File name:

whatsapp-transfer.exe

Full analysis: https://app.any.run/tasks/d436955f-271d-4d9f-95f9-12a02c48e239
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: May 22, 2024, 00:18:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
adware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

1CC9D35BDAC3F7ACED889D2A937DEF51

SHA1:

E6B3D31147036EDA3F858A668E4866AD90ABCB74

SHA256:

0B007F2AC5D46356553509D53D4954FE03A8D27AA20C85782A27B048C7260599

SSDEEP:

49152:350ZsURAlnmObDnDP2YBW3dty7R74NNeCUO171LtRprh:3isUupDnb2YB+ry7R8NNexO19/prh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • whatsapp-transfer.exe (PID: 4092)
    • Connects to the CnC server

      • whatsapp-transfer.exe (PID: 4092)
  • SUSPICIOUS

    • Reads the Internet Settings

      • whatsapp-transfer.exe (PID: 4092)
    • Reads security settings of Internet Explorer

      • whatsapp-transfer.exe (PID: 4092)
    • Checks Windows Trust Settings

      • whatsapp-transfer.exe (PID: 4092)
    • Reads settings of System Certificates

      • whatsapp-transfer.exe (PID: 4092)
    • Potential Corporate Privacy Violation

      • whatsapp-transfer.exe (PID: 4092)
    • Checks for external IP

      • whatsapp-transfer.exe (PID: 4092)
    • Device Retrieving External IP Address Detected

      • whatsapp-transfer.exe (PID: 4092)
    • Access to an unwanted program domain was detected

      • whatsapp-transfer.exe (PID: 4092)
  • INFO

    • Checks supported languages

      • whatsapp-transfer.exe (PID: 4092)
      • wmpnscfg.exe (PID: 2304)
    • Reads the computer name

      • whatsapp-transfer.exe (PID: 4092)
      • wmpnscfg.exe (PID: 2304)
    • Create files in a temporary directory

      • whatsapp-transfer.exe (PID: 4092)
    • Reads Environment values

      • whatsapp-transfer.exe (PID: 4092)
    • Checks proxy server information

      • whatsapp-transfer.exe (PID: 4092)
    • Reads the machine GUID from the registry

      • whatsapp-transfer.exe (PID: 4092)
    • Creates files or folders in the user directory

      • whatsapp-transfer.exe (PID: 4092)
    • Reads the software policy settings

      • whatsapp-transfer.exe (PID: 4092)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 2304)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (76)
.exe | Win32 Executable (generic) (12.6)
.exe | Generic Win/DOS Executable (5.6)
.exe | DOS Executable Generic (5.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:06:05 04:05:00+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 1736704
InitializedDataSize: 376832
UninitializedDataSize: 2347008
EntryPoint: 0x3e5890
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 2.7.11.0
ProductVersionNumber: 2.7.11.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Tenorshare Co., Ltd.
FileDescription: iCareFone Transfer
FileVersion: 2.7.11.0
LegalCopyright: Copyright © 2007-2023 Tenorshare Co.,Ltd.
ProductName: 20230605120340
ProductVersion: 2.7.11.0
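The header numbers above fit the usual UPX layout: a virtual-only UPX0 section (what SizeOfUninitializedData counts), followed by UPX1 (what SizeOfCode counts), with the entry point inside the decompression stub at the tail of UPX1. The check below is an added example, not part of the ANY.RUN report; it assumes the default 0x1000 section alignment and the standard UPX section order, both of which a repacked or tampered file can break, so confirm against the real section table (pefile's `pe.sections`) before relying on it.

```python
"""Check the PE header numbers in the EXIF block against the usual UPX layout.

Added example, not part of the ANY.RUN report. Assumptions (standard for
UPX, but not guaranteed for repacked or modified files): default 0x1000
section alignment; UPX0 is the first section, virtual-only, and accounts for
SizeOfUninitializedData; UPX1 follows it immediately, accounts for
SizeOfCode, and holds the decompression stub at its tail, which is where
AddressOfEntryPoint should land.
"""

SECTION_ALIGNMENT = 0x1000   # assumed default

# Values from the report's EXIF block.
CODE_SIZE = 1736704          # SizeOfCode               -> UPX1
UNINIT_DATA_SIZE = 2347008   # SizeOfUninitializedData  -> UPX0
ENTRY_POINT = 0x3E5890       # AddressOfEntryPoint (RVA)


def upx_layout(code_size, uninit_size, entry_point, align=SECTION_ALIGNMENT):
    """Reconstruct the assumed UPX0/UPX1 RVA ranges and locate the entry point."""
    def round_up(n):
        return (n + align - 1) // align * align

    upx0_start = align                           # first section sits at RVA 0x1000
    upx1_start = upx0_start + round_up(uninit_size)
    upx1_end = upx1_start + round_up(code_size)
    in_upx1 = upx1_start <= entry_point < upx1_end
    return {
        "upx0": (upx0_start, upx1_start),
        "upx1": (upx1_start, upx1_end),
        "entry_in_upx1": in_upx1,
        # Small positive value = entry point in the stub at the end of UPX1.
        "bytes_from_upx1_end": upx1_end - entry_point if in_upx1 else None,
    }


def looks_like_upx(code_size, uninit_size, entry_point, stub_budget=0x2000):
    """True when the entry point lies inside the last stub_budget bytes of UPX1."""
    r = upx_layout(code_size, uninit_size, entry_point)
    return bool(r["entry_in_upx1"] and r["bytes_from_upx1_end"] <= stub_budget)


if __name__ == "__main__":
    layout = upx_layout(CODE_SIZE, UNINIT_DATA_SIZE, ENTRY_POINT)
    for k, v in layout.items():
        print(f"{k:>20}: {tuple(hex(x) for x in v) if isinstance(v, tuple) else v}")
    print("UPX-shaped:", looks_like_upx(CODE_SIZE, UNINIT_DATA_SIZE, ENTRY_POINT))
```

With the report's numbers UPX1 spans 0x23E000 to 0x3E6000 and the entry point sits 0x770 bytes before the end of it, which is exactly where the UPX stub lives. If `upx -d` refuses a file that otherwise passes this check, the stub or section names were modified by hand and static unpacking will need a debugger or a memory dump after the stub runs.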
No data.
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Process tree: start -> whatsapp-transfer.exe; wmpnscfg.exe (no specs); whatsapp-transfer.exe (no specs)

Process information

PID:
2304
CMD:
"C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path:
C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
3980
CMD:
"C:\Users\admin\AppData\Local\Temp\whatsapp-transfer.exe"
Path:
C:\Users\admin\AppData\Local\Temp\whatsapp-transfer.exe
Parent process:
explorer.exe
User:
admin
Company:
Tenorshare Co., Ltd.
Integrity Level:
MEDIUM
Description:
iCareFone Transfer
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity instance exited during initialization, having loaded only ntdll.dll, and the same file was re-run elevated as PID 4092 at integrity level HIGH, which is the instance that carries all of the behaviour below)
Version:
2.7.11.0
Modules
Images
c:\users\admin\appdata\local\temp\whatsapp-transfer.exe
c:\windows\system32\ntdll.dll
PID:
4092
CMD:
"C:\Users\admin\AppData\Local\Temp\whatsapp-transfer.exe"
Path:
C:\Users\admin\AppData\Local\Temp\whatsapp-transfer.exe
Parent process:
explorer.exe
User:
admin
Company:
Tenorshare Co., Ltd.
Integrity Level:
HIGH
Description:
iCareFone Transfer
Version:
2.7.11.0
Modules
Images
c:\users\admin\appdata\local\temp\whatsapp-transfer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
Total events
6 029
Read events
5 980
Write events
40
Delete events
9

Modification events

(PID) Process: (4092) whatsapp-transfer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Tenorshare\Downloader2.5.0
Operation: write
Name: GA_PC
Value: 1

(PID) Process: (4092) whatsapp-transfer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (4092) whatsapp-transfer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyServer

(PID) Process: (4092) whatsapp-transfer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyOverride

(PID) Process: (4092) whatsapp-transfer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoConfigURL

(PID) Process: (4092) whatsapp-transfer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoDetect

(PID) Process: (4092) whatsapp-transfer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:
460000005D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (4092) whatsapp-transfer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (4092) whatsapp-transfer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (4092) whatsapp-transfer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1
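The SavedLegacySettings value above is the binary form of the proxy configuration the process rewrote in the same burst as ProxyEnable=0 and the deletion of ProxyServer, ProxyOverride, AutoConfigURL and AutoDetect; it is the write the "Reads the Internet Settings" and "Checks proxy server information" signatures react to. The parser below is an added example, not code from the ANY.RUN report or from Tenorshare. It decodes the documented header (0x46 marker, change counter, flag DWORD, three length-prefixed ANSI strings) and shows the flags as direct plus auto-detect with all three proxy strings empty, the same state the individual registry operations describe. Reading the trailing bytes as auto-detect cache (a FILETIME and an interface IPv4) is an assumption, marked in the code; those bytes decode to March 2018 and 192.168.1.107, which match neither the May 2024 run date nor the 192.168.100.0/24 sandbox network in the Connections table, so they are pre-existing image state carried along by the write rather than an indicator of this sample.

```python
r"""Parse the WinINET connection-settings blob that PID 4092 wrote to
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings.

Added example, not code from the ANY.RUN report or from Tenorshare. The header
layout (0x46 marker, change counter, flag DWORD, three length-prefixed ANSI
strings) is the documented DefaultConnectionSettings/SavedLegacySettings
format shared by WinINET and Internet Explorer. Reading the trailing bytes as
auto-detect state (FILETIME plus an interface IPv4) is an assumption, marked
below; treat those fields as informational.
"""
import struct
from datetime import datetime, timedelta, timezone

# First 64 bytes of the Value shown in the report; the rest of the registry
# value is zero padding.
SAVED_LEGACY_SETTINGS_HEX = (
    "460000005D010000090000000000000000000000000000000400000000000000"
    "C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B"
)

# Flag bits in the DWORD at offset 8.
FLAG_NAMES = {
    0x01: "direct",        # no proxy
    0x02: "manual-proxy",  # use the ProxyServer string
    0x04: "pac-script",    # use the AutoConfigURL string
    0x08: "auto-detect",   # WPAD
}


def _read_lpstr(buf, off):
    """Read a DWORD length followed by that many ANSI bytes; return (text, next_off)."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].decode("latin-1"), off + n


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_connection_settings(blob):
    """Decode the documented header; decode the tail under the assumption noted below."""
    buf = bytes(blob)
    marker, counter, flags = struct.unpack_from("<III", buf, 0)
    if marker != 0x46:
        raise ValueError(f"unexpected header 0x{marker:x}, expected 0x46")
    off = 12
    proxy, off = _read_lpstr(buf, off)
    bypass, off = _read_lpstr(buf, off)
    pac_url, off = _read_lpstr(buf, off)
    result = {
        "counter": counter,
        "flags": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "proxy_server": proxy,
        "proxy_bypass": bypass,
        "pac_url": pac_url,
    }
    # Assumption (not part of the documented header): after the strings come
    # two DWORDs of auto-detect flags/padding, a FILETIME of the last WPAD run,
    # 12 zero bytes, an interface count, an address family (2 = AF_INET) and
    # the interface IPv4 address in network byte order.
    if len(buf) >= off + 40:
        (ft,) = struct.unpack_from("<Q", buf, off + 8)
        n_if, family = struct.unpack_from("<II", buf, off + 28)
        result["autodetect_last_run"] = filetime_to_datetime(ft)
        result["interface"] = (n_if, family, ".".join(str(b) for b in buf[off + 36:off + 40]))
    return result


if __name__ == "__main__":
    for k, v in parse_connection_settings(bytes.fromhex(SAVED_LEGACY_SETTINGS_HEX)).items():
        print(f"{k:>20}: {v}")
```

The same function works on the value dumped from a live host or a hive. The case worth escalating is a flags field containing manual-proxy or pac-script together with a non-empty ProxyServer or PAC URL, since that is how traffic gets silently redirected through an attacker-controlled host; this sample only cleared the settings back to direct with auto-detect.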
Executable files
0
Suspicious files
3
Text files
2
Unknown types
0

Dropped files

PID | Process | Filename | Type
4092 | whatsapp-transfer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\I8RDGA05.txt | text
MD5: 3FF1FD8D74D7724551321F9004826F03
SHA256: 8C7012B7F523ED4AC343626115B6C75983DE028EAD59DBF4BF47C1BC02B2494C
4092 | whatsapp-transfer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\1VLQ07NR.txt | text
MD5: 938FE6DBC142CE791B027B2EA07B471E
SHA256: 2CFC4BC9F9D9476AA79499C6F31E1C0BC017012A0BA386ED6E302964C919F3FE
4092 | whatsapp-transfer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
MD5: 6B2A7F8334AFA122BBA269A28120FCFB
SHA256: 2471F491E10C8DE70A712D722DACAE9CA561BDE52FB336DDB3FFCF6667D10544
4092 | whatsapp-transfer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_FB287BEB63DB9E8D59A799779773B97C | binary
MD5: B505793E8E2CDBB9E25065EA80118D2B
SHA256: 2A2DCB22E888845BB792F141CC72B5547236F2E310085CE6246EF9E5801A4041
4092 | whatsapp-transfer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_FB287BEB63DB9E8D59A799779773B97C | binary
MD5: 74BC6993431AE7633C9A453FC6A5010A
SHA256: 3023B9DBC7F5AB6242F13172865BB854A4FB56118C08C94EDF00CF5752681BDF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
11
DNS requests
6
Threats
6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4092 | whatsapp-transfer.exe | GET | 304 | 2.19.11.136:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0fd705b4979870b9 | unknown | unknown
4092 | whatsapp-transfer.exe | GET | 301 | 104.17.207.155:80 | http://www.tenorshare.com/downloads/service/softwarelog.txt | unknown | unknown
4092 | whatsapp-transfer.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/csv | unknown | unknown
4092 | whatsapp-transfer.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAhflMAthXvozBT%2FU%2B2iPio%3D | unknown | unknown
4092 | whatsapp-transfer.exe | POST | 200 | 142.250.184.206:80 | http://www.google-analytics.com/collect | unknown | unknown
4092 | whatsapp-transfer.exe | POST | 200 | 142.250.184.206:80 | http://www.google-analytics.com/collect | unknown | unknown
4092 | whatsapp-transfer.exe | POST | 200 | 142.250.184.206:80 | http://www.google-analytics.com/collect | unknown | unknown
4092 | whatsapp-transfer.exe | POST | 200 | 142.250.184.206:80 | http://www.google-analytics.com/collect | unknown | unknown
4092 | whatsapp-transfer.exe | POST | 200 | 142.250.184.206:80 | http://www.google-analytics.com/collect | unknown | unknown
4092 | whatsapp-transfer.exe | POST | 200 | 142.250.184.206:80 | http://www.google-analytics.com/collect | unknown | unknown
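The ocsp.digicert.com row is an OCSP request carried in the URL path (RFC 6960 allows a GET whose path is base64 of the DER OCSPRequest). Together with the disallowedcertstl.cab fetch from ctldl.windowsupdate.com it is the traffic the Windows certificate chain engine typically produces while WinVerifyTrust validates an Authenticode signature, which is also what the "Checks Windows Trust Settings" and "Reads settings of System Certificates" signatures reflect. The decoder below is an added example, not code from the ANY.RUN report or from Tenorshare; it uses only the standard library and walks the OCSPRequest structure from RFC 6960 section 4.1.1 to recover the CertID, so you can see which certificate's revocation status was queried.

```python
"""Decode the OCSP request that PID 4092 sent to ocsp.digicert.com as a GET.

Added example, not code from the ANY.RUN report or from Tenorshare. RFC 6960
(Appendix A) lets a client send an OCSPRequest as base64(DER) in the URL
path; the minimal DER walker below extracts the CertID fields using only the
standard library. Structure walked: OCSPRequest -> tbsRequest -> requestList
-> Request -> CertID {hashAlgorithm, issuerNameHash, issuerKeyHash,
serialNumber} (RFC 6960 section 4.1.1).
"""
import base64
from urllib.parse import unquote, urlparse

# URL copied from the report's HTTP requests table.
OCSP_URL = (
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDl"
    "QQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAhflMAthXvozBT%2FU%2B2iPio%3D"
)

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}

SEQUENCE, OID = 0x30, 0x06


def der_tlv(buf, off=0):
    """Return (tag, value, next_off) for the TLV at off; handles long-form lengths."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def der_children(value):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    off = 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        yield tag, val


def first_child(value, tag):
    """First child with the given tag; skips context-tagged optionals such as [0] version."""
    return next(v for t, v in der_children(value) if t == tag)


def decode_oid(raw):
    """Decode the contents of an OBJECT IDENTIFIER into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_ocsp_get(url):
    """Return one dict per CertID in the OCSPRequest carried by an OCSP GET URL."""
    der = base64.b64decode(unquote(urlparse(url).path.lstrip("/")))
    _, ocsp_request, _ = der_tlv(der)
    tbs = first_child(ocsp_request, SEQUENCE)
    request_list = first_child(tbs, SEQUENCE)   # [0] version / [1] requestorName, if present, are skipped
    out = []
    for _, request in der_children(request_list):
        cert_id = first_child(request, SEQUENCE)
        alg, name_hash, key_hash, serial = (v for _, v in der_children(cert_id))
        oid = decode_oid(first_child(alg, OID))
        out.append({
            "hash_alg": HASH_OIDS.get(oid, oid),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial": serial.hex(),
        })
    return out


if __name__ == "__main__":
    for cert_id in decode_ocsp_get(OCSP_URL):
        for k, v in cert_id.items():
            print(f"{k:>17}: {v}")
```

For this URL the request is a single SHA-1 CertID with serial 085f94c02d857be8cc14ff53eda23e2a. Compare that serial against the signer certificate extracted from the sample (for example `Get-AuthenticodeSignature` on Windows or `osslsigncode extract-signature` elsewhere) before reading anything into it; the issuer key hash identifies the issuing CA, and the responder host only tells you which CA operator answered.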

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | whitelisted
(PID not shown) | 224.0.0.252:5355 | unknown
4 | System | 192.168.100.255:138 | whitelisted
4092 | whatsapp-transfer.exe | 104.17.207.155:80 | www.tenorshare.com | CLOUDFLARENET | unknown
4092 | whatsapp-transfer.exe | 104.17.207.155:443 | www.tenorshare.com | CLOUDFLARENET | unknown
4092 | whatsapp-transfer.exe | 2.19.11.136:80 | ctldl.windowsupdate.com | Elisa Oyj | NL | unknown
4092 | whatsapp-transfer.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4092 | whatsapp-transfer.exe | 104.18.25.249:443 | update.tenorshare.com | CLOUDFLARENET | unknown
4092 | whatsapp-transfer.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | unknown
4092 | whatsapp-transfer.exe | 142.250.184.206:443 | www.google-analytics.com | GOOGLE | US | whitelisted

DNS requests

Domain
IP
Reputation
www.tenorshare.com
  • 104.17.207.155
  • 104.17.192.141
whitelisted
ctldl.windowsupdate.com
  • 2.19.11.136
  • 2.19.11.178
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
update.tenorshare.com
  • 104.18.25.249
  • 104.18.24.249
unknown
ip-api.com
  • 208.95.112.1
shared
www.google-analytics.com
  • 142.250.184.206
whitelisted

Threats

PID | Process | Class | Message
4092 | whatsapp-transfer.exe | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Windows NT Version 5.0
4092 | whatsapp-transfer.exe | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Windows NT Version 5.0
4092 | whatsapp-transfer.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
4092 | whatsapp-transfer.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP Tensorshare Google Analytics Checkin
2 ETPRO signatures available at the full report
No debug info