analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

free_ram_installer.exe

Full analysis: https://app.any.run/tasks/6c030beb-4976-4865-8c34-411a7e6e6b62
Verdict: Malicious activity
Analysis date: September 30, 2020, 00:09:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

3954FE1A189C9DD3D1717C74C1060E8F

SHA1:

99652D5EE4DFF54CC7708721471D43B6D3734EB1

SHA256:

CEC6D1FEC3EE71FA5304AF51B9F2E3BD2F93D3DEC69D3369C362C4CBD8E1D414

SSDEEP:

24576:40YPMCcEsGRpTss0915fPHG04BgCz96ZzlwwZw4YYw0WDmqUFvv+523:40YPMCcEsspQcY0JUNm58

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • free_ram_installer.exe (PID: 3692)

  • SUSPICIOUS

    • Low-level read access rights to disk partition

      • free_ram_installer.exe (PID: 3692)

    • Adds / modifies Windows certificates

      • free_ram_installer.exe (PID: 3692)

    • Reads Internet Cache Settings

      • free_ram_installer.exe (PID: 3692)

    • Reads internet explorer settings

      • free_ram_installer.exe (PID: 3692)

  • INFO

    • Reads settings of System Certificates

      • free_ram_installer.exe (PID: 3692)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (16.3)
.exe | Win64 Executable (generic) (14.5)
.dll | Win32 Dynamic Link Library (generic) (3.4)
.exe | Win32 Executable (generic) (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:03:18 10:50:20+01:00
PEType: PE32
LinkerVersion: 10
CodeSize: 432640
InitializedDataSize: 576512
UninitializedDataSize: -
EntryPoint: 0x4ea68
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 2.0.15.2
ProductVersionNumber: 2.0.15.2
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: wondershare-filmora(2019)_setup_full5869.exe
FileVersion: 2.0.15.2
LegalCopyright: Copyright©2017 Wondershare. All rights reserved.
ProductName: Wondershare Filmora(2019)
ProductVersion: 9.3.0
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
3
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start free_ram_installer.exe no specs free_ram_installer.exe nfwchk.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3148"C:\Users\admin\AppData\Local\Temp\free_ram_installer.exe" C:\Users\admin\AppData\Local\Temp\free_ram_installer.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
wondershare-filmora(2019)_setup_full5869.exe
Version:
2.0.15.2
3692"C:\Users\admin\AppData\Local\Temp\free_ram_installer.exe" C:\Users\admin\AppData\Local\Temp\free_ram_installer.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
wondershare-filmora(2019)_setup_full5869.exe
Version:
2.0.15.2
2108C:\Users\Public\Documents\Wondershare\NFWCHK.exeC:\Users\Public\Documents\Wondershare\NFWCHK.exefree_ram_installer.exe
User:
admin
Company:
Wondershare
Integrity Level:
HIGH
Description:
.NET Framework Checker
Exit code:
0
Version:
1.0.0.0
Total events
152
Read events
124
Write events
28
Delete events
0

Modification events

(PID) Process:(3692) free_ram_installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WafCX
Operation:writeName:(default)
Value:
sku-ween
(PID) Process:(3692) free_ram_installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WafCX
Operation:writeName:5869
Value:
sku-ween
(PID) Process:(3692) free_ram_installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wondershare\Wondershare Helper Compact
Operation:writeName:ClientSign
Value:
{C4BA3647-0000-0QM0-0001-12A9866C77DE}
(PID) Process:(3692) free_ram_installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wondershare\WAF
Operation:writeName:ClientSign
Value:
{C4BA3647-0000-0QM0-0001-12A9866C77DE}
(PID) Process:(3692) free_ram_installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3692) free_ram_installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3692) free_ram_installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3692) free_ram_installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3692) free_ram_installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3692) free_ram_installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
Executable files
0
Suspicious files
2
Text files
11
Unknown types
1

Dropped files

PID
Process
Filename
Type
3692free_ram_installer.exeC:\Users\Public\Documents\Wondershare\NFWCHK.exe
MD5:
SHA256:
3692free_ram_installer.exeC:\Users\Public\Documents\Wondershare\NFWCHK.exe.config
MD5:
SHA256:
3692free_ram_installer.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\filmora-installer-win[1].htm
MD5:
SHA256:
3692free_ram_installer.exeC:\Users\Public\Documents\Wondershare\filmora_full5869.exe.~P2S
MD5:
SHA256:
3692free_ram_installer.exeC:\Users\admin\AppData\Local\Temp\Cab929C.tmp
MD5:
SHA256:
3692free_ram_installer.exeC:\Users\admin\AppData\Local\Temp\Tar929D.tmp
MD5:
SHA256:
3692free_ram_installer.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\3[1].pngimage
MD5:A932801371F407496086187B87B9D788
SHA256:2A153075C9E151351BEF978CE58CC0EA66AA02016C3581FA894690619DFC2285
3692free_ram_installer.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\create-a-hollywood-video-installer[1].pngimage
MD5:A5D75560F6FEEF896992388A8C86DCCA
SHA256:10BD1151EF836F7D7E308443798A06FC67B09346D35A6DEBFFB6F6C9814003F6
3692free_ram_installer.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\1[1].pngimage
MD5:AC80DEA7CA74A1E79DA445252E3FEE16
SHA256:84CA1146D1A23EC0BC13C0F024CBA2E551658023BCA7B3C22B0D8070174ECACA
3692free_ram_installer.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27Cder
MD5:66AAF0048B2524635CA68601CDAA63E6
SHA256:877BA88C1B9E925BA503FF95D36908903DEF8BB301763E6D3779DD867B3638A5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
37
TCP/UDP connections
29
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3692
free_ram_installer.exe
GET
2.16.107.8:80
http://pop.wondershare.com/filmora-8.6-test/images/1.png
unknown
malicious
3692
free_ram_installer.exe
HEAD
200
47.246.43.209:80
http://download.wondershare.com/cbs_down/filmora_full5869.exe
US
whitelisted
3692
free_ram_installer.exe
GET
47.246.43.209:80
http://download.wondershare.com/cbs_down/filmora_full5869.exe
US
whitelisted
3692
free_ram_installer.exe
GET
47.246.43.209:80
http://download.wondershare.com/cbs_down/filmora_full5869.exe
US
whitelisted
3692
free_ram_installer.exe
GET
47.246.43.209:80
http://download.wondershare.com/cbs_down/filmora_full5869.exe
US
whitelisted
3692
free_ram_installer.exe
GET
47.246.43.209:80
http://download.wondershare.com/cbs_down/filmora_full5869.exe
US
whitelisted
3692
free_ram_installer.exe
GET
47.246.43.209:80
http://download.wondershare.com/cbs_down/filmora_full5869.exe
US
whitelisted
3692
free_ram_installer.exe
GET
47.246.43.209:80
http://download.wondershare.com/cbs_down/filmora_full5869.exe
US
whitelisted
3692
free_ram_installer.exe
GET
200
2.16.107.8:80
http://pop.wondershare.com/filmora-8.6-test/images/3.png
unknown
image
17.4 Kb
malicious
3692
free_ram_installer.exe
GET
200
2.16.107.8:80
http://pop.wondershare.com/filmora-8.6-test/filmora-installer-win.html
unknown
html
1.13 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3692
free_ram_installer.exe
47.91.67.36:80
platform.wondershare.com
Alibaba (China) Technology Co., Ltd.
US
suspicious
3692
free_ram_installer.exe
2.16.107.8:80
pop.wondershare.com
Akamai International B.V.
suspicious
3692
free_ram_installer.exe
104.111.228.73:443
images.wondershare.com
Akamai International B.V.
NL
unknown
3692
free_ram_installer.exe
47.246.43.209:80
download.wondershare.com
US
malicious
47.246.43.209:80
download.wondershare.com
US
malicious
3692
free_ram_installer.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1056
svchost.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1056
svchost.exe
2.16.186.120:80
crl.microsoft.com
Akamai International B.V.
whitelisted
1056
svchost.exe
2.18.233.62:80
www.microsoft.com
Akamai International B.V.
whitelisted
1056
svchost.exe
104.18.25.243:80
ocsp.msocsp.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
platform.wondershare.com
  • 47.91.67.36
suspicious
download.wondershare.com
  • 47.246.43.209
whitelisted
pop.wondershare.com
  • 2.16.107.8
  • 2.16.107.106
malicious
dlinst.wondershare.com
  • 47.91.67.36
suspicious
images.wondershare.com
  • 104.111.228.73
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
crl.microsoft.com
  • 2.16.186.120
  • 2.16.186.74
whitelisted
ocsp.msocsp.com
  • 104.18.25.243
  • 104.18.24.243
whitelisted
ocsp.pki.goog
  • 172.217.22.35
whitelisted
www.microsoft.com
  • 2.18.233.62
whitelisted

Threats

PID
Process
Class
Message
3692
free_ram_installer.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
free_ram_installer.exe