File name: | free_ram_installer.exe |
Full analysis: | https://app.any.run/tasks/6c030beb-4976-4865-8c34-411a7e6e6b62 |
Verdict: | Malicious activity |
Analysis date: | September 30, 2020, 00:09:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 3954FE1A189C9DD3D1717C74C1060E8F |
SHA1: | 99652D5EE4DFF54CC7708721471D43B6D3734EB1 |
SHA256: | CEC6D1FEC3EE71FA5304AF51B9F2E3BD2F93D3DEC69D3369C362C4CBD8E1D414 |
SSDEEP: | 24576:40YPMCcEsGRpTss0915fPHG04BgCz96ZzlwwZw4YYw0WDmqUFvv+523:40YPMCcEsspQcY0JUNm58 |
.exe | | | Win32 Executable MS Visual C++ (generic) (16.3) |
---|---|---|
.exe | | | Win64 Executable (generic) (14.5) |
.dll | | | Win32 Dynamic Link Library (generic) (3.4) |
.exe | | | Win32 Executable (generic) (2.3) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2019:03:18 10:50:20+01:00 |
PEType: | PE32 |
LinkerVersion: | 10 |
CodeSize: | 432640 |
InitializedDataSize: | 576512 |
UninitializedDataSize: | - |
EntryPoint: | 0x4ea68 |
OSVersion: | 5.1 |
ImageVersion: | - |
SubsystemVersion: | 5.1 |
Subsystem: | Windows GUI |
FileVersionNumber: | 2.0.15.2 |
ProductVersionNumber: | 2.0.15.2 |
FileFlagsMask: | 0x0017 |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | English (U.S.) |
CharacterSet: | Unicode |
FileDescription: | wondershare-filmora(2019)_setup_full5869.exe |
FileVersion: | 2.0.15.2 |
LegalCopyright: | Copyright©2017 Wondershare. All rights reserved. |
ProductName: | Wondershare Filmora(2019) |
ProductVersion: | 9.3.0 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3148 | "C:\Users\admin\AppData\Local\Temp\free_ram_installer.exe" | C:\Users\admin\AppData\Local\Temp\free_ram_installer.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: wondershare-filmora(2019)_setup_full5869.exe Version: 2.0.15.2 | ||||
3692 | "C:\Users\admin\AppData\Local\Temp\free_ram_installer.exe" | C:\Users\admin\AppData\Local\Temp\free_ram_installer.exe | explorer.exe | |
User: admin Integrity Level: HIGH Description: wondershare-filmora(2019)_setup_full5869.exe Version: 2.0.15.2 | ||||
2108 | C:\Users\Public\Documents\Wondershare\NFWCHK.exe | C:\Users\Public\Documents\Wondershare\NFWCHK.exe | — | free_ram_installer.exe |
User: admin Company: Wondershare Integrity Level: HIGH Description: .NET Framework Checker Exit code: 0 Version: 1.0.0.0 |
(PID) Process: | (3692) free_ram_installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WafCX |
Operation: | write | Name: | (default) |
Value: sku-ween | |||
(PID) Process: | (3692) free_ram_installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WafCX |
Operation: | write | Name: | 5869 |
Value: sku-ween | |||
(PID) Process: | (3692) free_ram_installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Wondershare\Wondershare Helper Compact |
Operation: | write | Name: | ClientSign |
Value: {C4BA3647-0000-0QM0-0001-12A9866C77DE} | |||
(PID) Process: | (3692) free_ram_installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Wondershare\WAF |
Operation: | write | Name: | ClientSign |
Value: {C4BA3647-0000-0QM0-0001-12A9866C77DE} | |||
(PID) Process: | (3692) free_ram_installer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3692) free_ram_installer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (3692) free_ram_installer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (3692) free_ram_installer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (3692) free_ram_installer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (3692) free_ram_installer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3692 | free_ram_installer.exe | C:\Users\Public\Documents\Wondershare\NFWCHK.exe | — | |
MD5:— | SHA256:— | |||
3692 | free_ram_installer.exe | C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config | — | |
MD5:— | SHA256:— | |||
3692 | free_ram_installer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\filmora-installer-win[1].htm | — | |
MD5:— | SHA256:— | |||
3692 | free_ram_installer.exe | C:\Users\Public\Documents\Wondershare\filmora_full5869.exe.~P2S | — | |
MD5:— | SHA256:— | |||
3692 | free_ram_installer.exe | C:\Users\admin\AppData\Local\Temp\Cab929C.tmp | — | |
