analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

utorrent.45231.installer.exe

Full analysis: https://app.any.run/tasks/723ea532-2d31-4030-bf86-15dc71d1898b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 24, 2019, 14:23:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

93BAF5FBCDF3B94E1084C0FAC6AEE7A0

SHA1:

4D930FD21CC1E57F6E9EC9F65BF8CFE957D5635A

SHA256:

66C6FCE626A40C758F6AAF2282474A38E95327BDD09F0D95B55100C6E6F167E9

SSDEEP:

24576:tHLR/jew2Xh6xHnTRS/c/hjscwnBoqbD0cFye5D2NuTlto4FdhnbABrqYC81z4:tFb2GY/c/hozbD0C5KNsnLFdkHC/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Runs PING.EXE for delay simulation

      • mshta.exe (PID: 2176)
    • Application was dropped or rewritten from another process

      • WebCompanionInstaller.exe (PID: 2172)
      • offer-DA1AEBF9-0C32-4EA8-8AA3-49915DD2A3B0.exe (PID: 3600)
      • utorrentie.exe (PID: 3704)
      • utorrentie.exe (PID: 680)
      • WebCompanion.exe (PID: 2792)
      • Lavasoft.WCAssistant.WinService.exe (PID: 3132)
    • Changes the autorun value in the registry

      • mshta.exe (PID: 2176)
      • uTorrent.exe (PID: 2556)
      • WebCompanion.exe (PID: 2792)
    • Changes settings of System certificates

      • WebCompanionInstaller.exe (PID: 2172)
    • Loads dropped or rewritten executable

      • WebCompanionInstaller.exe (PID: 2172)
      • WebCompanion.exe (PID: 2792)
    • Downloads executable files from the Internet

      • cscript.exe (PID: 2068)
    • Changes internet zones settings

      • WebCompanionInstaller.exe (PID: 2172)
  • SUSPICIOUS

    • Creates files in the user directory

      • mshta.exe (PID: 2176)
      • utorrent.45231.installer.exe (PID: 2552)
      • utorrent.45231.installer.exe (PID: 3632)
      • uTorrent.exe (PID: 2556)
      • WebCompanionInstaller.exe (PID: 2172)
    • Checks for external IP

      • mshta.exe (PID: 2176)
    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • utorrent.45231.installer.exe (PID: 2552)
    • Application launched itself

      • utorrent.45231.installer.exe (PID: 3632)
    • Executable content was dropped or overwritten

      • mshta.exe (PID: 2176)
      • cscript.exe (PID: 2068)
      • offer-DA1AEBF9-0C32-4EA8-8AA3-49915DD2A3B0.exe (PID: 3600)
      • uTorrent.exe (PID: 2556)
      • WebCompanionInstaller.exe (PID: 2172)
    • Executes scripts

      • mshta.exe (PID: 2176)
    • Modifies the open verb of a shell class

      • mshta.exe (PID: 2176)
      • uTorrent.exe (PID: 2556)
    • Adds / modifies Windows certificates

      • WebCompanionInstaller.exe (PID: 2172)
    • Creates a software uninstall entry

      • mshta.exe (PID: 2176)
      • WebCompanionInstaller.exe (PID: 2172)
    • Reads internet explorer settings

      • utorrentie.exe (PID: 3704)
      • utorrentie.exe (PID: 680)
    • Changes IE settings (feature browser emulation)

      • uTorrent.exe (PID: 2556)
    • Creates files in the program directory

      • WebCompanionInstaller.exe (PID: 2172)
      • WebCompanion.exe (PID: 2792)
    • Starts CMD.EXE for commands execution

      • WebCompanionInstaller.exe (PID: 2172)
    • Executed as Windows Service

      • Lavasoft.WCAssistant.WinService.exe (PID: 3132)
    • Starts SC.EXE for service management

      • WebCompanionInstaller.exe (PID: 2172)
    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 1344)
  • INFO

    • Reads internet explorer settings

      • mshta.exe (PID: 2176)
    • Manual execution by user

      • uTorrent.exe (PID: 2556)
    • Reads settings of System Certificates

      • utorrentie.exe (PID: 680)
    • Dropped object may contain Bitcoin addresses

      • WebCompanionInstaller.exe (PID: 2172)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (43.5)
.exe | Win32 EXE Yoda's Crypter (42.7)
.exe | Win32 Executable (generic) (7.2)
.exe | Generic Win/DOS Executable (3.2)
.exe | DOS Executable Generic (3.2)

EXIF

EXE

SpecialBuild: stable34 stable
ProductVersion: 3.5.5.45231
ProductName: µTorrent
LegalCopyright: ©2019 BitTorrent, Inc. All Rights Reserved.
OriginalFileName: uTorrent.exe
InternalName: uTorrent.exe
FileVersion: 3.5.5.45231
FileDescription: µTorrent
CompanyName: BitTorrent Inc.
CharacterSet: Windows, Latin1
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Unknown
FileOS: Unknown (0)
FileFlags: Special build
FileFlagsMask: 0x002b
ProductVersionNumber: 3.5.5.45231
FileVersionNumber: 3.5.5.45231
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x5002b0
UninitializedDataSize: 3387392
InitializedDataSize: 126976
CodeSize: 1855488
LinkerVersion: 14
PEType: PE32
TimeStamp: 2019:05:08 23:26:28+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 08-May-2019 21:26:28
Detected languages:
  • English - United States
  • Swedish - Sweden
CompanyName: BitTorrent Inc.
FileDescription: µTorrent
FileVersion: 3.5.5.45231
InternalName: uTorrent.exe
OriginalFilename: uTorrent.exe
LegalCopyright: ©2019 BitTorrent, Inc. All Rights Reserved.
ProductName: µTorrent
ProductVersion: 3.5.5.45231
SpecialBuild: stable34 stable

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000140

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 08-May-2019 21:26:28
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
UPX0
0x00001000
0x0033B000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
UPX1
0x0033C000
0x001C5000
0x001C5000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99987
.rsrc
0x00501000
0x0001F000
0x0001EC00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.01891

