Field | Value |
---|---|
File name | drfone_unlock_setup_full3372.exe |
Full analysis | https://app.any.run/tasks/a4080a0f-4c7b-4635-8405-e9b1eab0737f |
Verdict | Malicious activity |
Analysis date | April 24, 2019, 03:55:49 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/x-dosexec |
File info | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | 1F81B7B803327DC172690C5C5DA1E5FC |
SHA1 | EB7C8DF1819538646EDA7D33507F4ED61A5C165D |
SHA256 | 96EDD981C62CCFEFE17CB47DFF8B73058DD3BD34F5A525E13F1AD6172425645A |
SSDEEP | 12288:SMRfauvtHMxljmQ5rX+XbKNDkS8mWlWYwU0fClaLMkUtfvHB1+j1:lEmQ5ubKNDkS8m9Yw0WVUFvv+p |

Extension | File type identification |
---|---|
.exe | Win32 Executable MS Visual C++ (generic) (16.3) |
.exe | Win64 Executable (generic) (14.5) |
.dll | Win32 Dynamic Link Library (generic) (3.4) |
.exe | Win32 Executable (generic) (2.3) |

Field | Value |
---|---|
ProductVersion | 9.6.3 |
ProductName | drfone |
LegalCopyright | Copyright©2017 Wondershare. All rights reserved. |
FileVersion | 2.0.10.2 |
FileDescription | drfone_setup_full3372.exe |
CharacterSet | Unicode |
LanguageCode | English (U.S.) |
FileSubtype | - |
ObjectFileType | Executable application |
FileOS | Win32 |
FileFlags | (none) |
FileFlagsMask | 0x0017 |
ProductVersionNumber | 2.0.10.2 |
FileVersionNumber | 2.0.10.2 |
Subsystem | Windows GUI |
SubsystemVersion | 5 |
ImageVersion | - |
OSVersion | 5 |
EntryPoint | 0x51205 |
UninitializedDataSize | - |
InitializedDataSize | 534528 |
CodeSize | 451072 |
LinkerVersion | 9 |
PEType | PE32 |
TimeStamp | 2018:07:05 11:49:09+02:00 |
MachineType | Intel 386 or later, and compatibles |

