File name:

btweb_installer.exe

Full analysis: https://app.any.run/tasks/8a779886-d7a8-4109-9d98-410e6eefbfd4
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 27, 2024, 21:33:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-scr
arch-doc
arch-html
bittorrent
loader
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

99752B8510DDEA1E0401E3BBBDA61B16

SHA1:

CC445A95D96BE2F1E21855A1DA2C68C432470435

SHA256:

13F00A9FBEEE586DAC4D30F30BA2874C6AEFDEECD398DA7C5BCB9A48E2995070

SSDEEP:

98304:GtQmBXjM/pFJW9RXY7FdLtfdTeWIH2PXbce/Unba+O+CB3jD954:eV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • btweb.exe (PID: 1796)
    • BITTORRENT has been detected (SURICATA)

      • btweb.exe (PID: 1796)
    • Actions looks like stealing of personal data

      • servicehost.exe (PID: 7796)
      • uihost.exe (PID: 7016)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • btweb_installer.exe (PID: 6056)
      • beta (PID: 628)
      • btweb.exe (PID: 1796)
      • installer.exe (PID: 6620)
      • installer.exe (PID: 6416)
    • Starts application with an unusual extension

      • btweb_installer.exe (PID: 6056)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • beta (PID: 628)
    • The process creates files with name similar to system file names

      • beta (PID: 628)
      • installer.exe (PID: 6416)
      • servicehost.exe (PID: 7796)
    • Process drops legitimate windows executable

      • beta (PID: 628)
      • installer.exe (PID: 6416)
    • Creates a software uninstall entry

      • beta (PID: 628)
      • installer.exe (PID: 6416)
      • servicehost.exe (PID: 7796)
    • Reads security settings of Internet Explorer

      • beta (PID: 628)
      • saBSI.exe (PID: 4320)
      • btweb_installer.exe (PID: 6056)
      • btweb.exe (PID: 1796)
      • installer.exe (PID: 6416)
      • uihost.exe (PID: 7016)
    • Checks Windows Trust Settings

      • saBSI.exe (PID: 4320)
      • btweb.exe (PID: 1796)
      • installer.exe (PID: 6416)
      • servicehost.exe (PID: 7796)
      • uihost.exe (PID: 7016)
      • updater.exe (PID: 7460)
    • The process verifies whether the antivirus software is installed

      • saBSI.exe (PID: 4320)
      • installer.exe (PID: 6620)
      • installer.exe (PID: 6416)
      • uihost.exe (PID: 7016)
      • updater.exe (PID: 7460)
      • servicehost.exe (PID: 7796)
      • cmd.exe (PID: 7176)
      • cmd.exe (PID: 2084)
      • cmd.exe (PID: 7172)
    • Adds/modifies Windows certificates

      • saBSI.exe (PID: 4320)
      • btweb.exe (PID: 1796)
      • servicehost.exe (PID: 7796)
    • Potential Corporate Privacy Violation

      • btweb.exe (PID: 1796)
    • Creates/Modifies COM task schedule object

      • installer.exe (PID: 6416)
    • Executes as Windows Service

      • servicehost.exe (PID: 7796)
    • Reads Mozilla Firefox installation path

      • servicehost.exe (PID: 7796)
      • uihost.exe (PID: 7016)
    • Hides command output

      • cmd.exe (PID: 7172)
    • Searches for installed software

      • updater.exe (PID: 7460)
    • Starts CMD.EXE for commands execution

      • servicehost.exe (PID: 7796)
      • updater.exe (PID: 7460)
  • INFO

    • Checks supported languages

      • btweb_installer.exe (PID: 6056)
      • beta (PID: 628)
      • saBSI.exe (PID: 4320)
      • btweb.exe (PID: 1796)
      • installer.exe (PID: 6620)
      • identity_helper.exe (PID: 3836)
      • helper.exe (PID: 7116)
      • installer.exe (PID: 6416)
      • btweb.exe (PID: 6824)
      • btweb.exe (PID: 8112)
      • servicehost.exe (PID: 7796)
      • uihost.exe (PID: 7016)
      • btweb.exe (PID: 6944)
      • updater.exe (PID: 7460)
      • btweb.exe (PID: 4764)
      • btweb.exe (PID: 8084)
      • btweb.exe (PID: 6724)
      • btweb.exe (PID: 7244)
      • btweb.exe (PID: 7948)
    • The sample compiled with english language support

      • btweb_installer.exe (PID: 6056)
      • beta (PID: 628)
      • installer.exe (PID: 6620)
      • btweb.exe (PID: 1796)
      • installer.exe (PID: 6416)
    • Reads the computer name

      • btweb_installer.exe (PID: 6056)
      • beta (PID: 628)
      • saBSI.exe (PID: 4320)
      • btweb.exe (PID: 1796)
      • helper.exe (PID: 7116)
      • installer.exe (PID: 6416)
      • servicehost.exe (PID: 7796)
      • identity_helper.exe (PID: 3836)
      • uihost.exe (PID: 7016)
      • updater.exe (PID: 7460)
    • Reads the machine GUID from the registry

      • btweb_installer.exe (PID: 6056)
      • saBSI.exe (PID: 4320)
      • btweb.exe (PID: 1796)
      • installer.exe (PID: 6416)
      • servicehost.exe (PID: 7796)
      • uihost.exe (PID: 7016)
      • updater.exe (PID: 7460)
    • Sends debugging messages

      • btweb_installer.exe (PID: 6056)
      • saBSI.exe (PID: 4320)
      • installer.exe (PID: 6416)
    • Checks proxy server information

      • btweb_installer.exe (PID: 6056)
      • beta (PID: 628)
      • saBSI.exe (PID: 4320)
      • btweb.exe (PID: 1796)
    • Create files in a temporary directory

      • btweb_installer.exe (PID: 6056)
      • beta (PID: 628)
      • saBSI.exe (PID: 4320)
      • installer.exe (PID: 6416)
    • Reads the software policy settings

      • btweb_installer.exe (PID: 6056)
      • saBSI.exe (PID: 4320)
      • btweb.exe (PID: 1796)
      • installer.exe (PID: 6416)
      • servicehost.exe (PID: 7796)
      • uihost.exe (PID: 7016)
      • updater.exe (PID: 7460)
    • Creates files or folders in the user directory

      • beta (PID: 628)
      • btweb.exe (PID: 1796)
      • helper.exe (PID: 7116)
    • The process uses the downloaded file

      • btweb_installer.exe (PID: 6056)
    • Creates files in the program directory

      • saBSI.exe (PID: 4320)
      • installer.exe (PID: 6620)
      • installer.exe (PID: 6416)
      • servicehost.exe (PID: 7796)
      • uihost.exe (PID: 7016)
    • Process checks computer location settings

      • btweb_installer.exe (PID: 6056)
      • servicehost.exe (PID: 7796)
    • Application launched itself

      • msedge.exe (PID: 6372)
      • msedge.exe (PID: 6632)
      • msedge.exe (PID: 7304)
    • Manual execution by a user

      • msedge.exe (PID: 6632)
      • btweb.exe (PID: 8112)
      • btweb.exe (PID: 6824)
      • btweb.exe (PID: 4764)
      • btweb.exe (PID: 7244)
      • btweb.exe (PID: 6944)
      • btweb.exe (PID: 6724)
      • btweb.exe (PID: 8084)
      • btweb.exe (PID: 7948)
    • Reads Environment values

      • identity_helper.exe (PID: 3836)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (18)
.exe | Win32 Executable (generic) (2.9)
.exe | Generic Win/DOS Executable (1.3)
.exe | DOS Executable Generic (1.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:11:26 08:53:21+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.39
CodeSize: 2194432
InitializedDataSize: 2393600
UninitializedDataSize: -
EntryPoint: 0x1cc6c8
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.2.0.11262
ProductVersionNumber: 3.2.0.11262
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Bit Torrent Web
FileDescription: Bit Torrent Web
FileVersion: 3.2.0.11262
LegalCopyright: (c) Bit Torrent Web
ProductName: Bit Torrent Web
ProductVersion: 3.2.0.11262
No data.
All screenshots are available in the full report
Total processes
216
Monitored processes
79
Malicious processes
10
Suspicious processes
1