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.11079
1835
UNKNOWN
Swedish - Sweden
RT_MANIFEST
2
7.79992
1003
UNKNOWN
Swedish - Sweden
RT_HTML
3
5.79291
62
UNKNOWN
Swedish - Sweden
RT_GROUP_ICON
4
7.98271
9640
UNKNOWN
English - United States
RT_ICON
5
4.02193
20
UNKNOWN
Swedish - Sweden
RT_GROUP_ICON
6
7.98133
9640
UNKNOWN
English - United States
RT_ICON
7
7.98122
9640
UNKNOWN
English - United States
RT_ICON
8
7.97878
9640
UNKNOWN
English - United States
RT_ICON
9
7.98096
9640
UNKNOWN
English - United States
RT_ICON
10
6.4403
114
UNKNOWN
Swedish - Sweden
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
DNSAPI.dll
GDI32.dll
IPHLPAPI.DLL
KERNEL32.DLL
MSIMG32.dll
OLEAUT32.dll
PSAPI.DLL
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
68
Monitored processes
21
Malicious processes
8
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start utorrent.45231.installer.exe utorrent.45231.installer.exe mshta.exe cscript.exe no specs ping.exe no specs cscript.exe cscript.exe cscript.exe cscript.exe offer-da1aebf9-0c32-4ea8-8aa3-49915dd2a3b0.exe webcompanioninstaller.exe utorrent.exe utorrentie.exe utorrentie.exe sc.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs netsh.exe no specs webcompanion.exe lavasoft.wcassistant.winservice.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3632"C:\Users\admin\AppData\Local\Temp\utorrent.45231.installer.exe" C:\Users\admin\AppData\Local\Temp\utorrent.45231.installer.exe
explorer.exe
User:
admin
Company:
BitTorrent Inc.
Integrity Level:
MEDIUM
Description:
µTorrent
Exit code:
0
Version:
3.5.5.45231
2552"C:\Users\admin\AppData\Local\Temp\utorrent.45231.installer.exe" /HYDRA_PERMISSIONS_RESTART /HYDRA_LOG "C:\Users\admin\AppData\Local\Temp\HYD3A1F.tmp.1558707816\index.hta.log" /HYDRA_HTADIR "C:\Users\admin\AppData\Local\Temp\HYD3A1F.tmp.1558707816\HTA"C:\Users\admin\AppData\Local\Temp\utorrent.45231.installer.exe
utorrent.45231.installer.exe
User:
admin
Company:
BitTorrent Inc.
Integrity Level:
HIGH
Description:
µTorrent
Exit code:
0
Version:
3.5.5.45231
2176"C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Local\Temp\HYD3A1F.tmp.1558707816\HTA\index.hta?utorrent" "C:\Users\admin\AppData\Local\Temp\utorrent.45231.installer.exe" /LOG "C:\Users\admin\AppData\Local\Temp\HYD3A1F.tmp.1558707816\index.hta.log" /PID "2552" /CID "3vqe1CDNv2PqS7x0" /VERSION "111915183" /BUCKET "0" /SSB "4" /COUNTRY "US" /OS "6.1" /BROWSERS "\"C:\Program Files\Mozilla Firefox\firefox.exe\",\"C:\Program Files\Google\Chrome\Application\chrome.exe\",C:\Program Files\Internet Explorer\iexplore.exe,\"C:\Program Files\Opera\Opera.exe\"" /ARCHITECTURE "32" /LANG "en" /USERNAME "admin" /SID "S-1-5-21-1302019708-1500728564-335382590-1000" /CLIENT "utorrent"C:\Windows\System32\mshta.exe
utorrent.45231.installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1020"C:\Windows\System32\cscript.exe" "shell_scripts/check_if_cscript_is_working.js"C:\Windows\System32\cscript.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Console Based Script Host
Exit code:
99
Version:
5.8.7600.16385
