Windows Analysis Report
filmora-idco_setup_full1901.exe

Overview

General Information

Sample name:	filmora-idco_setup_full1901.exe
Analysis ID:	1428767
MD5:	aeb7797267cb552cf82e0348c985543e
SHA1:	a080667a17d09a4e6b333c6a99a528c75e9da468
SHA256:	b26919b9167cc1ac3c06ff8b2506ff50b23ffa346b9203cafce3972f702fe31e
Infos:

Detection

Score:	14
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Compliance

Score:	48
Range:	0 - 100

Signatures

Sigma detected: Execution from Suspicious Folder

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

Cryptography

Source: filmora-idco_setup_full1901.exe, 00000000.00000000.1119233376.00000000003CA000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_db5fc684-b

Compliance

Uses 32bit PE files

Source: filmora-idco_setup_full1901.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: filmora-idco_setup_full1901.exe

Static PE information: certificate valid

Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Jump to behavior

Source: filmora-idco_setup_full1901.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: G:\devops_yanfa\workspace\p-4663c901377d457795e7a5c44ce670aa\src\bin\WAE_ENG.pdb source: filmora-idco_setup_full1901.exe
Source:	Binary string: G:\devops_yanfa\workspace\p-4663c901377d457795e7a5c44ce670aa\src\bin\WAE_ENG.pdbn" source: filmora-idco_setup_full1901.exe
Source:	Binary string: E:\MobileGo\Trunk\PC\Setup\Framework_Lite\DotNetChecker\obj\x86\Release\NFWCHK.pdb source: filmora-idco_setup_full1901.exe, NFWCHK.exe.0.dr

Networking

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 23.34.82.12 23.34.82.12
Source: Joe Sandbox View	IP Address: 47.254.80.199 47.254.80.199

Source: filmora-idco_setup_full1901.exe, filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.34.82.12/cbs_down/filmora-idco_64bit_full1901.exe
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.34.82.12/cbs_down/filmora-idco_64bit_full1901.exey
Source: filmora-idco_setup_full1901.exe, filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.34.82.26/cbs_down/filmora-idco_64bit_full1901.exe
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: filmora-idco_setup_full1901.exe, filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.com/in
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://download.wondershare.com/inst/NetFxLite.exe
Source: filmora-idco_setup_full1901.exe, 00000000.00000003.1980986954.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A48000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005ACB000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A8C000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down
Source: filmora-idco_setup_full1901.exe, 00000000.00000003.1900772172.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000002.2386212187.000000000BE90000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1913987875.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1918842662.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1971922486.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1976584877.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1883788985.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1927103496.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1909528066.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1922570929.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1931777431.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1905075119.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1980986954.000000000BE93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down.exe
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://download.wondershare.net/cbs_down/filmora-idco_64bi
Source: filmora-idco_setup_full1901.exe, filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down/filmora-idco_64bit_
Source: filmora-idco_setup_full1901.exe, wsWAE.log.0.dr	String found in binary or memory: http://download.wondershare.net/cbs_down/filmora-idco_64bit_full1901.exe
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down/filmora-idco_64bit_full1901.exeS
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down/filmora-idco_64bit_full1901.exeSY
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down/filmora-idco_64bit_full1901.exeSl
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down/filmora-idco_64bit_full1901.exeSr:
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down/filmora-idco_64bit_full1901.execom
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down/filmora-idco_64bit_full1901.exewin_x64
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down1
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down3
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_downP
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2386212187.000000000BE90000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1971922486.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1976584877.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1980986954.000000000BE93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_downexe
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_downm
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_downo;
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_downp
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_downq
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://platform.wondershare.cc
Source: filmora-idco_setup_full1901.exe, filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A66000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://platform.wondershare.cc/
Source: filmora-idco_setup_full1901.exe, 00000000.00000003.1151227324.0000000000D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://platform.wondershare.cc/rest/v2/downloader/runtime/?client_sign=
Source: filmora-idco_setup_full1901.exe, filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pop.wondersha
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://pop.wondershare.com/filmora-license.html
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: filmora-idco_setup_full1901.exe, 00000000.00000003.2068524982.000000000BFD6000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.2032533661.000000000F0F4000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.2045645040.000000000BF73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://223.5.5.5
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://223.5.5.5Mzc4Miop0xjZfMjQzNzgwOTYzOTcyMTg4MTY=&uid=/resolve?type=1&short=1&name=&ak=&key=&ts
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://223.6.6.6
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://analytics.300624.com:8106/sa?project=
Source: filmora-idco_setup_full1901.exe, filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.300624.com:8106/sa?project=UA_Wae_Web
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://analytics.wondershare.cc:8106/sa?project=
Source: filmora-idco_setup_full1901.exe, filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.wondershare.cc:8106/sa?project=UA_Wae_Web
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.wondershare.cc:8106/sa?project=UA_Wae_Web:
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://analytics.wondershare.cc:8106/sa?project=https://analytics.300624.com:8106/sa?project=downlo
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: filmora-idco_setup_full1901.exe, filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.wond
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://download.wondershare.net/cbs_down/filmora-idco_full1901.exe
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.wondershare.net/cbs_down/filmora-idco_full1901.exey
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://filmora.wondershare.net/install/filmora-win-idco.html?act=install
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filmora.wondershare.net/install/filmora-win-idco.html?act=installap
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://pc-api.300624.com
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://pc-api.wondershare.cc
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://prod-web.wondershare.cc/api/v1/prodweb/trk&os=Windows
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://wae.tmp
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://www.wondershare.com/company/end-user-license-agreement.html
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://www.wondershare.com/privacy.html
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.wondershare.com/privacy.htmle.html

