254004A04AF}&product_id=2990 | US | xml | 1.60 Kb | suspicious
3796 | pdfelement6-pro_setup_full2990.exe | GET | 206 | 2.16.186.83:80 | http://download.wondershare.com/cbs_down/pdfelement6-pro_full2990.exe | unknown | gpg | 11.9 Mb | whitelisted
3796 | pdfelement6-pro_setup_full2990.exe | GET | - | 63.159.217.165:80 | http://dlinst.wondershare.com/player/style/orbit-1.3.0.css | US | - | - | suspicious
3796 | pdfelement6-pro_setup_full2990.exe | GET | 200 | 63.159.217.165:80 | http://dlinst.wondershare.com/player/style/jquery.orbit.min.js | US | text | 2.66 Kb | suspicious
3796 | pdfelement6-pro_setup_full2990.exe | GET | 200 | 63.159.217.165:80 | http://dlinst.wondershare.com/player/2990-20190216180216.html | US | html | 914 b | suspicious
3796 | pdfelement6-pro_setup_full2990.exe | GET | 206 | 2.16.186.83:80 | http://download.wondershare.com/cbs_down/pdfelement6-pro_full2990.exe | unknown | flc | 11.9 Mb | whitelisted
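The payload of this run, pdfelement6-pro_full2990.exe, was fetched over plain HTTP by PID 3796 and arrived as two 206 (partial content) responses of 11.9 Mb each; those two responses are what the two "ET POLICY PE EXE or DLL Windows file download HTTP" alerts in the Threats section correspond to. The sandbox typed the two chunks as "gpg" and "flc", presumably because a Range response starts mid-file and carries no MZ header, so the per-response type is not something to rely on. The script below is an added example (not ANY.RUN's code) of the same detection applied to the table above: REQUESTS is constructed by hand from the rows, with fields the report left blank set to None, and the extension list is my own.

```python
"""Flag Windows executables downloaded over cleartext HTTP.

Added example, not part of the ANY.RUN report. REQUESTS is constructed from
the HTTP requests table (pid, method, status, ip:port, url, body type, size);
None marks a field the report left blank. PE_EXTENSIONS is an assumption.
"""
from collections import Counter
from urllib.parse import urlparse
import posixpath

PE_EXTENSIONS = {".exe", ".dll", ".msi", ".scr", ".sys", ".cpl"}

PAYLOAD = "http://download.wondershare.com/cbs_down/pdfelement6-pro_full2990.exe"
CDN = "2.16.186.83:80"
DLINST = "63.159.217.165:80"

REQUESTS = [
    (3796, "GET",  None, CDN, PAYLOAD, None, None),
    (3796, "GET",  None, CDN, PAYLOAD, None, None),
    (3796, "GET",  None, CDN, PAYLOAD, None, None),
    (3796, "HEAD", 200,  CDN, PAYLOAD, None, None),
    (3796, "GET",  200,  "47.91.67.36:80",
     "http://platform.wondershare.com/rest/v2/downloader/runtime/"
     "?client_sign={C4BA3647-0000-0QM0-0001-5254004A04AF}&product_id=2990",
     "xml", "1.60 Kb"),
    (3796, "GET",  206,  CDN, PAYLOAD, "gpg", "11.9 Mb"),
    (3796, "GET",  None, DLINST, "http://dlinst.wondershare.com/player/style/orbit-1.3.0.css", None, None),
    (3796, "GET",  200,  DLINST, "http://dlinst.wondershare.com/player/style/jquery.orbit.min.js", "text", "2.66 Kb"),
    (3796, "GET",  200,  DLINST, "http://dlinst.wondershare.com/player/2990-20190216180216.html", "html", "914 b"),
    (3796, "GET",  206,  CDN, PAYLOAD, "flc", "11.9 Mb"),
]


def is_pe_path(url):
    """True when the URL path's extension names a Windows executable type."""
    ext = posixpath.splitext(urlparse(url).path)[1].lower()
    return ext in PE_EXTENSIONS


def detect_pe_downloads(requests):
    """One finding per cleartext GET of a PE that received a body (200/206).
    Requests without a recorded status and HEAD probes are ignored: no body
    reached the host."""
    findings = []
    for pid, method, status, ip, url, body_type, size in requests:
        if urlparse(url).scheme != "http" or method != "GET":
            continue
        if status not in (200, 206) or not is_pe_path(url):
            continue
        findings.append({
            "pid": pid, "url": url, "status": status, "ip": ip, "size": size,
            "partial": status == 206,
            # a 206 body starts mid-file, so this guess is unreliable for it
            "sandbox_type": body_type,
        })
    return findings


def range_chunks(findings):
    """Count 206 responses per URL: a Range-based download arrives in pieces,
    and each piece raises its own alert (two in this report)."""
    return Counter(f["url"] for f in findings if f["partial"])


if __name__ == "__main__":
    hits = detect_pe_downloads(REQUESTS)
    for h in hits:
        print(h["pid"], h["status"], h["size"], h["sandbox_type"], h["url"])
    print(range_chunks(hits))
```

Two findings, both partial, both for the same URL: the same count the IDS produced. When a sandbox and an IDS disagree on the number of "downloads", the Range handling is the first thing to check.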

Connections

PID | Process | IP | Domain | ASN | CN | Reputation  ("-" = blank in report)
- | - | 216.58.210.14:80 | - | Google Inc. | US | whitelisted
3796 | pdfelement6-pro_setup_full2990.exe | 2.16.186.83:80 | download.wondershare.com | Akamai International B.V. | - | whitelisted
3796 | pdfelement6-pro_setup_full2990.exe | 47.91.67.36:80 | platform.wondershare.com | Alibaba (China) Technology Co., Ltd. | US | suspicious
3796 | pdfelement6-pro_setup_full2990.exe | 63.159.217.165:80 | dlinst.wondershare.com | QUANTIL, INC | US | unknown
3928 | WSHelper.exe | 47.91.67.36:80 | platform.wondershare.com | Alibaba (China) Technology Co., Ltd. | US | suspicious
3676 | iexplore.exe | 47.91.89.199:80 | cbs.wondershare.com | Alibaba (China) Technology Co., Ltd. | US | malicious
2996 | PDFelement.exe | 47.91.89.199:80 | cbs.wondershare.com | Alibaba (China) Technology Co., Ltd. | US | malicious
3640 | pdfelement6-pro_full2990.tmp | 47.91.89.199:80 | cbs.wondershare.com | Alibaba (China) Technology Co., Ltd. | US | malicious
2996 | PDFelement.exe | 172.217.22.14:443 | www.google-analytics.com | Google Inc. | US | whitelisted
2996 | PDFelement.exe | 63.159.217.174:80 | dc.wondershare.com | QUANTIL, INC | US | suspicious

DNS requests

Domain
IP
Reputation
platform.wondershare.com
  • 47.91.67.36
suspicious
download.wondershare.com
  • 2.16.186.83
whitelisted
dlinst.wondershare.com
  • 63.159.217.165
suspicious
cbs.wondershare.com
  • 47.91.89.199
  • 47.91.76.37
  • 47.91.89.20
  • 47.91.91.66
whitelisted
pdf.wondershare.com
  • 104.96.143.160
whitelisted
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
whitelisted
dc.wondershare.com
  • 63.159.217.174
suspicious
www.google-analytics.com
  • 172.217.22.14
whitelisted
us.wondershare.com
unknown
resource.wondershare.com
  • 163.171.128.153
malicious

Threats

PID | Process | Class | Message
3796 | pdfelement6-pro_setup_full2990.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3796 | pdfelement6-pro_setup_full2990.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP

Debug output

Process | Message
Setup.exe | The operation completed successfully.
spoolsv.exe | [ DBG ] PrtMonOpenPort( ... )
spoolsv.exe | [ DBG ] PrtMonOpenPort( ... )
WSHelper.exe | HTTP/1.1 200 OK
WSHelper.exe | HTTP/1.1 200 OK
WSHelper.exe | HTTP/1.1 404 Not Found