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3056 | "C:\Users\admin\AppData\Local\Temp\drfone_unlock_setup_full3372.exe" | C:\Users\admin\AppData\Local\Temp\drfone_unlock_setup_full3372.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Description: drfone_setup_full3372.exe; Exit code: 3221226540; Version: 2.0.10.2 |
3840 | "C:\Users\admin\AppData\Local\Temp\drfone_unlock_setup_full3372.exe" | C:\Users\admin\AppData\Local\Temp\drfone_unlock_setup_full3372.exe | — | explorer.exe | User: admin; Integrity Level: HIGH; Description: drfone_setup_full3372.exe; Version: 2.0.10.2 |
3680 | C:\Users\Public\Documents\Wondershare\NFWCHK.exe | C:\Users\Public\Documents\Wondershare\NFWCHK.exe | — | drfone_unlock_setup_full3372.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
3872 | "C:\Users\Public\Documents\Wondershare\drfone_unlock_full3372.exe" /VERYSILENT /NOPAGE /LANG=ENG /LOG="C:\Users\admin\AppData\Local\Temp\WAE-drfone.log" /installpath: "C:\Program Files\Wondershare\drfone\" /DIR="C:\Program Files\Wondershare\drfone\" | C:\Users\Public\Documents\Wondershare\drfone_unlock_full3372.exe | — | drfone_unlock_setup_full3372.exe | User: admin; Company: Wondershare; Integrity Level: HIGH; Description: dr.fone; Version: 9.9.8.41 |
2644 | "C:\Users\admin\AppData\Local\Temp\is-4CLAQ.tmp\drfone_unlock_full3372.tmp" /SL5="$8011C,57896865,134144,C:\Users\Public\Documents\Wondershare\drfone_unlock_full3372.exe" /VERYSILENT /NOPAGE /LANG=ENG /LOG="C:\Users\admin\AppData\Local\Temp\WAE-drfone.log" /installpath: "C:\Program Files\Wondershare\drfone\" /DIR="C:\Program Files\Wondershare\drfone\" | C:\Users\admin\AppData\Local\Temp\is-4CLAQ.tmp\drfone_unlock_full3372.tmp | — | drfone_unlock_full3372.exe | User: admin; Integrity Level: HIGH; Description: Setup/Uninstall; Version: 51.1052.0.0 |
2320 | "C:\Users\admin\AppData\Local\Temp\is-89S86.tmp\NetFxLite.exe" /verysilent /NORESTART | C:\Users\admin\AppData\Local\Temp\is-89S86.tmp\NetFxLite.exe | — | drfone_unlock_full3372.tmp | User: admin; Company: © Wondershare Corporation. All rights reserved.; Integrity Level: HIGH; Description: Microsoft .NET Framework 2.0 Client Profile Basic SP2; Exit code: 1; Version: 2.0.0.29 |
2992 | "C:\Users\admin\AppData\Local\Temp\is-OV99F.tmp\NetFxLite.tmp" /SL5="$20176,9653206,121344,C:\Users\admin\AppData\Local\Temp\is-89S86.tmp\NetFxLite.exe" /verysilent /NORESTART | C:\Users\admin\AppData\Local\Temp\is-OV99F.tmp\NetFxLite.tmp | — | NetFxLite.exe | User: admin; Integrity Level: HIGH; Description: Setup/Uninstall; Exit code: 1; Version: 51.1052.0.0 |
3924 | C:\Users\admin\AppData\Local\Temp\is-T06G4.tmp\NFWCHk.exe | C:\Users\admin\AppData\Local\Temp\is-T06G4.tmp\NFWCHk.exe | — | NetFxLite.tmp | User: admin; Company: Wondershare; Integrity Level: HIGH; Description: .NET Framework Checker; Exit code: 0; Version: 1.0.0.0 |
3300 | "C:\Program Files\Wondershare\drfone\WAFSetup.exe" /SP- /silent /VERYSILENT /CanUpdate | C:\Program Files\Wondershare\drfone\WAFSetup.exe | — | drfone_unlock_full3372.tmp | User: admin; Company: Wondershare; Integrity Level: HIGH; Description: Wondershare Passport; Exit code: 0; Version: 2.4.3.237 |
3760 | "C:\Users\admin\AppData\Local\Temp\is-9GV3Q.tmp\WAFSetup.tmp" /SL5="$30176,7547099,140288,C:\Program Files\Wondershare\drfone\WAFSetup.exe" /SP- /silent /VERYSILENT /CanUpdate | C:\Users\admin\AppData\Local\Temp\is-9GV3Q.tmp\WAFSetup.tmp | — | WAFSetup.exe | User: admin; Integrity Level: HIGH; Description: Setup/Uninstall; Exit code: 0; Version: 51.1052.0.0 |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3840 | drfone_unlock_setup_full3372.exe | C:\Users\Public\Documents\Wondershare\drfone_unlock_full3372.exe.~P2S | — | — | — |
3840 | drfone_unlock_setup_full3372.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\3372-20181030143622[1].htm | — | — | — |
3840 | drfone_unlock_setup_full3372.exe | C:\Users\Public\Documents\Wondershare\drfone_unlock_full3372.exe | — | — | — |
2644 | drfone_unlock_full3372.tmp | C:\Program Files\Wondershare\drfone\is-QODBC.tmp | — | — | — |
2644 | drfone_unlock_full3372.tmp | C:\Program Files\Wondershare\drfone\is-7FNDK.tmp | — | — | — |
2644 | drfone_unlock_full3372.tmp | C:\Program Files\Wondershare\drfone\Library\CBS\is-47OK2.tmp | — | — | — |
3840 | drfone_unlock_setup_full3372.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019042420190425\index.dat | dat | FAE47758DFE6B6EC4D7248B21FF7A219 | F4BAFF0B1E88ED4674CCDEA4A423496A7DE5E5B07B5A620AE09F959835C9103A |
2644 | drfone_unlock_full3372.tmp | C:\Program Files\Wondershare\drfone\Library\ADB\is-3KGSG.tmp | — | — | — |
3840 | drfone_unlock_setup_full3372.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\2[1].png | image | 06FABB594A39343A71EB6ED318C04E59 | 3CAAC7FF1CDD9A9CB1F1BB46A6FE36505C38416C5E4100ABFA0E3BCCCA148BE2 |
3840 | drfone_unlock_setup_full3372.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\3372-20181030143622[1].htm | html | 37D72454364E45C0ED026FFF120BF789 | 290DB7BD605DE251FFED2EDB2A224FAA4A8656BDBE9DDF41D3F632072E7FD2F1 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3840 | drfone_unlock_setup_full3372.exe | GET | — | 2.16.186.83:80 | http://download.wondershare.com/cbs_down/drfone_unlock_full3372.exe | unknown | — | — | whitelisted |
3840 | drfone_unlock_setup_full3372.exe | GET | — | 2.16.186.83:80 | http://download.wondershare.com/cbs_down/drfone_unlock_full3372.exe | unknown | — | — | whitelisted |
3840 | drfone_unlock_setup_full3372.exe | GET | — | 2.16.186.83:80 | http://download.wondershare.com/cbs_down/drfone_unlock_full3372.exe | unknown | — | — | whitelisted |
3840 | drfone_unlock_setup_full3372.exe | GET | — | 2.16.186.90:80 | http://download.wondershare.com/cbs_down/drfone_unlock_full3372.exe | unknown | — | — | whitelisted |
3840 | drfone_unlock_setup_full3372.exe | GET | — | 2.16.186.83:80 | http://download.wondershare.com/cbs_down/drfone_unlock_full3372.exe | unknown | — | — | whitelisted |
3840 | drfone_unlock_setup_full3372.exe | HEAD | 200 | 2.16.186.83:80 | http://download.wondershare.com/cbs_down/drfone_unlock_full3372.exe | unknown | — | — | whitelisted |
3840 | drfone_unlock_setup_full3372.exe | GET | — | 63.159.217.165:80 | http://dlinst.wondershare.com/player/style/orbit-1.3.0.css | US | — | — | suspicious |
3840 | drfone_unlock_setup_full3372.exe | GET | — | 2.16.186.90:80 | http://download.wondershare.com/cbs_down/drfone_unlock_full3372.exe | unknown | — | — | whitelisted |
3840 | drfone_unlock_setup_full3372.exe | GET | — | 2.16.186.90:80 | http://download.wondershare.com/cbs_down/drfone_unlock_full3372.exe | unknown | — | — | whitelisted |
3840 | drfone_unlock_setup_full3372.exe | GET | 200 | 47.91.67.36:80 | http://platform.wondershare.com/rest/v2/downloader/runtime/?client_sign={C4BA3647-0000-0QM0-0001-5254004A04AF}&product_id=3372 | US | xml | 1.54 Kb | suspicious |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 47.91.67.36:80 | platform.wondershare.com | Alibaba (China) Technology Co., Ltd. | US | suspicious |
3840 | drfone_unlock_setup_full3372.exe | 2.16.186.83:80 | download.wondershare.com | Akamai International B.V. | — | whitelisted |
3840 | drfone_unlock_setup_full3372.exe | 2.16.186.90:80 | download.wondershare.com | Akamai International B.V. | — | whitelisted |
3840 | drfone_unlock_setup_full3372.exe | 63.159.217.165:80 | dlinst.wondershare.com | QUANTIL, INC | US | unknown |
3924 | NFWCHk.exe | 205.185.216.10:80 | www.download.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
3096 | RegAsm.exe | 203.130.48.150:80 | was.wondershare.com | QUANTIL, INC | CN | unknown |
2968 | WsAppService.exe | 63.159.217.174:80 | was-stats.wondershare.com | QUANTIL, INC | US | suspicious |
3096 | RegAsm.exe | 63.159.217.174:80 | was-stats.wondershare.com | QUANTIL, INC | US | suspicious |
2968 | WsAppService.exe | 203.130.48.150:80 | was.wondershare.com | QUANTIL, INC | CN | unknown |
2968 | WsAppService.exe | 208.67.222.222:53 | — | OpenDNS, LLC | US | malicious |

Domain | IP | Reputation |
---|---|---|
platform.wondershare.com | — | suspicious |
download.wondershare.com | — | whitelisted |
dlinst.wondershare.com | — | suspicious |
www.download.windowsupdate.com | — | whitelisted |
us.wondershare.com | — | unknown |
was.wondershare.com | — | unknown |
was-stats.wondershare.com | — | suspicious |

PID | Process | Class | Message |
---|---|---|---|
3840 | drfone_unlock_setup_full3372.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3840 | drfone_unlock_setup_full3372.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
3840 | drfone_unlock_setup_full3372.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
3840 | drfone_unlock_setup_full3372.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
3840 | drfone_unlock_setup_full3372.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |

Process | Message |
---|---|
RegAsm.exe | Program.InitApp 2.4.3.237: Start |
RegAsm.exe | Load ClientSign: |
RegAsm.exe | HttpRequestTask.OnWork URL: http://us.wondershare.com/interface.php?api_version=v3&appid=com.wondershare.waf&cs=%7BC4BA3647-0000-0QM0-0001-5254004A04AF%7D&id=245791cd-3d2c-44b9-89da-4376055e75be&iver=2.4.3.237&m=download&pid=1833&pver=2.4.3.237&start=1556078215&timestamp=1556078216&type=init&tz=1&key=47342D1BEE153385294760BDDB8A7F49&vc=2a9f5a435703dba0f6fe4fbe26c8338d |
RegAsm.exe | Http Request Error: : System.Net.WebException: The remote name could not be resolved: 'us.wondershare.com' at System.Net.HttpWebRequest.GetResponse() at b0.a(Object A_0) |
RegAsm.exe | NewClientSign: {C4BA3647-FBFF-0005-06E3-5254004A04AF} |
RegAsm.exe | NewClientSign: {C4BA3647-FBFF-0005-06E3-5254004A04AF} |
RegAsm.exe | Save ClientSign:{C4BA3647-FBFF-0005-06E3-5254004A04AF} |
RegAsm.exe | Save ClientSign:{C4BA3647-FBFF-0005-06E3-5254004A04AF} |
RegAsm.exe | HttpRequestTask.OnWork URL: http://us.wondershare.com/interface.php?api_version=v2&client_sign=%7BC4BA3647-FBFF-0005-06E3-5254004A04AF%7D&info=%5B%0D%0A%20%20%5B%0D%0A%20%20%20%201833%2C%0D%0A%20%20%20%20%222.4.3.237%22%0D%0A%20%20%5D%0D%0A%5D&m=download&type=DataPrivTotal&key=47342D1BEE153385294760BDDB8A7F49&vc=8003b0c9e05fc044916957279ed3f595 |
RegAsm.exe | Http Request Error: : System.Net.WebException: The remote name could not be resolved: 'us.wondershare.com' at System.Net.HttpWebRequest.GetResponse() at b0.a(Object A_0) |