File name: fr-pdfelement-pro_setup_full5478.exe

Full analysis: https://app.any.run/tasks/ddcd9ad0-3d6f-4271-bfc4-9d597f6b479b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 10, 2025, 11:31:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader, pdfelement, tool, delphi, inno, installer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 500CA8197643CAB88741DF8413AFEEC6
SHA1: B150A6CDFFEC9794AA389DFEC36C1EC568B99B7E
SHA256: C28BF0D2E80F02B632D6C88DDC2ABED2C9DB0445DB083FC31A8E040BB3CAA0F9
SSDEEP: 98304:xyfDAJpwQGhwIrz4MJpzD+br/Qfs/rCOTu1RYjC+VHg:m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
    • Creates files in the Startup directory

      • PEToolDeployment.exe (PID: 2316)
      • PEToolDeployment.exe (PID: 7508)
  • SUSPICIOUS

    • Likely accesses (executes) a file from the Public directory

      • fr-pdfelement-pro_64bit_full5478.exe (PID: 8128)
      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
    • Reads Microsoft Outlook installation path

      • fr-pdfelement-pro_setup_full5478.exe (PID: 1676)
    • Reads Internet Explorer settings

      • fr-pdfelement-pro_setup_full5478.exe (PID: 1676)
    • Reads security settings of Internet Explorer

      • fr-pdfelement-pro_setup_full5478.exe (PID: 1676)
      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
      • RegAsm.exe (PID: 4756)
      • PEToolDeployment.exe (PID: 7476)
    • Connects to unusual port

      • fr-pdfelement-pro_setup_full5478.exe (PID: 1676)
      • PENotify.exe (PID: 236)
    • Process requests binary or script from the Internet

      • fr-pdfelement-pro_setup_full5478.exe (PID: 1676)
      • PEToolDeploymentExtend.exe (PID: 7720)
    • Executable content was dropped or overwritten

      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
      • PEOfficeAddIn4.exe (PID: 7392)
      • fr-pdfelement-pro_64bit_full5478.exe (PID: 8128)
      • PEShellContextMenu4.exe (PID: 856)
      • WSPrtSetup.exe (PID: 3024)
    • Reads the Windows owner or organization settings

      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
    • Drops 7-zip archiver for unpacking

      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
    • Process drops legitimate windows executable

      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
      • WSPrtSetup.exe (PID: 3024)
    • The process drops C-runtime libraries

      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
    • Potential Corporate Privacy Violation

      • fr-pdfelement-pro_setup_full5478.exe (PID: 1676)
    • Searches for installed software

      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
    • Creates/Modifies COM task schedule object

      • RegAsm.exe (PID: 4756)
      • RegAsm.exe (PID: 6676)
      • PEShellContextMenu4.exe (PID: 7580)
      • RegAsm.exe (PID: 8032)
    • Starts itself from another location

      • PEShellContextMenu4.exe (PID: 856)
    • Starts SC.EXE for service management

      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
    • Windows service management via SC.EXE

      • sc.exe (PID: 7812)
    • Explorer used for Indirect Command Execution

      • explorer.exe (PID: 7936)
      • explorer.exe (PID: 7432)
    • Reads the date of Windows installation

      • PEToolDeployment.exe (PID: 7476)
  • INFO

    • The sample was compiled with English language support

      • fr-pdfelement-pro_setup_full5478.exe (PID: 1676)
      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
      • WSPrtSetup.exe (PID: 3024)
    • Reads the machine GUID from the registry

      • fr-pdfelement-pro_setup_full5478.exe (PID: 1676)
      • PEToolDeployment.exe (PID: 7196)
      • PEPreviewDeployment.exe (PID: 7200)
      • PEOfficeAddIn4.exe (PID: 7392)
      • RegAsm.exe (PID: 6676)
      • PEShellContextMenu4.exe (PID: 856)
      • FileAssociation.exe (PID: 864)
      • PEToolDeployment.exe (PID: 7508)
      • PEToolDeployment.exe (PID: 7476)
      • PEPreviewDeployment.exe (PID: 3888)
      • PENotify.exe (PID: 1672)
    • Reads the computer name

      • fr-pdfelement-pro_setup_full5478.exe (PID: 1676)
      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
      • PEPreviewDeployment.exe (PID: 7200)
      • PEToolDeployment.exe (PID: 7196)
      • PEOfficeAddIn4.exe (PID: 7392)
      • RegAsm.exe (PID: 4756)
      • PEShellContextMenu4.exe (PID: 856)
      • FileAssociation.exe (PID: 864)
      • PEToolDeployment.exe (PID: 7476)
    • Checks supported languages

      • fr-pdfelement-pro_setup_full5478.exe (PID: 1676)
      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
      • PEToolDeployment.exe (PID: 7196)
      • PEPreviewDeployment.exe (PID: 7200)
      • _setup64.tmp (PID: 5548)
      • RegAsm.exe (PID: 4756)
      • zip.exe (PID: 7400)
      • zip.exe (PID: 3100)
      • fr-pdfelement-pro_64bit_full5478.exe (PID: 8128)
      • PEOfficeAddIn4.exe (PID: 7392)
      • RegAsm.exe (PID: 6676)
      • PEShellContextMenu4.exe (PID: 856)
      • PEShellContextMenu4.exe (PID: 7580)
      • FileAssociation.exe (PID: 864)
      • PEToolDeployment.exe (PID: 2316)
      • PEToolDeployment.exe (PID: 7508)
      • PEPreviewDeployment.exe (PID: 7348)
      • PENotify.exe (PID: 236)
      • PEPreviewDeployment.exe (PID: 3888)
      • PEToolDeployment.exe (PID: 7476)
    • Checks proxy server information

      • fr-pdfelement-pro_setup_full5478.exe (PID: 1676)
      • slui.exe (PID: 7992)
    • Creates files in a temporary directory

      • fr-pdfelement-pro_setup_full5478.exe (PID: 1676)
      • fr-pdfelement-pro_64bit_full5478.exe (PID: 8128)
      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
      • PEToolDeployment.exe (PID: 2316)
    • Creates files in the program directory

      • fr-pdfelement-pro_setup_full5478.exe (PID: 1676)
      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
      • PEOfficeAddIn4.exe (PID: 7392)
      • zip.exe (PID: 7400)
      • zip.exe (PID: 3100)
      • PEShellContextMenu4.exe (PID: 856)
      • PEToolDeployment.exe (PID: 2316)
      • PEToolDeployment.exe (PID: 7508)
    • The sample was compiled with Chinese language support

      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
      • WSPrtSetup.exe (PID: 3024)
    • PDFELEMENT mutex has been found

      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
    • Creates files or folders in the user directory

      • PEToolDeployment.exe (PID: 7196)
      • PEPreviewDeployment.exe (PID: 7200)
      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
      • fr-pdfelement-pro_setup_full5478.exe (PID: 1676)
      • PEShellContextMenu4.exe (PID: 856)
      • WSPrtSetup.exe (PID: 1276)
      • WSPrtSetup.exe (PID: 3024)
      • regsvr32.exe (PID: 4868)
      • PEToolDeployment.exe (PID: 2316)
    • Compiled with Borland Delphi (YARA)

      • fr-pdfelement-pro_64bit_full5478.exe (PID: 8128)
      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
    • Reads the software policy settings

      • slui.exe (PID: 7992)
      • fr-pdfelement-pro_setup_full5478.exe (PID: 1676)
    • The sample was compiled with German language support

      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
    • Detects InnoSetup installer (YARA)

      • fr-pdfelement-pro_64bit_full5478.exe (PID: 8128)
      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
    • Creates a software uninstall entry

      • fr-pdfelement-pro_64bit_full5478.tmp (PID: 8164)
    • Process checks computer location settings

      • fr-pdfelement-pro_setup_full5478.exe (PID: 1676)
      • PEToolDeployment.exe (PID: 7476)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 2152)
    • Reads Environment values

      • PEToolDeploymentExtend.exe (PID: 7720)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:09:07 08:06:48+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 1267200
InitializedDataSize: 914432
UninitializedDataSize: -
EntryPoint: 0x103f50
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 4.0.4.12
ProductVersionNumber: 4.0.4.12
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: pdfelement10_setup_full5478.exe
FileVersion: 4.0.4.12
LegalCopyright: Copyright©2023 Wondershare. All rights reserved.
ProductName: PDFelement10
ProductVersion: 10.0.7
All screenshots are available in the full report
Total processes: 190
Monitored processes: 54
Malicious processes: 3
Suspicious processes: 9

Behavior graph

Processes shown in the behavior graph, in start order: fr-pdfelement-pro_setup_full5478.exe, svchost.exe, sppextcomobj.exe, slui.exe, fr-pdfelement-pro_64bit_full5478.exe, fr-pdfelement-pro_64bit_full5478.tmp, petooldeployment.exe, pepreviewdeployment.exe, conhost.exe, _setup64.tmp, conhost.exe, zip.exe, conhost.exe, zip.exe, conhost.exe, peofficeaddin4.exe, conhost.exe, regasm.exe, conhost.exe, regasm.exe, conhost.exe, peshellcontextmenu4.exe, conhost.exe, peshellcontextmenu4.exe, conhost.exe, fileassociation.exe, conhost.exe, wsprtsetup.exe, wsprtsetup.exe, sc.exe, conhost.exe, regsvr32.exe, petooldeployment.exe, explorer.exe, petooldeployment.exe, explorer.exe, explorer.exe, petooldeploymentextend.exe, explorer.exe, petooldeployment.exe, petooldeployment.exe, penotify.exe, penotify.exe, pepreviewdeployment.exe, conhost.exe, regasm.exe, conhost.exe, regasm.exe, conhost.exe, pepreviewdeployment.exe, conhost.exe, fontlistsave.exe, conhost.exe, fr-pdfelement-pro_setup_full5478.exe

Process information

PID: 236
CMD: "C:\Program Files\Wondershare\PDFelement10\PENotify.exe" "/enablenotify" "1" "/path" "PDFToolbox" "/defaultnotifydeviceboot" "1" "/explorerstartup" "proxy" "/entrance" "DeviceBoot" "/loggernameend" ".Install"
Path: C:\Program Files\Wondershare\PDFelement10\PENotify.exe
Parent process: PEToolDeployment.exe
User: admin
Company: Wondershare
Integrity Level: MEDIUM
Description: PDFelement Tray
Version: 11.4.6.3342
Loaded modules (images):
c:\program files\wondershare\pdfelement10\penotify.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 732
CMD: "C:\WINDOWS\Microsoft.Net\Framework64\v4.0.30319\regasm.exe" /codebase "C:\Program Files\Common Files\Wondershare\PDFelement11\Preview\1.0.0.80\PEPreview4.dll"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Parent process: PEPreviewDeployment.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft .NET Assembly Registration Utility
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Loaded modules (images):
c:\windows\microsoft.net\framework64\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 856
CMD: "C:\Program Files\Wondershare\PDFelement10\PEShellContextMenu4.exe"
Path: C:\Program Files\Wondershare\PDFelement10\PEShellContextMenu4.exe
Parent process: fr-pdfelement-pro_64bit_full5478.tmp
User: admin
Company: Wondershare
Integrity Level: HIGH
Description: PEShellExtension
Exit code: 0
Version: 11.0.0.0
Loaded modules (images):
c:\program files\wondershare\pdfelement10\peshellcontextmenu4.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 864
CMD: "C:\Program Files\Wondershare\PDFelement10\FileAssociation.exe" /a .fdf;.pdf;.ofd "C:\Program Files\Wondershare\PDFelement10\PDFelement.exe" "C:\Program Files\Wondershare\PDFelement10\projectfile.ico" /FriendlyAppName "Wondershare PDFelement"
Path: C:\Program Files\Wondershare\PDFelement10\FileAssociation.exe
Parent process: fr-pdfelement-pro_64bit_full5478.tmp
User: admin
Company: Wondershare
Integrity Level: HIGH
Description: Fix PDF file association
Exit code: 0
Version: 11.4.6.3342
Loaded modules (images):
c:\program files\wondershare\pdfelement10\fileassociation.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 960
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: fontlistsave.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1276
CMD: "C:\Program Files\Wondershare\PDFelement10\WSPrtSetup\WSPrtSetup.exe" /log "C:\Users\admin\AppData\Roaming\Wondershare\PDFelement11\log\UnInstallVirtualPrinter.log" /dvrname "Wondershare PDFelement" /prtname "Wondershare PDFelement" /monname "Wondershare PDFelement Monitor" /monport "Wondershare PDFelement Port" /monfile "PEPrinterMonitor.dll" /u
Path: C:\Program Files\Wondershare\PDFelement10\WSPrtSetup\WSPrtSetup.exe
Parent process: fr-pdfelement-pro_64bit_full5478.tmp
User: admin
Company: Wondershare Software
Integrity Level: HIGH
Exit code: 0
Version: 1.0.0.1
Loaded modules (images):
c:\program files\wondershare\pdfelement10\wsprtsetup\wsprtsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 1280
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: PEOfficeAddIn4.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1628
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: PEPreviewDeployment.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1672
CMD: "C:\Program Files\Wondershare\PDFelement10\PENotify.exe" "/enablenotify" "1" "/path" "PECaptureTool" "/defaultnotifydeviceboot" "1" "/explorerstartup" "proxy" "/entrance" "DeviceBoot" "/loggernameend" ".Install"
Path: C:\Program Files\Wondershare\PDFelement10\PENotify.exe
Parent process: PEToolDeployment.exe
User: admin
Company: Wondershare
Integrity Level: MEDIUM
Description: PDFelement Tray
Exit code: 0
Version: 11.4.6.3342
Loaded modules (images):
c:\program files\wondershare\pdfelement10\penotify.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 1676
CMD: "C:\Users\admin\AppData\Local\Temp\fr-pdfelement-pro_setup_full5478.exe"
Path: C:\Users\admin\AppData\Local\Temp\fr-pdfelement-pro_setup_full5478.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: pdfelement10_setup_full5478.exe
Version: 4.0.4.12
Loaded modules (images):
c:\users\admin\appdata\local\temp\fr-pdfelement-pro_setup_full5478.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\wldap32.dll
Total events: 9 156
Read events: 8 846
Write events: 309
Delete events: 1

Modification events

(PID 1676) fr-pdfelement-pro_setup_full5478.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WafCX | Operation: write | Name: 5478 | Value: sku-ppcfr
(PID 1676) fr-pdfelement-pro_setup_full5478.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\Wondershare Helper Compact | Operation: write | Name: ClientSign | Value: {f76303e9-90e9-47d1-8143-2b24d30d6a93G}
(PID 1676) fr-pdfelement-pro_setup_full5478.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\WAF | Operation: write | Name: ClientSign | Value: {f76303e9-90e9-47d1-8143-2b24d30d6a93G}
(PID 1676) fr-pdfelement-pro_setup_full5478.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
(PID 1676) fr-pdfelement-pro_setup_full5478.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
(PID 1676) fr-pdfelement-pro_setup_full5478.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
(PID 1676) fr-pdfelement-pro_setup_full5478.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch | Operation: write | Name: Version | Value: WS not running
(PID 1676) fr-pdfelement-pro_setup_full5478.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main | Operation: write | Name: DisableFirstRunCustomize | Value: 1
(PID 8164) fr-pdfelement-pro_64bit_full5478.tmp | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wondershare\PDFelement11 | Operation: write | Name: RemindSwitch | Value: 1
(PID 8164) fr-pdfelement-pro_64bit_full5478.tmp | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wondershare\PDFelement11 | Operation: write | Name: TipsEnable | Value: 1
Executable files: 271
Suspicious files: 461
Text files: 275
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1676 | fr-pdfelement-pro_setup_full5478.exe | C:\Users\Public\Documents\Wondershare\fr-pdfelement-pro_64bit_full5478.exe.~P2S | (type not recorded)
  (no hashes recorded)
1676 | fr-pdfelement-pro_setup_full5478.exe | C:\Users\admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log | text
  MD5: CFA9147EE7C721B898A83D52C3FEB504 | SHA256: 9B4CFBC0ED144D0A067AAD5B383F198D3B59A1FD05D79D82CF27CCE279310326
1676 | fr-pdfelement-pro_setup_full5478.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\index[1].htm | html
  MD5: 40BDFECFA8CD70B22006C95C52120ADF | SHA256: 56398121FD62A917A1DB8B7F060398EBDAF247BE187FE06FCBB62EB605533F92
1676 | fr-pdfelement-pro_setup_full5478.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_C39E9DBC666D19C07EEE7CD1E11AF8BE | binary
  MD5: 91BFC1057906CE2AF88289A637DF6316 | SHA256: 305683013F7CD539DD9E04583DCCAF68FDE253FA1996F2B5F6A8D3122989F798
1676 | fr-pdfelement-pro_setup_full5478.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\javascript_call_native[1].js | binary
  MD5: B9DA127236EFDB755F568304B5EF3044 | SHA256: 01C839C0A9C47DC571175312EBC208EAE6FF28CED3A3EFA13C1EE81CD9764F71
1676 | fr-pdfelement-pro_setup_full5478.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_D700B3BF42AE699B26DDBDD3E4CB7EDD | binary
  MD5: 57F32E3D3D481D45FCB2C923A5419E03 | SHA256: 3E002B4CD5A50C71BA8521977EC17CB4B6E02B0AE9B9E6DBBAA4CCD8151AD27F
1676 | fr-pdfelement-pro_setup_full5478.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_D700B3BF42AE699B26DDBDD3E4CB7EDD | binary
  MD5: 0F097E22437AF3E20D6B86A022D75BAA | SHA256: 6C8A344E62EDDBAF8B48040DF479FBF6917A21823DC3B360745EF7CDBE54484C
1676 | fr-pdfelement-pro_setup_full5478.exe | C:\Users\Public\Documents\Wondershare\WAE_DOWNTASK_5478.xml | xml
  MD5: C15E9FD55D1ABC9C58726BCF1510494E | SHA256: 4805296C89D1249BE3478986F2E8829545D373C97ADE9CA7C1BDCB48540DE140
1676 | fr-pdfelement-pro_setup_full5478.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\jquery-2_1_4.min[1].js | binary
  MD5: 5A78469E930137026167FC0FBA0FE3E6 | SHA256: 7BB14685F20EF4995672F51029F6BE814F866A035D7869F7DA6756A5FE8AC649
1676 | fr-pdfelement-pro_setup_full5478.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\json2[1].js | binary
  MD5: E78199FE40036021717F4A18BCDB91CE | SHA256: 9DD0F1D3CECD1368D46CD881FF6F6529485F0414BC40F35D2A4D2C08769517F0
HTTP(S) requests: 44
TCP/UDP connections: 102
DNS requests: 39
Threats: 9

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation (the Type and Size columns are empty for every row in the report)
6544 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1676 | fr-pdfelement-pro_setup_full5478.exe | HEAD | 200 | 2.22.242.114:80 | http://download.wondershare.net/cbs_down/fr-pdfelement-pro_64bit_full5478.exe | unknown | whitelisted
1676 | fr-pdfelement-pro_setup_full5478.exe | GET | (not recorded) | 8.209.73.211:80 | http://platform.wondershare.com/rest/v2/downloader/runtime/?client_sign={f76303e9-90e9-47d1-8143-2b24d30d6a93G}&product_id=5478&wae=4.0.4&platform=win_x64 | unknown | whitelisted
7572 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7572 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
1676 | fr-pdfelement-pro_setup_full5478.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAsllCLO2YEqFaBOmVKKDvo%3D | unknown | whitelisted
1676 | fr-pdfelement-pro_setup_full5478.exe | GET | 200 | 47.246.46.225:80 | http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEA%2FgMquETQMxBsUMjhPIsGg%3D | unknown | whitelisted
1676 | fr-pdfelement-pro_setup_full5478.exe | GET | 200 | 184.30.131.245:80 | http://status.rapidssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJiUKgT2m88fZ4nxc1Lu6M%2FjvkagQUDNtsgkkPSmcKuBTuesRIUojrVjgCEAPrj%2B5bI3FwiQSxqsOJWBw%3D | unknown | whitelisted
1676 | fr-pdfelement-pro_setup_full5478.exe | HEAD | 200 | 2.19.11.113:80 | http://download.wondershare.net/cbs_down/fr-pdfelement-pro_64bit_full5478.exe | unknown | whitelisted
1676 | fr-pdfelement-pro_setup_full5478.exe | HEAD | 200 | 2.19.11.114:80 | http://download.wondershare.net/cbs_down/fr-pdfelement-pro_64bit_full5478.exe | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | (none) | (none) | (none) | whitelisted
(not recorded) | (not recorded) | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | (none) | (none) | (none) | whitelisted
1676 | fr-pdfelement-pro_setup_full5478.exe | 8.209.72.213:443 | pc-api.wondershare.cc | Alibaba US Technology Co., Ltd. | DE | malicious
1676 | fr-pdfelement-pro_setup_full5478.exe | 8.209.73.211:80 | platform.wondershare.com | Alibaba US Technology Co., Ltd. | DE | whitelisted
1676 | fr-pdfelement-pro_setup_full5478.exe | 47.91.89.51:443 | prod-web.wondershare.cc | Alibaba US Technology Co., Ltd. | DE | malicious
1676 | fr-pdfelement-pro_setup_full5478.exe | 2.22.242.114:80 | download.wondershare.net | Akamai International B.V. | DE | whitelisted
1676 | fr-pdfelement-pro_setup_full5478.exe | 47.254.169.108:8106 | analytics.wondershare.cc | Alibaba US Technology Co., Ltd. | DE | malicious
3216 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.124.78.146 | whitelisted
google.com | 142.250.185.142 | whitelisted
pc-api.wondershare.cc | 8.209.72.213 | malicious
platform.wondershare.com | 8.209.73.211 | whitelisted
prod-web.wondershare.cc | 47.91.89.51 | malicious
download.wondershare.net | 2.22.242.114, 2.22.242.113, 2.19.11.113, 2.19.11.114 | whitelisted
analytics.wondershare.cc | 47.254.169.108, 8.211.53.191 | malicious
client.wns.windows.com | 40.113.103.199, 40.115.3.253 | whitelisted
login.live.com | 40.126.32.68, 40.126.32.74, 20.190.160.2, 20.190.160.130, 20.190.160.132, 20.190.160.22, 40.126.32.133, 40.126.32.140 | whitelisted
ocsp.digicert.com | 184.30.131.245, 2.17.190.73 | whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
2196 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
2196 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
2196 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
2196 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
1676 | fr-pdfelement-pro_setup_full5478.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
1676 | fr-pdfelement-pro_setup_full5478.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
2196 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
2196 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
No debug info