URL:

https://download.tenorshare.com/downloads/whatsapp-transfer_2231.exe

Full analysis: https://app.any.run/tasks/1f1651c3-e679-4fa1-9c92-7fab2e4216a3
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Malware Trends Tracker     >>>
Analysis date: June 19, 2024, 09:09:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
adware
Indicators:
MD5:

620AE2DDA712BF7F4054A291B3F19E63

SHA1:

5D6AFCD6CA4972865767AB62CD59F93EADA3A61C

SHA256:

D5CA8FBB1EEAB16B77F6A1A8ABE6DE5A222BF8E01C1F29BAF7992FCB85F280C0

SSDEEP:

3:N8SElzILGKxKXK+gAIe9:2SKELGNa+ee9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Connects to the CnC server

      • whatsapp-transfer.exe (PID: 1164)

    • Drops the executable file immediately after the start

      • icarefonewhatsapptransfer_ts_5.5.15.exe (PID: 3920)
      • icarefonewhatsapptransfer_ts_5.5.15.tmp (PID: 1264)
      • drvinst.exe (PID: 3120)
      • drvinst.exe (PID: 3092)
      • DPInst32.exe (PID: 2760)
      • drvinst.exe (PID: 2676)
      • drvinst.exe (PID: 2500)
      • drvinst.exe (PID: 2596)
      • drvinst.exe (PID: 3304)

    • Creates a writable file in the system directory

      • drvinst.exe (PID: 3120)
      • drvinst.exe (PID: 3092)
      • drvinst.exe (PID: 2676)
      • drvinst.exe (PID: 2500)
      • drvinst.exe (PID: 2596)
      • drvinst.exe (PID: 3304)

  • SUSPICIOUS

    • Reads the Internet Settings

      • whatsapp-transfer.exe (PID: 1164)
      • icarefonewhatsapptransfer_ts_5.5.15.tmp (PID: 1264)
      • NetFrameCheck.exe (PID: 3988)
      • iCareFone Transfer.exe (PID: 2536)
      • launch32.exe (PID: 3772)

    • Reads security settings of Internet Explorer

      • whatsapp-transfer.exe (PID: 1164)
      • icarefonewhatsapptransfer_ts_5.5.15.tmp (PID: 1264)
      • NetFrameCheck.exe (PID: 3988)
      • iCareFone Transfer.exe (PID: 2536)
      • launch32.exe (PID: 3772)

    • Reads settings of System Certificates

      • whatsapp-transfer.exe (PID: 1164)
      • iCareFone Transfer.exe (PID: 2536)
      • rundll32.exe (PID: 3688)

    • Checks Windows Trust Settings

      • whatsapp-transfer.exe (PID: 1164)
      • iCareFone Transfer.exe (PID: 2536)
      • drvinst.exe (PID: 3120)
      • drvinst.exe (PID: 3092)
      • drvinst.exe (PID: 2500)
      • drvinst.exe (PID: 2596)
      • drvinst.exe (PID: 3304)

    • Checks for external IP

      • whatsapp-transfer.exe (PID: 1164)

    • Potential Corporate Privacy Violation

      • whatsapp-transfer.exe (PID: 1164)
      • msedge.exe (PID: 3740)
      • iCareFone Transfer.exe (PID: 2536)

    • Reads the Windows owner or organization settings

      • icarefonewhatsapptransfer_ts_5.5.15.tmp (PID: 1264)

    • Executable content was dropped or overwritten

      • icarefonewhatsapptransfer_ts_5.5.15.exe (PID: 3920)
      • icarefonewhatsapptransfer_ts_5.5.15.tmp (PID: 1264)
      • PnPutil.exe (PID: 2120)
      • drvinst.exe (PID: 3120)
      • drvinst.exe (PID: 3092)
      • DPInst32.exe (PID: 2760)
      • drvinst.exe (PID: 2676)
      • drvinst.exe (PID: 2596)
      • drvinst.exe (PID: 2500)
      • drvinst.exe (PID: 3304)

    • The process drops C-runtime libraries

      • icarefonewhatsapptransfer_ts_5.5.15.tmp (PID: 1264)

    • Starts CMD.EXE for commands execution

      • icarefonewhatsapptransfer_ts_5.5.15.tmp (PID: 1264)
      • launch32.exe (PID: 3772)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2544)

    • Process drops legitimate windows executable

      • icarefonewhatsapptransfer_ts_5.5.15.tmp (PID: 1264)
      • DPInst32.exe (PID: 2760)
      • drvinst.exe (PID: 3092)
      • drvinst.exe (PID: 2676)
      • drvinst.exe (PID: 2500)

    • Process drops SQLite DLL files

      • icarefonewhatsapptransfer_ts_5.5.15.tmp (PID: 1264)

    • Access to an unwanted program domain was detected

      • whatsapp-transfer.exe (PID: 1164)

    • Drops 7-zip archiver for unpacking

      • icarefonewhatsapptransfer_ts_5.5.15.tmp (PID: 1264)

    • Process drops legitimate windows executable (CertUtil.exe)

      • icarefonewhatsapptransfer_ts_5.5.15.tmp (PID: 1264)

    • Drops a system driver (possible attempt to evade defenses)

      • icarefonewhatsapptransfer_ts_5.5.15.tmp (PID: 1264)
      • PnPutil.exe (PID: 2120)
      • drvinst.exe (PID: 3120)
      • DPInst32.exe (PID: 2760)
      • drvinst.exe (PID: 2596)
      • drvinst.exe (PID: 3304)

    • Creates a software uninstall entry

      • whatsapp-transfer.exe (PID: 1164)
      • iCareFone Transfer.exe (PID: 2536)
      • DPInst32.exe (PID: 2760)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • icarefonewhatsapptransfer_ts_5.5.15.tmp (PID: 1264)

    • Searches for installed software

      • iCareFone Transfer.exe (PID: 2536)

    • Adds/modifies Windows certificates

      • certutil.exe (PID: 2268)
      • certutil.exe (PID: 288)
      • iCareFone Transfer.exe (PID: 2536)

    • Changes Internet Explorer settings (feature browser emulation)

      • iCareFone Transfer.exe (PID: 2536)

    • Creates files in the driver directory

      • drvinst.exe (PID: 3120)
      • drvinst.exe (PID: 3092)
      • drvinst.exe (PID: 2676)
      • drvinst.exe (PID: 2596)
      • drvinst.exe (PID: 2500)
      • drvinst.exe (PID: 3304)

    • Executes as Windows Service

      • VSSVC.exe (PID: 3176)

  • INFO

    • Application launched itself

      • chrome.exe (PID: 3416)
      • msedge.exe (PID: 2440)
      • msedge.exe (PID: 3632)

    • The process uses the downloaded file

      • chrome.exe (PID: 1620)
      • chrome.exe (PID: 3416)

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 3416)

    • Drops the executable file immediately after the start

      • chrome.exe (PID: 3416)
      • PnPutil.exe (PID: 2120)

    • Reads the computer name

      • whatsapp-transfer.exe (PID: 1164)
      • icarefonewhatsapptransfer_ts_5.5.15.tmp (PID: 1264)
      • NetFrameCheck.exe (PID: 3988)
      • iCareFone Transfer.exe (PID: 2536)
      • Monitor.exe (PID: 1412)
      • certutil.exe (PID: 2268)
      • certutil.exe (PID: 288)
      • AppleMobileDeviceProcess.exe (PID: 2464)
      • launch32.exe (PID: 3772)
      • drvinst.exe (PID: 3120)
      • DPInst32.exe (PID: 2760)
      • drvinst.exe (PID: 3092)
      • drvinst.exe (PID: 2676)
      • drvinst.exe (PID: 2500)
      • drvinst.exe (PID: 2596)
      • drvinst.exe (PID: 3304)

    • Checks supported languages

      • whatsapp-transfer.exe (PID: 1164)
      • icarefonewhatsapptransfer_ts_5.5.15.exe (PID: 3920)
      • icarefonewhatsapptransfer_ts_5.5.15.tmp (PID: 1264)
      • NetFrameCheck.exe (PID: 3988)
      • iCareFone Transfer.exe (PID: 2536)
      • Monitor.exe (PID: 1412)
      • certutil.exe (PID: 2268)
      • certutil.exe (PID: 288)
      • InstallAndDriver.exe (PID: 3168)
      • launch32.exe (PID: 3772)
      • AppleMobileDeviceProcess.exe (PID: 2464)
      • drvinst.exe (PID: 3120)
      • DPInst32.exe (PID: 2760)
      • drvinst.exe (PID: 3092)
      • drvinst.exe (PID: 2676)
      • drvinst.exe (PID: 2500)
      • drvinst.exe (PID: 2596)
      • drvinst.exe (PID: 3304)

    • Reads Environment values

      • whatsapp-transfer.exe (PID: 1164)
      • iCareFone Transfer.exe (PID: 2536)

    • Checks proxy server information

      • whatsapp-transfer.exe (PID: 1164)
      • iCareFone Transfer.exe (PID: 2536)

    • Reads the machine GUID from the registry

      • whatsapp-transfer.exe (PID: 1164)
      • iCareFone Transfer.exe (PID: 2536)
      • certutil.exe (PID: 2268)
      • certutil.exe (PID: 288)
      • drvinst.exe (PID: 3120)
      • DPInst32.exe (PID: 2760)
      • drvinst.exe (PID: 3092)
      • drvinst.exe (PID: 2676)
      • drvinst.exe (PID: 2500)
      • drvinst.exe (PID: 2596)
      • drvinst.exe (PID: 3304)

    • Creates files or folders in the user directory

      • whatsapp-transfer.exe (PID: 1164)
      • iCareFone Transfer.exe (PID: 2536)

    • Reads the software policy settings

      • whatsapp-transfer.exe (PID: 1164)
      • iCareFone Transfer.exe (PID: 2536)
      • drvinst.exe (PID: 3120)
      • drvinst.exe (PID: 3092)
      • rundll32.exe (PID: 3688)
      • drvinst.exe (PID: 2596)
      • drvinst.exe (PID: 2500)
      • drvinst.exe (PID: 3304)

    • Creates files in the program directory

      • whatsapp-transfer.exe (PID: 1164)
      • icarefonewhatsapptransfer_ts_5.5.15.tmp (PID: 1264)
      • iCareFone Transfer.exe (PID: 2536)
      • NetFrameCheck.exe (PID: 3988)
      • AppleMobileDeviceProcess.exe (PID: 2464)

    • Create files in a temporary directory

      • whatsapp-transfer.exe (PID: 1164)
      • icarefonewhatsapptransfer_ts_5.5.15.exe (PID: 3920)
      • icarefonewhatsapptransfer_ts_5.5.15.tmp (PID: 1264)
      • iCareFone Transfer.exe (PID: 2536)
      • PnPutil.exe (PID: 2120)
      • DPInst32.exe (PID: 2760)

    • Creates a software uninstall entry

      • icarefonewhatsapptransfer_ts_5.5.15.tmp (PID: 1264)

    • Reads product name

      • iCareFone Transfer.exe (PID: 2536)

    • Manual execution by a user

      • msedge.exe (PID: 3632)

    • Disables trace logs

      • iCareFone Transfer.exe (PID: 2536)

    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 3688)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
119
Monitored processes
63
Malicious processes
14
Suspicious processes
0

Behavior graph

Click at the process to see the details
start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs whatsapp-transfer.exe no specs whatsapp-transfer.exe icarefonewhatsapptransfer_ts_5.5.15.exe icarefonewhatsapptransfer_ts_5.5.15.tmp cmd.exe no specs taskkill.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netframecheck.exe no specs icarefone transfer.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs monitor.exe msedge.exe no specs certutil.exe no specs certutil.exe no specs installanddriver.exe no specs applemobiledeviceprocess.exe launch32.exe no specs msedge.exe no specs cmd.exe no specs pnputil.exe drvinst.exe dpinst32.exe msedge.exe no specs drvinst.exe msedge.exe no specs rundll32.exe no specs vssvc.exe no specs drvinst.exe rundll32.exe no specs drvinst.exe drvinst.exe drvinst.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
288"C:\Program Files\Tenorshare\iCareFone Transfer\TS_Android\cert\certutil.exe" -addstore root TenorshareKey.cerC:\Program Files\Tenorshare\iCareFone Transfer\TS_Android\cert\certutil.exeiCareFone Transfer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
5.2.3790.0 (srv03_rtm.030324-2048)
Modules
Images
c:\program files\tenorshare\icarefone transfer\ts_android\cert\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\tenorshare\icarefone transfer\ts_android\cert\certadm.dll
c:\windows\system32\atl.dll
324"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --disable-quic --mojo-platform-channel-handle=3864 --field-trial-handle=1108,i,9358728747086728186,2994088257027342763,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
400"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=1504 --field-trial-handle=1108,i,9358728747086728186,2994088257027342763,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
936"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3828 --field-trial-handle=1312,i,7322293084150966785,11439451948975528420,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
940"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=3420 --field-trial-handle=1312,i,7322293084150966785,11439451948975528420,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1044"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 --field-trial-handle=1312,i,7322293084150966785,11439451948975528420,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1164"C:\Users\admin\Downloads\whatsapp-transfer.exe" C:\Users\admin\Downloads\whatsapp-transfer.exe
chrome.exe
User:
admin
Company:
Tenorshare Co., Ltd.
Integrity Level:
HIGH
Description:
iCareFone Transfer
Exit code:
0
Version:
2.7.11.0
Modules
Images
c:\users\admin\downloads\whatsapp-transfer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
1264"C:\Users\admin\AppData\Local\Temp\is-79HBA.tmp\icarefonewhatsapptransfer_ts_5.5.15.tmp" /SL5="$150156,123687462,487424,C:\Users\admin\AppData\Local\Temp\icarefonewhatsapptransfer_ts\icarefonewhatsapptransfer_ts_5.5.15.exe" /VERYSILENT /SP- /NORESTART /DIR="C:\Program Files\Tenorshare\iCareFone Transfer\" /LANG=en /LOG="C:\Users\admin\AppData\Local\Temp\iCareFone Transfer_Setup_20240619101117.log" /sptrack nullC:\Users\admin\AppData\Local\Temp\is-79HBA.tmp\icarefonewhatsapptransfer_ts_5.5.15.tmp
icarefonewhatsapptransfer_ts_5.5.15.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-79hba.tmp\icarefonewhatsapptransfer_ts_5.5.15.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1384"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x5f10f598,0x5f10f5a8,0x5f10f5b4C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1388"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3260 --field-trial-handle=1312,i,7322293084150966785,11439451948975528420,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
67 646
Read events
66 675
Write events
934
Delete events
37

Modification events

(PID) Process:(3416) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(3416) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(3416) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
(PID) Process:(3416) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(3416) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(3416) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:dr
Value:
1
(PID) Process:(3416) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(3416) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome
Operation:writeName:UsageStatsInSample
Value:
0
(PID) Process:(3416) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(3416) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:metricsid
Value:
Executable files
677
Suspicious files
338
Text files
259
Unknown types
11

Dropped files

PID
Process
Filename
Type
3416chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF4e9df.TMP
MD5:
SHA256:
3416chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
3416chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Versiontext
MD5:9F941EA08DBDCA2EB3CFA1DBBBA6F5DC
SHA256:127F71DF0D2AD895D4F293E62284D85971AE047CA15F90B87BF6335898B0B655
3416chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\LOG.old~RF4ecbe.TMP
MD5:
SHA256:
3416chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\LOG.old
MD5:
SHA256:
3416chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\101256e7-7818-4cc3-b5fb-c72d436a498b.tmpbinary
MD5:5058F1AF8388633F609CADB75A75DC9D
SHA256:
3416chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF4e9df.TMPtext
MD5:358570F689377CE6838812643E03734B
SHA256:5B41FCC2E1A843AEAB9437B06E27B798870FF10D86A51B163BF48862BCD32590
3416chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG.old~RF4eb66.TMPtext
MD5:65239F35CB63C76EA1F59EF64F7AAFF4
SHA256:252EF82CC03FDE4BEF13CF81CD1AC5CE45854212D1A7359035E7A5D6BEDBE229
3416chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datbinary
MD5:9C016064A1F864C8140915D77CF3389A
SHA256:0E7265D4A8C16223538EDD8CD620B8820611C74538E420A88E333BE7F62AC787
3416chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.oldtext
MD5:6344721DA60A3CF7027C43288C8991C6
SHA256:DA3AD5C3641E42979DFB9D4178EDE8533F887C3ACF9C49BE9737D83CEDA55473
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
55
TCP/UDP connections
230
DNS requests
108
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1164
whatsapp-transfer.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?91f3d5e0ed3499c2
unknown
unknown
1164
whatsapp-transfer.exe
GET
301
104.17.207.155:80
http://www.tenorshare.com/downloads/service/softwarelog.txt
unknown
unknown
1164
whatsapp-transfer.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAhflMAthXvozBT%2FU%2B2iPio%3D
unknown
unknown
1164
whatsapp-transfer.exe
GET
200
208.95.112.1:80
http://ip-api.com/csv
unknown
unknown
1164
whatsapp-transfer.exe
POST
200
142.250.184.206:80
http://www.google-analytics.com/collect
unknown
unknown
1164
whatsapp-transfer.exe
POST
200
142.250.184.206:80
http://www.google-analytics.com/collect
unknown
unknown
1164
whatsapp-transfer.exe
POST
200
142.250.184.206:80
http://www.google-analytics.com/collect
unknown
unknown
1164
whatsapp-transfer.exe
POST
200
142.250.184.206:80
http://www.google-analytics.com/collect
unknown
unknown
1164
whatsapp-transfer.exe
POST
200
142.250.184.206:80
http://www.google-analytics.com/collect
unknown
unknown
1164
whatsapp-transfer.exe
POST
200
142.250.184.206:80
http://www.google-analytics.com/collect
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3416
chrome.exe
239.255.255.250:1900
unknown
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1060
svchost.exe
224.0.0.252:5355
unknown
2092
chrome.exe
142.250.110.84:443
accounts.google.com
GOOGLE
US
unknown
2092
chrome.exe
104.18.24.249:443
download.tenorshare.com
CLOUDFLARENET
unknown
3416
chrome.exe
224.0.0.251:5353
unknown
2092
chrome.exe
142.250.186.174:443
www.google-analytics.com
GOOGLE
US
whitelisted
1372
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2092
chrome.exe
142.250.186.132:443
www.google.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
download.tenorshare.com
  • 104.18.24.249
  • 104.18.25.249
unknown
accounts.google.com
  • 142.250.110.84
shared
sb-ssl.google.com
  • 184.86.251.31
  • 184.86.251.13
  • 184.86.251.8
  • 184.86.251.4
  • 184.86.251.7
  • 184.86.251.5
  • 184.86.251.9
  • 184.86.251.11
  • 184.86.251.14
whitelisted
www.google.com
  • 142.250.186.132
whitelisted
www.tenorshare.com
  • 104.17.207.155
  • 104.17.192.141
whitelisted
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
update.tenorshare.com
  • 104.18.24.249
  • 104.18.25.249
unknown
ip-api.com
  • 208.95.112.1
shared
www.google-analytics.com
  • 142.250.184.206
  • 142.250.186.174
whitelisted

Threats

PID
Process
Class
Message
1164
whatsapp-transfer.exe
Potential Corporate Privacy Violation
ET POLICY Unsupported/Fake Windows NT Version 5.0
1164
whatsapp-transfer.exe
Potential Corporate Privacy Violation
ET POLICY Unsupported/Fake Windows NT Version 5.0
1164
whatsapp-transfer.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
1164
whatsapp-transfer.exe
Possibly Unwanted Program Detected
ET ADWARE_PUP Tenorshare Google Analytics Checkin
2536
iCareFone Transfer.exe
Potential Corporate Privacy Violation
ET POLICY Unsupported/Fake Windows NT Version 5.0
3740
msedge.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] External IP Check (pro.ip-api.com)
3740
msedge.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] External IP Check (pro.ip-api.com)
3 ETPRO signatures available at the full report
Process
Message
iCareFone Transfer.exe
log4net:ERROR XmlHierarchyConfigurator: No appender named [ConsoleAppender] could be found.
iCareFone Transfer.exe
log4net:ERROR Appender named [ConsoleAppender] not found.
iCareFone Transfer.exe
2024-06-19 10:12:36:688 iCareFone Transfer<2520>:: TSClientContext::Init ios_manager version = 5.0.0.695
AppleMobileDeviceProcess.exe
ASL checking for logging parameters in environment variable "asl.log"
AppleMobileDeviceProcess.exe
ASL checking for logging parameters in environment variable "AppleMobileDeviceProcess.exe.log"
iCareFone Transfer.exe
2024-06-19 10:12:42:232 iCareFone Transfer<3604>:: TSDeviceStateManagerImpl::DetectUsbInsertion RegisterDeviceNotification
iCareFone Transfer.exe
2024-06-19 10:12:42:232 iCareFone Transfer<3604>:: TSDeviceStateManagerImpl::DetectUsbInsertion Enter
iCareFone Transfer.exe
Couldn't load our private device map. Device identification will be limited.
iCareFone Transfer.exe
iCareFone Transfer.exe
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://download.tenorshare.com/downloads/whatsapp-transfer_2231.exe