Malware analysis mobiletrans_setup_full5793.exe Malicious activity

Add for printing

File name:	mobiletrans_setup_full5793.exe
Full analysis:	https://app.any.run/tasks/48162675-1830-49f5-85d1-84dadb7aad85
Verdict:	Malicious activity
Threats:	Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	December 31, 2020, 12:21:00
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	trojan
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	010D4F2DDAA7CBF9DCE29D65A346D472
SHA1:	B5F2AA238C7A150E67A694DFEFB617BE51E76461
SHA256:	DD30CFF29DE8C9F2FE9CEE868828E5C179AC71C2E2100A468FC734881BA91973
SSDEEP:	24576:yvFVRM3bG8CvRf/X3Yw0WDmpUFv8XlGAMDG:gFVRM3bG8ORf/nY0aUNi8AMi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.17843 KB3058515
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)
srvpost (2.12.72)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Hyphenation Parent Package English
IE Spelling Parent Package English
IE Troubleshooters Package
InternetExplorer Optional Package
InternetExplorer Package TopLevel
KB2533623
KB2534111
KB2639308
KB2729094
KB2731771
KB2786081
KB2834140
KB2882822
KB2888049
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
PlatformUpdate Win7 SRV08R2 Package TopLevel
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - NFWCHK.exe (PID: 2220)
  - MobileTrans.exe (PID: 2212)
  - ElevationService.exe (PID: 3536)
  - WAFSetup.exe (PID: 3088)
  - MobileTrans.exe (PID: 2496)
  - WsAppService3.exe (PID: 2812)
- Drops executable file immediately after starts
  - mobiletrans_full5793.tmp (PID: 2916)
  - mobiletrans_full5793.exe (PID: 1092)
  - WAFSetup.tmp (PID: 3944)
  - WAFSetup.exe (PID: 3088)
- Writes to a start menu file
  - mobiletrans_full5793.tmp (PID: 2916)
- Changes settings of System certificates
  - mobiletrans_full5793.tmp (PID: 2916)
  - MobileTrans.exe (PID: 2212)
  - CertUtil.exe (PID: 1972)
- Loads dropped or rewritten executable
  - MobileTrans.exe (PID: 2212)
  - MobileTrans.exe (PID: 2496)
SUSPICIOUS
- Reads internet explorer settings
  - mobiletrans_setup_full5793.exe (PID: 3312)
  - MobileTrans.exe (PID: 2212)
- Executable content was dropped or overwritten
  - mobiletrans_full5793.exe (PID: 1092)
  - mobiletrans_setup_full5793.exe (PID: 3312)
  - mobiletrans_full5793.tmp (PID: 2916)
  - WAFSetup.tmp (PID: 3944)
  - MobileTrans.exe (PID: 2212)
  - WAFSetup.exe (PID: 3088)
- Reads Windows owner or organization settings
  - mobiletrans_full5793.tmp (PID: 2916)
  - WAFSetup.tmp (PID: 3944)
- Reads the Windows organization settings
  - mobiletrans_full5793.tmp (PID: 2916)
  - WAFSetup.tmp (PID: 3944)
- Low-level read access rights to disk partition
  - mobiletrans_setup_full5793.exe (PID: 3312)
- Drops a file that was compiled in debug mode
  - mobiletrans_setup_full5793.exe (PID: 3312)
  - mobiletrans_full5793.tmp (PID: 2916)
  - WAFSetup.tmp (PID: 3944)
  - MobileTrans.exe (PID: 2212)
- Creates files in the Windows directory
  - mobiletrans_full5793.tmp (PID: 2916)
  - CertUtil.exe (PID: 3572)
  - CertUtil.exe (PID: 1972)
  - InstallUtil.exe (PID: 1352)
- Drops a file with too old compile date
  - mobiletrans_full5793.tmp (PID: 2916)