2156"C:\Windows\System32\PING.EXE" 8.8.8.8 -n 2 -w 500C:\Windows\System32\PING.EXEmshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4032"C:\Windows\System32\cscript.exe" shell_scripts/shell_ping_after_close.js "http://i-50.b-000.XYZ.bench.utorrent.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFiZWdpbiIsInBpZCI6IjI1NTIiLCJoIjoiM3ZxZTFDRE52MlBxUzd4MCIsInYiOiIxMTE5MTUxODMiLCJiIjo0NTIzMSwiY2wiOiJ1VG9ycmVudCIsIm9zYSI6IjMyIiwic2xuZyI6ImVuIiwiZGIiOiJXaW5kb3dzIEludGVybmV0IEV4cGxvcmVyIiwiZGJ2IjoiOC4wIiwiaWJyIjpbeyJuYW1lIjoiRmlyZWZveCIsInZlcnNpb24iOiI2NS4wIiwiZXhlTmFtZSI6ImZpcmVmb3gifSx7Im5hbWUiOiJHb29nbGUgQ2hyb21lIiwidmVyc2lvbiI6IjczLjAiLCJleGVOYW1lIjoiY2hyb21lIn0seyJuYW1lIjoiV2luZG93cyBJbnRlcm5ldCBFeHBsb3JlciIsInZlcnNpb24iOiI4LjAiLCJleGVOYW1lIjoiaWV4cGxvcmUifSx7Im5hbWUiOiJPcGVyYSBJbnRlcm5ldCBCcm93c2VyIiwidmVyc2lvbiI6IjEyLjE1IiwiZXhlTmFtZSI6Im9wZXJhIn1dLCJpcCI6Ijg1LjIwMy4yMC4xMSIsImNuIjoiSXRhbHkiLCJwYWNraWQiOiJsYXZhc29mdF9iaW5nIn0=" C:\Windows\System32\cscript.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2752"C:\Windows\System32\cscript.exe" shell_scripts/shell_ping_after_close.js "http://i-50.b-000.XYZ.bench.utorrent.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFTdWNjZXNzIiwicGlkIjoiMjU1MiIsImgiOiIzdnFlMUNETnYyUHFTN3gwIiwidiI6IjExMTkxNTE4MyIsImIiOjQ1MjMxLCJjbCI6InVUb3JyZW50Iiwib3NhIjoiMzIiLCJzbG5nIjoiZW4iLCJkYiI6IldpbmRvd3MgSW50ZXJuZXQgRXhwbG9yZXIiLCJkYnYiOiI4LjAiLCJpYnIiOlt7Im5hbWUiOiJGaXJlZm94IiwidmVyc2lvbiI6IjY1LjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJ2ZXJzaW9uIjoiNzMuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiJXaW5kb3dzIEludGVybmV0IEV4cGxvcmVyIiwidmVyc2lvbiI6IjguMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9LHsibmFtZSI6Ik9wZXJhIEludGVybmV0IEJyb3dzZXIiLCJ2ZXJzaW9uIjoiMTIuMTUiLCJleGVOYW1lIjoib3BlcmEifV0sImlwIjoiODUuMjAzLjIwLjExIiwiY24iOiJJdGFseSIsInBhY2tpZCI6ImxhdmFzb2Z0X2JpbmcifQ==" C:\Windows\System32\cscript.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2524"C:\Windows\System32\cscript.exe" shell_scripts/shell_ping_after_close.js "http://i-50.b-000.XYZ.bench.utorrent.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJvZmZlciIsInBpZCI6IjI1NTIiLCJoIjoiM3ZxZTFDRE52MlBxUzd4MCIsInYiOiIxMTE5MTUxODMiLCJiIjo0NTIzMSwiY2wiOiJ1VG9ycmVudCIsIm9zYSI6IjMyIiwic2xuZyI6ImVuIiwiZGIiOiJXaW5kb3dzIEludGVybmV0IEV4cGxvcmVyIiwiZGJ2IjoiOC4wIiwiaWJyIjpbeyJuYW1lIjoiRmlyZWZveCIsInZlcnNpb24iOiI2NS4wIiwiZXhlTmFtZSI6ImZpcmVmb3gifSx7Im5hbWUiOiJHb29nbGUgQ2hyb21lIiwidmVyc2lvbiI6IjczLjAiLCJleGVOYW1lIjoiY2hyb21lIn0seyJuYW1lIjoiV2luZG93cyBJbnRlcm5ldCBFeHBsb3JlciIsInZlcnNpb24iOiI4LjAiLCJleGVOYW1lIjoiaWV4cGxvcmUifSx7Im5hbWUiOiJPcGVyYSBJbnRlcm5ldCBCcm93c2VyIiwidmVyc2lvbiI6IjEyLjE1IiwiZXhlTmFtZSI6Im9wZXJhIn1dLCJpcCI6Ijg1LjIwMy4yMC4xMSIsImNuIjoiSXRhbHkiLCJvZmZlcnR5cGUiOiJwcmltYXJ5IiwicHJvdmlkZXIiOiJsYXZhc29mdF9iaW5nIiwib2ZmZXIiOiJsYXZhc29mdF9iaW5nIiwib2ZmZXJyZXN1bHQiOjF9" C:\Windows\System32\cscript.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2068"C:\Windows\System32\cscript.exe" shell_scripts/shell_install_offer.js "C:/Users/admin/AppData/Local/Temp/HYD3A1F.tmp.1558707816/sideLog.log" "lavasoft_bing" "http://webcompanion.com/nano_download.php?partner=BT170902" "--silent%20--partner%3DBT170902%20--homepage%3D1%20--search%3D1" "0" "admin" "admin"C:\Windows\System32\cscript.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3600"C:\Users\admin\AppData\Local\Temp\offer-DA1AEBF9-0C32-4EA8-8AA3-49915DD2A3B0.exe" --silent --partner=BT170902 --homepage=1 --search=1C:\Users\admin\AppData\Local\Temp\offer-DA1AEBF9-0C32-4EA8-8AA3-49915DD2A3B0.exe
cscript.exe
User:
admin
Company:
Lavasoft
Integrity Level:
HIGH
Description:
Web Companion Installer
Version:
4.7.1987.3881
Total events
2 246
Read events
1 976
Write events
0
Delete events
0

Modification events

No data
Executable files
78
Suspicious files
18
Text files
101
Unknown types
4

Dropped files

PID
Process
Filename
Type
3632utorrent.45231.installer.exeC:\Users\admin\AppData\Local\Temp\utt38F5.tmp
MD5:
SHA256:
3632utorrent.45231.installer.exeC:\Users\admin\AppData\Roaming\uTorrent\settings.dat.new
MD5:
SHA256:
3632utorrent.45231.installer.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\1f91d2d17ea675d4c2c3192e241743f9_90059c37-1320-41a4-b58d-2b75a9850d2fbinary
MD5:354ED1BE88B782FC192F27E695921A2A
SHA256:D60199E98844AD53BADAAB84ED033FFBC40AFBA1F2967E973C32829D0AB7EC99
3632utorrent.45231.installer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@localhost[1].txttext
MD5:2349784957088622B3E58E227F710431
SHA256:68765A98C2DA4BE53D9597B271F7BA221CDA2553CB2CCFD728ECCCC087F4FF8D
3632utorrent.45231.installer.exeC:\Users\admin\AppData\Roaming\uTorrent\settings.datbinary
MD5:BEBFFCACBBB56CD62966F3EF425E1747
SHA256:3981F0088321E63EC910816A04D04B920519EBAFA9BFB7EB726A3094B5E95FA4
3632utorrent.45231.installer.exeC:\Users\admin\AppData\Local\Temp\HYD3A1F.tmp.1558707816\HTA\i18n\it.jsonhtml
MD5:985938F0DF5251B549A1B99DBAC1F69C
SHA256:ACA4F9BF79A3F84AE6A9D36680DF5D182AC93B1AA649775E1618B49FBD22A34B
3632utorrent.45231.installer.exeC:\Users\admin\AppData\Local\Temp\HYD3A1F.tmp.1558707816\index.hta.logtext
MD5:2B632A88AF93F552846FDBF6890E8613
SHA256:2B1D8F74B6B7EF3811B62E9320953577A736ED64AB9DD5C3E2390D994A10D234
3632utorrent.45231.installer.exeC:\Users\admin\AppData\Local\Temp\HYD3A1F.tmp.1558707816\HTA\images\bt_icon_48px.pngimage
MD5:6B6BD42C4A13B48F45A9F278B23D6B2B
SHA256:7C5123103DC089C1912B1EAE0BBBE2B7C32E39ECF83649A53A8E9F3AEA960602
3632utorrent.45231.installer.exeC:\Users\admin\AppData\Local\Temp\HYD3A1F.tmp.1558707816\HTA\i18n\pt.jsonhtml
MD5:FB63D52AC25CD3D272365FA75F74C279
SHA256:E39D6A57D2F16E60C4075D07741DADD6A2742A85ACEB250083D7AB103279F737
3632utorrent.45231.installer.exeC:\Users\admin\AppData\Local\Temp\HYD3A1F.tmp.1558707816\HTA\i18n\ru.jsonhtml
MD5:4F268BCA1F6AF01246F257A141CEC972
SHA256:28B880822283482194EA9B4B94552A94E35F659CF026F592173ED46FCF3A91F4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
92
TCP/UDP connections
165
DNS requests
33
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3632
utorrent.45231.installer.exe
GET
200
67.215.238.66:80
http://download-lb.utorrent.com/endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/111915183/
US
compressed
761 Kb
whitelisted
2752
cscript.exe
GET
200
54.235.208.27:80
http://i-50.b-000.xyz.bench.utorrent.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFTdWNjZXNzIiwicGlkIjoiMjU1MiIsImgiOiIzdnFlMUNETnYyUHFTN3gwIiwidiI6IjExMTkxNTE4MyIsImIiOjQ1MjMxLCJjbCI6InVUb3JyZW50Iiwib3NhIjoiMzIiLCJzbG5nIjoiZW4iLCJkYiI6IldpbmRvd3MgSW50ZXJuZXQgRXhwbG9yZXIiLCJkYnYiOiI4LjAiLCJpYnIiOlt7Im5hbWUiOiJGaXJlZm94IiwidmVyc2lvbiI6IjY1LjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJ2ZXJzaW9uIjoiNzMuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiJXaW5kb3dzIEludGVybmV0IEV4cGxvcmVyIiwidmVyc2lvbiI6IjguMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9LHsibmFtZSI6Ik9wZXJhIEludGVybmV0IEJyb3dzZXIiLCJ2ZXJzaW9uIjoiMTIuMTUiLCJleGVOYW1lIjoib3BlcmEifV0sImlwIjoiODUuMjAzLjIwLjExIiwiY24iOiJJdGFseSIsInBhY2tpZCI6ImxhdmFzb2Z0X2JpbmcifQ==
US
text
21 b
whitelisted
2552
utorrent.45231.installer.exe
GET
98.143.146.7:80
http://utorrent.com/download/langpacks/dl.php?build=45231&ref=client&client=utorrent&sys_l=en&sel_l=-1&tk=stable34
US
whitelisted
2556
uTorrent.exe
GET
173.254.195.58:80
http://update.bittorrent.com/time.php
US
whitelisted
3632
utorrent.45231.installer.exe
POST
54.225.194.96:80
http://i-50.b-000.xyz.bench.utorrent.com/e?i=50
US
whitelisted
2068
cscript.exe
GET
200
104.17.178.102:80
http://webcompanion.com/nano_download.php?partner=BT170902
US
executable
347 Kb
malicious
3632
utorrent.45231.installer.exe
POST
200
54.225.194.96:80
http://i-50.b-000.xyz.bench.utorrent.com/e?i=50
US
text
21 b
whitelisted
2176
mshta.exe
GET
200
185.194.141.58:80
http://ip-api.com/json?callback=jQuery191038992254780308044_1558707820092&_=1558707820093
DE
text
329 b
shared
2552
utorrent.45231.installer.exe
POST
200
54.235.208.27:80
http://i-50.b-000.xyz.bench.utorrent.com/e?i=50
US
text
21 b
whitelisted
2556
uTorrent.exe
GET
200
87.248.202.1:80
http://cdn.ap.bittorrent.com/control/tags/ut.json
IT
text
8.72 Kb
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3632
utorrent.45231.installer.exe
54.225.194.96:80
i-50.b-000.xyz.bench.utorrent.com
Amazon.com, Inc.
US
whitelisted
2176
mshta.exe
185.194.141.58:80
ip-api.com
netcup GmbH
DE
unknown
3632
utorrent.45231.installer.exe
67.215.238.66:80
download-lb.utorrent.com
QuadraNet, Inc
US
suspicious
2552
utorrent.45231.installer.exe
54.235.208.27:80
i-50.b-000.xyz.bench.utorrent.com
Amazon.com, Inc.
US
whitelisted
2752
cscript.exe
54.235.208.27:80
i-50.b-000.xyz.bench.utorrent.com
Amazon.com, Inc.
US
whitelisted
2552
utorrent.45231.installer.exe
54.225.194.96:80
i-50.b-000.xyz.bench.utorrent.com
Amazon.com, Inc.
US
whitelisted
4032
cscript.exe
54.225.194.96:80
i-50.b-000.xyz.bench.utorrent.com
Amazon.com, Inc.
US
whitelisted
3632
utorrent.45231.installer.exe
54.243.113.215:80
i-50.b-000.xyz.bench.utorrent.com
Amazon.com, Inc.
US
suspicious
2552
utorrent.45231.installer.exe
98.143.146.7:80
utorrent.com
QuadraNet, Inc
US
suspicious
2524
cscript.exe
54.235.208.27:80
i-50.b-000.xyz.bench.utorrent.com
Amazon.com, Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
router.bittorrent.com
  • 67.215.246.10
shared
router.utorrent.com
  • 82.221.103.244
whitelisted
i-50.b-000.xyz.bench.utorrent.com
  • 54.225.194.96
  • 23.21.43.186
  • 23.21.92.252
  • 50.17.220.153
  • 23.23.85.1
  • 54.235.208.27
  • 23.21.139.158
  • 54.197.251.114
  • 54.243.113.215
  • 174.129.255.167
  • 107.22.221.32
  • 107.20.217.71
whitelisted
download-lb.utorrent.com
  • 67.215.238.66
whitelisted
ip-api.com
  • 185.194.141.58
shared
utorrent.com
  • 98.143.146.7
whitelisted
webcompanion.com
  • 104.17.178.102
  • 104.17.177.102
malicious
i-21.b-45231.ut.bench.utorrent.com
  • 23.21.139.158
  • 23.21.43.186
  • 54.225.194.96
  • 23.21.92.252
  • 54.235.208.27
  • 54.197.251.114
  • 23.23.85.1
  • 50.17.220.153
suspicious
apps.bittorrent.com
  • 178.79.208.1
  • 87.248.202.1
whitelisted
update.bittorrent.com
  • 173.254.195.58
whitelisted

Threats

PID
Process
Class
Message
3632
utorrent.45231.installer.exe
Misc activity
APP [PTsecurity] uTorrent Hydra Client POST JSON
3632
utorrent.45231.installer.exe
Misc activity
APP [PTsecurity] P2P uTorrent Hydra Client
3632
utorrent.45231.installer.exe
Misc activity
APP [PTsecurity] uTorrent Hydra Client POST JSON
3632
utorrent.45231.installer.exe
Misc activity
APP [PTsecurity] P2P uTorrent Hydra Client
3632
utorrent.45231.installer.exe
Misc activity
APP [PTsecurity] uTorrent Hydra Client POST JSON
3632
utorrent.45231.installer.exe
Misc activity
APP [PTsecurity] P2P uTorrent Hydra Client
3632
utorrent.45231.installer.exe
Misc activity
APP [PTsecurity] uTorrent Hydra Client response_code
3632
utorrent.45231.installer.exe
Misc activity
APP [PTsecurity] uTorrent Hydra Client response_code
2552
utorrent.45231.installer.exe
Misc activity
APP [PTsecurity] P2P uTorrent Hydra Client
2552
utorrent.45231.installer.exe
Misc activity
APP [PTsecurity] uTorrent Hydra Client POST JSON
7 ETPRO signatures available at the full report
Process
Message
WebCompanionInstaller.exe
Detecting windows culture
WebCompanionInstaller.exe
5/24/2019 3:24:08 PM :-> Starting installer 4.7.1987.3881 with: .\WebCompanionInstaller.exe --partner=BT170902 --version=4.7.1987.3881 --prod --silent --partner=BT170902 --homepage=1 --search=1, Run as admin: True
WebCompanionInstaller.exe
Preparing for installing Web Companion
WebCompanionInstaller.exe
5/24/2019 3:24:09 PM :-> Generating Machine and Install Id ...
WebCompanionInstaller.exe
5/24/2019 3:24:09 PM :-> Machine Id and Install Id has been generated
WebCompanionInstaller.exe
5/24/2019 3:24:09 PM :-> Checking prerequisites ...
WebCompanionInstaller.exe
5/24/2019 3:24:09 PM :-> Antivirus not detected
WebCompanionInstaller.exe
5/24/2019 3:24:09 PM :-> vm_check False
WebCompanionInstaller.exe
5/24/2019 3:24:10 PM :-> reg_check :False
WebCompanionInstaller.exe
5/24/2019 3:24:11 PM :-> Installed .Net framework is V40