URL: http://download.wondershare.com/drfone_full3360.exe

Full analysis: https://app.any.run/tasks/e879c864-47af-4113-abce-d24becbda42d
Verdict: Malicious activity
Threats: loader (ANY.RUN's generic description of the class follows)

A loader is malicious software that infiltrates a device in order to deliver further payloads. It can profile the victim's system and install other threats such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to get the user to download and run the executable, and loaders commonly use evasion and persistence techniques to avoid detection.

Caveat for this report: every process flagged below belongs to the Wondershare dr.fone installer chain fetched from download.wondershare.com, and the flagged behaviours (silent Inno Setup installers dropping and launching further installers at HIGH integrity, RegAsm and InstallUtil registering a .NET service, devcon staging a driver package, certutil touching the certificate store) are what a commercial multi-component installer does. The "loader" tag and the "Malicious activity" verdict are behavioural classifications, not a finding that the download is trojanised; before acting on it, compare the downloaded files' hashes and Authenticode signatures against the vendor's current release, and pull the certutil command lines from the full report to see which store was modified.

Analysis date: June 10, 2019, 13:45:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MD5: 9BDAA6254ED57E00420A065A555B972D
SHA1: 69FF1E3513601359FC4F5FE78079DA744C26CCF2
SHA256: C6E6F511366881D72285744DC9655BA51CA5607E6C80789DC251F098C10A844A
SSDEEP: 3:N1KaKElIQLGKxX9ZkA:Ca5IQLGKJ

Note that the SSDEEP block size of 3 means these hashes were computed over a very short input, consistent with them being hashes of the submitted URL rather than of any downloaded file, so they are not usable as file IOCs for the installer. Hashes of the dropped executables are not captured in this excerpt (the MD5/SHA256 columns under Dropped files are empty).

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • drfone_setup_full3360[1].exe (PID: 1140)
      • drfone_full3360.exe (PID: 3492)
      • drfone_setup_full3360[1].exe (PID: 3060)
      • WsAppService3.exe (PID: 3416)
      • devcon_x86.exe (PID: 1360)
      • devcon_x86.exe (PID: 2684)
      • DrFoneToolKit.exe (PID: 3928)
      • WAFSetup.exe (PID: 1660)
      • CrashService.exe (PID: 2536)
      • com.wondershare.drfonewin.backup_sku-ween_196.exe (PID: 2076)
      • DrFoneBackup.exe (PID: 2560)
    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3696)
      • drfone_setup_full3360[1].exe (PID: 3060)
      • DrFoneToolKit.exe (PID: 3928)
    • Changes settings of System certificates

      • NFWCHk.exe (PID: 3232)
      • CertUtil.exe (PID: 3748)
      • CertUtil.exe (PID: 3952)
    • Loads dropped or rewritten executable

      • RegAsm.exe (PID: 2956)
      • RegAsm.exe (PID: 2892)
      • DrFoneToolKit.exe (PID: 3928)
      • CrashService.exe (PID: 2536)
      • WsAppService3.exe (PID: 3416)
      • DrFoneBackup.exe (PID: 2560)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 2796)
      • iexplore.exe (PID: 3696)
      • drfone_full3360.exe (PID: 3492)
      • NetFxLite.exe (PID: 1100)
      • NetFxLite.tmp (PID: 4064)
      • drfone_full3360.tmp (PID: 1040)
      • WAFSetup.exe (PID: 1660)
      • WAFSetup.tmp (PID: 3316)
      • DrvInst.exe (PID: 2376)
      • devcon_x86.exe (PID: 2684)
      • DrvInst.exe (PID: 2904)
      • DrFoneToolKit.exe (PID: 3672)
      • devcon_x86.exe (PID: 1360)
      • DrFoneToolKit.tmp (PID: 1348)
      • DrFoneRecovery.exe (PID: 2860)
      • DrFoneRecovery.tmp (PID: 2140)
      • DrFoneToolKit.exe (PID: 3928)
      • com.wondershare.drfonewin.backup_sku-ween_196.exe (PID: 2076)
      • com.wondershare.drfonewin.backup_sku-ween_196.tmp (PID: 2532)
    • Reads internet explorer settings

      • drfone_setup_full3360[1].exe (PID: 3060)
      • DrFoneBackup.exe (PID: 2560)
    • Low-level read access rights to disk partition

      • drfone_setup_full3360[1].exe (PID: 3060)
    • Reads Windows owner or organization settings

      • drfone_full3360.tmp (PID: 1040)
      • NetFxLite.tmp (PID: 4064)
      • WAFSetup.tmp (PID: 3316)
      • DrFoneToolKit.tmp (PID: 1348)
      • DrFoneRecovery.tmp (PID: 2140)
      • com.wondershare.drfonewin.backup_sku-ween_196.tmp (PID: 2532)
    • Reads the Windows organization settings

      • drfone_full3360.tmp (PID: 1040)
      • NetFxLite.tmp (PID: 4064)
      • WAFSetup.tmp (PID: 3316)
      • DrFoneToolKit.tmp (PID: 1348)
      • DrFoneRecovery.tmp (PID: 2140)
      • com.wondershare.drfonewin.backup_sku-ween_196.tmp (PID: 2532)
    • Adds / modifies Windows certificates

      • NFWCHk.exe (PID: 3232)
    • Creates files in the Windows directory

      • drfone_full3360.tmp (PID: 1040)
      • NetFxLite.tmp (PID: 4064)
      • InstallUtil.exe (PID: 292)
      • devcon_x86.exe (PID: 1360)
      • DrvInst.exe (PID: 2376)
      • DrvInst.exe (PID: 2904)
      • CertUtil.exe (PID: 3748)
      • CertUtil.exe (PID: 3952)
    • Creates files in the program directory

      • RegAsm.exe (PID: 880)
      • InstallUtil.exe (PID: 292)
      • WsAppService3.exe (PID: 3416)
      • RegAsm.exe (PID: 1096)
      • InstallUtil.exe (PID: 2812)
      • DrFoneToolKit.exe (PID: 3928)
      • DrFoneBackup.exe (PID: 2560)
    • Creates COM task schedule object

      • RegAsm.exe (PID: 880)
      • RegAsm.exe (PID: 1096)
    • Executed as Windows Service

      • WsAppService3.exe (PID: 3416)
    • Executed via COM

      • DrvInst.exe (PID: 2376)
      • DrvInst.exe (PID: 2904)
    • Creates files in the driver directory

      • DrvInst.exe (PID: 2376)
      • DrvInst.exe (PID: 2904)
    • Removes files from Windows directory

      • DrvInst.exe (PID: 2904)
      • DrvInst.exe (PID: 2376)
      • CertUtil.exe (PID: 3748)
      • CertUtil.exe (PID: 3952)
    • Searches for installed software

      • DrFoneToolKit.tmp (PID: 1348)
      • DrFoneRecovery.tmp (PID: 2140)
      • com.wondershare.drfonewin.backup_sku-ween_196.tmp (PID: 2532)
      • DrFoneToolKit.exe (PID: 3928)
    • Creates files in the user directory

      • DrFoneRecovery.tmp (PID: 2140)
      • drfone_full3360.tmp (PID: 1040)
      • com.wondershare.drfonewin.backup_sku-ween_196.tmp (PID: 2532)
      • DrFoneBackup.exe (PID: 2560)
    • Starts Internet Explorer

      • drfone_setup_full3360[1].exe (PID: 3060)
    • Reads Environment values

      • DrFoneToolKit.exe (PID: 3928)
      • DrFoneBackup.exe (PID: 2560)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2796)
    • Creates files in the user directory

      • iexplore.exe (PID: 3696)
      • iexplore.exe (PID: 3460)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3696)
      • iexplore.exe (PID: 2796)
      • iexplore.exe (PID: 3460)
    • Changes internet zones settings

      • iexplore.exe (PID: 2796)
      • iexplore.exe (PID: 3656)
    • Application was dropped or rewritten from another process

      • drfone_full3360.tmp (PID: 1040)
      • NFWCHk.exe (PID: 3232)
      • WAFSetup.tmp (PID: 3316)
      • NetFxLite.tmp (PID: 4064)
      • DrFoneRecovery.tmp (PID: 2140)
      • DrFoneToolKit.tmp (PID: 1348)
      • com.wondershare.drfonewin.backup_sku-ween_196.tmp (PID: 2532)
      • DrFoneToolKit.exe (PID: 3672)
      • NetFxLite.exe (PID: 1100)
      • DrFoneRecovery.exe (PID: 2860)
    • Dropped object may contain Bitcoin addresses

      • drfone_full3360.tmp (PID: 1040)
    • Loads dropped or rewritten executable

      • drfone_full3360.tmp (PID: 1040)
      • WAFSetup.tmp (PID: 3316)
    • Creates a software uninstall entry

      • drfone_full3360.tmp (PID: 1040)
    • Creates files in the program directory

      • drfone_full3360.tmp (PID: 1040)
      • WAFSetup.tmp (PID: 3316)
      • DrFoneToolKit.tmp (PID: 1348)
      • DrFoneRecovery.tmp (PID: 2140)
      • com.wondershare.drfonewin.backup_sku-ween_196.tmp (PID: 2532)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3460)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3460)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3460)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
All screenshots are available in the full report
Total processes: 87
Monitored processes: 37
Malicious processes: 18
Suspicious processes: 3

Behavior graph

The graph's process nodes in the order the report lists them ("no specs" marks nodes for which the report shows no detailed process record; edges between nodes are labelled "drop and start", "download and start" or "start"):

  • iexplore.exe
  • iexplore.exe
  • drfone_setup_full3360[1].exe (no specs)
  • drfone_setup_full3360[1].exe
  • nfwchk.exe (no specs)
  • drfone_full3360.exe
  • drfone_full3360.tmp
  • netfxlite.exe
  • netfxlite.tmp
  • nfwchk.exe
  • wafsetup.exe
  • wafsetup.tmp
  • regasm.exe (no specs)
  • regasm.exe
  • regasm.exe (no specs)
  • regasm.exe (no specs)
  • installutil.exe (no specs)
  • wsappservice3.exe
  • devcon_x86.exe
  • drvinst.exe
  • devcon_x86.exe
  • drvinst.exe
  • drfonetoolkit.exe
  • drfonetoolkit.tmp
  • regasm.exe (no specs)
  • installutil.exe (no specs)
  • certutil.exe (no specs)
  • certutil.exe (no specs)
  • drfonerecovery.exe
  • drfonerecovery.tmp
  • drfonetoolkit.exe
  • iexplore.exe
  • iexplore.exe
  • crashservice.exe (no specs)
  • com.wondershare.drfonewin.backup_sku-ween_196.exe
  • com.wondershare.drfonewin.backup_sku-ween_196.tmp
  • drfonebackup.exe

Process information

Ten of the 37 monitored processes are shown in detail. Each entry gives the PID, command line, image path, parent process and the metadata ANY.RUN captured; the "Indicators" column of the original table (icons in the web UI) is not present in this text rendering. The pattern to notice: Inno Setup installers (the .exe/.tmp pairs launched with /SL5= and /VERYSILENT) run at HIGH integrity and hand off to signed Microsoft utilities (InstallUtil.exe to install the WsAppService3 service, RegAsm.exe /codebase to register .NET assemblies for COM, devcon_x86.exe dp_add to stage a driver package), which is exactly the set of living-off-the-land binaries that detection rules keyed on process name alone will fire on.

PID: 292
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" "C:\Program Files\Wondershare\WAF3\3.0.0.306\WsAppService3.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Parent process: WAFSetup.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: .NET Framework installation utility
Exit code: 0
Version: 4.6.1055.0 built by: NETFXREL2
Loaded modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 880
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "C:\Program Files\Wondershare\WAF3\3.0.0.306\WsAppService3.exe" /codebase /tlb:"C:\Program Files\Wondershare\WAF3\3.0.0.306\WsAppService.tlb" /nologo
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: WAFSetup.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft .NET Assembly Registration Utility
Exit code: 0
Version: 4.6.1055.0 built by: NETFXREL2
Loaded modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID: 1040
CMD: "C:\Users\admin\AppData\Local\Temp\is-AAQC4.tmp\drfone_full3360.tmp" /SL5="$50130,75258769,134144,C:\Users\Public\Documents\Wondershare\drfone_full3360.exe" /VERYSILENT /NOPAGE /LANG=ENG /LOG="C:\Users\admin\AppData\Local\Temp\WAE-drfone.log" /installpath: "C:\Program Files\Wondershare\drfone\" /DIR="C:\Program Files\Wondershare\drfone\"
Path: C:\Users\admin\AppData\Local\Temp\is-AAQC4.tmp\drfone_full3360.tmp
Parent process: drfone_full3360.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Loaded modules (images):
c:\users\admin\appdata\local\temp\is-aaqc4.tmp\drfone_full3360.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 1096
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Program Files\Wondershare\drfone\Library\DriverInstaller\DriverInstall.exe" /codebase /tlb
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Parent process: DrFoneToolKit.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft .NET Assembly Registration Utility
Exit code: 0
Version: 2.0.50727.5420 (Win7SP1.050727-5400)
Loaded modules (images):
c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID: 1100
CMD: "C:\Users\admin\AppData\Local\Temp\is-HE5ON.tmp\NetFxLite.exe" /verysilent /NORESTART
Path: C:\Users\admin\AppData\Local\Temp\is-HE5ON.tmp\NetFxLite.exe
Parent process: drfone_full3360.tmp
User: admin
Company: © Wondershare Corporation. All rights reserved.
Integrity Level: HIGH
Description: Microsoft .NET Framework 2.0 Client Profile Basic SP2
Exit code: 1
Version: 2.0.0.29
Loaded modules (images):
c:\systemroot\system32\ntdll.dll
c:\users\admin\appdata\local\temp\is-he5on.tmp\netfxlite.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 1140
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\drfone_setup_full3360[1].exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\drfone_setup_full3360[1].exe
Parent process: iexplore.exe
User: admin
Integrity Level: MEDIUM
Description: drfone_setup_full3360.exe
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity instance launched from the browser cache could not proceed without UAC elevation; PID 3060, the instance of the same stub that performs the downloads, is the elevated re-launch)
Version: 2.0.10.2
Loaded modules (images):
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\h6qnmhe9\drfone_setup_full3360[1].exe
c:\systemroot\system32\ntdll.dll
PID: 1348
CMD: "C:\Users\admin\AppData\Local\Temp\is-6R21H.tmp\DrFoneToolKit.tmp" /SL5="$801D4,2279332,121344,C:\Users\admin\AppData\Local\Temp\is-HE5ON.tmp\DrFoneToolKit.exe" /SP- /silent /VERYSILENT /NoCustomize /LANG=ENG /Dir="C:\Program Files\Wondershare\drfone" /CreateDesktopIcon /CreateQuickLaunchIcon
Path: C:\Users\admin\AppData\Local\Temp\is-6R21H.tmp\DrFoneToolKit.tmp
Parent process: DrFoneToolKit.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Loaded modules (images):
c:\users\admin\appdata\local\temp\is-6r21h.tmp\drfonetoolkit.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 1360
CMD: "C:\Program Files\Wondershare\drfone\Library\RootRecovery\1.0.0\tools\devcon_x86.exe" dp_add "C:\Program Files\Wondershare\drfone\Library\RootRecovery\1.0.0\tools\driver\ssudmdm.inf"
Path: C:\Program Files\Wondershare\drfone\Library\RootRecovery\1.0.0\tools\devcon_x86.exe
Parent process: drfone_full3360.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Setup API
Exit code: 0
Version: 6.1.7600.16385 (win7_wdk.100208-1538)
Loaded modules (images):
c:\program files\wondershare\drfone\library\rootrecovery\1.0.0\tools\devcon_x86.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 1660
CMD: "C:\Program Files\Wondershare\drfone\WAFSetup.exe" /SP- /silent /VERYSILENT /CanUpdate
Path: C:\Program Files\Wondershare\drfone\WAFSetup.exe
Parent process: drfone_full3360.tmp
User: admin
Company: Wondershare
Integrity Level: HIGH
Description: Wondershare Passport 3.0
Exit code: 0
Version: 3.0.0.306
Loaded modules (images):
c:\program files\wondershare\drfone\wafsetup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2076
CMD: "C:\ProgramData\Wondershare\WAF\Download\com.wondershare.drfonewin.backup_sku-ween_196.exe" /SP- /VERYSILENT /LiveUpdate /UpdateByWAF /DIR="C:\Program Files\Wondershare\drfone"
Path: C:\ProgramData\Wondershare\WAF\Download\com.wondershare.drfonewin.backup_sku-ween_196.exe
Parent process: DrFoneToolKit.exe
User: admin
Company: Wondershare Technology Co.,Ltd.
Integrity Level: HIGH
Description: dr.fone Setup
Exit code: 0
Version: 9.9.7.196
Loaded modules (images):
c:\programdata\wondershare\waf\download\com.wondershare.drfonewin.backup_sku-ween_196.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
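A process listing like the one above is better fed to a triage script than read by eye. The following is an added example (my code, not ANY.RUN's and not part of the report): it transcribes the PID, image, parent, integrity level, exit code and command line of the detailed entries and applies three checks a practitioner would make on any sandbox process list: a signed Microsoft utility known to be abusable (RegAsm, InstallUtil, CertUtil, devcon, DrvInst) was launched by an installer; a HIGH-integrity process was started from a user-writable path (the drop-then-elevate pattern); and a process exited with STATUS_ELEVATION_REQUIRED, which marks the point where the installer was re-launched under UAC. The LOLBIN list, the writable-path regex and the abbreviated command lines are my choices, not something the report defines.

```python
"""Triage checks over a sandbox process listing (added example, not ANY.RUN code).

PROCESSES is transcribed from the report; long command lines are abbreviated.
The three rules are the author's own heuristics, not rules the report defines."""
import re
from dataclasses import dataclass

# NTSTATUS 0xC000042C (decimal 3221226540): the process needed UAC elevation.
STATUS_ELEVATION_REQUIRED = 0xC000042C

# Signed Microsoft utilities that register or install code on behalf of the caller.
# Installers use them legitimately; so does malware, so each invocation gets listed.
LOLBINS = {"regasm.exe", "installutil.exe", "certutil.exe", "devcon_x86.exe", "drvinst.exe"}

# Locations a standard user can write to.  A HIGH-integrity process whose image
# lives here was dropped by something unprivileged and then run elevated.
USER_WRITABLE = re.compile(r"^c:\\(users|programdata)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str        # full path of the executable
    parent: str       # parent image name, as the report gives it
    integrity: str    # LOW / MEDIUM / HIGH
    exit_code: int
    cmd: str          # command line (abbreviated where very long)


PROCESSES = [
    Proc(292, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", "WAFSetup.tmp", "HIGH", 0,
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" "C:\Program Files\Wondershare\WAF3\3.0.0.306\WsAppService3.exe"'),
    Proc(880, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "WAFSetup.tmp", "HIGH", 0,
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "C:\Program Files\Wondershare\WAF3\3.0.0.306\WsAppService3.exe" /codebase /nologo'),
    Proc(1040, r"C:\Users\admin\AppData\Local\Temp\is-AAQC4.tmp\drfone_full3360.tmp", "drfone_full3360.exe", "HIGH", 0,
         r'"C:\Users\admin\AppData\Local\Temp\is-AAQC4.tmp\drfone_full3360.tmp" /VERYSILENT /NOPAGE /LANG=ENG'),
    Proc(1100, r"C:\Users\admin\AppData\Local\Temp\is-HE5ON.tmp\NetFxLite.exe", "drfone_full3360.tmp", "HIGH", 1,
         r'"C:\Users\admin\AppData\Local\Temp\is-HE5ON.tmp\NetFxLite.exe" /verysilent /NORESTART'),
    Proc(1140, r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\drfone_setup_full3360[1].exe",
         "iexplore.exe", "MEDIUM", 3221226540,
         r'"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\drfone_setup_full3360[1].exe"'),
    Proc(1360, r"C:\Program Files\Wondershare\drfone\Library\RootRecovery\1.0.0\tools\devcon_x86.exe", "drfone_full3360.tmp", "HIGH", 0,
         r'"C:\Program Files\Wondershare\drfone\Library\RootRecovery\1.0.0\tools\devcon_x86.exe" dp_add "C:\Program Files\Wondershare\drfone\Library\RootRecovery\1.0.0\tools\driver\ssudmdm.inf"'),
    Proc(1660, r"C:\Program Files\Wondershare\drfone\WAFSetup.exe", "drfone_full3360.tmp", "HIGH", 0,
         r'"C:\Program Files\Wondershare\drfone\WAFSetup.exe" /SP- /silent /VERYSILENT /CanUpdate'),
    Proc(2076, r"C:\ProgramData\Wondershare\WAF\Download\com.wondershare.drfonewin.backup_sku-ween_196.exe", "DrFoneToolKit.exe", "HIGH", 0,
         r'"C:\ProgramData\Wondershare\WAF\Download\com.wondershare.drfonewin.backup_sku-ween_196.exe" /SP- /VERYSILENT /LiveUpdate /UpdateByWAF'),
]


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(procs):
    """Return (pid, rule, detail) findings in process order."""
    findings = []
    for p in procs:
        name = image_name(p.image)
        if name in LOLBINS:
            findings.append((p.pid, "lolbin", f"{name} launched by {p.parent}: {p.cmd}"))
        if p.integrity == "HIGH" and USER_WRITABLE.match(p.image):
            findings.append((p.pid, "elevated-from-user-path", p.image))
        if p.exit_code == STATUS_ELEVATION_REQUIRED:
            findings.append((p.pid, "elevation-required",
                             f"{name} exited 0x{p.exit_code:08X}; expect an elevated re-launch"))
    return findings


def pids_for(findings, rule):
    """PIDs that triggered one rule, as a set (for pivoting into the process tree)."""
    return {pid for pid, r, _ in findings if r == rule}


if __name__ == "__main__":
    for pid, rule, detail in triage(PROCESSES):
        print(f"{pid:>5}  {rule:<24} {detail}")
```

On this listing the script flags PIDs 292, 880 and 1360 for LOLBIN use, PIDs 1040, 1100 and 2076 as HIGH-integrity processes running from %TEMP% or C:\ProgramData, and PID 1140 for the elevation-required exit. None of that is proof of malice, but it is the set of processes whose command lines and on-disk images an analyst should pull first; the RegAsm /codebase invocation in particular registers an assembly from an arbitrary path for COM activation, which is a persistence vector worth checking whenever the path is outside Program Files.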
Total events: 2 799
Read events: 2 065
Write events: 694
Delete events: 40

Modification events

The ten registry writes shown are all by PID 2796 (iexplore.exe), the browser that fetched the installer; they are ordinary Internet Explorer session and zone-map writes rather than changes made by the sample.

PID 2796 iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | write CompatibilityFlags = 0
PID 2796 iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write UNCAsIntranet = 0
PID 2796 iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write AutoDetect = 1
PID 2796 iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | write SecuritySafe = 1
PID 2796 iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | write ProxyEnable = 0
PID 2796 iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | write SavedLegacySettings = (binary value omitted in this excerpt)
PID 2796 iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active | write {0EB82641-8B86-11E9-B63D-5254004A04AF} = 0
PID 2796 iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | write Type = 4
PID 2796 iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | write Count = 1
PID 2796 iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | write Time = E307060001000A000D002D0033003B01
Executable files: 319
Suspicious files: 69
Text files: 1 623
Unknown types: 59

Dropped files

Ten of the dropped files are listed (PID and process, then path; the MD5 and SHA256 columns are empty in this rendering, and the file type is given only where the report shows one). Note that the stub installer (PID 3060) stages NFWCHK.exe and the partial download drfone_full3360.exe.~P2S under C:\Users\Public\Documents\Wondershare, a directory every local user can write to; the command line of PID 1040 shows the completed file at C:\Users\Public\Documents\Wondershare\drfone_full3360.exe.

PID 2796 iexplore.exe: C:\Users\admin\AppData\Local\Temp\~DF282421B8D5042C42.TMP
PID 3060 drfone_setup_full3360[1].exe: C:\Users\Public\Documents\Wondershare\NFWCHK.exe
PID 3060 drfone_setup_full3360[1].exe: C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config
PID 2796 iexplore.exe: C:\Users\admin\AppData\Local\Temp\~DF8F55D5D539166EC5.TMP
PID 2796 iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{0EB82641-8B86-11E9-B63D-5254004A04AF}.dat
PID 3696 iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat (type: dat)
PID 3060 drfone_setup_full3360[1].exe: C:\Users\Public\Documents\Wondershare\drfone_full3360.exe.~P2S
PID 3696 iexplore.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat (type: dat)
PID 2796 iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{0EB82642-8B86-11E9-B63D-5254004A04AF}.dat (type: binary)
PID 3696 iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat (type: dat)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 95
TCP/UDP connections: 111
DNS requests: 28
Threats: 5

HTTP requests

The submitted URL answers 302, after which the browser (PID 3696) fetches the 976 KB stub drfone_setup_full3360.exe from /inst/. The elevated stub (PID 3060) then pulls the 12.0 MB full installer from /cbs_down/ in ranged requests (three 206 Partial Content responses; only one range is typed "executable", presumably the one carrying the MZ header) and calls platform.wondershare.com with a client_sign identifier. Everything is plain HTTP, so neither binary has transport integrity; whether the stub verifies a hash or signature of the full installer is not visible in this report. A dash marks a column the report leaves empty.

PID | Process | Method | Code | IP | URL | CN | Type | Size | Reputation
3696 | iexplore.exe | GET | 302 | 2.16.186.90:80 | http://download.wondershare.com/drfone_full3360.exe | unknown | - | - | whitelisted
3060 | drfone_setup_full3360[1].exe | GET | - | 2.16.186.90:80 | http://download.wondershare.com/cbs_down/drfone_full3360.exe | unknown | - | - | whitelisted
3060 | drfone_setup_full3360[1].exe | GET | - | 63.159.217.165:80 | http://dlinst.wondershare.com/player/style/orbit-1.3.0.css | US | - | - | suspicious
3696 | iexplore.exe | GET | 200 | 2.16.186.90:80 | http://download.wondershare.com/inst/drfone_setup_full3360.exe | unknown | executable | 976 Kb | whitelisted
3060 | drfone_setup_full3360[1].exe | GET | 200 | 63.159.217.165:80 | http://dlinst.wondershare.com/player/3360-20181030115130.html | US | html | 882 b | suspicious
3060 | drfone_setup_full3360[1].exe | GET | 206 | 2.16.186.90:80 | http://download.wondershare.com/cbs_down/drfone_full3360.exe | unknown | binary | 12.0 Mb | whitelisted
3060 | drfone_setup_full3360[1].exe | GET | 200 | 47.91.67.36:80 | http://platform.wondershare.com/rest/v2/downloader/runtime/?client_sign={C4BA3647-0000-0QM0-0001-5254004A04AF}&product_id=3360 | US | xml | 1.51 Kb | suspicious
3060 | drfone_setup_full3360[1].exe | GET | 206 | 2.16.186.90:80 | http://download.wondershare.com/cbs_down/drfone_full3360.exe | unknown | binary | 12.0 Mb | whitelisted
3060 | drfone_setup_full3360[1].exe | GET | 206 | 2.16.186.90:80 | http://download.wondershare.com/cbs_down/drfone_full3360.exe | unknown | executable | 12.0 Mb | whitelisted
3060 | drfone_setup_full3360[1].exe | GET | 200 | 63.159.217.165:80 | http://dlinst.wondershare.com/player/3360-20181030115130.html | US | html | 882 b | suspicious

Connections

Rows without a PID appear that way in the report. Note that the reputation labels here do not agree with the DNS section below (cbs.wondershare.com is "malicious" here and "whitelisted" there; drfone.wondershare.com the reverse), so treat them as hints, not findings.

PID | Process | IP | Domain | ASN | CN | Reputation
3060 | drfone_setup_full3360[1].exe | 63.159.217.165:80 | dlinst.wondershare.com | QUANTIL, INC | US | unknown
(PID not listed) | - | 63.159.217.165:80 | dlinst.wondershare.com | QUANTIL, INC | US | unknown
3696 | iexplore.exe | 2.16.186.90:80 | download.wondershare.com | Akamai International B.V. | - | whitelisted
2796 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3696 | iexplore.exe | 47.91.89.199:80 | cbs.wondershare.com | Alibaba (China) Technology Co., Ltd. | US | malicious
3232 | NFWCHk.exe | 93.184.221.240:80 | www.download.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3460 | iexplore.exe | 47.91.89.199:80 | cbs.wondershare.com | Alibaba (China) Technology Co., Ltd. | US | malicious
1040 | drfone_full3360.tmp | 2.19.40.184:443 | drfone.wondershare.com | Akamai International B.V. | - | whitelisted
(PID not listed) | - | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3460 | iexplore.exe | 2.19.40.184:443 | drfone.wondershare.com | Akamai International B.V. | - | whitelisted

DNS requests

Domain | Resolved IP(s) | Reputation
download.wondershare.com | 2.16.186.90, 104.103.72.129, 104.103.72.11 | whitelisted
cbs.wondershare.com | 47.91.89.199, 47.91.76.37, 47.91.89.20, 47.91.91.66 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
platform.wondershare.com | 47.91.67.36 | suspicious
dlinst.wondershare.com | 63.159.217.165 | suspicious
dns.msftncsi.com | 131.107.255.255 | shared
www.download.windowsupdate.com | 93.184.221.240 | whitelisted
drfone.wondershare.com | 2.19.40.184 | suspicious
images.wondershare.com | 2.19.40.184 | whitelisted
www.googletagmanager.com | 172.217.16.136 | whitelisted

www.bing.com and dns.msftncsi.com are Internet Explorer and Windows network-connectivity background traffic; the Wondershare hosts are the installer's own download, CDN, telemetry and update endpoints.

Threats

All five alerts are Emerging Threats POLICY/INFO signatures that fire on a PE file fetched over cleartext HTTP; none identifies a malware family. The alerts on DrFoneToolKit.exe (PID 3928) are consistent with the WAF component's LiveUpdate fetch of com.wondershare.drfonewin.backup_sku-ween_196.exe into C:\ProgramData\Wondershare\WAF\Download (PID 2076 runs from that path with /LiveUpdate /UpdateByWAF and has DrFoneToolKit.exe as its parent).

PID | Process | Class | Message
3696 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3060 | drfone_setup_full3360[1].exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3060 | drfone_setup_full3360[1].exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3928 | DrFoneToolKit.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3928 | DrFoneToolKit.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
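To make clear what those two signatures actually key on, here is an added example (my code, an approximation of the two checks, not the Suricata rule bodies and not part of this report) run over constructed HTTP responses: a body that starts with a DOS header whose e_lfanew points at a valid PE signature trips the PE-download rule, and a PE body served with almost none of the headers a real web server sends also trips the minimal-headers rule. The header set, the threshold and the sample responses are my choices.

```python
"""Approximate the two ET signatures from the report over raw HTTP responses
(added example; the real Suricata rules are not reproduced here)."""
import struct

ET_PE_DOWNLOAD = "ET POLICY PE EXE or DLL Windows file download HTTP"
ET_MINIMAL_HEADERS = ("ET INFO Executable Retrieved With Minimal HTTP Headers"
                      " - Potential Second Stage Download")

# Headers a normal web server or CDN sends with a file.  The threshold is the
# author's guess: a PE served with at most two of these looks like a bare stager.
USUAL_HEADERS = {"content-type", "content-length", "date", "server",
                 "last-modified", "etag", "accept-ranges"}
MINIMAL_THRESHOLD = 2


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, {header: value}, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def is_pe(body: bytes) -> bool:
    """True if the body starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(raw: bytes):
    """Return the list of alert names this response would raise."""
    status, headers, body = parse_response(raw)
    alerts = []
    # A 206 continuation range does not start with MZ, so only the range that
    # carries the file header can trip the PE rule.  That is the likely reason
    # one of the report's three 206 responses is typed "executable" and two "binary".
    if status in (200, 206) and is_pe(body):
        alerts.append(ET_PE_DOWNLOAD)
        if len(USUAL_HEADERS & headers.keys()) <= MINIMAL_THRESHOLD:
            alerts.append(ET_MINIMAL_HEADERS)
    return alerts


def fake_pe(size: int = 0x100) -> bytes:
    """Constructed minimal PE image: MZ header, e_lfanew = 0x40, PE signature, zero padding."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    return bytes(img)


# Constructed sample responses, not captured traffic.
CDN_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: ExampleCDN\r\nDate: Mon, 10 Jun 2019 13:45:00 GMT\r\n"
                b"Content-Type: application/octet-stream\r\nContent-Length: 256\r\n"
                b"Last-Modified: Tue, 30 Oct 2018 11:51:30 GMT\r\n\r\n") + fake_pe()
BARE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 256\r\n\r\n" + fake_pe()
HTML_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 13\r\n\r\n<html></html>"
SECOND_RANGE = (b"HTTP/1.1 206 Partial Content\r\nContent-Type: application/octet-stream\r\n"
                b"Content-Range: bytes 256-511/512\r\nContent-Length: 256\r\n\r\n") + b"\0" * 256

if __name__ == "__main__":
    for label, raw in [("cdn", CDN_RESPONSE), ("bare", BARE_RESPONSE),
                       ("html", HTML_RESPONSE), ("range2", SECOND_RANGE)]:
        print(label, classify(raw))
```

The point for triage: the POLICY rule is a visibility rule, so it will fire on every legitimate installer that downloads components over HTTP, and the INFO rule adds only "this server sent unusually few headers". Neither can distinguish a vendor CDN from a staging server; that decision has to come from the file (signature, hash, where it was written, what launched it), which is why the process and dropped-file sections above matter more than the alert count.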
Debug output (process: message)

RegAsm.exe: Cannot delete a subkey tree because the subkey does not exist.
WsAppService3.exe: Program.InitApp 3.0.0.306: Start
DrFoneToolKit.exe: Program.Start Product=dr.fone, Version=9.9.10.10
DrFoneToolKit.exe: Program.InitLog
DrFoneToolKit.exe: Program.InitWAF...
DrFoneToolKit.exe: Program.InitApp 3.0.0.306: Start
DrFoneToolKit.exe: WAF.OnStart WAF.pid:com.wondershare.drfonewin
DrFoneToolKit.exe: SaveToXml(C:\ProgramData\Wondershare\WAF\ProductionStore.dat)
DrFoneToolKit.exe: App com.wondershare.drfonewin, Start
DrFoneToolKit.exe: Load ClientSign: