File name:

free_ram_installer.exe

Full analysis: https://app.any.run/tasks/6c030beb-4976-4865-8c34-411a7e6e6b62
Verdict: Malicious activity
Analysis date: September 30, 2020, 00:09:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

3954FE1A189C9DD3D1717C74C1060E8F

SHA1:

99652D5EE4DFF54CC7708721471D43B6D3734EB1

SHA256:

CEC6D1FEC3EE71FA5304AF51B9F2E3BD2F93D3DEC69D3369C362C4CBD8E1D414

SSDEEP:

24576:40YPMCcEsGRpTss0915fPHG04BgCz96ZzlwwZw4YYw0WDmqUFvv+523:40YPMCcEsspQcY0JUNm58

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • free_ram_installer.exe (PID: 3692)

  • SUSPICIOUS

    • Low-level read access rights to disk partition

      • free_ram_installer.exe (PID: 3692)

    • Adds / modifies Windows certificates

      • free_ram_installer.exe (PID: 3692)

    • Reads Internet Cache Settings

      • free_ram_installer.exe (PID: 3692)

    • Reads internet explorer settings

      • free_ram_installer.exe (PID: 3692)

  • INFO

    • Reads settings of System Certificates

      • free_ram_installer.exe (PID: 3692)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (16.3)
.exe | Win64 Executable (generic) (14.5)
.dll | Win32 Dynamic Link Library (generic) (3.4)
.exe | Win32 Executable (generic) (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:03:18 10:50:20+01:00
PEType: PE32
LinkerVersion: 10
CodeSize: 432640
InitializedDataSize: 576512
UninitializedDataSize: -
EntryPoint: 0x4ea68
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 2.0.15.2
ProductVersionNumber: 2.0.15.2
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: wondershare-filmora(2019)_setup_full5869.exe
FileVersion: 2.0.15.2
LegalCopyright: Copyright©2017 Wondershare. All rights reserved.
ProductName: Wondershare Filmora(2019)
ProductVersion: 9.3.0
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
3
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start free_ram_installer.exe nfwchk.exe no specs free_ram_installer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2108C:\Users\Public\Documents\Wondershare\NFWCHK.exeC:\Users\Public\Documents\Wondershare\NFWCHK.exefree_ram_installer.exe
User:
admin
Company:
Wondershare
Integrity Level:
HIGH
Description:
.NET Framework Checker
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\public\documents\wondershare\nfwchk.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
3148"C:\Users\admin\AppData\Local\Temp\free_ram_installer.exe" C:\Users\admin\AppData\Local\Temp\free_ram_installer.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
wondershare-filmora(2019)_setup_full5869.exe
Exit code:
0
Version:
2.0.15.2
3692"C:\Users\admin\AppData\Local\Temp\free_ram_installer.exe" C:\Users\admin\AppData\Local\Temp\free_ram_installer.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
wondershare-filmora(2019)_setup_full5869.exe
Exit code:
0
Version:
2.0.15.2
Modules
Images
c:\users\admin\appdata\local\temp\free_ram_installer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
152
Read events
124
Write events
28
Delete events
0

Modification events

(PID) Process:(3692) free_ram_installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WafCX
Operation:writeName:(default)
Value:
sku-ween
(PID) Process:(3692) free_ram_installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WafCX
Operation:writeName:5869
Value:
sku-ween
(PID) Process:(3692) free_ram_installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wondershare\Wondershare Helper Compact
Operation:writeName:ClientSign
Value:
{C4BA3647-0000-0QM0-0001-12A9866C77DE}
(PID) Process:(3692) free_ram_installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wondershare\WAF
Operation:writeName:ClientSign
Value:
{C4BA3647-0000-0QM0-0001-12A9866C77DE}
(PID) Process:(3692) free_ram_installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3692) free_ram_installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3692) free_ram_installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3692) free_ram_installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3692) free_ram_installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3692) free_ram_installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
Executable files
0
Suspicious files
2
Text files
11
Unknown types
1

Dropped files

PID
Process
Filename
Type
3692free_ram_installer.exeC:\Users\Public\Documents\Wondershare\NFWCHK.exe
MD5:
SHA256:
3692free_ram_installer.exeC:\Users\Public\Documents\Wondershare\NFWCHK.exe.config
MD5:
SHA256:
3692free_ram_installer.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\filmora-installer-win[1].htm
MD5:
SHA256:
3692free_ram_installer.exeC:\Users\Public\Documents\Wondershare\filmora_full5869.exe.~P2S
MD5:
SHA256:
3692free_ram_installer.exeC:\Users\admin\AppData\Local\Temp\Cab929C.tmp
MD5:
SHA256:
3692free_ram_installer.exeC:\Users\admin\AppData\Local\Temp\Tar929D.tmp
MD5:
SHA256:
3692free_ram_installer.exeC:\Users\Public\Documents\Wondershare\WAE_DOWNTASK_5869.xmlxml
MD5:57CBB8A8BBCC6911B23D1279DB53CC22
SHA256:F0A47C92D5E920C39BCF278F844EA5F351DF66A2F0E7725B2758576BFB04836E
3692free_ram_installer.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27Cder
MD5:
SHA256:
3692free_ram_installer.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27Cbinary
MD5:
SHA256:
3692free_ram_installer.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\filmora-installer-win[1].htmhtml
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
37
TCP/UDP connections
29
DNS requests
11
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3692
free_ram_installer.exe
GET
2.16.107.8:80
http://pop.wondershare.com/filmora-8.6-test/images/1.png
unknown
malicious
3692
free_ram_installer.exe
HEAD
200
47.246.43.209:80
http://download.wondershare.com/cbs_down/filmora_full5869.exe
US
whitelisted
3692
free_ram_installer.exe
GET
47.246.43.209:80
http://download.wondershare.com/cbs_down/filmora_full5869.exe
US
whitelisted
3692
free_ram_installer.exe
GET
47.246.43.209:80
http://download.wondershare.com/cbs_down/filmora_full5869.exe
US
whitelisted
3692
free_ram_installer.exe
GET
47.246.43.209:80
http://download.wondershare.com/cbs_down/filmora_full5869.exe
US
whitelisted
3692
free_ram_installer.exe
GET
47.246.43.209:80
http://download.wondershare.com/cbs_down/filmora_full5869.exe
US
whitelisted
3692
free_ram_installer.exe
GET
200
47.91.67.36:80
http://platform.wondershare.com/rest/v2/downloader/runtime/?client_sign={C4BA3647-0000-0QM0-0001-12A9866C77DE}&product_id=5869
US
xml
1.59 Kb
suspicious
3692
free_ram_installer.exe
GET
47.246.43.209:80
http://download.wondershare.com/cbs_down/filmora_full5869.exe
US
whitelisted
3692
free_ram_installer.exe
GET
47.246.43.209:80
http://download.wondershare.com/cbs_down/filmora_full5869.exe
US
whitelisted
3692
free_ram_installer.exe
GET
200
2.16.107.8:80
http://pop.wondershare.com/filmora-8.6-test/images/1.png
unknown
image
15.8 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3692
free_ram_installer.exe
47.91.67.36:80
platform.wondershare.com
Alibaba (China) Technology Co., Ltd.
US
suspicious
3692
free_ram_installer.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1056
svchost.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1056
svchost.exe
2.16.186.120:80
crl.microsoft.com
Akamai International B.V.
whitelisted
1056
svchost.exe
172.217.22.35:80
ocsp.pki.goog
Google Inc.
US
whitelisted
1056
svchost.exe
104.18.25.243:80
ocsp.msocsp.com
Cloudflare Inc
US
shared
1056
svchost.exe
2.18.233.62:80
www.microsoft.com
Akamai International B.V.
whitelisted
1056
svchost.exe
93.184.221.240:80
www.download.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3692
free_ram_installer.exe
2.16.107.8:80
pop.wondershare.com
Akamai International B.V.
suspicious
47.246.43.209:80
download.wondershare.com
US
malicious

DNS requests

Domain
IP
Reputation
platform.wondershare.com
  • 47.91.67.36
suspicious
download.wondershare.com
  • 47.246.43.209
whitelisted
pop.wondershare.com
  • 2.16.107.8
  • 2.16.107.106
malicious
dlinst.wondershare.com
  • 47.91.67.36
suspicious
images.wondershare.com
  • 104.111.228.73
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
crl.microsoft.com
  • 2.16.186.120
  • 2.16.186.74
whitelisted
ocsp.msocsp.com
  • 104.18.25.243
  • 104.18.24.243
whitelisted
ocsp.pki.goog
  • 172.217.22.35
whitelisted
www.microsoft.com
  • 2.18.233.62
whitelisted

Threats

PID
Process
Class
Message
3692
free_ram_installer.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
free_ram_installer.exe