File name: utweb_installer.exe

Full analysis: https://app.any.run/tasks/bb2100c5-3ed3-4e8c-95b8-f4cfea82ec16
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: July 06, 2025, 03:57:53
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: adware, innosetup, delphi, inno, installer, arch-exec, loader, arch-scr, arch-doc, arch-html
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: BB5378F74928158E966188B3B47C2B41
SHA1: B73CD3D23FC9A9F8A75D76808789962C6AB7AA26
SHA256: 33C3AE03412EF16798002DF8622118B268DA620856B930BF2409B32976BDB5AB
SSDEEP: 49152:Q7HecD4dnbibBlS1F3HdlPMv7jflIgp1UEL4BBU5vezfIbaZm81j1gG6Bg+gFlex:c+cD4dnlN91M/tIW/35vezfiaZmij1gz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 7092)
    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 7092)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • utweb_installer.exe (PID: 3860)
      • utweb_installer.exe (PID: 3028)
      • utweb_installer.tmp (PID: 1296)
      • utweb_installer.exe (PID: 6780)
      • saBSI.exe (PID: 2704)
      • saBSI.exe (PID: 6260)
      • installer.exe (PID: 4312)
      • installer.exe (PID: 6700)
      • saBSI.exe (PID: 3488)
      • saBSI.exe (PID: 8992)
    • Reads security settings of Internet Explorer

      • utweb_installer.tmp (PID: 5960)
      • utweb_installer.exe (PID: 6780)
      • utweb_installer.tmp (PID: 1296)
      • saBSI.exe (PID: 2704)
      • saBSI.exe (PID: 6260)
      • installer.exe (PID: 6700)
      • uihost.exe (PID: 8392)
      • saBSI.exe (PID: 3488)
      • saBSI.exe (PID: 8992)
    • Reads the Windows owner or organization settings

      • utweb_installer.tmp (PID: 1296)
    • Mutex name with non-standard characters

      • utweb_installer.tmp (PID: 1296)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • utweb_installer.exe (PID: 6780)
    • Process drops legitimate windows executable

      • utweb_installer.exe (PID: 6780)
      • installer.exe (PID: 6700)
    • There is functionality for taking screenshot (YARA)

      • utweb_installer.tmp (PID: 1296)
    • The process creates files with name similar to system file names

      • utweb_installer.exe (PID: 6780)
      • installer.exe (PID: 6700)
    • Adds/modifies Windows certificates

      • saBSI.exe (PID: 2704)
      • servicehost.exe (PID: 760)
    • The process verifies whether the antivirus software is installed

      • saBSI.exe (PID: 6260)
      • installer.exe (PID: 4312)
      • installer.exe (PID: 6700)
      • servicehost.exe (PID: 760)
      • uihost.exe (PID: 8392)
      • updater.exe (PID: 9052)
      • cmd.exe (PID: 9104)
      • saBSI.exe (PID: 8992)
      • cmd.exe (PID: 9172)
    • Writes binary data to a Stream object (SCRIPT)

      • wscript.exe (PID: 7092)
    • Changes charset (SCRIPT)

      • wscript.exe (PID: 7092)
    • Reads data from a binary Stream object (SCRIPT)

      • wscript.exe (PID: 7092)
    • Creates/Modifies COM task schedule object

      • installer.exe (PID: 6700)
    • Creates a software uninstall entry

      • installer.exe (PID: 6700)
      • servicehost.exe (PID: 760)
    • Executes as Windows Service

      • servicehost.exe (PID: 760)
    • Reads Mozilla Firefox installation path

      • servicehost.exe (PID: 760)
      • uihost.exe (PID: 8392)
    • Searches for installed software

      • updater.exe (PID: 9052)
    • Starts CMD.EXE for commands execution

      • updater.exe (PID: 9052)
  • INFO

    • Create files in a temporary directory

      • utweb_installer.exe (PID: 3860)
      • utweb_installer.exe (PID: 3028)
      • utweb_installer.tmp (PID: 1296)
      • utweb_installer.exe (PID: 6780)
      • saBSI.exe (PID: 6260)
      • installer.exe (PID: 6700)
      • saBSI.exe (PID: 8992)
    • Checks supported languages

      • utweb_installer.exe (PID: 3860)
      • utweb_installer.tmp (PID: 5960)
      • utweb_installer.exe (PID: 3028)
      • utweb_installer.tmp (PID: 1296)
      • saBSI.exe (PID: 2704)
      • utweb_installer.exe (PID: 6780)
      • saBSI.exe (PID: 3488)
      • saBSI.exe (PID: 6260)
      • installer.exe (PID: 4312)
      • installer.exe (PID: 6700)
      • servicehost.exe (PID: 760)
      • identity_helper.exe (PID: 7228)
      • uihost.exe (PID: 8392)
      • updater.exe (PID: 9052)
      • saBSI.exe (PID: 8992)
    • Reads the computer name

      • utweb_installer.tmp (PID: 5960)
      • utweb_installer.tmp (PID: 1296)
      • utweb_installer.exe (PID: 6780)
      • saBSI.exe (PID: 2704)
      • saBSI.exe (PID: 3488)
      • saBSI.exe (PID: 6260)
      • installer.exe (PID: 6700)
      • servicehost.exe (PID: 760)
      • identity_helper.exe (PID: 7228)
      • saBSI.exe (PID: 8992)
      • uihost.exe (PID: 8392)
      • updater.exe (PID: 9052)
    • Process checks computer location settings

      • utweb_installer.tmp (PID: 5960)
      • utweb_installer.tmp (PID: 1296)
      • servicehost.exe (PID: 760)
    • Compiled with Borland Delphi (YARA)

      • utweb_installer.exe (PID: 3860)
      • utweb_installer.tmp (PID: 5960)
      • utweb_installer.exe (PID: 3028)
      • utweb_installer.tmp (PID: 1296)
    • Detects InnoSetup installer (YARA)

      • utweb_installer.tmp (PID: 5960)
      • utweb_installer.exe (PID: 3028)
      • utweb_installer.exe (PID: 3860)
      • utweb_installer.tmp (PID: 1296)
    • The sample compiled with russian language support

      • utweb_installer.tmp (PID: 1296)
    • Checks proxy server information

      • utweb_installer.tmp (PID: 1296)
      • utweb_installer.exe (PID: 6780)
      • saBSI.exe (PID: 2704)
      • saBSI.exe (PID: 6260)
      • saBSI.exe (PID: 3488)
      • saBSI.exe (PID: 8992)
      • slui.exe (PID: 7956)
    • Reads the machine GUID from the registry

      • utweb_installer.tmp (PID: 1296)
      • saBSI.exe (PID: 2704)
      • saBSI.exe (PID: 6260)
      • installer.exe (PID: 6700)
      • servicehost.exe (PID: 760)
      • saBSI.exe (PID: 3488)
      • saBSI.exe (PID: 8992)
      • uihost.exe (PID: 8392)
      • updater.exe (PID: 9052)
    • Reads the software policy settings

      • utweb_installer.tmp (PID: 1296)
      • saBSI.exe (PID: 2704)
      • saBSI.exe (PID: 6260)
      • installer.exe (PID: 6700)
      • servicehost.exe (PID: 760)
      • saBSI.exe (PID: 3488)
      • uihost.exe (PID: 8392)
      • updater.exe (PID: 9052)
      • slui.exe (PID: 7956)
      • saBSI.exe (PID: 8992)
    • Creates files or folders in the user directory

      • utweb_installer.exe (PID: 6780)
    • The sample compiled with english language support

      • utweb_installer.exe (PID: 6780)
      • utweb_installer.tmp (PID: 1296)
      • saBSI.exe (PID: 2704)
      • installer.exe (PID: 4312)
      • installer.exe (PID: 6700)
      • saBSI.exe (PID: 3488)
    • Creates a software uninstall entry

      • utweb_installer.exe (PID: 6780)
    • Manual execution by a user

      • saBSI.exe (PID: 2704)
      • saBSI.exe (PID: 2388)
      • wscript.exe (PID: 304)
      • wscript.exe (PID: 7092)
      • wscript.exe (PID: 4960)
      • iexplore.exe (PID: 6512)
      • wscript.exe (PID: 6320)
      • iexplore.exe (PID: 4400)
      • iexplore.exe (PID: 4372)
      • iexplore.exe (PID: 4540)
      • notepad.exe (PID: 7876)
      • iexplore.exe (PID: 7344)
    • Creates files in the program directory

      • saBSI.exe (PID: 2704)
      • saBSI.exe (PID: 6260)
      • installer.exe (PID: 6700)
      • installer.exe (PID: 4312)
      • servicehost.exe (PID: 760)
      • uihost.exe (PID: 8392)
      • saBSI.exe (PID: 3488)
    • JScript runtime error (SCRIPT)

      • wscript.exe (PID: 304)
      • wscript.exe (PID: 4960)
    • Application launched itself

      • msedge.exe (PID: 5436)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 7876)
    • Reads Environment values

      • identity_helper.exe (PID: 7228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (65.1)
.exe | Win32 EXE PECompact compressed (generic) (24.6)
.dll | Win32 Dynamic Link Library (generic) (3.9)
.exe | Win32 Executable (generic) (2.6)
.exe | Win16/32 Executable Delphi generic (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 14:54:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 80384
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.3.0.0
ProductVersionNumber: 1.3.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: uTorrent Web®
FileVersion: 1.3
LegalCopyright: ©2022 RainBerry Inc. All Rights Reserved
OriginalFileName:
ProductName: uTorrent Web®
ProductVersion: 1.3
No data.
All screenshots are available in the full report
Total processes: 204
Monitored processes: 63
Malicious processes: 10
Suspicious processes: 3

Behavior graph

Processes shown in the behavior graph, in the order listed ("no specs" is the report's own marker): start, utweb_installer.exe, utweb_installer.tmp (no specs), utweb_installer.exe, utweb_installer.tmp, utweb_installer.exe, sabsi.exe (no specs), sabsi.exe, sabsi.exe, sabsi.exe, wscript.exe (no specs) x4, iexplore.exe (no specs), msedge.exe (no specs), iexplore.exe (no specs), installer.exe, msedge.exe (no specs), installer.exe, iexplore.exe (no specs), msedge.exe, iexplore.exe (no specs), msedge.exe (no specs) x3, msedge.exe, msedge.exe (no specs) x6, iexplore.exe (no specs), msedge.exe (no specs) x3, notepad.exe (no specs), slui.exe, msedge.exe (no specs) x3, identity_helper.exe (no specs) x2, msedge.exe (no specs) x4, servicehost.exe, uihost.exe (no specs), sabsi.exe, updater.exe, cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), msedge.exe (no specs) x8

Process information

PID | CMD | Path | Indicators | Parent process
PID: 304
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\base64.js
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.812.10240.16384
Modules (Images):
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 760
CMD: "C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
Path: C:\Program Files\McAfee\WebAdvisor\servicehost.exe
Parent process: services.exe
User: SYSTEM
Company: McAfee, LLC
Integrity Level: SYSTEM
Description: McAfee WebAdvisor(service)
Version: 4,1,1,1054
Modules (Images):
c:\program files\mcafee\webadvisor\servicehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 1296
CMD: "C:\Users\admin\AppData\Local\Temp\is-G6HR5.tmp\utweb_installer.tmp" /SL5="$702BE,902222,823296,C:\Users\admin\Desktop\utweb_installer.exe" /SPAWNWND=$60374 /NOTIFYWND=$50252
Path: C:\Users\admin\AppData\Local\Temp\is-G6HR5.tmp\utweb_installer.tmp
Parent process: utweb_installer.exe
User: admin
Company:
Integrity Level: HIGH
Description: Setup/Uninstall
Version: 51.1052.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\is-g6hr5.tmp\utweb_installer.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 1812
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=8 -- "file:///C:/Users/admin/Desktop/old-version.html"
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1868
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6912,i,17393308138996989195,10452043834005945935,262144 --variations-seed-version --mojo-platform-channel-handle=5792 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2228
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2624,i,17393308138996989195,10452043834005945935,262144 --variations-seed-version --mojo-platform-channel-handle=2620 /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 133.0.3065.92
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2292
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=1500,i,17393308138996989195,10452043834005945935,262144 --variations-seed-version --mojo-platform-channel-handle=7660 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2388
CMD: "C:\Users\admin\Desktop\saBSI.exe"
Path: C:\Users\admin\Desktop\saBSI.exe
Parent process: explorer.exe
User: admin
Company: McAfee, LLC
Integrity Level: MEDIUM
Description: McAfee WebAdvisor(bootstrap installer)
Exit code: 3221226540
Version: 4,1,1,865
Modules (Images):
c:\users\admin\desktop\sabsi.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 2432
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4360,i,17393308138996989195,10452043834005945935,262144 --variations-seed-version --mojo-platform-channel-handle=4540 /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2704
CMD: "C:\Users\admin\Desktop\saBSI.exe"
Path: C:\Users\admin\Desktop\saBSI.exe
Parent process: explorer.exe
User: admin
Company: McAfee, LLC
Integrity Level: HIGH
Description: McAfee WebAdvisor(bootstrap installer)
Exit code: 0
Version: 4,1,1,865
Modules (Images):
c:\users\admin\desktop\sabsi.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
Total events: 53 173
Read events: 52 852
Write events: 310
Delete events: 11

Modification events

(PID) Process: (6780) utweb_installer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb | Operation: write | Name: UninstallString | Value: "C:\Users\admin\AppData\Roaming\uTorrent Web\Uninstall.exe"
(PID) Process: (6780) utweb_installer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb | Operation: write | Name: QuietUninstallString | Value: "C:\Users\admin\AppData\Roaming\uTorrent Web\Uninstall.exe" /S
(PID) Process: (6780) utweb_installer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb | Operation: write | Name: DisplayIcon | Value: C:\Users\admin\AppData\Roaming\uTorrent Web\uninstall.ico
(PID) Process: (6780) utweb_installer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb | Operation: write | Name: DisplayName | Value: uTorrent Web
(PID) Process: (6780) utweb_installer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb | Operation: write | Name: Publisher | Value: BitTorrent Limited
(PID) Process: (6780) utweb_installer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb | Operation: write | Name: DisplayVersion | Value: 1.4.0
(PID) Process: (6780) utweb_installer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb | Operation: write | Name: NoModify | Value: 1
(PID) Process: (6780) utweb_installer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb | Operation: write | Name: NoRepair | Value: 1
(PID) Process: (6780) utweb_installer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
(PID) Process: (6780) utweb_installer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value:
Executable files: 55
Suspicious files: 469
Text files: 740
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1296 | utweb_installer.tmp | C:\Users\admin\AppData\Local\Temp\is-TN59H.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
6780 | utweb_installer.exe | C:\Users\admin\AppData\Local\Temp\nsbB71C.tmp\UAC.dll | executable
MD5: ADB29E6B186DAA765DC750128649B63D
SHA256: 2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08
1296 | utweb_installer.tmp | C:\Users\admin\AppData\Local\Temp\is-TN59H.tmp\Logo.png | image
MD5: A00CFE887E254C462AD0C6A6D3FB25B6
SHA256: BCA0271F56F7384942FF3AFFB79FA78CCDCEABF7DDA89AD3C138226DA324CDB1
1296 | utweb_installer.tmp | C:\Users\admin\AppData\Local\Temp\is-TN59H.tmp\is-1BCDL.tmp | executable
MD5: F90AC5C11AA97726788246A120FD2550
SHA256: CAD49B1006DA8A23994531B755BEB3833542ED73CDE2C0A4882887EF8A1588E5
1296 | utweb_installer.tmp | C:\Users\admin\AppData\Local\Temp\is-TN59H.tmp\license.rtf | text
MD5: CA9C80605FF244AE36C584FFFFA09435
SHA256: 81C21179CB42FA44D8B7AA07925081B899F0EF5F18AC00FFB75B303309078634
1296 | utweb_installer.tmp | C:\Users\admin\AppData\Local\Temp\is-TN59H.tmp\utweb_installer.exe | executable
MD5: F90AC5C11AA97726788246A120FD2550
SHA256: CAD49B1006DA8A23994531B755BEB3833542ED73CDE2C0A4882887EF8A1588E5
1296 | utweb_installer.tmp | C:\Users\admin\AppData\Local\Temp\is-TN59H.tmp\is-QUQC6.tmp | compressed
MD5: F68008B70822BD28C82D13A289DEB418
SHA256: CC6F4FAF4E8A9F4D2269D1D69A69EA326F789620FB98078CC98597F3CB998589
1296 | utweb_installer.tmp | C:\Users\admin\AppData\Local\Temp\is-TN59H.tmp\WebAdvisor.png | image
MD5: 4CFFF8DC30D353CD3D215FD3A5DBAC24
SHA256: 0C430E56D69435D8AB31CBB5916A73A47D11EF65B37D289EE7D11130ADF25856
6780 | utweb_installer.exe | C:\Users\admin\AppData\Local\Temp\nsbB71C.tmp\FindProcDLL.dll | executable
MD5: B4FAF654DE4284A89EAF7D073E4E1E63
SHA256: C0948B2EC36A69F82C08935FAC4B212238B6792694F009B93B4BDB478C4F26E3
1296 | utweb_installer.tmp | C:\Users\admin\AppData\Local\Temp\is-TN59H.tmp\component0 | compressed
MD5: F68008B70822BD28C82D13A289DEB418
SHA256: CC6F4FAF4E8A9F4D2269D1D69A69EA326F789620FB98078CC98597F3CB998589
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 132
TCP/UDP connections: 105
DNS requests: 71
Threats: 24

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2512 | RUXIMICS.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2512 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 18.66.121.169:443 | https://d1kksgyrnjjtx0.cloudfront.net/zbd | unknown | binary | 15 b | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 18.66.121.90:443 | https://d1kksgyrnjjtx0.cloudfront.net/zbd | unknown | - | - | whitelisted
- | - | POST | 200 | 18.66.121.169:443 | https://d1kksgyrnjjtx0.cloudfront.net/o | unknown | - | - | whitelisted
- | - | GET | 200 | 18.66.121.124:443 | https://d1kksgyrnjjtx0.cloudfront.net/f/WebAdvisor/images/943/EN.png | unknown | image | 47.6 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2512 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 2.20.245.139:80 | crl.microsoft.com | Akamai International B.V. | SE | whitelisted
2512 | RUXIMICS.exe | 2.20.245.139:80 | crl.microsoft.com | Akamai International B.V. | SE | whitelisted
1268 | svchost.exe | 2.20.245.139:80 | crl.microsoft.com | Akamai International B.V. | SE | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
2512 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.46
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 2.20.245.139
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
d1kksgyrnjjtx0.cloudfront.net
  • 18.66.121.169
  • 18.66.121.124
  • 18.66.121.208
  • 18.66.121.90
whitelisted
download-lb.utorrent.com
  • 18.244.18.50
  • 18.244.18.72
  • 18.244.18.57
  • 18.244.18.73
whitelisted
i-4101.b-6042.utweb.bench.utorrent.com
  • 3.208.248.181
  • 52.21.102.38
  • 3.217.227.205
  • 3.211.27.184
  • 52.5.21.92
  • 35.153.34.213
whitelisted
analytics.apis.mcafee.com
  • 54.149.65.226
  • 54.187.17.202
  • 35.81.180.77
  • 52.36.154.235
  • 35.83.129.133
  • 54.69.148.160
  • 54.189.124.226
  • 54.190.3.86
  • 44.239.129.214
  • 44.225.226.91
  • 35.80.132.251
unknown
sadownload.mcafee.com
  • 23.48.23.40
  • 23.48.23.26
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted

Threats

PID | Process | Class | Message
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
- | - | A Network Trojan was detected | ET ADWARE_PUP Win32/OfferCore Checkin M2
- | - | A Network Trojan was detected | ET ADWARE_PUP Win32/OfferCore Checkin M1
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
- | - | A Network Trojan was detected | ET ADWARE_PUP Win32/OfferCore Checkin M2
- | - | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
- | - | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Potentially Bad Traffic | ET INFO Executable served from Amazon S3
- | - | Misc activity | ET INFO EXE - Served Attached HTTP
Process | Message
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe | NotComDllGetInterface: C:\Users\admin\Desktop\saBSI.exe loading C:\Users\admin\Desktop\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe | NotComDllGetInterface: C:\Users\admin\Desktop\saBSI.exe loading C:\Users\admin\Desktop\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe | NotComDllGetInterface: C:\Users\admin\Desktop\saBSI.exe loading C:\Users\admin\Desktop\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory