File name: filmora-idco_setup_full1901.exe

Full analysis: https://app.any.run/tasks/829532cf-a1d5-45b1-917f-fde5464bd05c
Verdict: Malicious activity
Analysis date: February 14, 2024, 17:41:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: AEB7797267CB552CF82E0348C985543E
SHA1: A080667A17D09A4E6B333C6A99A528C75E9DA468
SHA256: B26919B9167CC1AC3C06FF8B2506FF50B23FFA346B9203CAFCE3972F702FE31E
SSDEEP: 98304:1JFfX3z+2Pwwgpzp5suNP4Uv5+/wDMXCWI74Y:I

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • filmora-idco_setup_full1901.exe (PID: 2852)
  • SUSPICIOUS

    • Connects to unusual port

      • filmora-idco_setup_full1901.exe (PID: 2852)
    • Reads security settings of Internet Explorer

      • filmora-idco_setup_full1901.exe (PID: 2852)
    • Reads Microsoft Outlook installation path

      • filmora-idco_setup_full1901.exe (PID: 2852)
    • Reads the Internet Settings

      • filmora-idco_setup_full1901.exe (PID: 2852)
    • Reads Internet Explorer settings

      • filmora-idco_setup_full1901.exe (PID: 2852)
    • Executable content was dropped or overwritten

      • filmora-idco_setup_full1901.exe (PID: 2852)
    • Likely accesses (executes) a file from the Public directory

      • NFWCHK.exe (PID: 3956)
    • Reads settings of System Certificates

      • filmora-idco_setup_full1901.exe (PID: 2852)
    • Checks Windows Trust Settings

      • filmora-idco_setup_full1901.exe (PID: 2852)
  • INFO

    • Checks supported languages

      • filmora-idco_setup_full1901.exe (PID: 2852)
      • NFWCHK.exe (PID: 3956)
    • Reads the computer name

      • filmora-idco_setup_full1901.exe (PID: 2852)
      • NFWCHK.exe (PID: 3956)
    • Create files in a temporary directory

      • filmora-idco_setup_full1901.exe (PID: 2852)
    • Checks proxy server information

      • filmora-idco_setup_full1901.exe (PID: 2852)
    • Reads the software policy settings

      • filmora-idco_setup_full1901.exe (PID: 2852)
    • Reads the machine GUID from the registry

      • NFWCHK.exe (PID: 3956)
      • filmora-idco_setup_full1901.exe (PID: 2852)
    • Creates files or folders in the user directory

      • filmora-idco_setup_full1901.exe (PID: 2852)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (16.3)
.exe | Win64 Executable (generic) (14.5)
.dll | Win32 Dynamic Link Library (generic) (3.4)
.exe | Win32 Executable (generic) (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:13 08:19:46+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 1278976
InitializedDataSize: 693760
UninitializedDataSize: -
EntryPoint: 0x1069f0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 4.0.4.18
ProductVersionNumber: 4.0.4.18
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: wondershare-filmora-(cpc)_setup_full1901.exe
FileVersion: 4.0.4.18
LegalCopyright: Copyright©2023 Wondershare. All rights reserved.
ProductName: Wondershare Filmora (CPC)
ProductVersion: 13.0.26
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start: filmora-idco_setup_full1901.exe; nfwchk.exe (no specs); filmora-idco_setup_full1901.exe (no specs)

Process information

PID: 2852
CMD: "C:\Users\admin\AppData\Local\Temp\filmora-idco_setup_full1901.exe"
Path: C:\Users\admin\AppData\Local\Temp\filmora-idco_setup_full1901.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: wondershare-filmora-(cpc)_setup_full1901.exe
Exit code: 0
Version: 4.0.4.18
Modules (images):
c:\users\admin\appdata\local\temp\filmora-idco_setup_full1901.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 3700
CMD: "C:\Users\admin\AppData\Local\Temp\filmora-idco_setup_full1901.exe"
Path: C:\Users\admin\AppData\Local\Temp\filmora-idco_setup_full1901.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: wondershare-filmora-(cpc)_setup_full1901.exe
Exit code: 3221226540
Version: 4.0.4.18
Modules (images):
c:\users\admin\appdata\local\temp\filmora-idco_setup_full1901.exe
c:\windows\system32\ntdll.dll

PID: 3956
CMD: C:\Users\Public\Documents\Wondershare\NFWCHK.exe
Path: C:\Users\Public\Documents\Wondershare\NFWCHK.exe
Parent process: filmora-idco_setup_full1901.exe
User: admin
Company: Wondershare
Integrity Level: HIGH
Description: .NET Framework Checker
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\public\documents\wondershare\nfwchk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 7 578
Read events: 7 516
Write events: 50
Delete events: 12

Modification events

(PID) Process: (2852) filmora-idco_setup_full1901.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WafCX
Operation: write
Name: 1901
Value: sku-ppc-idco

(PID) Process: (2852) filmora-idco_setup_full1901.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wondershare\Wondershare Helper Compact
Operation: write
Name: ClientSign
Value: {0a413126-50cb-44bc-bb36-698541333fa2G}

(PID) Process: (2852) filmora-idco_setup_full1901.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wondershare\WAF
Operation: write
Name: ClientSign
Value: {0a413126-50cb-44bc-bb36-698541333fa2G}

(PID) Process: (2852) filmora-idco_setup_full1901.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2852) filmora-idco_setup_full1901.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2852) filmora-idco_setup_full1901.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2852) filmora-idco_setup_full1901.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2852) filmora-idco_setup_full1901.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (2852) filmora-idco_setup_full1901.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2852) filmora-idco_setup_full1901.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 1
Suspicious files: 8
Text files: 14
Unknown types: 6

Dropped files

PID | Process | Filename | Type
2852 | filmora-idco_setup_full1901.exe | C:\Users\Public\Documents\Wondershare\filmora-idco_full1901.exe.~P2S | -
  MD5: -
  SHA256: -
2852 | filmora-idco_setup_full1901.exe | C:\Users\admin\AppData\Local\Temp\wsduilib.log | text
  MD5: EC3FBA63FAF2A7849F758AE3A17920EF
  SHA256: 2C837151729926EEF62B36E6D569FE9C34F837F0AE72C98FC66434BAECDB1EDE
2852 | filmora-idco_setup_full1901.exe | C:\Users\Public\Documents\Wondershare\NFWCHK.exe | executable
  MD5: 27CFB3990872CAA5930FA69D57AEFE7B
  SHA256: 43881549228975C7506B050BCE4D9B671412D3CDC08C7516C9DBBB7F50C25146
2852 | filmora-idco_setup_full1901.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\14561BF7422BB6F70A9CB14F5AA8A7DA_6D5FC9FD3617659722A64D73A114DFF7 | binary
  MD5: 02BD15BDC844DA565C7E2CFA1A87CA74
  SHA256: 453D09392005018BF7E29AC00CAFF176C323B5D35FF17DA11091DC9E3971C100
2852 | filmora-idco_setup_full1901.exe | C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config | xml
  MD5: 5BABF2A106C883A8E216F768DB99AD51
  SHA256: 9E676A617EB0D0535AC05A67C0AE0C0E12D4E998AB55AC786A031BFC25E28300
2852 | filmora-idco_setup_full1901.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\javascript_call_native[1].js | text
  MD5: B9DA127236EFDB755F568304B5EF3044
  SHA256: 01C839C0A9C47DC571175312EBC208EAE6FF28CED3A3EFA13C1EE81CD9764F71
2852 | filmora-idco_setup_full1901.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: EDB556532E3C58F2F88862C5E1E91A95
  SHA256: F0D61E13016304314524274B710C0770E76C96629EAD64256DE65942265407F0
2852 | filmora-idco_setup_full1901.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\filmora_v13[1].htm | html
  MD5: CC09E4349D6CCC6E3E32B986C9F96EE6
  SHA256: 37E5850E3768B6F736F118938B341EDA5A7B1AE52E68939806D29C7A336D29F9
2852 | filmora-idco_setup_full1901.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57 | binary
  MD5: B0308A0E9980344FB9858035F121D549
  SHA256: C976372DC4BEA2C94E1E63576F12267E12B1EDFB91CB429ECCD76B8AFD453B78
2852 | filmora-idco_setup_full1901.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | binary
  MD5: AC89A852C2AAA3D389B2D2DD312AD367
  SHA256: 0B720E19270C672F9B6E0EC40B468AC49376807DE08A814573FE038779534F45
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 20
TCP/UDP connections: 41
DNS requests: 13
Threats: 10

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2852 | filmora-idco_setup_full1901.exe | HEAD | 200 | 2.21.20.203:80 | http://download.wondershare.net/cbs_down/filmora-idco_full1901.exe | unknown | - | - | unknown
2852 | filmora-idco_setup_full1901.exe | GET | 206 | 2.21.20.203:80 | http://download.wondershare.net/cbs_down/filmora-idco_full1901.exe | unknown | text | 2 b | unknown
2852 | filmora-idco_setup_full1901.exe | HEAD | 200 | 2.21.20.203:80 | http://download.wondershare.net/cbs_down/filmora-idco_full1901.exe | unknown | - | - | unknown
2852 | filmora-idco_setup_full1901.exe | GET | - | 2.21.20.198:80 | http://download.wondershare.net/cbs_down/filmora-idco_full1901.exe | unknown | - | - | unknown
2852 | filmora-idco_setup_full1901.exe | GET | - | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?24ddb4487e7e8edc | unknown | - | - | unknown
2852 | filmora-idco_setup_full1901.exe | GET | - | 2.21.20.198:80 | http://download.wondershare.net/cbs_down/filmora-idco_full1901.exe | unknown | - | - | unknown
2852 | filmora-idco_setup_full1901.exe | GET | - | 8.209.73.211:80 | http://platform.wondershare.cc/rest/v2/downloader/runtime/?client_sign={0a413126-50cb-44bc-bb36-698541333fa2G}&product_id=1901&wae=4.0.4&platform=win_x86 | unknown | - | - | unknown
2852 | filmora-idco_setup_full1901.exe | HEAD | 200 | 2.21.20.198:80 | http://download.wondershare.net/cbs_down/filmora-idco_full1901.exe | unknown | - | - | unknown
1080 | svchost.exe | GET | 200 | 173.222.108.249:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?fc91d912a85a08d5 | unknown | compressed | 65.2 Kb | unknown
2852 | filmora-idco_setup_full1901.exe | GET | - | 2.21.20.203:80 | http://download.wondershare.net/cbs_down/filmora-idco_full1901.exe | unknown | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2852 | filmora-idco_setup_full1901.exe | 8.209.72.213:443 | pc-api.wondershare.cc | Alibaba US Technology Co., Ltd. | DE | unknown
2852 | filmora-idco_setup_full1901.exe | 8.209.73.211:80 | platform.wondershare.cc | Alibaba US Technology Co., Ltd. | DE | unknown
2852 | filmora-idco_setup_full1901.exe | 47.91.89.51:443 | prod-web.wondershare.cc | Alibaba US Technology Co., Ltd. | DE | unknown
2852 | filmora-idco_setup_full1901.exe | 2.21.20.203:80 | download.wondershare.net | Akamai International B.V. | DE | unknown
2852 | filmora-idco_setup_full1901.exe | 47.91.90.244:8106 | analytics.wondershare.cc | Alibaba US Technology Co., Ltd. | DE | unknown
2852 | filmora-idco_setup_full1901.exe | 2.21.20.198:80 | download.wondershare.net | Akamai International B.V. | DE | unknown
2852 | filmora-idco_setup_full1901.exe | 163.181.92.235:443 | wae.wondershare.cc | Zhejiang Taobao Network Co.,Ltd | DE | unknown

DNS requests

Domain | IP | Reputation
pc-api.wondershare.cc | 8.209.72.213 | malicious
platform.wondershare.cc | 8.209.73.211 | unknown
prod-web.wondershare.cc | 47.91.89.51 | unknown
download.wondershare.net | 2.21.20.203, 2.21.20.198 | whitelisted
analytics.wondershare.cc | 47.91.90.244 | unknown
wae.wondershare.cc | 163.181.92.235, 163.181.92.236, 163.181.92.238, 163.181.92.231, 163.181.92.232, 163.181.92.237, 163.181.92.234, 163.181.92.233 | unknown
ctldl.windowsupdate.com | 93.184.221.240, 173.222.108.249, 173.222.108.243, 173.222.108.201, 173.222.108.226 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
fonts.googleapis.com | 142.250.185.202 | whitelisted
ocsp.pki.goog | 142.250.186.99 | whitelisted

Threats

PID | Process | Class | Message
1080 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
1080 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
1080 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
1080 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
1080 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
1080 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
2852 | filmora-idco_setup_full1901.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3 ETPRO signatures available at the full report
No debug info