Behavior graph

start btweb_installer.exe beta sabsi.exe #BITTORRENT btweb.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs installer.exe msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs helper.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs installer.exe msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs btweb.exe no specs servicehost.exe btweb.exe no specs uihost.exe btweb.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs updater.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs btweb.exe no specs btweb.exe no specs btweb.exe no specs msedge.exe no specs btweb.exe no specs btweb.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs btweb_installer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
628
CMD:
"C:\Users\admin\AppData\Local\Temp\ISV6B5F.tmp\beta" /S
Path:
C:\Users\admin\AppData\Local\Temp\ISV6B5F.tmp\beta
Parent process:
btweb_installer.exe
User:
admin
Company:
BitTorrent Limited
Integrity Level:
HIGH
Description:
BitTorrent Web
Exit code:
0
Version:
1.4.0.6042
Modules
Images
c:\users\admin\appdata\local\temp\isv6b5f.tmp\beta
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
1220
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5588 --field-trial-handle=2404,i,9020097508987941138,8619118836915769399,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1796
CMD:
"C:\Users\admin\AppData\Roaming\BitTorrent Web\btweb.exe" /RUNONSTARTUP
Path:
C:\Users\admin\AppData\Roaming\BitTorrent Web\btweb.exe
Parent process:
btweb_installer.exe
User:
admin
Company:
BitTorrent Limited
Integrity Level:
HIGH
Description:
BitTorrent Web
Version:
1.4.0.6042
Modules
Images
c:\users\admin\appdata\roaming\bittorrent web\btweb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\rpcrt4.dll
PID:
2084
CMD:
C:\WINDOWS\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"
Path:
C:\Windows\System32\cmd.exe
Parent process:
updater.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID:
2132
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4056 --field-trial-handle=2336,i,7408277425239676372,1863012987370225651,262144 --variations-seed-version /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2956
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2956
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://btweb.rainberrytv.com/gui/index.html?v=1.4.0.6042&localauth=localapif1cc5c0b3034c00:
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
btweb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
3032
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5252 --field-trial-handle=2404,i,9020097508987941138,8619118836915769399,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
3816
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4076 --field-trial-handle=2404,i,9020097508987941138,8619118836915769399,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
3836
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4904 --field-trial-handle=2404,i,9020097508987941138,8619118836915769399,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcp_win.dll
Total events
39 065
Read events
38 759
Write events
291
Delete events
15

Modification events

(PID) Process: (628) beta
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\btweb
Operation: write
Name: UninstallString
Value:
"C:\Users\admin\AppData\Roaming\BitTorrent Web\Uninstall.exe"

(PID) Process: (628) beta
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\btweb
Operation: write
Name: QuietUninstallString
Value:
"C:\Users\admin\AppData\Roaming\BitTorrent Web\Uninstall.exe" /S

(PID) Process: (628) beta
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\btweb
Operation: write
Name: DisplayIcon
Value:
C:\Users\admin\AppData\Roaming\BitTorrent Web\uninstall.ico

(PID) Process: (628) beta
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\btweb
Operation: write
Name: DisplayName
Value:
BitTorrent Web

(PID) Process: (628) beta
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\btweb
Operation: write
Name: Publisher
Value:
BitTorrent Limited

(PID) Process: (628) beta
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\btweb
Operation: write
Name: DisplayVersion
Value:
1.4.0

(PID) Process: (628) beta
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\btweb
Operation: write
Name: NoModify
Value:
1

(PID) Process: (628) beta
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\btweb
Operation: write
Name: NoRepair
Value:
1

(PID) Process: (628) beta
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (628) beta
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:
Executable files
43
Suspicious files
662
Text files
1 086
Unknown types
13

Dropped files

PID | Process | Filename | Type
628 | beta | C:\Users\admin\AppData\Local\Temp\nsmB615.tmp\UAC.dll | executable
MD5: ADB29E6B186DAA765DC750128649B63D
SHA256: 2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08
628 | beta | C:\Users\admin\AppData\Local\Temp\nsmB615.tmp\System.dll | executable
MD5: CFF85C549D536F651D4FB8387F1976F2
SHA256: 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
6056 | btweb_installer.exe | C:\Users\admin\AppData\Local\Temp\ISV6B5F.tmp\beta | executable
MD5: C93201E44A7776FDDFD818DAB97B6B5E
SHA256: 9A3C155AA5BEBD489FFFDEFDFA4C38EDEE7F92F9D778E841105920A5ADD236EE
628 | beta | C:\Users\admin\AppData\Roaming\BitTorrent Web\localization\pt.lang | text
MD5: 05D4FF65054267991CDD36FBA52E4568
SHA256: C69916FA2B4ABC31BEC44675AFD695644B23D8A33C16521873F186AE4DBDA899
628 | beta | C:\Users\admin\AppData\Roaming\BitTorrent Web\webui\version.txt | text
MD5: 646301F56A97AABEE83F521011A15A97
SHA256: 5EA8BEFF4EB03A1AEAE8E4645FBE1536171BA059EDF48D05ABBD90D6B4FE33FE
628 | beta | C:\Users\admin\AppData\Roaming\BitTorrent Web\localization\fr.lang | text
MD5: 11A3F9F9D7F238D2B1E8D7699DBAFF02
SHA256: 53656932C41719FCD2B809CC3FB84F40EC39DB344E527450D8A830E271E49A28
628 | beta | C:\Users\admin\AppData\Roaming\BitTorrent Web\localization\es-la.lang | text
MD5: 3205881F5139242227F5513E80091461
SHA256: 80A398E4A040FC95F40167FF18E8866625F74FF2230C5C181E8DA985641D0C95
628 | beta | C:\Users\admin\AppData\Roaming\BitTorrent Web\localization\de.lang | text
MD5: 3ABF457A7FD0E7AB549062003EAF5E5F
SHA256: 2773849568EFFA2BA7FFBF628E89C75F7887FC779C2434AEF22FBA3F88A84082
628 | beta | C:\Users\admin\AppData\Roaming\BitTorrent Web\localization\ja.lang | text
MD5: DFEB12CE9BC026EE96FB3B8EF0BACA52
SHA256: B5F2D311F859E1403189EE0CC18F6B45D0EA474CE6AD17F5368D9A4EBF624748
628 | beta | C:\Users\admin\AppData\Roaming\BitTorrent Web\localization\it.lang | text
MD5: 8174C1F56BF731097B872A9FDF499EDF
SHA256: EC1E9FA1CD24181AEB7695BFFEF8AB782CE89962782A8E48169E1BA364D0F82F
HTTP(S) requests
53
TCP/UDP connections
343
DNS requests
175
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.48.23.147:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
628
beta
POST
200
44.194.12.79:80
http://i-4102.b-6042.btweb.bench.utorrent.com/e?i=4102
unknown
whitelisted
628
beta
POST
200
44.194.12.79:80
http://i-4102.b-6042.btweb.bench.utorrent.com/e?i=4102
unknown
whitelisted
2132
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2132
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4224
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
1796
btweb.exe
GET
200
41.63.96.2:80
http://btinstall-artifacts.bittorrent.com/helper_ui/helper_web_ui.btinstall
unknown
shared

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3464
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.48.23.147:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
6056
btweb_installer.exe
3.160.40.19:443
dpzkelc2ktvzi.cloudfront.net
US
unknown
3464
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
104.126.37.170:443
www.bing.com
Akamai International B.V.
DE
unknown
1176
svchost.exe
40.126.31.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.48.23.147
  • 23.48.23.156
  • 23.48.23.164
  • 23.48.23.177
  • 23.48.23.143
  • 23.48.23.173
  • 23.48.23.145
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 88.221.169.152
whitelisted
dpzkelc2ktvzi.cloudfront.net
  • 3.160.40.19
  • 3.160.40.156
  • 3.160.40.40
  • 3.160.40.163
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
www.bing.com
  • 104.126.37.170
  • 104.126.37.130
  • 104.126.37.137
  • 104.126.37.177
  • 104.126.37.145
  • 104.126.37.171
  • 104.126.37.161
  • 104.126.37.136
  • 104.126.37.162
  • 2.23.209.185
  • 2.23.209.182
  • 2.23.209.189
  • 2.23.209.176
  • 2.23.209.140
  • 2.23.209.179
  • 2.23.209.130
  • 2.23.209.133
  • 2.23.209.177
  • 2.23.209.149
  • 2.23.209.148
whitelisted
login.live.com
  • 40.126.31.73
  • 20.190.159.2
  • 20.190.159.64
  • 20.190.159.75
  • 40.126.31.69
  • 20.190.159.73
  • 20.190.159.23
  • 40.126.31.71
  • 40.126.32.76
  • 20.190.160.22
  • 20.190.160.20
  • 40.126.32.140
  • 40.126.32.68
  • 40.126.32.72
  • 20.190.160.14
  • 20.190.160.17
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
download-lb.utorrent.com
  • 67.215.238.66
whitelisted
go.microsoft.com
  • 23.35.238.131
  • 184.30.17.189
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
Misc activity
INFO [ANY.RUN] P2P BitTorrent Protocol
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Potentially Bad Traffic
ET POLICY Executable served from Amazon S3
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 4
Process
Message
btweb_installer.exe
LoadingPage
btweb_installer.exe
LicensePage
btweb_installer.exe
ProductPage
btweb_installer.exe
DownloadPageISV
btweb_installer.exe
FinishPageISV
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe
NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\ISV6B5F.tmp\saBSI\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\ISV6B5F.tmp\saBSI\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe
NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\ISV6B5F.tmp\saBSI\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\ISV6B5F.tmp\saBSI\mfeaaca.dll, WinVerifyTrust failed with 80092003