Field | Value
---|---
File name: | drfone_unlock_setup_full3372.exe
Full analysis: | https://app.any.run/tasks/2f12c1f5-03d3-4ee6-bd2e-545108ac3810
Verdict: | Malicious activity
Analysis date: | April 25, 2019, 11:49:01
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators: | —
MIME: | application/x-dosexec
File info: | PE32 executable (GUI) Intel 80386, for MS Windows
MD5: | 1F81B7B803327DC172690C5C5DA1E5FC
SHA1: | EB7C8DF1819538646EDA7D33507F4ED61A5C165D
SHA256: | 96EDD981C62CCFEFE17CB47DFF8B73058DD3BD34F5A525E13F1AD6172425645A
SSDEEP: | 12288:SMRfauvtHMxljmQ5rX+XbKNDkS8mWlWYwU0fClaLMkUtfvHB1+j1:lEmQ5ubKNDkS8m9Yw0WVUFvv+p
Extension | Description
---|---
.exe | Win32 Executable MS Visual C++ (generic) (16.3)
.exe | Win64 Executable (generic) (14.5)
.dll | Win32 Dynamic Link Library (generic) (3.4)
.exe | Win32 Executable (generic) (2.3)
Field | Value
---|---
ProductVersion: | 9.6.3
ProductName: | drfone
LegalCopyright: | Copyright©2017 Wondershare. All rights reserved.
FileVersion: | 2.0.10.2
FileDescription: | drfone_setup_full3372.exe
CharacterSet: | Unicode
LanguageCode: | English (U.S.)
FileSubtype: | -
ObjectFileType: | Executable application
FileOS: | Win32
FileFlags: | (none)
FileFlagsMask: | 0x0017
ProductVersionNumber: | 2.0.10.2
FileVersionNumber: | 2.0.10.2
Subsystem: | Windows GUI
SubsystemVersion: | 5
ImageVersion: | -
OSVersion: | 5
EntryPoint: | 0x51205
UninitializedDataSize: | -
InitializedDataSize: | 534528
CodeSize: | 451072
LinkerVersion: | 9
PEType: | PE32
TimeStamp: | 2018:07:05 11:49:09+02:00
MachineType: | Intel 386 or later, and compatibles
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---
2996 | "C:\Users\admin\AppData\Local\Temp\drfone_unlock_setup_full3372.exe" | C:\Users\admin\AppData\Local\Temp\drfone_unlock_setup_full3372.exe | — | explorer.exe | admin | — | MEDIUM | drfone_setup_full3372.exe | 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) | 2.0.10.2
3864 | "C:\Users\admin\AppData\Local\Temp\drfone_unlock_setup_full3372.exe" | C:\Users\admin\AppData\Local\Temp\drfone_unlock_setup_full3372.exe | — | explorer.exe | admin | — | HIGH | drfone_setup_full3372.exe | 0 | 2.0.10.2
2144 | C:\Users\Public\Documents\Wondershare\NFWCHK.exe | C:\Users\Public\Documents\Wondershare\NFWCHK.exe | — | drfone_unlock_setup_full3372.exe | admin | Wondershare | HIGH | .NET Framework Checker | 0 | 1.0.0.0
1944 | "C:\Users\Public\Documents\Wondershare\drfone_unlock_full3372.exe" /VERYSILENT /NOPAGE /LANG=ENG /LOG="C:\Users\admin\AppData\Local\Temp\WAE-drfone.log" /installpath: "C:\Program Files\Wondershare\drfone\" /DIR="C:\Program Files\Wondershare\drfone\" | C:\Users\Public\Documents\Wondershare\drfone_unlock_full3372.exe | — | drfone_unlock_setup_full3372.exe | admin | Wondershare | HIGH | dr.fone | 0 | 9.9.8.41
2572 | "C:\Users\admin\AppData\Local\Temp\is-ELVMB.tmp\drfone_unlock_full3372.tmp" /SL5="$40114,57896865,134144,C:\Users\Public\Documents\Wondershare\drfone_unlock_full3372.exe" /VERYSILENT /NOPAGE /LANG=ENG /LOG="C:\Users\admin\AppData\Local\Temp\WAE-drfone.log" /installpath: "C:\Program Files\Wondershare\drfone\" /DIR="C:\Program Files\Wondershare\drfone\" | C:\Users\admin\AppData\Local\Temp\is-ELVMB.tmp\drfone_unlock_full3372.tmp | — | drfone_unlock_full3372.exe | admin | — | HIGH | Setup/Uninstall | 0 | 51.1052.0.0
3144 | "C:\Users\admin\AppData\Local\Temp\is-LJEBN.tmp\NetFxLite.exe" /verysilent /NORESTART | C:\Users\admin\AppData\Local\Temp\is-LJEBN.tmp\NetFxLite.exe | — | drfone_unlock_full3372.tmp | admin | © Wondershare Corporation. All rights reserved. | HIGH | Microsoft .NET Framework 2.0 Client Profile Basic SP2 | 1 | 2.0.0.29
3332 | "C:\Users\admin\AppData\Local\Temp\is-07VVT.tmp\NetFxLite.tmp" /SL5="$10174,9653206,121344,C:\Users\admin\AppData\Local\Temp\is-LJEBN.tmp\NetFxLite.exe" /verysilent /NORESTART | C:\Users\admin\AppData\Local\Temp\is-07VVT.tmp\NetFxLite.tmp | — | NetFxLite.exe | admin | — | HIGH | Setup/Uninstall | 1 | 51.1052.0.0
2368 | C:\Users\admin\AppData\Local\Temp\is-MQRTM.tmp\NFWCHk.exe | C:\Users\admin\AppData\Local\Temp\is-MQRTM.tmp\NFWCHk.exe | — | NetFxLite.tmp | admin | Wondershare | HIGH | .NET Framework Checker | 0 | 1.0.0.0
3444 | "C:\Program Files\Wondershare\drfone\WAFSetup.exe" /SP- /silent /VERYSILENT /CanUpdate | C:\Program Files\Wondershare\drfone\WAFSetup.exe | — | drfone_unlock_full3372.tmp | admin | Wondershare | HIGH | Wondershare Passport | 0 | 2.4.3.237
2620 | "C:\Users\admin\AppData\Local\Temp\is-MIUQU.tmp\WAFSetup.tmp" /SL5="$20174,7547099,140288,C:\Program Files\Wondershare\drfone\WAFSetup.exe" /SP- /silent /VERYSILENT /CanUpdate | C:\Users\admin\AppData\Local\Temp\is-MIUQU.tmp\WAFSetup.tmp | — | WAFSetup.exe | admin | — | HIGH | Setup/Uninstall | 0 | 51.1052.0.0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3864 | drfone_unlock_setup_full3372.exe | C:\Users\Public\Documents\Wondershare\drfone_unlock_full3372.exe.~P2S | — | — | —
3864 | drfone_unlock_setup_full3372.exe | C:\Users\Public\Documents\Wondershare\drfone_unlock_full3372.exe | — | — | —
2572 | drfone_unlock_full3372.tmp | C:\Program Files\Wondershare\drfone\is-DH9LJ.tmp | — | — | —
2572 | drfone_unlock_full3372.tmp | C:\Program Files\Wondershare\drfone\is-P1TR4.tmp | — | — | —
2572 | drfone_unlock_full3372.tmp | C:\Program Files\Wondershare\drfone\Library\CBS\is-PQ4S0.tmp | — | — | —
3864 | drfone_unlock_setup_full3372.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\1[1].png | image | BC2B0CBBCBA5847981D3D8B07F654073 | E30B20FE57EB59ADD7D4150CD85FF58E57A0AD2937D71EB89793B1DC2F0E25C3
3864 | drfone_unlock_setup_full3372.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\3372-20181030143622[1].htm | html | 37D72454364E45C0ED026FFF120BF789 | 290DB7BD605DE251FFED2EDB2A224FAA4A8656BDBE9DDF41D3F632072E7FD2F1
3864 | drfone_unlock_setup_full3372.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\3372-20181030143622[1].htm | html | 37D72454364E45C0ED026FFF120BF789 | 290DB7BD605DE251FFED2EDB2A224FAA4A8656BDBE9DDF41D3F632072E7FD2F1
2572 | drfone_unlock_full3372.tmp | C:\Program Files\Wondershare\drfone\Library\ADB\is-SPQQN.tmp | — | — | —
2572 | drfone_unlock_full3372.tmp | C:\Program Files\Wondershare\drfone\Library\ADB\is-ORENH.tmp | — | — | —
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3864 | drfone_unlock_setup_full3372.exe | GET | — | 2.16.186.90:80 | http://download.wondershare.com/cbs_down/drfone_unlock_full3372.exe | unknown | — | — | whitelisted |
3864 | drfone_unlock_setup_full3372.exe | HEAD | 200 | 2.16.186.90:80 | http://download.wondershare.com/cbs_down/drfone_unlock_full3372.exe | unknown | — | — | whitelisted |
3864 | drfone_unlock_setup_full3372.exe | GET | — | 63.159.217.165:80 | http://dlinst.wondershare.com/player/style/orbit-1.3.0.css | US | — | — | suspicious |
3864 | drfone_unlock_setup_full3372.exe | GET | 200 | 47.91.67.36:80 | http://platform.wondershare.com/rest/v2/downloader/runtime/?client_sign={C4BA3647-0000-0QM0-0001-5254004A04AF}&product_id=3372 | US | xml | 1.54 Kb | suspicious |
3864 | drfone_unlock_setup_full3372.exe | GET | 200 | 63.159.217.165:80 | http://dlinst.wondershare.com/player/3372-20181030143622.html | US | html | 882 b | suspicious |
3864 | drfone_unlock_setup_full3372.exe | GET | — | 2.16.186.90:80 | http://download.wondershare.com/cbs_down/drfone_unlock_full3372.exe | unknown | — | — | whitelisted |
3864 | drfone_unlock_setup_full3372.exe | GET | — | 2.16.186.90:80 | http://download.wondershare.com/cbs_down/drfone_unlock_full3372.exe | unknown | — | — | whitelisted |
3864 | drfone_unlock_setup_full3372.exe | GET | — | 2.16.186.90:80 | http://download.wondershare.com/cbs_down/drfone_unlock_full3372.exe | unknown | — | — | whitelisted |
3864 | drfone_unlock_setup_full3372.exe | GET | — | 2.16.186.90:80 | http://download.wondershare.com/cbs_down/drfone_unlock_full3372.exe | unknown | — | — | whitelisted |
3864 | drfone_unlock_setup_full3372.exe | GET | — | 2.16.186.90:80 | http://download.wondershare.com/cbs_down/drfone_unlock_full3372.exe | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3864 | drfone_unlock_setup_full3372.exe | 47.91.67.36:80 | platform.wondershare.com | Alibaba (China) Technology Co., Ltd. | US | suspicious |
3864 | drfone_unlock_setup_full3372.exe | 2.16.186.83:80 | download.wondershare.com | Akamai International B.V. | — | whitelisted |
3864 | drfone_unlock_setup_full3372.exe | 63.159.217.165:80 | dlinst.wondershare.com | QUANTIL, INC | US | unknown |
3864 | drfone_unlock_setup_full3372.exe | 2.16.186.90:80 | download.wondershare.com | Akamai International B.V. | — | whitelisted |
2404 | WsAppService.exe | 2.16.186.64:80 | download.wondershare.com | Akamai International B.V. | — | whitelisted |
2240 | RegAsm.exe | 63.159.217.174:80 | was-stats.wondershare.com | QUANTIL, INC | US | suspicious |
2240 | RegAsm.exe | 203.130.48.150:80 | was.wondershare.com | QUANTIL, INC | CN | unknown |
2368 | NFWCHk.exe | 93.184.221.240:80 | www.download.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2404 | WsAppService.exe | 63.159.217.174:80 | was-stats.wondershare.com | QUANTIL, INC | US | suspicious |
2404 | WsAppService.exe | 203.130.48.150:80 | was.wondershare.com | QUANTIL, INC | CN | unknown |
Domain | IP | Reputation
---|---|---
platform.wondershare.com | — | suspicious
download.wondershare.com | — | whitelisted
dlinst.wondershare.com | — | suspicious
www.download.windowsupdate.com | — | whitelisted
us.wondershare.com | — | unknown
was.wondershare.com | — | unknown
was-stats.wondershare.com | — | suspicious
cbs.wondershare.com | — | whitelisted
drfone.wondershare.com | — | suspicious
www.bing.com | — | whitelisted
PID | Process | Class | Message |
---|---|---|---|
3864 | drfone_unlock_setup_full3372.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3864 | drfone_unlock_setup_full3372.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
3864 | drfone_unlock_setup_full3372.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
3864 | drfone_unlock_setup_full3372.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
3864 | drfone_unlock_setup_full3372.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
Process | Message
---|---
RegAsm.exe | Cannot delete a subkey tree because the subkey does not exist.
RegAsm.exe | Cannot delete a subkey tree because the subkey does not exist.
RegAsm.exe | Cannot delete a subkey tree because the subkey does not exist.
RegAsm.exe | Cannot delete a subkey tree because the subkey does not exist.
RegAsm.exe | Cannot delete a subkey tree because the subkey does not exist.
RegAsm.exe | Cannot delete a subkey tree because the subkey does not exist.
RegAsm.exe | Cannot delete a subkey tree because the subkey does not exist.
RegAsm.exe | Cannot delete a subkey tree because the subkey does not exist.
RegAsm.exe | Cannot delete a subkey tree because the subkey does not exist.
RegAsm.exe | Cannot delete a subkey tree because the subkey does not exist.