System Summary

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe

Process Stats: CPU usage > 24%

Detected potential crypto function

Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Code function: 2_2_00007FFEC92C6DF4		2_2_00007FFEC92C6DF4
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Code function: 2_2_00007FFEC92C90B0		2_2_00007FFEC92C90B0

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Documents\Wondershare\NFWCHK.exe 43881549228975C7506B050BCE4D9B671412D3CDC08C7516C9DBBB7F50C25146

PE file contains executable resources (Code or Archives)

Source: filmora-idco_setup_full1901.exe	Static PE information: Resource name: EXE type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: filmora-idco_setup_full1901.exe	Static PE information: Resource name: ZIPRES type: Zip archive data, at least v2.0 to extract, compression method=deflate

Sample file is different than original file name gathered from version info

Source: filmora-idco_setup_full1901.exe, 00000000.00000000.1119294056.0000000000429000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNFWCHK.exe0 vs filmora-idco_setup_full1901.exe
Source: filmora-idco_setup_full1901.exe	Binary or memory string: OriginalFilenameNFWCHK.exe0 vs filmora-idco_setup_full1901.exe

Uses 32bit PE files

Source: filmora-idco_setup_full1901.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean14.winEXE@4/76@0/6

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe

File created: C:\Users\Public\Documents\Wondershare\

Jump to behavior

Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6160:120:WilError_03

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe

File created: C:\Users\user\AppData\Local\Temp\Wondershare

Jump to behavior

Source: filmora-idco_setup_full1901.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: filmora-idco_setup_full1901.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.72%

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: filmora-idco_setup_full1901.exe	String found in binary or memory: <?xml version="1.0" encoding="UTF-8"?> <config> <Status>1</Status> <JoinExp>1</JoinExp> <SelectLang>English</SelectLang> <InstallPath>C:\Users\user\AppData\Local\</InstallPath> <AgreeExtInstall>1</AgreeExtInstall> </config>
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://filmora.wondershare.net/install/filmora-win-idco.html?act=install
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: C:\Users\user\AppData\Local\</InstallPath>
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: dir=[%s]prodstarttimeprodstartcode&product_version=&installtime=&m_nProductID=client_sign=;[WARN] %d - jump url=[%s] is invalid.&?[WARN] %d - thanks url=[%s] is invalid.&?thank_you_pagepagedownloader_web1browserdownpackage_pagepagedownloader_webretrycbs_down[INFO] %d - set select lang=[%s].\\\\[INFO] %d - BuildInstallPara, common./VERYSILENT /NOPAGE [INFO] %d - BuildInstallPara, product startup=[%d]..logWAE-" /LOG="/VERYSILENT /NOPAGE /LANG=" /WAEWIN= /DIR="" /installpath: " /PID=[INFO] %d - BuildInstallPara product arg.token /TOKEN_PRODUCTINSTALL_ARG= /NOTRUN[INFO] %d - BuildInstallPara dependent startup=[%d]..log" /WAEWIN=WAE- /LOG="/VERYSILENT /NOPAGE /LANG= /PID=" /DIR="" /installpath: "[INFO] %d - BuildInstallPara dependent arg.token /TOKEN_PRODUCTINSTALL_ARG= /NOTRUN" /HOSTINFOPATH="3264[INFO] %d - BuildProductAndDepentTask, bit=[%s] package.64downpackagebits32downpackagebitsstartupproduct1[INFO] %d - BuildProductAndDepentTask, use local x86 down url.1[INFO] %d - BuildProductAndDepentTask, use local x64 down url.[INFO] %d - query package size=[%I64u] by domain_url.[WARN] %d - dir=[%s], disk_free_size=[%lld],,true[INFO] %d - already install wcc.1.NET Frameworkdotnetver[INFO] %d - PrepareDown0[INFO] %d - set host hwnd=[%x].-startmodel:floatmode[INFO] %d - startup wcc ret=[%d]:
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: dir=[%s]prodstarttimeprodstartcode&product_version=&installtime=&m_nProductID=client_sign=;[WARN] %d - jump url=[%s] is invalid.&?[WARN] %d - thanks url=[%s] is invalid.&?thank_you_pagepagedownloader_web1browserdownpackage_pagepagedownloader_webretrycbs_down[INFO] %d - set select lang=[%s].\\\\[INFO] %d - BuildInstallPara, common./VERYSILENT /NOPAGE [INFO] %d - BuildInstallPara, product startup=[%d]..logWAE-" /LOG="/VERYSILENT /NOPAGE /LANG=" /WAEWIN= /DIR="" /installpath: " /PID=[INFO] %d - BuildInstallPara product arg.token /TOKEN_PRODUCTINSTALL_ARG= /NOTRUN[INFO] %d - BuildInstallPara dependent startup=[%d]..log" /WAEWIN=WAE- /LOG="/VERYSILENT /NOPAGE /LANG= /PID=" /DIR="" /installpath: "[INFO] %d - BuildInstallPara dependent arg.token /TOKEN_PRODUCTINSTALL_ARG= /NOTRUN" /HOSTINFOPATH="3264[INFO] %d - BuildProductAndDepentTask, bit=[%s] package.64downpackagebits32downpackagebitsstartupproduct1[INFO] %d - BuildProductAndDepentTask, use local x86 down url.1[INFO] %d - BuildProductAndDepentTask, use local x64 down url.[INFO] %d - query package size=[%I64u] by domain_url.[WARN] %d - dir=[%s], disk_free_size=[%lld],,true[INFO] %d - already install wcc.1.NET Frameworkdotnetver[INFO] %d - PrepareDown0[INFO] %d - set host hwnd=[%x].-startmodel:floatmode[INFO] %d - startup wcc ret=[%d]:
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: <Url_Install><![CDATA[https://filmora.wondershare.net/install/filmora-win-idco.html?act=install]]></Url_Install>
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: </Installurl>
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: <InstallTime>240</InstallTime>

Source: unknown	Process created: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe "C:\Users\user\Desktop\filmora-idco_setup_full1901.exe"
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Process created: C:\Users\Public\Documents\Wondershare\NFWCHK.exe C:\Users\Public\Documents\Wondershare\NFWCHK.exe
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Process created: C:\Users\Public\Documents\Wondershare\NFWCHK.exe C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Jump to behavior

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4657278A-411B-11d2-839A-00C04FD918D0}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe

File opened: C:\Windows\SysWOW64\Msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: filmora-idco_setup_full1901.exe

Static PE information: certificate valid

Source: filmora-idco_setup_full1901.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: filmora-idco_setup_full1901.exe

Static file information: File size 1995256 > 1048576

Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Jump to behavior

Source: filmora-idco_setup_full1901.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x138400

Source: filmora-idco_setup_full1901.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: filmora-idco_setup_full1901.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: filmora-idco_setup_full1901.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: filmora-idco_setup_full1901.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: filmora-idco_setup_full1901.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: filmora-idco_setup_full1901.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: filmora-idco_setup_full1901.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: filmora-idco_setup_full1901.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: G:\devops_yanfa\workspace\p-4663c901377d457795e7a5c44ce670aa\src\bin\WAE_ENG.pdb source: filmora-idco_setup_full1901.exe
Source:	Binary string: G:\devops_yanfa\workspace\p-4663c901377d457795e7a5c44ce670aa\src\bin\WAE_ENG.pdbn" source: filmora-idco_setup_full1901.exe
Source:	Binary string: E:\MobileGo\Trunk\PC\Setup\Framework_Lite\DotNetChecker\obj\x86\Release\NFWCHK.pdb source: filmora-idco_setup_full1901.exe, NFWCHK.exe.0.dr

Source: filmora-idco_setup_full1901.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: filmora-idco_setup_full1901.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: filmora-idco_setup_full1901.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: filmora-idco_setup_full1901.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: filmora-idco_setup_full1901.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00D6126A push esi; retf	0_2_00D61279
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA3ECD push eax; retf	0_2_00CA3ECE
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA0AD1 push eax; retf	0_2_00CA0AD2
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA0CD5 push esi; retf	0_2_00CA0CD6
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA54E9 push ebp; retf 0000h	0_2_00CA553E
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA1E89 push ds; retf 0000h	0_2_00CA1E8A
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA5489 push esp; retf 0000h	0_2_00CA5496
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA0AA9 push cs; retf 0000h	0_2_00CA0AAA
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA10B0 push ecx; retf	0_2_00CA10B2
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA0CB1 push esp; retf	0_2_00CA0CB2
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00C934B4 push edx; retf	0_2_00C934CA
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA106F push ebx; retf	0_2_00CA1072
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA0E63 push cs; retf 0000h	0_2_00CA0E66
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA1660 push ss; retf 0000h	0_2_00CA1662
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA1005 push cs; retf 0000h	0_2_00CA1026
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA1031 push ecx; retf	0_2_00CA1032
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA09CD push ebp; retf	0_2_00CA09D6
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA0FE4 push ebx; retf	0_2_00CA0FF2
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00C9A797 push C700001Bh; ret	0_2_00C9A7C1
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA09A4 push ebp; retf	0_2_00CA09B6
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA53BD push ebx; retf 0000h	0_2_00CA53BE
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA3F5D push ebx; retf	0_2_00CA3F5E
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00C97D67 push ss; retf	0_2_00C97D6A
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA0D31 push esp; retf	0_2_00CA0D32
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00C748F8 pushfd ; iretd	0_2_00C748F9
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00C7265D push esi; retf	0_2_00C7265E
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_05A832A1 push eax; iretd	0_2_05A832A2
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_05A83275 push eax; iretd	0_2_05A83276
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_05A6A305 push ecx; iretd	0_2_05A6A317
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_05A6A48E push edi; iretd	0_2_05A6A4B4
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_05A6A311 push ecx; iretd	0_2_05A6A317

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe

File created: C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Memory allocated: 54C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Memory allocated: 1560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Memory allocated: 3330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Memory allocated: 1B330000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Thread delayed: delay time: 7200000	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Thread delayed: delay time: 7200000	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe

Window / User API: threadDelayed 8030

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe TID: 7036	Thread sleep time: -94500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe TID: 7040	Thread sleep time: -77100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe TID: 7108	Thread sleep time: -71400000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe TID: 7040	Thread sleep time: -14400000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe TID: 7108	Thread sleep time: -14400000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe TID: 7036	Thread sleep time: -2409000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe TID: 6276	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe TID: 6332	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Thread delayed: delay time: 7200000	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Thread delayed: delay time: 7200000	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: filmora-idco_setup_full1901.exe	Binary or memory string: Hyper-V RAW
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe

Process created: C:\Users\Public\Documents\Wondershare\NFWCHK.exe C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Jump to behavior

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_64\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_64\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
47.251.49.246	unknown	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false
23.34.82.12	unknown	United States	25019	SAUDINETSTC-ASSA	false
47.254.80.199	unknown	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false
23.34.82.26	unknown	United States	25019	SAUDINETSTC-ASSA	false
47.88.57.97	unknown	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false

Private

IP
127.0.0.1

Cryptography

Source: filmora-idco_setup_full1901.exe, 00000000.00000000.1119233376.00000000003CA000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_db5fc684-b

Compliance

Uses 32bit PE files

Source: filmora-idco_setup_full1901.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: filmora-idco_setup_full1901.exe

Static PE information: certificate valid

Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Jump to behavior

Source: filmora-idco_setup_full1901.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: G:\devops_yanfa\workspace\p-4663c901377d457795e7a5c44ce670aa\src\bin\WAE_ENG.pdb source: filmora-idco_setup_full1901.exe
Source:	Binary string: G:\devops_yanfa\workspace\p-4663c901377d457795e7a5c44ce670aa\src\bin\WAE_ENG.pdbn" source: filmora-idco_setup_full1901.exe
Source:	Binary string: E:\MobileGo\Trunk\PC\Setup\Framework_Lite\DotNetChecker\obj\x86\Release\NFWCHK.pdb source: filmora-idco_setup_full1901.exe, NFWCHK.exe.0.dr

Networking

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 23.34.82.12 23.34.82.12
Source: Joe Sandbox View	IP Address: 47.254.80.199 47.254.80.199

Source: filmora-idco_setup_full1901.exe, filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.34.82.12/cbs_down/filmora-idco_64bit_full1901.exe
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.34.82.12/cbs_down/filmora-idco_64bit_full1901.exey
Source: filmora-idco_setup_full1901.exe, filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.34.82.26/cbs_down/filmora-idco_64bit_full1901.exe
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: filmora-idco_setup_full1901.exe, filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.com/in
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://download.wondershare.com/inst/NetFxLite.exe
Source: filmora-idco_setup_full1901.exe, 00000000.00000003.1980986954.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A48000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005ACB000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A8C000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down
Source: filmora-idco_setup_full1901.exe, 00000000.00000003.1900772172.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000002.2386212187.000000000BE90000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1913987875.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1918842662.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1971922486.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1976584877.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1883788985.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1927103496.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1909528066.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1922570929.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1931777431.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1905075119.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1980986954.000000000BE93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down.exe
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://download.wondershare.net/cbs_down/filmora-idco_64bi
Source: filmora-idco_setup_full1901.exe, filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down/filmora-idco_64bit_
Source: filmora-idco_setup_full1901.exe, wsWAE.log.0.dr	String found in binary or memory: http://download.wondershare.net/cbs_down/filmora-idco_64bit_full1901.exe
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down/filmora-idco_64bit_full1901.exeS
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down/filmora-idco_64bit_full1901.exeSY
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down/filmora-idco_64bit_full1901.exeSl
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down/filmora-idco_64bit_full1901.exeSr:
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down/filmora-idco_64bit_full1901.execom
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down/filmora-idco_64bit_full1901.exewin_x64
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down1
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_down3
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_downP
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2386212187.000000000BE90000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1971922486.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1976584877.000000000BE93000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.1980986954.000000000BE93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_downexe
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_downm
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_downo;
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_downp
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.wondershare.net/cbs_downq
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://platform.wondershare.cc
Source: filmora-idco_setup_full1901.exe, filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A66000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://platform.wondershare.cc/
Source: filmora-idco_setup_full1901.exe, 00000000.00000003.1151227324.0000000000D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://platform.wondershare.cc/rest/v2/downloader/runtime/?client_sign=
Source: filmora-idco_setup_full1901.exe, filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pop.wondersha
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://pop.wondershare.com/filmora-license.html
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: filmora-idco_setup_full1901.exe, 00000000.00000003.2068524982.000000000BFD6000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.2032533661.000000000F0F4000.00000004.00000020.00020000.00000000.sdmp, filmora-idco_setup_full1901.exe, 00000000.00000003.2045645040.000000000BF73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://223.5.5.5
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://223.5.5.5Mzc4Miop0xjZfMjQzNzgwOTYzOTcyMTg4MTY=&uid=/resolve?type=1&short=1&name=&ak=&key=&ts
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://223.6.6.6
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://analytics.300624.com:8106/sa?project=
Source: filmora-idco_setup_full1901.exe, filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.300624.com:8106/sa?project=UA_Wae_Web
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://analytics.wondershare.cc:8106/sa?project=
Source: filmora-idco_setup_full1901.exe, filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.wondershare.cc:8106/sa?project=UA_Wae_Web
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.wondershare.cc:8106/sa?project=UA_Wae_Web:
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://analytics.wondershare.cc:8106/sa?project=https://analytics.300624.com:8106/sa?project=downlo
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: filmora-idco_setup_full1901.exe, filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.wond
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://download.wondershare.net/cbs_down/filmora-idco_full1901.exe
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.wondershare.net/cbs_down/filmora-idco_full1901.exey
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://filmora.wondershare.net/install/filmora-win-idco.html?act=install
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2384496374.0000000005A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filmora.wondershare.net/install/filmora-win-idco.html?act=installap
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://pc-api.300624.com
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://pc-api.wondershare.cc
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://prod-web.wondershare.cc/api/v1/prodweb/trk&os=Windows
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://wae.tmp
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://www.wondershare.com/company/end-user-license-agreement.html
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://www.wondershare.com/privacy.html
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.wondershare.com/privacy.htmle.html

System Summary

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe

Process Stats: CPU usage > 24%

Detected potential crypto function

Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Code function: 2_2_00007FFEC92C6DF4		2_2_00007FFEC92C6DF4
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Code function: 2_2_00007FFEC92C90B0		2_2_00007FFEC92C90B0

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Documents\Wondershare\NFWCHK.exe 43881549228975C7506B050BCE4D9B671412D3CDC08C7516C9DBBB7F50C25146

PE file contains executable resources (Code or Archives)

Source: filmora-idco_setup_full1901.exe	Static PE information: Resource name: EXE type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: filmora-idco_setup_full1901.exe	Static PE information: Resource name: ZIPRES type: Zip archive data, at least v2.0 to extract, compression method=deflate

Sample file is different than original file name gathered from version info

Source: filmora-idco_setup_full1901.exe, 00000000.00000000.1119294056.0000000000429000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNFWCHK.exe0 vs filmora-idco_setup_full1901.exe
Source: filmora-idco_setup_full1901.exe	Binary or memory string: OriginalFilenameNFWCHK.exe0 vs filmora-idco_setup_full1901.exe

Uses 32bit PE files

Source: filmora-idco_setup_full1901.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean14.winEXE@4/76@0/6

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe

File created: C:\Users\Public\Documents\Wondershare\

Jump to behavior

Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6160:120:WilError_03

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe

File created: C:\Users\user\AppData\Local\Temp\Wondershare

Jump to behavior

Source: filmora-idco_setup_full1901.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: filmora-idco_setup_full1901.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.72%

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: filmora-idco_setup_full1901.exe	String found in binary or memory: <?xml version="1.0" encoding="UTF-8"?> <config> <Status>1</Status> <JoinExp>1</JoinExp> <SelectLang>English</SelectLang> <InstallPath>C:\Users\user\AppData\Local\</InstallPath> <AgreeExtInstall>1</AgreeExtInstall> </config>
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: https://filmora.wondershare.net/install/filmora-win-idco.html?act=install
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: C:\Users\user\AppData\Local\</InstallPath>
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: dir=[%s]prodstarttimeprodstartcode&product_version=&installtime=&m_nProductID=client_sign=;[WARN] %d - jump url=[%s] is invalid.&?[WARN] %d - thanks url=[%s] is invalid.&?thank_you_pagepagedownloader_web1browserdownpackage_pagepagedownloader_webretrycbs_down[INFO] %d - set select lang=[%s].\\\\[INFO] %d - BuildInstallPara, common./VERYSILENT /NOPAGE [INFO] %d - BuildInstallPara, product startup=[%d]..logWAE-" /LOG="/VERYSILENT /NOPAGE /LANG=" /WAEWIN= /DIR="" /installpath: " /PID=[INFO] %d - BuildInstallPara product arg.token /TOKEN_PRODUCTINSTALL_ARG= /NOTRUN[INFO] %d - BuildInstallPara dependent startup=[%d]..log" /WAEWIN=WAE- /LOG="/VERYSILENT /NOPAGE /LANG= /PID=" /DIR="" /installpath: "[INFO] %d - BuildInstallPara dependent arg.token /TOKEN_PRODUCTINSTALL_ARG= /NOTRUN" /HOSTINFOPATH="3264[INFO] %d - BuildProductAndDepentTask, bit=[%s] package.64downpackagebits32downpackagebitsstartupproduct1[INFO] %d - BuildProductAndDepentTask, use local x86 down url.1[INFO] %d - BuildProductAndDepentTask, use local x64 down url.[INFO] %d - query package size=[%I64u] by domain_url.[WARN] %d - dir=[%s], disk_free_size=[%lld],,true[INFO] %d - already install wcc.1.NET Frameworkdotnetver[INFO] %d - PrepareDown0[INFO] %d - set host hwnd=[%x].-startmodel:floatmode[INFO] %d - startup wcc ret=[%d]:
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: dir=[%s]prodstarttimeprodstartcode&product_version=&installtime=&m_nProductID=client_sign=;[WARN] %d - jump url=[%s] is invalid.&?[WARN] %d - thanks url=[%s] is invalid.&?thank_you_pagepagedownloader_web1browserdownpackage_pagepagedownloader_webretrycbs_down[INFO] %d - set select lang=[%s].\\\\[INFO] %d - BuildInstallPara, common./VERYSILENT /NOPAGE [INFO] %d - BuildInstallPara, product startup=[%d]..logWAE-" /LOG="/VERYSILENT /NOPAGE /LANG=" /WAEWIN= /DIR="" /installpath: " /PID=[INFO] %d - BuildInstallPara product arg.token /TOKEN_PRODUCTINSTALL_ARG= /NOTRUN[INFO] %d - BuildInstallPara dependent startup=[%d]..log" /WAEWIN=WAE- /LOG="/VERYSILENT /NOPAGE /LANG= /PID=" /DIR="" /installpath: "[INFO] %d - BuildInstallPara dependent arg.token /TOKEN_PRODUCTINSTALL_ARG= /NOTRUN" /HOSTINFOPATH="3264[INFO] %d - BuildProductAndDepentTask, bit=[%s] package.64downpackagebits32downpackagebitsstartupproduct1[INFO] %d - BuildProductAndDepentTask, use local x86 down url.1[INFO] %d - BuildProductAndDepentTask, use local x64 down url.[INFO] %d - query package size=[%I64u] by domain_url.[WARN] %d - dir=[%s], disk_free_size=[%lld],,true[INFO] %d - already install wcc.1.NET Frameworkdotnetver[INFO] %d - PrepareDown0[INFO] %d - set host hwnd=[%x].-startmodel:floatmode[INFO] %d - startup wcc ret=[%d]:
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: <Url_Install><![CDATA[https://filmora.wondershare.net/install/filmora-win-idco.html?act=install]]></Url_Install>
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: </Installurl>
Source: filmora-idco_setup_full1901.exe	String found in binary or memory: <InstallTime>240</InstallTime>

Source: unknown	Process created: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe "C:\Users\user\Desktop\filmora-idco_setup_full1901.exe"
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Process created: C:\Users\Public\Documents\Wondershare\NFWCHK.exe C:\Users\Public\Documents\Wondershare\NFWCHK.exe
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Process created: C:\Users\Public\Documents\Wondershare\NFWCHK.exe C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Jump to behavior

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4657278A-411B-11d2-839A-00C04FD918D0}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe

File opened: C:\Windows\SysWOW64\Msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: filmora-idco_setup_full1901.exe

Static PE information: certificate valid

Source: filmora-idco_setup_full1901.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: filmora-idco_setup_full1901.exe

Static file information: File size 1995256 > 1048576

Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Jump to behavior

Source: filmora-idco_setup_full1901.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x138400

Source: filmora-idco_setup_full1901.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: filmora-idco_setup_full1901.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: filmora-idco_setup_full1901.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: filmora-idco_setup_full1901.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: filmora-idco_setup_full1901.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: filmora-idco_setup_full1901.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: filmora-idco_setup_full1901.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: filmora-idco_setup_full1901.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: G:\devops_yanfa\workspace\p-4663c901377d457795e7a5c44ce670aa\src\bin\WAE_ENG.pdb source: filmora-idco_setup_full1901.exe
Source:	Binary string: G:\devops_yanfa\workspace\p-4663c901377d457795e7a5c44ce670aa\src\bin\WAE_ENG.pdbn" source: filmora-idco_setup_full1901.exe
Source:	Binary string: E:\MobileGo\Trunk\PC\Setup\Framework_Lite\DotNetChecker\obj\x86\Release\NFWCHK.pdb source: filmora-idco_setup_full1901.exe, NFWCHK.exe.0.dr

Source: filmora-idco_setup_full1901.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: filmora-idco_setup_full1901.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: filmora-idco_setup_full1901.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: filmora-idco_setup_full1901.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: filmora-idco_setup_full1901.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00D6126A push esi; retf	0_2_00D61279
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA3ECD push eax; retf	0_2_00CA3ECE
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA0AD1 push eax; retf	0_2_00CA0AD2
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA0CD5 push esi; retf	0_2_00CA0CD6
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA54E9 push ebp; retf 0000h	0_2_00CA553E
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA1E89 push ds; retf 0000h	0_2_00CA1E8A
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA5489 push esp; retf 0000h	0_2_00CA5496
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA0AA9 push cs; retf 0000h	0_2_00CA0AAA
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA10B0 push ecx; retf	0_2_00CA10B2
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA0CB1 push esp; retf	0_2_00CA0CB2
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00C934B4 push edx; retf	0_2_00C934CA
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA106F push ebx; retf	0_2_00CA1072
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA0E63 push cs; retf 0000h	0_2_00CA0E66
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA1660 push ss; retf 0000h	0_2_00CA1662
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA1005 push cs; retf 0000h	0_2_00CA1026
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA1031 push ecx; retf	0_2_00CA1032
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA09CD push ebp; retf	0_2_00CA09D6
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA0FE4 push ebx; retf	0_2_00CA0FF2
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00C9A797 push C700001Bh; ret	0_2_00C9A7C1
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA09A4 push ebp; retf	0_2_00CA09B6
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA53BD push ebx; retf 0000h	0_2_00CA53BE
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA3F5D push ebx; retf	0_2_00CA3F5E
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00C97D67 push ss; retf	0_2_00C97D6A
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00CA0D31 push esp; retf	0_2_00CA0D32
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00C748F8 pushfd ; iretd	0_2_00C748F9
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_00C7265D push esi; retf	0_2_00C7265E
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_05A832A1 push eax; iretd	0_2_05A832A2
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_05A83275 push eax; iretd	0_2_05A83276
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_05A6A305 push ecx; iretd	0_2_05A6A317
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_05A6A48E push edi; iretd	0_2_05A6A4B4
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Code function: 0_2_05A6A311 push ecx; iretd	0_2_05A6A317

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe

File created: C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Memory allocated: 54C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Memory allocated: 1560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Memory allocated: 3330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Memory allocated: 1B330000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Thread delayed: delay time: 7200000	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Thread delayed: delay time: 7200000	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe

Window / User API: threadDelayed 8030

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe TID: 7036	Thread sleep time: -94500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe TID: 7040	Thread sleep time: -77100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe TID: 7108	Thread sleep time: -71400000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe TID: 7040	Thread sleep time: -14400000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe TID: 7108	Thread sleep time: -14400000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe TID: 7036	Thread sleep time: -2409000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe TID: 6276	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe TID: 6332	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Thread delayed: delay time: 7200000	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Thread delayed: delay time: 7200000	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: filmora-idco_setup_full1901.exe	Binary or memory string: Hyper-V RAW
Source: filmora-idco_setup_full1901.exe, 00000000.00000002.2380025162.0000000000C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe

Process created: C:\Users\Public\Documents\Wondershare\NFWCHK.exe C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Jump to behavior

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_64\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\Wondershare\NFWCHK.exe	Queries volume information: C:\Windows\assembly\GAC_64\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\filmora-idco_setup_full1901.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

ID:	1428767
Product:	CloudBasic
Start time:	15:38:25
Start date:	19.04.2024
Sample:	filmora-idco_setup_full1901.exe
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	aeb7797267cb552cf82e0348c985543e
SHA1:	a080667a17d09a4e6b333c6a99a528c75e9da468
SHA256:	b26919b9167cc1ac3c06ff8b2506ff50b23ffa346b9203cafce3972f702fe31e
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.72%

Name	Type	MD5	SHA1	SHA256
C:\Users\Public\Documents\Wondershare\NFWCHK.exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	27CFB3990872CAA5930FA69D57AEFE7B	5E1C80D61E8DB0CDC0C9B9FA3B2E36D156D45F8F	43881549228975C7506B050BCE4D9B671412D3CDC08C7516C9DBBB7F50C25146
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config	XML 1.0 document, ASCII text	5BABF2A106C883A8E216F768DB99AD51	F39E84A226DBF563BA983C6F352E68D561523C8E	9E676A617EB0D0535AC05A67C0AE0C0E12D4E998AB55AC786A031BFC25E28300
C:\Users\Public\Documents\Wondershare\WAE_DOWNTASK_1901.xml	XML 1.0 document, ASCII text, with CRLF, LF line terminators	5A524D7178A0AD7E93057AE4F6E4DEE1	A17B5AC52A0744754F4AD07508CF2ECD5D783F4C	D66C1CB6C4136C49EABDA7414FE0D5F156ADBA0771C0C415375C4598C812D969
C:\Users\Public\Documents\Wondershare\filmora-idco_64bit_full1901.exe.~P2S	data	D8CB2A263850170444C84A6040C49FD1	0FBE43E80C638AB0F8D80DB5CB0CB40FC5401FED	D81923C8A9067E8633F59D0043913FB857720B9DF0FF75863BD6D38EC2D51200
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-04-19 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-04-20 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-04-24 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-05-02 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-05-02.1 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-05-03 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-05-04 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-05-05 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-05-06 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-05-07 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-05-09 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-05-13 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-05-14 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-05-15 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-05-16 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-05-17 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-05-18 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-05-19 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-05-22 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-05-24 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-05-25 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-05-26 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\Wondershare\WAE\wsWAE.log.2024-05-27 (copy)	ASCII text, with CRLF line terminators	16A55B1E259AB28A918D25A3A047B44C	CEF2457E47C8362C452BB9D585CBEC4C6E067F6A	D0F4313058DAAD9B910E10033769216E464D28D276DEF180A9DC9637F306F739
C:\Users\user\AppData\Local\Temp\wsduilib.log	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-04-19 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-04-20 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-04-21 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-04-22 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-04-23 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-04-24 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-04-25 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-04-25.1 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-04-28 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-04-28.1 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-04-29 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-04-29.1 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-04-30 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-04-30.1 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-02 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-02.1 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-02.2 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-03 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-03.1 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-04 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-05 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-06 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-07 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-07.1 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-08 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-09 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-09.1 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-12 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-13 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-13.1 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-14 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-14.1 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-15 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-16 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-16.1 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-17 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-17.1 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-19 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-22 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-22.1 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-23 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-24 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-24.1 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-25 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-26 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
C:\Users\user\AppData\Local\Temp\wsduilib.log.2024-05-27 (copy)	ISO-8859 text, with CRLF line terminators	C92E8F0A7ABE56FA9B3C79CB1C7F3CB2	74924219AB9668B8A79CA1898405A619D42A61DE	CF6A166CB25AB3823AA379F28AAE976C7239266070F70842476FFA2C50CF5C9D
\Device\ConDrv	ASCII text, with CRLF line terminators	253AA8FA326429A98BF3147D3AF60BBD	483404DCC5C7BFCB7D78C4131042FA6961E9A6D8	7B3077115D1C499F3D4CC121237500803CD0CC49C460595EE7CC5EBD9BAB7E1B

Windows Analysis Report filmora-idco_setup_full1901.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Signatures

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Windows Analysis Report
filmora-idco_setup_full1901.exe