office_free_2013_inst.exe

Well Known Media Ltd

The application office_free_2013_inst.exe by Well Known Media has been detected as a potentially unwanted program by 6 anti-malware scanners. The program is a setup application built with the Inno Setup installer. It uses the InstallCore engine, which may bundle additional software offers, including toolbars and browser extensions. While running, it connects to the Internet address fs13.filehippo.com on port 80 using the HTTP protocol.
Publisher:
Well Known Media Ltd  (signed and verified)

MD5:
2519db419ae7fba3ee5951370501ebba

SHA-1:
0cd342c8e889abb091bc4ae566a992d5ab245e9e

SHA-256:
9a04887d1da094d9dd18ebc1e792b6242382b647597b8e50851fa14f6d3cbdcf

Scanner detections:
6 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
4/25/2024 7:29:47 AM UTC  (today)

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| AVG | Generic | 2015.0.3328 |
| ESET NOD32 | Win32/InstallCore.QH (variant) | 8.10527 |
| K7 AntiVirus | Unwanted-Program | 13.183.13611 |
| Reason Heuristics | PUP.WellKnownMedia.V | 14.10.7.18 |
| VIPRE Antivirus | Threat.4786018 | 33706 |

File size:
747.8 KB (765,768 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\office_free_2013_inst.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
8/20/2014 12:00:00 AM

Valid to:
8/20/2015 11:59:59 PM

Subject:
CN=Well Known Media Ltd, O=Well Known Media Ltd, STREET=Kissack Court, STREET=29 Parliament Street, L=Ramsey, S=Isle of Man, PostalCode=IM8 1JA, C=IM

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
73CC925BC7B1EAFC96D9C9F2EAA55030

File PE Metadata
Compilation timestamp:
6/19/1992 10:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:1tFaXDoCPgGZHFkRw8ApEZdWe1QMeTscDlTbMAbCLEwwUWGEGgqurS6qutxQBV:1tFyECPHZHSRw8AiWeGjwc9GLEbUkJS1

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, BF, A9, FF, FF, E8, 5E, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 
Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to fs13.filehippo.com  (174.133.98.146:80)