  - WAFSetup.tmp (PID: 3944)
- Creates files in the user directory
  - mobiletrans_full5793.tmp (PID: 2916)
  - MobileTrans.exe (PID: 2212)
- Drops a file with a compile date too recent
  - mobiletrans_full5793.tmp (PID: 2916)
- Starts SC.EXE for service management
  - mobiletrans_full5793.tmp (PID: 2916)
- Removes files from Windows directory
  - CertUtil.exe (PID: 3572)
  - CertUtil.exe (PID: 1972)
- Creates a directory in Program Files
  - mobiletrans_full5793.tmp (PID: 2916)
  - WAFSetup.tmp (PID: 3944)
- Creates/Modifies COM task schedule object
  - RegAsm.exe (PID: 3732)
- Creates files in the program directory
  - RegAsm.exe (PID: 3732)
  - InstallUtil.exe (PID: 1352)
  - WsAppService3.exe (PID: 2812)
  - MobileTrans.exe (PID: 2212)
- Executed as Windows Service
  - WsAppService3.exe (PID: 2812)
  - ElevationService.exe (PID: 3536)
- Adds / modifies Windows certificates
  - mobiletrans_full5793.tmp (PID: 2916)
  - MobileTrans.exe (PID: 2212)
- Starts Internet Explorer
  - mobiletrans_setup_full5793.exe (PID: 3312)
- Reads Environment values
  - MobileTrans.exe (PID: 2212)
- Executed via COM
  - rundll32.exe (PID: 888)
  - rundll32.exe (PID: 2452)
  - DrvInst.exe (PID: 2148)
- Changes IE settings (feature browser emulation)
  - MobileTrans.exe (PID: 2212)
- Searches for installed software
  - MobileTrans.exe (PID: 2212)
INFO
- Application was dropped or rewritten from another process
  - mobiletrans_full5793.tmp (PID: 2916)
  - WAFSetup.tmp (PID: 3944)
  - WsAppUpdateHelper.exe (PID: 3292)
  - ProcessKiller.exe (PID: 2780)
- Loads dropped or rewritten executable
  - mobiletrans_full5793.tmp (PID: 2916)
  - WAFSetup.tmp (PID: 3944)
- Creates a software uninstall entry
  - mobiletrans_full5793.tmp (PID: 2916)
- Creates files in the program directory
  - WAFSetup.tmp (PID: 3944)
  - mobiletrans_full5793.tmp (PID: 2916)
- Application launched itself
  - iexplore.exe (PID: 2820)
- Changes internet zones settings
  - iexplore.exe (PID: 2820)
- Creates files in the user directory
  - iexplore.exe (PID: 3440)
- Reads settings of System Certificates
  - iexplore.exe (PID: 3440)
  - MobileTrans.exe (PID: 2212)
  - iexplore.exe (PID: 2820)
- Reads internet explorer settings
  - iexplore.exe (PID: 3440)
- Changes settings of System certificates
  - iexplore.exe (PID: 3440)
- Adds / modifies Windows certificates
  - iexplore.exe (PID: 3440)
- Manual execution by user
  - MobileTrans.exe (PID: 2496)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (16.3)
.exe	\|	Win64 Executable (generic) (14.5)
.dll	\|	Win32 Dynamic Link Library (generic) (3.4)
.exe	\|	Win32 Executable (generic) (2.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:12:04 13:29:54+01:00
PEType:	PE32
LinkerVersion:	10
CodeSize:	470016
InitializedDataSize:	973824
UninitializedDataSize:	-
EntryPoint:	0x56206
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	2.1.3.2
ProductVersionNumber:	2.1.3.2
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	mobiletranspro_setup_full5793.exe
FileVersion:	2.1.3.2
LegalCopyright:	Copyright©2017 Wondershare. All rights reserved.
ProductName:	MobileTransPro
ProductVersion:	1.0.2

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

888

rundll32.exe C:\Windows\system32\newdev.dll,pDiDeviceInstallNotification \\.\pipe\PNP_Device_Install_Pipe_1.{cd152a99-6fde-41bd-8945-3c55c37eb483} "(null)"

C:\Windows\system32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll

1092

"C:\Users\Public\Documents\Wondershare\mobiletrans_full5793.exe" /VERYSILENT /NOPAGE /LANG=ENG /LOG="C:\Users\admin\AppData\Local\Temp\WAE-MobileTransPro.log" /installpath: "C:\Program Files\Wondershare\MobileTransPro\" /DIR="C:\Program Files\Wondershare\MobileTransPro\"

C:\Users\Public\Documents\Wondershare\mobiletrans_full5793.exe

mobiletrans_setup_full5793.exe

User:

admin

Company:

Wondershare

Integrity Level:

HIGH

Description:

MobileTrans

Exit code:

Version:

2.1.0.129

Modules

Images
c:\users\public\documents\wondershare\mobiletrans_full5793.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

1252

"C:\Windows\system32\sc.exe" create "ElevationService" start= auto DisplayName= "Wondershare Driver Install Service help" binPath= "C:\Program Files\Wondershare\MobileTransPro\ElevationService.exe"

C:\Windows\system32\sc.exe

—

mobiletrans_full5793.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1352

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" "C:\Program Files\Wondershare\WAF3\3.0.0.308\WsAppService3.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

—

WAFSetup.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Framework installation utility

Exit code:

Version:

4.7.3062.0 built by: NET472REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1972

"CertUtil.exe" -addstore TrustedPublisher "C:\Program Files\Wondershare\MobileTransPro\WsInfoTech.cer"

C:\Windows\system32\CertUtil.exe

—

mobiletrans_full5793.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

CertUtil.exe

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\certutil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\certcli.dll
c:\windows\system32\user32.dll

2148

DrvInst.exe "1" "200" "PCI\VEN_1AF4&DEV_1002&SUBSYS_00051AF4&REV_00\3&13c0b0c5&0&28" "" "" "6db87dc0b" "000005B4" "000003CC" "0000054C"

C:\Windows\system32\DrvInst.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Driver Installation Module

Exit code:

3758096899

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

2212

"C:\Program Files\Wondershare\MobileTransPro\MobileTrans.exe"

C:\Program Files\Wondershare\MobileTransPro\MobileTrans.exe

mobiletrans_setup_full5793.exe

User:

admin

Company:

Wondershare

Integrity Level:

HIGH

Description:

Wondershare MobileTrans

Exit code:

Version:

2.1.0.129

Modules

Images
c:\program files\wondershare\mobiletranspro\mobiletrans.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

2220

C:\Users\Public\Documents\Wondershare\NFWCHK.exe

—

mobiletrans_setup_full5793.exe

User:

admin

Company:

Wondershare

Integrity Level:

HIGH

Description:

.NET Framework Checker

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\public\documents\wondershare\nfwchk.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

2220

"C:\Windows\System32\dinotify.exe" pnpui.dll,SimplifiedDINotification

C:\Windows\System32\dinotify.exe

—

rundll32.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Device Installation

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\nsi.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptsp.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll

2452

rundll32.exe C:\Windows\system32\newdev.dll,pDiDeviceInstallNotification \\.\pipe\PNP_Device_Install_Pipe_1.{76ab2c72-8833-41f8-9e6f-2a18f02506f8} "(null)"

C:\Windows\system32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll

Add for printing

Total events

2 975

Read events

2 581

Write events

378

Delete events

Modification events


(PID) Process:	(3312) mobiletrans_setup_full5793.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WafCX
Operation:	write	Name:	(default)
Value: sku-ween
(PID) Process:	(3312) mobiletrans_setup_full5793.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WafCX
Operation:	write	Name:	5793
Value: sku-ween
(PID) Process:	(3312) mobiletrans_setup_full5793.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wondershare\Wondershare Helper Compact
Operation:	write	Name:	ClientSign
Value: {C4BA3647-0000-0QM0-0001-12A9866C77DE}
(PID) Process:	(3312) mobiletrans_setup_full5793.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wondershare\WAF
Operation:	write	Name:	ClientSign
Value: {C4BA3647-0000-0QM0-0001-12A9866C77DE}
(PID) Process:	(3312) mobiletrans_setup_full5793.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(3312) mobiletrans_setup_full5793.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(3312) mobiletrans_setup_full5793.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(3312) mobiletrans_setup_full5793.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(3312) mobiletrans_setup_full5793.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(3312) mobiletrans_setup_full5793.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0

Add for printing

Executable files

190

Suspicious files

Text files

2 825

Unknown types

Dropped files

PID	Process	Filename		Type
3312	mobiletrans_setup_full5793.exe	C:\Users\admin\AppData\Local\Temp\wsWAE.log		text
		MD5:—	SHA256:—
3312	mobiletrans_setup_full5793.exe	C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config		xml
		MD5:AD0967A0AB95AA7D71B3DC92B71B8F7A	SHA256:9C1212BC648A2533B53A2D0AFCEC518846D97630AFB013742A9622F0DF7B04FC
3312	mobiletrans_setup_full5793.exe	C:\Users\Public\Documents\Wondershare\NFWCHK.exe		executable
		MD5:27CFB3990872CAA5930FA69D57AEFE7B	SHA256:43881549228975C7506B050BCE4D9B671412D3CDC08C7516C9DBBB7F50C25146
3312	mobiletrans_setup_full5793.exe	C:\Users\Public\Documents\Wondershare\mobiletrans_full5793.exe.~P2S		—
		MD5:—	SHA256:—
3312	mobiletrans_setup_full5793.exe	C:\Users\Public\Documents\Wondershare\mobiletrans_full5793.exe		—
		MD5:—	SHA256:—
2916	mobiletrans_full5793.tmp	C:\Users\admin\AppData\Local\Temp\is-COEV8.tmp\RCXBFD8.tmp		—
		MD5:—	SHA256:—
2916	mobiletrans_full5793.tmp	C:\Program Files\Wondershare\MobileTransPro\is-1QJCP.tmp		—
		MD5:—	SHA256:—
3312	mobiletrans_setup_full5793.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\3[1].png		image
		MD5:—	SHA256:—
2916	mobiletrans_full5793.tmp	C:\Users\admin\AppData\Local\Temp\is-CJ15Q.tmp\is-HM0MS.tmp		—
		MD5:—	SHA256:—
3312	mobiletrans_setup_full5793.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\5793-20191206163329[1].htm		html
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

165

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3312	mobiletrans_setup_full5793.exe	GET	—	47.91.67.36:80	http://dlinst.wondershare.com/player/style/jquery.orbit.min.js	US	—	—	suspicious
3312	mobiletrans_setup_full5793.exe	HEAD	200	47.246.43.209:80	http://download.wondershare.com/cbs_down/mobiletrans_full5793.exe	US	—	—	whitelisted
3312	mobiletrans_setup_full5793.exe	GET	—	47.91.67.36:80	http://dlinst.wondershare.com/player/style/jquery-1.4.4.min.js	US	—	—	suspicious
3312	mobiletrans_setup_full5793.exe	GET	304	47.91.67.36:80	http://dlinst.wondershare.com/player/style/fit-style1.0.1.css	US	—	—	suspicious
3312	mobiletrans_setup_full5793.exe	GET	—	47.246.43.209:80	http://download.wondershare.com/cbs_down/mobiletrans_full5793.exe	US	—	—	whitelisted
3312	mobiletrans_setup_full5793.exe	GET	206	47.246.43.209:80	http://download.wondershare.com/cbs_down/mobiletrans_full5793.exe	US	binary	18.8 Mb	whitelisted
3312	mobiletrans_setup_full5793.exe	GET	200	47.91.67.36:80	http://dlinst.wondershare.com/player/5793-20191206163329.html	US	html	881 b	suspicious
3312	mobiletrans_setup_full5793.exe	GET	206	47.246.43.209:80	http://download.wondershare.com/cbs_down/mobiletrans_full5793.exe	US	binary	18.8 Mb	whitelisted
3312	mobiletrans_setup_full5793.exe	GET	200	47.91.67.36:80	http://dlinst.wondershare.com/player/5793-20191206163329.html	US	html	881 b	suspicious
3312	mobiletrans_setup_full5793.exe	GET	200	47.91.67.36:80	http://dlinst.wondershare.com/player/5793-20191206163329/3.png?t=20191206163329	US	image	163 Kb	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3312	mobiletrans_setup_full5793.exe	47.91.67.36:80	platform.wondershare.com	Alibaba (China) Technology Co., Ltd.	US	suspicious
3312	mobiletrans_setup_full5793.exe	47.246.43.209:80	download.wondershare.com	—	US	malicious
—	—	47.246.43.209:80	download.wondershare.com	—	US	malicious
2916	mobiletrans_full5793.tmp	47.91.89.199:80	cbs.wondershare.com	Alibaba (China) Technology Co., Ltd.	US	malicious
2916	mobiletrans_full5793.tmp	104.109.78.157:443	mobiletrans.wondershare.com	Akamai International B.V.	NL	unknown
3440	iexplore.exe	47.91.89.199:80	cbs.wondershare.com	Alibaba (China) Technology Co., Ltd.	US	malicious
3440	iexplore.exe	104.109.78.157:443	mobiletrans.wondershare.com	Akamai International B.V.	NL	unknown
2212	MobileTrans.exe	64.233.180.101:443	www.google-analytics.com	Google Inc.	US	whitelisted
3440	iexplore.exe	93.184.220.29:80	ocsp.digicert.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted
3440	iexplore.exe	104.108.40.45:443	neveragain.allstatics.com	Akamai Technologies, Inc.	NL	unknown

DNS requests

Domain	IP	Reputation
platform.wondershare.com	47.91.67.36	suspicious
download.wondershare.com	47.246.43.209	whitelisted
dlinst.wondershare.com	47.91.67.36	suspicious
cbs.wondershare.com	47.91.89.199 47.91.91.66 47.91.76.37 47.91.89.20	whitelisted
mobiletrans.wondershare.com	104.109.78.157	suspicious
www.google-analytics.com	64.233.180.101 64.233.180.102 64.233.180.139 64.233.180.113 64.233.180.100 64.233.180.138	whitelisted
ocsp.digicert.com	93.184.220.29	whitelisted
neveragain.allstatics.com	104.108.40.45	whitelisted
dc.wondershare.cc	63.159.217.174 70.39.188.24 70.39.189.43	suspicious
images.wondershare.com	23.66.22.104	whitelisted

Threats

PID	Process	Class	Message
3312	mobiletrans_setup_full5793.exe	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body
3312	mobiletrans_setup_full5793.exe	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body
3312	mobiletrans_setup_full5793.exe	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body
3312	mobiletrans_setup_full5793.exe	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body
3312	mobiletrans_setup_full5793.exe	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body
3312	mobiletrans_setup_full5793.exe	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body
3312	mobiletrans_setup_full5793.exe	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body
3312	mobiletrans_setup_full5793.exe	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body
3312	mobiletrans_setup_full5793.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
3312	mobiletrans_setup_full5793.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

Add for printing

Process	Message
RegAsm.exe	Cannot delete a subkey tree because the subkey does not exist.
WsAppService3.exe	Program.InitApp 3.0.0.308: Start
ProcessKiller.exe	Plan A, 2s
ProcessKiller.exe	Plan A, start...
MobileTrans.exe	Program.InitApp
MobileTrans.exe	WsAppFoundation.InitApp 3.0.0.309: Start
MobileTrans.exe	SaveToXml(C:\ProgramData\Wondershare\WAF\ProductionStore.dat)
MobileTrans.exe	App com.wondershare.mobiletranswin, Start
MobileTrans.exe	Load ClientSign:
MobileTrans.exe	NewClientSign: {C4BA3647-FBFF-0005-06E3-12A9866C77DE}

General Info

mobiletrans_setup_full5793.exe

010D4F2DDAA7CBF9DCE29D65A346D472

B5F2AA238C7A150E67A694DFEFB617BE51E76461

DD30CFF29DE8C9F2FE9CEE868828E5C179AC71C2E2100A468FC734881BA91973

24576:yvFVRM3bG8CvRf/X3Yw0WDmpUFv8XlGAMDG:gFVRM3bG8ORf/nY0aUNi8AMi

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Drops executable file immediately after starts

Writes to a start menu file

Changes settings of System certificates

Loads dropped or rewritten executable

SUSPICIOUS

Reads internet explorer settings

Executable content was dropped or overwritten

Reads Windows owner or organization settings

Reads the Windows organization settings

Low-level read access rights to disk partition

Drops a file that was compiled in debug mode

Creates files in the Windows directory

Drops a file with too old compile date

Creates files in the user directory

Drops a file with a compile date too recent

Starts SC.EXE for service management

Removes files from Windows directory

Creates a directory in Program Files

Creates/Modifies COM task schedule object

Creates files in the program directory

Executed as Windows Service

Adds / modifies Windows certificates

Starts Internet Explorer

Reads Environment values

Executed via COM

Changes IE settings (feature browser emulation)

Searches for installed software

INFO

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Creates a software uninstall entry

Creates files in the program directory

Application launched itself

Changes internet zones settings

Creates files in the user directory

Reads settings of System Certificates

Reads internet explorer settings

Changes settings of System certificates

Adds / modifies Windows certificates

Manual execution by user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information