MD5:— | SHA256:— | |||
3692 | free_ram_installer.exe | C:\Users\admin\AppData\Local\Temp\Tar929D.tmp | — | |
MD5:— | SHA256:— | |||
3692 | free_ram_installer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\3[1].png | image | |
MD5:A932801371F407496086187B87B9D788 | SHA256:2A153075C9E151351BEF978CE58CC0EA66AA02016C3581FA894690619DFC2285 | |||
3692 | free_ram_installer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\create-a-hollywood-video-installer[1].png | image | |
MD5:A5D75560F6FEEF896992388A8C86DCCA | SHA256:10BD1151EF836F7D7E308443798A06FC67B09346D35A6DEBFFB6F6C9814003F6 | |||
3692 | free_ram_installer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\1[1].png | image | |
MD5:AC80DEA7CA74A1E79DA445252E3FEE16 | SHA256:84CA1146D1A23EC0BC13C0F024CBA2E551658023BCA7B3C22B0D8070174ECACA | |||
3692 | free_ram_installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C | der | |
MD5:66AAF0048B2524635CA68601CDAA63E6 | SHA256:877BA88C1B9E925BA503FF95D36908903DEF8BB301763E6D3779DD867B3638A5 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3692 | free_ram_installer.exe | GET | — | 2.16.107.8:80 | http://pop.wondershare.com/filmora-8.6-test/images/1.png | unknown | — | — | malicious |
3692 | free_ram_installer.exe | HEAD | 200 | 47.246.43.209:80 | http://download.wondershare.com/cbs_down/filmora_full5869.exe | US | — | — | whitelisted |
3692 | free_ram_installer.exe | GET | — | 47.246.43.209:80 | http://download.wondershare.com/cbs_down/filmora_full5869.exe | US | — | — | whitelisted |
3692 | free_ram_installer.exe | GET | — | 47.246.43.209:80 | http://download.wondershare.com/cbs_down/filmora_full5869.exe | US | — | — | whitelisted |
3692 | free_ram_installer.exe | GET | — | 47.246.43.209:80 | http://download.wondershare.com/cbs_down/filmora_full5869.exe | US | — | — | whitelisted |
3692 | free_ram_installer.exe | GET | — | 47.246.43.209:80 | http://download.wondershare.com/cbs_down/filmora_full5869.exe | US | — | — | whitelisted |
3692 | free_ram_installer.exe | GET | — | 47.246.43.209:80 | http://download.wondershare.com/cbs_down/filmora_full5869.exe | US | — | — | whitelisted |
3692 | free_ram_installer.exe | GET | — | 47.246.43.209:80 | http://download.wondershare.com/cbs_down/filmora_full5869.exe | US | — | — | whitelisted |
3692 | free_ram_installer.exe | GET | 200 | 2.16.107.8:80 | http://pop.wondershare.com/filmora-8.6-test/images/3.png | unknown | image | 17.4 Kb | malicious |
3692 | free_ram_installer.exe | GET | 200 | 2.16.107.8:80 | http://pop.wondershare.com/filmora-8.6-test/filmora-installer-win.html | unknown | html | 1.13 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3692 | free_ram_installer.exe | 47.91.67.36:80 | platform.wondershare.com | Alibaba (China) Technology Co., Ltd. | US | suspicious |
3692 | free_ram_installer.exe | 2.16.107.8:80 | pop.wondershare.com | Akamai International B.V. | — | suspicious |
3692 | free_ram_installer.exe | 104.111.228.73:443 | images.wondershare.com | Akamai International B.V. | NL | unknown |
3692 | free_ram_installer.exe | 47.246.43.209:80 | download.wondershare.com | — | US | malicious |
— | — | 47.246.43.209:80 | download.wondershare.com | — | US | malicious |
3692 | free_ram_installer.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1056 | svchost.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1056 | svchost.exe | 2.16.186.120:80 | crl.microsoft.com | Akamai International B.V. | — | whitelisted |
1056 | svchost.exe | 2.18.233.62:80 | www.microsoft.com | Akamai International B.V. | — | whitelisted |
1056 | svchost.exe | 104.18.25.243:80 | ocsp.msocsp.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
platform.wondershare.com |
| suspicious |
download.wondershare.com |
| whitelisted |
pop.wondershare.com |
| malicious |
dlinst.wondershare.com |
| suspicious |
images.wondershare.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
ocsp.msocsp.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
www.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3692 | free_ram_installer.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |