Windows Analysis Report
https://download-fr.wondershare.com/inst/recoverit_setup_full4159.exe

Overview

General Information

Sample URL: https://download-fr.wondershare.com/inst/recoverit_setup_full4159.exe
Analysis ID: 1447148

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Creates files inside the system directory
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file does not import any functions
PE file overlay found
Stores files to the Windows start menu directory

Classification

Source: chromecache_65.2.dr Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_cbf1ece3-7
Source: unknown HTTPS traffic detected: 23.43.61.160:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.43.61.160:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: Binary string: G:\devops_yanfa\workspace\p-4663c901377d457795e7a5c44ce670aa\src\bin\WAE_FRA.pdbn" source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr
Source: Binary string: G:\devops_yanfa\workspace\p-4663c901377d457795e7a5c44ce670aa\src\bin\WAE_FRA.pdb source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr
Source: Binary string: E:\MobileGo\Trunk\PC\Setup\Framework_Lite\DotNetChecker\obj\x86\Release\NFWCHK.pdb source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr
Source: global traffic TCP traffic: 192.168.2.5:50022 -> 1.1.1.1:53
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: global traffic HTTP traffic detected: GET /inst/recoverit_setup_full4159.exe HTTP/1.1Host: download-fr.wondershare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=2ba92RhHB97oXKe&MD=rZhmw3r2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=2ba92RhHB97oXKe&MD=rZhmw3r2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic DNS traffic detected: DNS query: download-fr.wondershare.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Unconfirmed 348044.crdownload.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: http://download-fr.wondershare.com/cbs_down/recoverit_64bit_full4159.exe
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: http://download.wondershare.com/inst/NetFxLite.exe
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: http://platform.wondershare.cc
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: http://pop.wondershare.fr/license.html
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: https://223.5.5.5
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: https://223.5.5.5Mzc4Miop0xjZfMjQzNzgwOTYzOTcyMTg4MTY=&uid=/resolve?type=1&short=1&name=&ak=&key=&ts
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: https://223.6.6.6
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: https://analytics.300624.com:8106/sa?project=
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: https://analytics.wondershare.cc:8106/sa?project=
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: https://analytics.wondershare.cc:8106/sa?project=https://analytics.300624.com:8106/sa?project=downlo
Source: manifest.json.0.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: https://download-fr.wondershare.com/cbs_down/recoverit_full4159.exe
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: https://pc-api.300624.com
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: https://pc-api.wondershare.cc
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: https://prod-web.wondershare.cc/api/v1/prodweb/trk&os=Windows
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: https://recoverit.wondershare.fr/thankyou/install-recoverit.html
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: https://wae.tmp
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: https://www.wondershare.fr/confidentialite.html
Source: chromecache_65.2.dr, Unconfirmed 348044.crdownload.0.dr String found in binary or memory: https://www.wondershare.fr/entreprise/contrat-licence-utilisateur-final.html
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6300_1622294751
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6300_1622294751\manifest.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6300_1622294751\_metadata\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6300_1622294751\_metadata\verified_contents.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6300_1622294751\manifest.fingerprint
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File deleted: C:\Windows\SystemTemp\chrome_BITS_6300_94301119
Source: Unconfirmed 348044.crdownload.0.dr Static PE information: Resource name: EXE type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: Unconfirmed 348044.crdownload.0.dr Static PE information: Resource name: ZIPRES type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: chromecache_65.2.dr Static PE information: Resource name: EXE type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: chromecache_65.2.dr Static PE information: Resource name: ZIPRES type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: 67a7c9fc-c1fe-4938-b1ab-4830dfeb19ee.tmp.0.dr Static PE information: No import functions for PE file found
Source: 67a7c9fc-c1fe-4938-b1ab-4830dfeb19ee.tmp.0.dr Static PE information: Data appended to the last section found
Source: classification engine Classification label: clean5.win@19/13@4/4
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1992,i,3492399105809674664,8299892537161207021,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://download-fr.wondershare.com/inst/recoverit_setup_full4159.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5688 --field-trial-handle=1992,i,3492399105809674664,8299892537161207021,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1992,i,3492399105809674664,8299892537161207021,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5688 --field-trial-handle=1992,i,3492399105809674664,8299892537161207021,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: Google Drive.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 67a7c9fc-c1fe-4938-b1ab-4830dfeb19ee.tmp.0.dr Static PE information: real checksum: 0x204076 should be: 0x5ab6
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: Chrome Cache Entry: 65
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\67a7c9fc-c1fe-4938-b1ab-4830dfeb19ee.tmp
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\Unconfirmed 348044.crdownload
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk