| File name: | utorrent_installer.exe |
| Full analysis: | https://app.any.run/tasks/d78754dd-1951-4caf-b2d4-c488367a0a54 |
| Verdict: | Malicious activity |
| Analysis date: | April 24, 2025, 18:27:34 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections |
| MD5: | DFC260AE851E48D6A012AE545CA4BB58 |
| SHA1: | 5C81201A0354D1CAD1A04CDCA255D6D1C29E99F9 |
| SHA256: | 401409E8DA7321FB94A1A8AC6217D2DD067007D29547257575C26A39F31E8931 |
| SSDEEP: | 98304:+GNMS/n45nef0Bw4paDYBsEL9yCBP9DGC+V0GBujawXkXCOBYVfWR8agAwBc3VsD:8V7hug |
MALICIOUS
No malicious indicators.SUSPICIOUS
Malware-specific behavior (creating "System.dll" in Temp)
- utorrent_installer.exe (PID: 7300)
The process creates files with name similar to system file names
- utorrent_installer.exe (PID: 7300)
Reads security settings of Internet Explorer
- utorrent_installer.exe (PID: 7300)
- utorrent.exe (PID: 7436)
- utorrent.exe (PID: 7556)
Executable content was dropped or overwritten
- utorrent_installer.exe (PID: 7300)
- utorrent.exe (PID: 7436)
Mutex name with non-standard characters
- utorrent.exe (PID: 7436)
Application launched itself
- utorrent.exe (PID: 7436)
There is functionality for taking screenshot (YARA)
- utorrent.exe (PID: 7436)
- utorrent_installer.exe (PID: 7300)
- utorrent.exe (PID: 7556)
Potential Corporate Privacy Violation
- utorrent.exe (PID: 7556)
INFO
The sample compiled with english language support
- utorrent_installer.exe (PID: 7300)
- utorrent.exe (PID: 7436)
- msedge.exe (PID: 4452)
Checks supported languages
- utorrent_installer.exe (PID: 7300)
- utorrent.exe (PID: 7436)
- utorrent.exe (PID: 7556)
- identity_helper.exe (PID: 7940)
Reads the computer name
- utorrent_installer.exe (PID: 7300)
- utorrent.exe (PID: 7436)
- utorrent.exe (PID: 7556)
- identity_helper.exe (PID: 7940)
Creates files or folders in the user directory
- utorrent_installer.exe (PID: 7300)
- utorrent.exe (PID: 7436)
- utorrent.exe (PID: 7556)
Process checks computer location settings
- utorrent_installer.exe (PID: 7300)
- utorrent.exe (PID: 7436)
Checks proxy server information
- utorrent_installer.exe (PID: 7300)
- utorrent.exe (PID: 7436)
- utorrent.exe (PID: 7556)
- slui.exe (PID: 7520)
Create files in a temporary directory
- utorrent_installer.exe (PID: 7300)
- utorrent.exe (PID: 7436)
- utorrent.exe (PID: 7556)
Reads the machine GUID from the registry
- utorrent.exe (PID: 7436)
- utorrent.exe (PID: 7556)
Application launched itself
- msedge.exe (PID: 7852)
- msedge.exe (PID: 8128)
UPX packer has been detected
- utorrent.exe (PID: 7436)
- utorrent.exe (PID: 7556)
Manual execution by a user
- msedge.exe (PID: 8128)
- msedge.exe (PID: 6132)
Reads the software policy settings
- slui.exe (PID: 7520)
Executable content was dropped or overwritten
- msedge.exe (PID: 4452)
Reads Environment values
- identity_helper.exe (PID: 7940)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2021:09:25 21:55:49+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 26112 |
| InitializedDataSize: | 141824 |
| UninitializedDataSize: | 2048 |
| EntryPoint: | 0x34f7 |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 3.6.0.47142 |
| ProductVersionNumber: | 3.6.0.47142 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | BitTorrent Limited |
| FileDescription: | utorrent |
| FileVersion: | 3.6.0.47142 |
| InternalName: | utorrent |
| LegalCopyright: | (c) 2023 BitTorrent Limited All Rights Reserved. |
| ProductName: | utorrent |
| ProductVersion: | 3.6.0.47142 |
Total processes
181
Monitored processes
51
Malicious processes
1
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 668 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5584 --field-trial-handle=2256,i,17609831137579969687,2372729280543108135,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 736 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --no-appcompat-clear --mojo-platform-channel-handle=3856 --field-trial-handle=2256,i,17609831137579969687,2372729280543108135,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 856 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5384 --field-trial-handle=2256,i,17609831137579969687,2372729280543108135,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 904 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3732 --field-trial-handle=2256,i,17609831137579969687,2372729280543108135,262144 --variations-seed-version /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1240 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4860 --field-trial-handle=2256,i,17609831137579969687,2372729280543108135,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1388 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5224 --field-trial-handle=2256,i,17609831137579969687,2372729280543108135,262144 --variations-seed-version /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1660 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2660 --field-trial-handle=2256,i,17609831137579969687,2372729280543108135,262144 --variations-seed-version /prefetch:3 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | msedge.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2040 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3944 --field-trial-handle=2256,i,17609831137579969687,2372729280543108135,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2236 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2736 --field-trial-handle=2256,i,17609831137579969687,2372729280543108135,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2340 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=1488 --field-trial-handle=2256,i,17609831137579969687,2372729280543108135,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
Total events
10 756
Read events
10 719
Write events
37
Delete events
0
Modification events
| (PID) Process: | (7436) utorrent.exe | Key: | HKEY_CLASSES_ROOT\FalconBetaAccount |
| Operation: | write | Name: | remote_access_client_id |
Value: 6360918805 | |||
| (PID) Process: | (7300) utorrent_installer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (7300) utorrent_installer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (7300) utorrent_installer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (7556) utorrent.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\BitTorrent |
| Operation: | write | Name: | computerID |
Value: 288D2D6268CF3363C0124DAE4ECA6FDDEE47E1815AE382FF | |||
| (PID) Process: | (7556) utorrent.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | SlowContextMenuEntries |
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000 | |||
| (PID) Process: | (7556) utorrent.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (7556) utorrent.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (7556) utorrent.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (7852) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
Executable files
20
Suspicious files
364
Text files
55
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7436 | utorrent.exe | C:\Users\admin\AppData\Local\Temp\uttCB60.tmp | — | |
MD5:— | SHA256:— | |||
| 7556 | utorrent.exe | C:\Users\admin\AppData\Local\Temp\uttCF29.tmp | — | |
MD5:— | SHA256:— | |||
| 7300 | utorrent_installer.exe | C:\Users\admin\AppData\Local\Temp\nszC1CC.tmp\nsisFirewall.dll | executable | |
MD5:F5BF81A102DE52A4ADD21B8A367E54E0 | SHA256:53BE5716AD80945CB99681D5DBDA60492F5DFB206FBFDB776B769B3EEB18D2C2 | |||
| 7300 | utorrent_installer.exe | C:\Users\admin\AppData\Local\Temp\nszC1CC.tmp\System.dll | executable | |
MD5:CFF85C549D536F651D4FB8387F1976F2 | SHA256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8 | |||
| 7300 | utorrent_installer.exe | C:\Users\admin\AppData\Local\Temp\nszC1CC.tmp\INetC.dll | executable | |
MD5:640BFF73A5F8E37B202D911E4749B2E9 | SHA256:C1E568E25EC111184DEB1B87CFDA4BFEC529B1ABEAB39B66539D998012F33502 | |||
| 7300 | utorrent_installer.exe | C:\Users\admin\AppData\Local\Temp\nszC1CC.tmp\bt_datachannel.dll | executable | |
MD5:DFCA05BEB0D6A31913C04B1314CA8B4A | SHA256:D4C4E05FADE7E76F4A2D0C9C58A6B9B82B761D9951FFDDD838C381549368E153 | |||
| 7300 | utorrent_installer.exe | C:\Users\admin\AppData\Roaming\utorrent\bt_datachannel.dll | executable | |
MD5:DFCA05BEB0D6A31913C04B1314CA8B4A | SHA256:D4C4E05FADE7E76F4A2D0C9C58A6B9B82B761D9951FFDDD838C381549368E153 | |||
| 7436 | utorrent.exe | C:\Users\admin\AppData\Roaming\utorrent\settings.dat.old | binary | |
MD5:E2A4D971CC95361CD51334921E604D57 | SHA256:4E18E35886A2485C917182B35F960A5300B43428CFE3AADE6FAC0690ABC8CDCE | |||
| 7300 | utorrent_installer.exe | C:\Users\admin\AppData\Local\Temp\nszC1CC.tmp\utwin_install.log | binary | |
MD5:BA38B9F417707A68B53F2D393099CDD8 | SHA256:31F0DB7B07CB2DA344004F2943662A3026F9FF71B5B320221C3D370562EBA746 | |||
| 7436 | utorrent.exe | C:\Users\admin\AppData\Roaming\utorrent\settings.dat | binary | |
MD5:E2A4D971CC95361CD51334921E604D57 | SHA256:4E18E35886A2485C917182B35F960A5300B43428CFE3AADE6FAC0690ABC8CDCE | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
120
TCP/UDP connections
92
DNS requests
74
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2104 | svchost.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
2104 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
7436 | utorrent.exe | POST | 200 | 44.209.208.153:80 | http://i-21.b-47142.ut.bench.utorrent.com/e?i=21 | unknown | — | — | whitelisted |
7556 | utorrent.exe | GET | 200 | 82.221.103.246:80 | http://update.utorrent.com/installoffer.php?h=aM8zY8ASTa5Oym_d&v=113358886&w=4A65000A&l=en&c=US&w64=1&db=other&cl=uTorrent&tsub=1&svp=4 | unknown | — | — | whitelisted |
7556 | utorrent.exe | GET | 200 | 82.221.103.245:80 | http://update.utorrent.li/installstats.php?cl=uTorrent&v=113358886&h=aM8zY8ASTa5Oym_d&w=4A65000A&bu=0&pr=0&cmp=0&ocmp=0&showtbexists&pid=7556&cau=0&lunv=0&tbe=0&view=win32 | unknown | — | — | whitelisted |
7436 | utorrent.exe | POST | 200 | 54.85.44.192:80 | http://i-50.b-47142.ut.bench.utorrent.com/e?i=50 | unknown | — | — | whitelisted |
7556 | utorrent.exe | GET | 200 | 82.221.103.245:80 | http://update.utorrent.li/installstats.php?cl=uTorrent&v=113358886&h=aM8zY8ASTa5Oym_d&w=4A65000A&bu=0&pr=0&cmp=0&ocmp=0&showwarning&pid=7556&cau=0&lunv=0&view=win32 | unknown | — | — | whitelisted |
— | — | GET | 200 | 52.222.236.61:443 | https://p.typekit.net/p.css?s=1&k=qne4zsu&ht=tk&f=39494.39495.39500.39501.39504.39505.39508.39509&a=17239514&app=typekit&e=css | unknown | — | — | unknown |
— | — | GET | 200 | 13.32.24.174:443 | https://www.bittorrent.com/qne4zsu.css | unknown | text | 6.06 Kb | shared |
— | — | POST | 200 | 23.50.131.78:443 | https://bzib.nelreports.net/api/report?cat=bingbusiness | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
7300 | utorrent_installer.exe | 54.85.44.192:80 | i-6000.b-47142.ut.bench.utorrent.com | AMAZON-AES | US | whitelisted |
2104 | svchost.exe | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted |
2104 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
7436 | utorrent.exe | 44.209.208.153:80 | i-6000.b-47142.ut.bench.utorrent.com | AMAZON-AES | US | whitelisted |
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7556 | utorrent.exe | 82.221.103.246:80 | update.utorrent.com | Advania Island ehf | IS | whitelisted |
7436 | utorrent.exe | 54.85.44.192:80 | i-6000.b-47142.ut.bench.utorrent.com | AMAZON-AES | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
i-6000.b-47142.ut.bench.utorrent.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
router.bittorrent.com |
| whitelisted |
router.utorrent.com |
| whitelisted |
i-21.b-47142.ut.bench.utorrent.com |
| whitelisted |
update.utorrent.com |
| whitelisted |
i-50.b-47142.ut.bench.utorrent.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
7300 | utorrent_installer.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) |
7556 | utorrent.exe | Potential Corporate Privacy Violation | ET P2P Bittorrent P2P Client User-Agent (uTorrent) |
7556 | utorrent.exe | Potential Corporate Privacy Violation | ET P2P Bittorrent P2P Client User-Agent (uTorrent) |
7556 | utorrent.exe | Potential Corporate Privacy Violation | ET P2P Bittorrent P2P Client User-Agent (uTorrent) |
— | — | Potentially Bad Traffic | ET INFO Possible Chrome Plugin install |