Malware analysis TRANSFER.EXE Malicious activity | ANY.RUN

Add for printing

File name:	TRANSFER.EXE
Full analysis:	https://app.any.run/tasks/2b5061ff-0923-4264-86ec-002cc79978c5
Verdict:	Malicious activity
Analysis date:	July 16, 2024, 12:26:48
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	E12879DEBDCCA74CAFC2EA315FC9C67F
SHA1:	F6F838F06BFC88FD4C3C72D5707986A4E6004CEA
SHA256:	AEA48D054D3C5D517A680E92DEA37A34B84543C343EC9227B6B637A1DCC74E91
SSDEEP:	24576:WwHeBPwakitMvlMam53l1a8xmNXxEBx2k2zeeTlxuo/+b:VHeBPwakitMvlMam53l1a8xmJxEBx2kR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - TRANSFER.EXE.exe (PID: 6272)
  - NPE.exe (PID: 6380)
- Creates a writable file in the system directory
  - NPE.exe (PID: 6380)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - NPE.exe (PID: 6380)
- Creates files in the driver directory
  - NPE.exe (PID: 6380)
- Drops a system driver (possible attempt to evade defenses)
  - NPE.exe (PID: 6380)
- Executable content was dropped or overwritten
  - NPE.exe (PID: 6380)
- Checks for external IP
  - InstallUtil.exe (PID: 2060)
INFO
- Manual execution by a user
  - NPE.exe (PID: 6380)
  - NPE.exe (PID: 2708)
- Reads the machine GUID from the registry
  - TRANSFER.EXE.exe (PID: 6272)
  - NPE.exe (PID: 6380)
  - InstallUtil.exe (PID: 2060)
- Checks supported languages
  - TRANSFER.EXE.exe (PID: 6272)
  - NPE.exe (PID: 6380)
  - InstallUtil.exe (PID: 2060)
- Reads the computer name
  - TRANSFER.EXE.exe (PID: 6272)
  - NPE.exe (PID: 6380)
  - InstallUtil.exe (PID: 2060)
- Creates files in the program directory
  - NPE.exe (PID: 6380)
- Creates files or folders in the user directory
  - NPE.exe (PID: 6380)
- Reads the software policy settings
  - NPE.exe (PID: 6380)
  - InstallUtil.exe (PID: 2060)
- Reads Environment values
  - NPE.exe (PID: 6380)
  - InstallUtil.exe (PID: 2060)
- Reads product name
  - NPE.exe (PID: 6380)
- Checks proxy server information
  - NPE.exe (PID: 6380)
  - InstallUtil.exe (PID: 2060)
- Disables trace logs
  - InstallUtil.exe (PID: 2060)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll	\|	Win32 Dynamic Link Library (generic) (7.4)
.exe	\|	Win32 Executable (generic) (5.1)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1978:09:03 00:51:17+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	80
CodeSize:	949248
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0xe99fe
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	9.13.18.22
ProductVersionNumber:	9.13.18.22
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	9FI83;>G7EF8H2:BB?I<
CompanyName:	>56875A?4=7H6<3C47IBEDH
FileDescription:	FE>FJ5H32;BI5HJ6@G?2
FileVersion:	9.13.18.22
InternalName:	Transfer Copy.exe
LegalCopyright:	Copyright © 2016 >56875A?4=7H6<3C47IBEDH
OriginalFileName:	Transfer Copy.exe
ProductName:	FE>FJ5H32;BI5HJ6@G?2
ProductVersion:	9.13.18.22
AssemblyVersion:	1.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

142

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2060

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

TRANSFER.EXE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

.NET Framework installation utility

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

2708

"C:\Users\admin\Desktop\NPE.exe"

C:\Users\admin\Desktop\NPE.exe

—

explorer.exe

User:

admin

Company:

NortonLifeLock Inc.

Integrity Level:

MEDIUM

Description:

Norton Power Eraser

Exit code:

3221226540

Version:

6.6.0.2153

Modules

Images
c:\users\admin\desktop\npe.exe
c:\windows\system32\ntdll.dll

4448

"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent

C:\Windows\System32\slui.exe

SppExtComObj.Exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

6272

"C:\Users\admin\Downloads\TRANSFER.EXE.exe"

C:\Users\admin\Downloads\TRANSFER.EXE.exe

—

explorer.exe

User:

admin

Company:

>56875A?4=7H6<3C47IBEDH

Integrity Level:

MEDIUM

Description:

FE>FJ5H32;BI5HJ6@G?2

Version:

9.13.18.22

Modules

Images
c:\users\admin\downloads\transfer.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

6380

"C:\Users\admin\Desktop\NPE.exe"

C:\Users\admin\Desktop\NPE.exe

explorer.exe

User:

admin

Company:

NortonLifeLock Inc.

Integrity Level:

HIGH

Description:

Norton Power Eraser

Version:

6.6.0.2153

Modules

Images
c:\users\admin\desktop\npe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll

6680

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

6704

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

Add for printing

Total events

11 085

Read events

10 982

Write events

Delete events

Modification events


(PID) Process:	(6380) NPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\NPE.exe
Operation:	write	Name:	DumpType
Value: 0
(PID) Process:	(6380) NPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\NPE.exe
Operation:	write	Name:	DumpCount
Value: 4
(PID) Process:	(6380) NPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\NPE.exe
Operation:	write	Name:	DumpFlags
Value: 0
(PID) Process:	(6380) NPE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\NPE.exe
Operation:	write	Name:	DumpFolder
Value: C:\Users\admin\AppData\Local\NPE\LocalDumps
(PID) Process:	(6380) NPE.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\Autologger\NPETraceSession
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6380) NPE.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:	write	Name:	NodeSlots
Value: 0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:	(6380) NPE.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:	write	Name:	MRUListEx
Value: 04000000030000000E000000000000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF
(PID) Process:	(6380) NPE.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4
Operation:	write	Name:	MRUListEx
Value: 040000000500000000000000020000000100000003000000FFFFFFFF
(PID) Process:	(6380) NPE.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\119\Shell
Operation:	write	Name:	SniffedFolderType
Value: Documents
(PID) Process:	(6380) NPE.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6380	NPE.exe	C:\ProgramData\Norton\NPE\NPEsettings.dat		binary
		MD5:FC37525B224BCB336F39926D2356FE1D	SHA256:1ADAC96ABE6BD4141934F3EB98F89B01724804038B57BAE926C34F4B085C38B7
6380	NPE.exe	C:\WINDOWS\System32\drivers\SMR540.SYS		executable
		MD5:836BF59E8E3F6BBA0BD958B63FC3A6A2	SHA256:48C18955D0BB46AAF2F95B31CD5F34478DB9E3A25B7600BC3F1DDC43241C0A5E
6380	NPE.exe	C:\WINDOWS\TEMP\FB7A7A2B.tmp		binary
		MD5:DC4EE428EB6DC11F0955C66E92F85779	SHA256:7BBF1547FA62E5B93F0F0F1F172FBC1BC2804EAAC81E2F486FDCF2F22B2E1B70
6380	NPE.exe	C:\Users\admin\AppData\Local\NPE\ErrMgmt\SQCLIENT.dat		binary
		MD5:CC2B0E03038DE107ACC56A9A1880B4BE	SHA256:BDB39C942686F84584CF1764A05480DE47CE50B867436095EF12155A5412A0F8
6380	NPE.exe	C:\ProgramData\Norton\NPE\NPEsettings.dat.log		binary
		MD5:E93F257844761964F1B5EAA6B1655A5C	SHA256:FE0049308C49BD527521EF3083F1885E219F187ABACEFC797B7735660F1EC0F8
6380	NPE.exe	C:\ProgramData\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI		text
		MD5:1028F278A81D9795DA3C6A70463730FD	SHA256:302B4E7C6A73838E1BDDAE580CA0491A8E8AC5FC51D69E960BF8C4C8986C9D7F
6380	NPE.exe	C:\Users\admin\AppData\Local\NPE\ErrMgmt\SQCLIENT.dat.log		abr
		MD5:6D83F9A8767590553954972293ABBD5B	SHA256:236581906522EF2FC12370E585A49B8716F2A736ED3B9F5C82D5B1F1A83ABB41

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
2052	MoUsoCoreWorker.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2052	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2848	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
2848	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
2212	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5988	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
3596	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
2060	InstallUtil.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	unknown	—	—	shared
5084	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	2.23.209.171:443	—	Akamai International B.V.	GB	unknown
2064	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
900	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4656	SearchApp.exe	2.23.209.171:443	—	Akamai International B.V.	GB	unknown
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
2052	MoUsoCoreWorker.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
2052	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	unknown
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.19	whitelisted
google.com	142.250.185.238	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
login.live.com	40.126.31.67 20.190.159.0 20.190.159.64 40.126.31.69 20.190.159.71 20.190.159.75 20.190.159.73 20.190.159.4	whitelisted
go.microsoft.com	184.28.89.167	whitelisted
nexusrules.officeapps.live.com	52.111.229.19	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
arc.msn.com	20.223.36.55	whitelisted

Threats

PID	Process	Class	Message
2168	svchost.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
2060	InstallUtil.exe	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2168	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2168	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2060	InstallUtil.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External Hosting Lookup by ip-api
2060	InstallUtil.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com

Add for printing

Process	Message
NPE.exe	Information at updateCurrentLangCode (res:main_frame.tis(714)) main_frame.tis : 'updateCurrentLangCode' called
NPE.exe	Information at updatePageDirection (res:main_frame.tis(753)) main_frame.tis : 'updatePageDirection' called
NPE.exe	Information at updateProductName (res:main_frame.tis(761)) main_frame.tis : 'updateProductName' called
NPE.exe	Information at self.ready (res:main_frame.tis(13)) 'main_frame.tis' loaded
NPE.exe	Information at showEulaPage (res:main_frame.tis(146)) 'showEulaPage()' called
NPE.exe	Information at loadFrameContent (res:main_frame.tis(33)) 'loadFrameContent(eula)' called
NPE.exe	Information at self.ready (res:eula.tis(8)) 'eula.tis' loaded
NPE.exe	Information at setup (res:eula.tis(16)) 'eula.tis: setup()' called
NPE.exe	Information at setup (res:eula.tis(22)) Initial Language ID: 1033
NPE.exe	Information at assignEULA (res:eula.tis(79)) Assigning Language ID: 1033

General Info

TRANSFER.EXE

E12879DEBDCCA74CAFC2EA315FC9C67F

F6F838F06BFC88FD4C3C72D5707986A4E6004CEA

AEA48D054D3C5D517A680E92DEA37A34B84543C343EC9227B6B637A1DCC74E91

24576:WwHeBPwakitMvlMam53l1a8xmNXxEBx2k2zeeTlxuo/+b:VHeBPwakitMvlMam53l1a8xmJxEBx2kR

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Creates a writable file in the system directory

SUSPICIOUS

Reads security settings of Internet Explorer

Creates files in the driver directory

Drops a system driver (possible attempt to evade defenses)

Executable content was dropped or overwritten

Checks for external IP

INFO

Manual execution by a user

Reads the machine GUID from the registry

Checks supported languages

Reads the computer name

Creates files in the program directory

Creates files or folders in the user directory

Reads the software policy settings

Reads Environment values

Reads product name

Checks proxy server information

Disables trace logs

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings