File name: filmora_setup_full846.exe

Full analysis: https://app.any.run/tasks/630cfb1b-5a7d-486a-b9cb-2833bd1ba184
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 10, 2023, 13:13:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 12A71BD68FB7A0DE36FC331C78CA6793
SHA1: A5F80A93044897A1D85FBC615242FDDFD6D9E7AC
SHA256: D6CBEF38EF501558176CE076CAF98ADEED9AB2E4EFD100858835B097957BFFBC
SSDEEP: 98304:F4fEeHzHtJ1v52VaIFnGQB9EIsATrKCLVDO:I

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • filmora_setup_full846.exe (PID: 3496)
      • filmora_full846.exe (PID: 664)
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • filmora_setup_full846.exe (PID: 3496)
    • Reads the Internet Settings

      • filmora_setup_full846.exe (PID: 3496)
    • Reads Internet Explorer settings

      • filmora_setup_full846.exe (PID: 3496)
    • Reads settings of System Certificates

      • filmora_setup_full846.exe (PID: 3496)
    • Reads security settings of Internet Explorer

      • filmora_setup_full846.exe (PID: 3496)
    • Checks Windows Trust Settings

      • filmora_setup_full846.exe (PID: 3496)
    • Connects to unusual port

      • filmora_setup_full846.exe (PID: 3496)
    • Process requests binary or script from the Internet

      • filmora_setup_full846.exe (PID: 3496)
  • INFO

    • Reads the machine GUID from the registry

      • filmora_setup_full846.exe (PID: 3496)
      • NFWCHK.exe (PID: 3556)
      • wmpnscfg.exe (PID: 3752)
    • Reads the computer name

      • filmora_setup_full846.exe (PID: 3496)
      • NFWCHK.exe (PID: 3556)
      • wmpnscfg.exe (PID: 3752)
    • Create files in a temporary directory

      • filmora_setup_full846.exe (PID: 3496)
      • filmora_full846.exe (PID: 664)
      • filmora_full846.tmp (PID: 1816)
    • Checks supported languages

      • filmora_setup_full846.exe (PID: 3496)
      • NFWCHK.exe (PID: 3556)
      • wmpnscfg.exe (PID: 3752)
      • filmora_full846.exe (PID: 664)
      • filmora_full846.tmp (PID: 1816)
    • Checks proxy server information

      • filmora_setup_full846.exe (PID: 3496)
    • Creates files or folders in the user directory

      • filmora_setup_full846.exe (PID: 3496)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3752)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:23 11:55:08+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 1269760
InitializedDataSize: 792064
UninitializedDataSize: -
EntryPoint: 0x1049b0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 4.0.4.13
ProductVersionNumber: 4.0.4.13
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: wondershare-filmora_setup_full846.exe
FileVersion: 4.0.4.13
LegalCopyright: Copyright©2023 Wondershare. All rights reserved.
ProductName: Wondershare Filmora
ProductVersion: 13.0.25
No data.
All screenshots are available in the full report
Total processes: 46
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Processes in the graph (start node: filmora_setup_full846.exe):
  • filmora_setup_full846.exe
  • nfwchk.exe (no specs)
  • wmpnscfg.exe (no specs)
  • filmora_full846.exe (no specs)
  • filmora_full846.tmp (no specs)
  • filmora_setup_full846.exe (no specs)

Process information

PID: 664
CMD: "C:\Users\Public\Documents\Wondershare\filmora_full846.exe" /VERYSILENT /NOPAGE /LANG=ENG /LOG="C:\Users\admin\AppData\Local\Temp\WAE-Wondershare Filmora.log" /installpath: "C:\Users\admin\AppData\Local\Wondershare\Wondershare Filmora\" /DIR="C:\Users\admin\AppData\Local\Wondershare\Wondershare Filmora\" /WAEWIN=70184 /PID=846
Path: C:\Users\Public\Documents\Wondershare\filmora_full846.exe
Parent process: filmora_setup_full846.exe
User: admin
Company: -
Integrity Level: HIGH
Description: Wondershare Filmora 12 Setup
Exit code: 0
Version: 12.2.12.2498
Modules (Images):
c:\users\public\documents\wondershare\filmora_full846.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 1816
CMD: "C:\Users\admin\AppData\Local\Temp\is-PFOTJ.tmp\filmora_full846.tmp" /SL5="$80180,478278272,421888,C:\Users\Public\Documents\Wondershare\filmora_full846.exe" /VERYSILENT /NOPAGE /LANG=ENG /LOG="C:\Users\admin\AppData\Local\Temp\WAE-Wondershare Filmora.log" /installpath: "C:\Users\admin\AppData\Local\Wondershare\Wondershare Filmora\" /DIR="C:\Users\admin\AppData\Local\Wondershare\Wondershare Filmora\" /WAEWIN=70184 /PID=846
Path: C:\Users\admin\AppData\Local\Temp\is-PFOTJ.tmp\filmora_full846.tmp
Parent process: filmora_full846.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\is-pfotj.tmp\filmora_full846.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 3416
CMD: "C:\Users\admin\AppData\Local\Temp\filmora_setup_full846.exe"
Path: C:\Users\admin\AppData\Local\Temp\filmora_setup_full846.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: wondershare-filmora_setup_full846.exe
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 4.0.4.13
Modules (Images):
c:\users\admin\appdata\local\temp\filmora_setup_full846.exe
c:\windows\system32\ntdll.dll
PID: 3496
CMD: "C:\Users\admin\AppData\Local\Temp\filmora_setup_full846.exe"
Path: C:\Users\admin\AppData\Local\Temp\filmora_setup_full846.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: wondershare-filmora_setup_full846.exe
Exit code: 0
Version: 4.0.4.13
Modules (Images):
c:\users\admin\appdata\local\temp\filmora_setup_full846.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3556
CMD: C:\Users\Public\Documents\Wondershare\NFWCHK.exe
Path: C:\Users\Public\Documents\Wondershare\NFWCHK.exe
Parent process: filmora_setup_full846.exe
User: admin
Company: Wondershare
Integrity Level: HIGH
Description: .NET Framework Checker
Exit code: 0
Version: 1.0.0.0
Modules (Images):
c:\users\public\documents\wondershare\nfwchk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3752
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
Total events: 5 768
Read events: 5 731
Write events: 34
Delete events: 3

Modification events

Process: (3496) filmora_setup_full846.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (3496) filmora_setup_full846.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (3496) filmora_setup_full846.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (3496) filmora_setup_full846.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (3496) filmora_setup_full846.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (3496) filmora_setup_full846.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (3496) filmora_setup_full846.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

Process: (3496) filmora_setup_full846.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 4600000059010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (3496) filmora_setup_full846.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation: write
Name: WpadDecisionReason
Value: 1

Process: (3496) filmora_setup_full846.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation: write
Name: WpadDecisionTime
Value: B09C7CB5D713DA01
Executable files: 2
Suspicious files: 15
Text files: 14
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3496 | filmora_setup_full846.exe | C:\Users\Public\Documents\Wondershare\filmora_full846.exe.~P2S | -
MD5:
SHA256:

3496 | filmora_setup_full846.exe | C:\Users\admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log | text
MD5: AE9123CEB53333CCAF0F7F3C88872A31
SHA256: E2339F55B27E56E6FE8FC1A3EF6FEB6B0B23DB467D7EFB61FB582420D091CC5C

3496 | filmora_setup_full846.exe | C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config | xml
MD5: AD0967A0AB95AA7D71B3DC92B71B8F7A
SHA256: 9C1212BC648A2533B53A2D0AFCEC518846D97630AFB013742A9622F0DF7B04FC

3496 | filmora_setup_full846.exe | C:\Users\Public\Documents\Wondershare\NFWCHK.exe | executable
MD5: 27CFB3990872CAA5930FA69D57AEFE7B
SHA256: 43881549228975C7506B050BCE4D9B671412D3CDC08C7516C9DBBB7F50C25146

3496 | filmora_setup_full846.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\json2[1].js | text
MD5: E78199FE40036021717F4A18BCDB91CE
SHA256: 9DD0F1D3CECD1368D46CD881FF6F6529485F0414BC40F35D2A4D2C08769517F0

3496 | filmora_setup_full846.exe | C:\Users\admin\AppData\Local\Temp\wsduilib.log | text
MD5: D009B74056ADAE774107DB891AE82595
SHA256: 6900E7A6247F3A8FFCCF4D7023EF5AA6FCA81972486DD5095BF8CE5FECA79C2B

3496 | filmora_setup_full846.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed
MD5: 1BFE591A4FE3D91B03CDF26EAACD8F89
SHA256: 9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8

3496 | filmora_setup_full846.exe | C:\Users\Public\Documents\Wondershare\WAE_DOWNTASK_846.xml | xml
MD5: 51659916B3BD25BED8AA9BB96D269A85
SHA256: DEFAF2DE0CD70F498B2901B68623A05B9A18F5AA57F7CC990263B17F8E2E78A7

3496 | filmora_setup_full846.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57 | binary
MD5: ECE8223F7C4486346442D807FFBC8C9C
SHA256: F27B799AC391588A28F8174756FA75D9221DF08313A58C3839B52C65FDA6F432

3496 | filmora_setup_full846.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\jquery-2_1_4.min[1].js | text
MD5: 5A78469E930137026167FC0FBA0FE3E6
SHA256: 7BB14685F20EF4995672F51029F6BE814F866A035D7869F7DA6756A5FE8AC649
HTTP(S) requests: 27
TCP/UDP connections: 57
DNS requests: 14
Threats: 10

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3496 | filmora_setup_full846.exe | GET | - | 8.209.73.211:80 | http://platform.wondershare.com/rest/v2/downloader/runtime/?client_sign={458d38c6-e354-4877-b1cb-c82c4d0b4c1bG}&product_id=846&wae=4.0.4.13&platform=win_x86 | unknown | - | - | unknown
3496 | filmora_setup_full846.exe | HEAD | 200 | 2.16.164.83:80 | http://download.wondershare.com/cbs_down/filmora_full846.exe | unknown | - | - | unknown
3496 | filmora_setup_full846.exe | HEAD | 200 | 2.16.164.83:80 | http://download.wondershare.com/cbs_down/filmora_full846.exe | unknown | - | - | unknown
3496 | filmora_setup_full846.exe | HEAD | 200 | 2.16.164.115:80 | http://download.wondershare.com/cbs_down/filmora_full846.exe | unknown | - | - | unknown
3496 | filmora_setup_full846.exe | GET | - | 2.16.164.83:80 | http://download.wondershare.com/cbs_down/filmora_full846.exe | unknown | - | - | unknown
3496 | filmora_setup_full846.exe | GET | - | 2.16.164.83:80 | http://download.wondershare.com/cbs_down/filmora_full846.exe | unknown | - | - | unknown
3496 | filmora_setup_full846.exe | GET | - | 2.16.164.83:80 | http://download.wondershare.com/cbs_down/filmora_full846.exe | unknown | - | - | unknown
3496 | filmora_setup_full846.exe | GET | - | 2.16.164.115:80 | http://download.wondershare.com/cbs_down/filmora_full846.exe | unknown | - | - | unknown
3496 | filmora_setup_full846.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?de08637f15dea0e8 | unknown | compressed | 4.66 Kb | unknown
3496 | filmora_setup_full846.exe | GET | 206 | 2.16.164.115:80 | http://download.wondershare.com/cbs_down/filmora_full846.exe | unknown | text | 2 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3496 | filmora_setup_full846.exe | 8.209.72.213:443 | pc-api.wondershare.cc | Alibaba US Technology Co., Ltd. | DE | unknown
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3496 | filmora_setup_full846.exe | 8.209.73.211:80 | platform.wondershare.com | Alibaba US Technology Co., Ltd. | DE | unknown
3496 | filmora_setup_full846.exe | 47.91.89.51:443 | prod-web.wondershare.cc | Alibaba US Technology Co., Ltd. | DE | unknown
3496 | filmora_setup_full846.exe | 2.16.164.83:80 | download.wondershare.com | Akamai International B.V. | NL | unknown
3496 | filmora_setup_full846.exe | 47.254.80.199:8106 | analytics.wondershare.cc | Alibaba US Technology Co., Ltd. | US | unknown
3496 | filmora_setup_full846.exe | 2.16.164.115:80 | download.wondershare.com | Akamai International B.V. | NL | unknown

DNS requests

Domain
IP
Reputation
pc-api.wondershare.cc
  • 8.209.72.213
unknown
platform.wondershare.com
  • 8.209.73.211
unknown
prod-web.wondershare.cc
  • 47.91.89.51
unknown
download.wondershare.com
  • 2.16.164.83
  • 2.16.164.115
whitelisted
analytics.wondershare.cc
  • 47.254.80.199
unknown
wae.wondershare.cc
  • 163.181.92.235
  • 163.181.92.237
  • 163.181.92.232
  • 163.181.92.231
  • 163.181.92.234
  • 163.181.92.236
  • 163.181.92.233
  • 163.181.92.238
unknown
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
fonts.googleapis.com
  • 142.250.185.138
whitelisted
ocsp.pki.goog
  • 172.217.16.195
whitelisted

Threats

PID | Process | Class | Message
1080 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
1080 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
1080 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
1080 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
3496 | filmora_setup_full846.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3496 | filmora_setup_full846.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1080 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
3 ETPRO signatures available at the full report
No debug info