File name: utorrent.exe.malware

Full analysis: https://app.any.run/tasks/21b1ce90-e72f-4723-84b9-abb6af3b71d6
Verdict: Malicious activity
Threats:

A loader is malicious software whose job is to get onto a device and deliver further payloads. It typically profiles the infected system and then installs other threats, such as trojans or stealers. Criminals usually distribute loaders through phishing emails and links, relying on social engineering to get the user to download and run the executable, and loaders commonly use evasion and persistence techniques to avoid detection.

Analysis date: March 02, 2024, 15:56:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: AFCBEE0633928A7F3FD238028D7BBAC8
SHA1: DB1279331D529BCDE5B39BB178A6B9F8C84FA6B0
SHA256: 66DF7DA160BC791E894F752C42B2055288FAF717D053E6A912CCAED971225E4F
SSDEEP: 49152:T7HecD4dnbibBl23/LS76R8+8xEYW37x7M/abjTlgNpBLCFBIji66rSE03s4MpP3:f+cD4dnFvY9C37xA/aZgXJ/2xX+sGPzS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • utorrent.exe.malware.exe (PID: 3700)
      • utorrent.exe.malware.exe (PID: 3228)
      • utorrent.exe.malware.tmp (PID: 3932)
      • utweb_installer.exe (PID: 2580)
      • ts360Setup.exe (PID: 3776)
      • utweb.exe (PID: 2240)
    • Changes the autorun value in the registry

      • utweb.exe (PID: 2240)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • utorrent.exe.malware.exe (PID: 3700)
      • utorrent.exe.malware.exe (PID: 3228)
      • utorrent.exe.malware.tmp (PID: 3932)
      • utweb_installer.exe (PID: 2580)
      • utweb.exe (PID: 2240)
      • ts360Setup.exe (PID: 3776)
    • Reads the Windows owner or organization settings

      • utorrent.exe.malware.tmp (PID: 3932)
    • Reads settings of System Certificates

      • utorrent.exe.malware.tmp (PID: 3932)
      • utweb.exe (PID: 2240)
      • helper.exe (PID: 3692)
    • Reads the Internet Settings

      • utorrent.exe.malware.tmp (PID: 3932)
      • utweb_installer.exe (PID: 2580)
      • utweb.exe (PID: 2240)
      • ts360Setup.exe (PID: 3776)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • utweb_installer.exe (PID: 2580)
    • The process creates files with name similar to system file names

      • utweb_installer.exe (PID: 2580)
    • Process drops legitimate windows executable

      • utweb_installer.exe (PID: 2580)
    • Reads security settings of Internet Explorer

      • utweb_installer.exe (PID: 2580)
      • utorrent.exe.malware.tmp (PID: 3932)
      • ts360Setup.exe (PID: 3776)
      • utweb.exe (PID: 2240)
    • Connects to the server without a host name

      • ts360Setup.exe (PID: 3776)
    • Process requests binary or script from the Internet

      • ts360Setup.exe (PID: 3776)
    • Checks Windows Trust Settings

      • utweb.exe (PID: 2240)
  • INFO

    • Checks supported languages

      • utorrent.exe.malware.tmp (PID: 3656)
      • utorrent.exe.malware.exe (PID: 3700)
      • utorrent.exe.malware.exe (PID: 3228)
      • utorrent.exe.malware.tmp (PID: 3932)
      • utweb_installer.exe (PID: 2580)
      • ts360Setup.exe (PID: 3776)
      • utweb.exe (PID: 2240)
      • utweb.exe (PID: 2632)
      • helper.exe (PID: 3692)
      • utweb.exe (PID: 2304)
    • Reads the computer name

      • utorrent.exe.malware.tmp (PID: 3656)
      • utorrent.exe.malware.tmp (PID: 3932)
      • utweb_installer.exe (PID: 2580)
      • ts360Setup.exe (PID: 3776)
      • utweb.exe (PID: 2240)
      • helper.exe (PID: 3692)
    • Create files in a temporary directory

      • utorrent.exe.malware.exe (PID: 3228)
      • utorrent.exe.malware.exe (PID: 3700)
      • utorrent.exe.malware.tmp (PID: 3932)
      • utweb_installer.exe (PID: 2580)
      • ts360Setup.exe (PID: 3776)
    • Reads the machine GUID from the registry

      • utorrent.exe.malware.tmp (PID: 3932)
      • utweb_installer.exe (PID: 2580)
      • ts360Setup.exe (PID: 3776)
      • utweb.exe (PID: 2240)
    • Reads the software policy settings

      • utorrent.exe.malware.tmp (PID: 3932)
      • utweb.exe (PID: 2240)
    • Creates files or folders in the user directory

      • utweb_installer.exe (PID: 2580)
      • ts360Setup.exe (PID: 3776)
      • utweb.exe (PID: 2240)
      • helper.exe (PID: 3692)
    • Checks proxy server information

      • utweb_installer.exe (PID: 2580)
      • ts360Setup.exe (PID: 3776)
    • Creates a software uninstall entry

      • utweb_installer.exe (PID: 2580)
    • Manual execution by a user

      • utweb.exe (PID: 2632)
      • utweb.exe (PID: 2304)
    • Application launched itself

      • msedge.exe (PID: 1728)
      • msedge.exe (PID: 2668)
      • msedge.exe (PID: 844)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (65.1)
.exe | Win32 EXE PECompact compressed (generic) (24.6)
.dll | Win32 Dynamic Link Library (generic) (3.9)
.exe | Win32 Executable (generic) (2.6)
.exe | Win16/32 Executable Delphi generic (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:04:14 16:10:23+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 77824
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.3.0.0
ProductVersionNumber: 1.3.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: սTorrent Web®
FileVersion: 1.3
LegalCopyright: ©2022 RainBerry Inc. All Rights Reserved
OriginalFileName:
ProductName: սTorrent Web®
ProductVersion: 1.3
No data.
All screenshots are available in the full report
Total processes: 88
Monitored processes: 43
Malicious processes: 7
Suspicious processes: 1

Behavior graph

Process nodes in the graph, in launch order (nodes ANY.RUN marks "no specs" had no signatures attached): utorrent.exe.malware.exe, utorrent.exe.malware.tmp (no specs), utorrent.exe.malware.exe, utorrent.exe.malware.tmp, utweb_installer.exe, ts360setup.exe, utweb.exe, utweb.exe (no specs), then a long run of msedge.exe child processes (most "no specs"; three msedge.exe nodes carry signatures, matching PIDs 1728, 2668 and 844 in the signature list above), helper.exe, two more msedge.exe (no specs), utweb.exe (no specs), and a final run of msedge.exe processes. Process details are available by clicking a node in the full report.

Process information

PID: 572
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2228 --field-trial-handle=1236,i,1185667967185055683,10291099935638023738,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 752
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2216 --field-trial-handle=1236,i,1185667967185055683,10291099935638023738,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 844
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument https://utweb.rainberrytv.com/gui/index.html?v=1.4.0.5759&firstrun=1&localauth=localapia13cae1891f1dc08:
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: utweb.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 848
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=3656 --field-trial-handle=1236,i,1185667967185055683,10291099935638023738,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1124
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=2284 --field-trial-handle=1236,i,1185667967185055683,10291099935638023738,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1368
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4064 --field-trial-handle=1236,i,1185667967185055683,10291099935638023738,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1368
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4104 --field-trial-handle=1236,i,1185667967185055683,10291099935638023738,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1596
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc4,0xc8,0xcc,0x98,0x124,0x69f3f598,0x69f3f5a8,0x69f3f5b4
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1644
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4080 --field-trial-handle=1236,i,1185667967185055683,10291099935638023738,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1696
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=3948 --field-trial-handle=1236,i,1185667967185055683,10291099935638023738,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 30 841
Read events: 30 529
Write events: 278
Delete events: 34

Modification events

(PID) Process: (3932) utorrent.exe.malware.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write | Name: Owner
Value: 5C0F0000A8C4EA27BA6CDA01

(PID) Process: (3932) utorrent.exe.malware.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write | Name: SessionHash
Value: A7F5F71CB29165528325E1C447F51FD9E6453F3D3EEB205A04AF2963A6680A9A

(PID) Process: (3932) utorrent.exe.malware.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write | Name: Sequence
Value: 1

(PID) Process: (3932) utorrent.exe.malware.tmp
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write | Name: LanguageList
Value: en-US

(PID) Process: (3932) utorrent.exe.malware.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
Operation: delete value | Name: 9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Value: (none)

(PID) Process: (3932) utorrent.exe.malware.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: write | Name: Blob
Value: 0F00000001000000200000009065F32AFC2CFEA7F452D2D6BE94D20C877EFC1C05433D9935696193FDCC05D80300000001000000140000009F6134C5FA75E4FDDE631B232BE961D6D4B97DB6200000000100000047030000308203433082022BA00302010202147327B7C17D5AE708EF73F1F45A79D78B4E99A29F300D06092A864886F70D01010B05003031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C084469676943657274301E170D3233303932393130353030335A170D3339303530383130353030335A3031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C08446967694365727430820122300D06092A864886F70D01010105000382010F003082010A0282010100D91B7A55548F44F3E97C493153B75B055695736B184640D7335A2E6218083B5A1BEE2695209350E57A3EB76FBC604CB3B250DF3D9D0C560D1FBDFE30108D233A3C555100BE1A3F8E543C0B253E06E91B6D5F9CB3A093009BC8B4D3A0EB19DB59E56DA7E3D637847970D6C2AEB4A1FCF3896A7C080FE68759BAA62E6AAA8B7C7CBDA176DDC72F8D259A16D3469E31F19D2959904611D730D7D26FCFED789A0C49698FDFABF3F6727D08C61A073BB11E85C96486D49B0E0D38364C008A5EB964F8813C5DF004F9E76D2F8DB90702D800032674959BF0DF823785419101CEA928A10ACBAE7E48FE19202F3CB7BCF416476D17CB64C5570FCED443BD75D9F2C632FF0203010001A3533051301D0603551D0E041604145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7301F0603551D230418301680145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7300F0603551D130101FF040530030101FF300D06092A864886F70D01010B05000382010100AF2218E4CA18144728FCC76EA14958061522FD4A018BED1A4BFCC5CCE70BC6AE9DF7D3795C9A010D53628E2B6E7C10D6B07E53546235A5EE480E5A434E312154BF1E39AAC27D2C18D4F41CBBECFE4538CEF93EF62C17D187A7F720F4A9478410D09620C9F8B293B5786A5440BC0743B7B7753CF66FBA498B7E083BC267597238DC031B9BB131F997D9B8164AAED0D6E328420E53E1969DA6CD035078179677A7177BB2BF9C87CF592910CD380E8501B92040A39469C782BA383BEAE498C060FCC7C429BC10B7B6B7A0659C9BE03DC13DB46C638CF5E3B22A303726906DC8DD91C64501EBFC282A3A497EC430CACC066EE4BF9C5C8F2F2A05D0C1921A9E3E85E3

(PID) Process: (3932) utorrent.exe.malware.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: write | Name: Blob
Value: identical to the Blob written above (exact duplicate)

(PID) Process: (3932) utorrent.exe.malware.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: write | Name: Blob
Value: identical to the Blob written above (exact duplicate)

(PID) Process: (2580) utweb_installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\utweb
Operation: write | Name: UninstallString
Value: "C:\Users\admin\AppData\Roaming\uTorrent Web\Uninstall.exe"

(PID) Process: (2580) utweb_installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\utweb
Operation: write | Name: QuietUninstallString
Value: "C:\Users\admin\AppData\Roaming\uTorrent Web\Uninstall.exe" /S
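The most consequential event in that list is the Blob written by PID 3932 under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates, the enterprise (Group Policy) root store whose certificates are trusted machine-wide. The value is a Windows serialized certificate context: a sequence of property records (DWORD property id, DWORD reserved, DWORD length, data), the last of which carries the DER certificate itself. The example below is added here and is not part of ANY.RUN's report or of the sample; it decodes the Blob copied from the event above. It assumes that record layout, that the registry key name is the certificate's SHA-1 thumbprint, and uses a minimal DER walker that handles only what this certificate needs (it is not a general X.509 parser).

```python
"""Decode the certificate Blob captured in the EnterpriseCertificates\\Root registry write."""
import hashlib

# Hex of the Blob value as written by PID 3932 (copied from the report's modification events).
BLOB_HEX = (
    "0F00000001000000200000009065F32AFC2CFEA7F452D2D6BE94D20C877EFC1C05433D9935696193FDCC05D8"
    "0300000001000000140000009F6134C5FA75E4FDDE631B232BE961D6D4B97DB6"
    "200000000100000047030000"
    "308203433082022BA00302010202147327B7C17D5AE708EF73F1F45A79D78B4E99A29F300D06092A864886F70D01010B0500"
    "3031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C084469676943657274"
    "301E170D3233303932393130353030335A170D3339303530383130353030335A"
    "3031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C084469676943657274"
    "30820122300D06092A864886F70D01010105000382010F003082010A0282010100"
    "D91B7A55548F44F3E97C493153B75B055695736B184640D7335A2E6218083B5A1BEE2695209350E57A3EB76FBC604CB3B250DF3D9D0C560D1FBDFE30108D233A"
    "3C555100BE1A3F8E543C0B253E06E91B6D5F9CB3A093009BC8B4D3A0EB19DB59E56DA7E3D637847970D6C2AEB4A1FCF3896A7C080FE68759BAA62E6AAA8B7C7C"
    "BDA176DDC72F8D259A16D3469E31F19D2959904611D730D7D26FCFED789A0C49698FDFABF3F6727D08C61A073BB11E85C96486D49B0E0D38364C008A5EB964F8"
    "813C5DF004F9E76D2F8DB90702D800032674959BF0DF823785419101CEA928A10ACBAE7E48FE19202F3CB7BCF416476D17CB64C5570FCED443BD75D9F2C632FF"
    "0203010001"
    "A3533051301D0603551D0E041604145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7301F0603551D230418301680145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7300F0603551D130101FF040530030101FF"
    "300D06092A864886F70D01010B05000382010100"
    "AF2218E4CA18144728FCC76EA14958061522FD4A018BED1A4BFCC5CCE70BC6AE9DF7D3795C9A010D53628E2B6E7C10D6B07E53546235A5EE480E5A434E312154"
    "BF1E39AAC27D2C18D4F41CBBECFE4538CEF93EF62C17D187A7F720F4A9478410D09620C9F8B293B5786A5440BC0743B7B7753CF66FBA498B7E083BC267597238"
    "DC031B9BB131F997D9B8164AAED0D6E328420E53E1969DA6CD035078179677A7177BB2BF9C87CF592910CD380E8501B92040A39469C782BA383BEAE498C060FC"
    "C7C429BC10B7B6B7A0659C9BE03DC13DB46C638CF5E3B22A303726906DC8DD91C64501EBFC282A3A497EC430CACC066EE4BF9C5C8F2F2A05D0C1921A9E3E85E3"
)
REGISTRY_KEY_NAME = "9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6"   # subkey the Blob was written under

CERT_SHA1_HASH_PROP_ID = 3    # CERT_SHA1_HASH_PROP_ID
CERT_CERT_PROP_ID = 32        # CERT_CERT_PROP_ID: the encoded certificate


def parse_blob_properties(blob: bytes) -> dict:
    """Walk the serialized property records (assumed layout: propid, reserved=1, length, data)."""
    props, pos = {}, 0
    while pos + 12 <= len(blob):
        prop_id = int.from_bytes(blob[pos:pos + 4], "little")
        length = int.from_bytes(blob[pos + 8:pos + 12], "little")
        props[prop_id] = blob[pos + 12:pos + 12 + length]
        pos += 12 + length
    return props


def der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, position after it). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes) -> list:
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


_ATTR = {b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}


def parse_name(name_seq: bytes) -> dict:
    """Flatten an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) into {attr: text}."""
    out = {}
    for _, rdn_set in der_children(name_seq):
        for _, atv in der_children(rdn_set):
            (_, oid), (_, val) = der_children(atv)
            out[_ATTR.get(oid, oid.hex())] = val.decode("ascii")
    return out


def parse_certificate(der: bytes) -> dict:
    """Pull serial, issuer, subject, validity and basicConstraints.cA out of an X.509 v3 certificate."""
    _, cert, _ = der_read(der, 0)
    tbs_fields = der_children(der_children(cert)[0][1])
    if tbs_fields[0][0] == 0xA0:            # explicit [0] version, present in v3 certificates
        tbs_fields = tbs_fields[1:]
    serial, _sig_alg, issuer, validity, subject = tbs_fields[:5]
    not_before, not_after = (v.decode("ascii") for _, v in der_children(validity[1]))
    is_ca = False
    for tag, exts in tbs_fields[5:]:
        if tag != 0xA3:                     # skip subjectPublicKeyInfo; [3] holds the extensions
            continue
        for _, ext in der_children(der_children(exts)[0][1]):
            parts = der_children(ext)       # OID, optional critical BOOLEAN, OCTET STRING
            if parts[0][1] == b"\x55\x1d\x13":   # id-ce-basicConstraints
                inner = der_children(der_children(parts[-1][1])[0][1])   # SEQUENCE { cA BOOLEAN }
                is_ca = bool(inner) and inner[0][0] == 0x01 and inner[0][1] == b"\xff"
    return {
        "serial": serial[1].hex().upper(),
        "issuer": parse_name(issuer[1]),
        "subject": parse_name(subject[1]),
        "not_before": not_before,
        "not_after": not_after,
        "is_ca": is_ca,
        "self_signed": issuer[1] == subject[1],
    }


def analyze(blob_hex: str = BLOB_HEX, key_name: str = REGISTRY_KEY_NAME) -> dict:
    """Decode the Blob and check that the key name really is the SHA-1 thumbprint of the cert."""
    props = parse_blob_properties(bytes.fromhex(blob_hex))
    der = props[CERT_CERT_PROP_ID]
    info = parse_certificate(der)
    info["thumbprint"] = hashlib.sha1(der).hexdigest().upper()
    info["thumbprint_matches_key"] = (
        info["thumbprint"] == key_name.upper()
        and props[CERT_SHA1_HASH_PROP_ID].hex().upper() == key_name.upper()
    )
    return info


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

Run against the Blob from this report, the decoder returns a self-signed certificate with subject and issuer C=US, ST=Boston, O=DigiCert, basicConstraints cA=TRUE, valid from 2023-09-29 to 2039-05-08, whose SHA-1 matches the registry key name. Nothing about it is a real DigiCert root (a genuine CA does not put "Boston" in the state field, and its public roots are not installed by third-party installers), so on a live host the check to run is whether that thumbprint is present in the machine's enterprise or local Root store and who wrote it there.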
Executable files: 34
Suspicious files: 191
Text files: 111
Unknown types: 224

Dropped files

PID 3932 utorrent.exe.malware.tmp: C:\Users\admin\AppData\Local\Temp\is-AT268.tmp\Logo.png (image)
  MD5: A00CFE887E254C462AD0C6A6D3FB25B6
  SHA256: BCA0271F56F7384942FF3AFFB79FA78CCDCEABF7DDA89AD3C138226DA324CDB1
PID 3932 utorrent.exe.malware.tmp: C:\Users\admin\AppData\Local\Temp\is-AT268.tmp\license.rtf (text)
  MD5: CA9C80605FF244AE36C584FFFFA09435
  SHA256: 81C21179CB42FA44D8B7AA07925081B899F0EF5F18AC00FFB75B303309078634
PID 3700 utorrent.exe.malware.exe: C:\Users\admin\AppData\Local\Temp\is-300TQ.tmp\utorrent.exe.malware.tmp (executable)
  MD5: 68A5962ADC5171A34DAB74216F15589C
  SHA256: DA33E2011C8BAA57E11E96A4CD1D928C20B8ED4F4F01AE4630EB5ACD984590D5
PID 3228 utorrent.exe.malware.exe: C:\Users\admin\AppData\Local\Temp\is-GEBN1.tmp\utorrent.exe.malware.tmp (executable)
  MD5: 68A5962ADC5171A34DAB74216F15589C
  SHA256: DA33E2011C8BAA57E11E96A4CD1D928C20B8ED4F4F01AE4630EB5ACD984590D5
PID 3932 utorrent.exe.malware.tmp: C:\Users\admin\AppData\Local\Temp\is-AT268.tmp\is-ST1HS.tmp (image)
  MD5: 0BF20300E6DD08C19E10850B7FCAAAB8
  SHA256: F912C7CD1AB7F3C9994BCCA933E5D52A976433C93F31583574BD0C1917E50BDF
PID 2580 utweb_installer.exe: C:\Users\admin\AppData\Roaming\uTorrent Web\localization\es-la.lang (text)
  MD5: 3205881F5139242227F5513E80091461
  SHA256: 80A398E4A040FC95F40167FF18E8866625F74FF2230C5C181E8DA985641D0C95
PID 3932 utorrent.exe.malware.tmp: C:\Users\admin\AppData\Local\Temp\is-AT268.tmp\is-KHF7G.tmp (executable)
  MD5: BF80F081A1BCA709768CD5CC821AFA69
  SHA256: 7DE806589101FC194605D1050550E1F0D68EC009BB08C34D933D365E60653BD8
PID 3932 utorrent.exe.malware.tmp: C:\Users\admin\AppData\Local\Temp\is-AT268.tmp\component0 (compressed)
  MD5: CFD1E488ED32B24CE845B6D78A7814F5
  SHA256: 723FBECCE13E52F4D4053B954747F4F1131624537E292E303E27FED938538DB3
PID 2580 utweb_installer.exe: C:\Users\admin\AppData\Roaming\uTorrent Web\localization\de.lang (text)
  MD5: 3ABF457A7FD0E7AB549062003EAF5E5F
  SHA256: 2773849568EFFA2BA7FFBF628E89C75F7887FC779C2434AEF22FBA3F88A84082
PID 2580 utweb_installer.exe: C:\Users\admin\AppData\Roaming\uTorrent Web\webui\version.txt (text)
  MD5: 73F59E3F392224CEF63C8F8C0C1BA529
  SHA256: F3786FFFA82C0BBC16F5B2FB2325D99417ADC6FB399EE63A98EF091648E95506
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 74
TCP/UDP connections: 230
DNS requests: 258
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (columns the report left empty are omitted)

3776 | ts360Setup.exe | GET | 200 | 18.184.178.29:80 | http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1054&pid=WW.NewDon.CPI20230201&os=6.1&mid=b8c075ec50c0ffb37ec9c97cc27794fb&state=153 | unknown
2580 | utweb_installer.exe | POST | 200 | 52.3.133.236:80 | http://i-4101.b-5759.utweb.bench.utorrent.com/e?i=4101 | unknown | binary | 21 b
2580 | utweb_installer.exe | POST | 200 | 52.3.133.236:80 | http://i-4101.b-5759.utweb.bench.utorrent.com/e?i=4101 | unknown | binary | 21 b
3776 | ts360Setup.exe | GET | 200 | 151.236.118.173:80 | http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab | unknown | compressed | 656 b
3776 | ts360Setup.exe | GET | 200 | 18.184.178.29:80 | http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=b8c075ec50c0ffb37ec9c97cc27794fb&mod=360Installer.exe&ph=02a8342074eb25c8adb2d135e2bab7e5&p2p=1&t_id=360TS_Setup_For_Mini.cab&tads=328&tdl=656&tds=328&terr=0&tes=Status|1,ErrorCode|0,DnCount|6,HttpNum|1,DnFailCount|6,FStatus|1,P2SS|656,P2PS|0,PDMode|2&tfl=656&tp=t&tst=1&ttdl=656&ttm=2000&ttup=120&vh=1.3.0.1361&vp=1.3.0.1320&softname=360TS | unknown
3776 | ts360Setup.exe | GET | 200 | 18.184.178.29:80 | http://s.360safe.com/safei18n/query_env.htm?v611=DgY0MAEIGL0ytQABAACrXWV%2F8JZrExL%2BDtmddx7ZcL6fw2fOtDrzBr%2FaHOW5UhwA781r%2FOrORN1nUErlc97Z%2FXwpn%2B9eUf7pcNOeF6JW6%2FhM4axI4ophaxPzttR4G8SDzTrgSH4GUfsvyh95YsNLyc8VGssVj8UFng9XSEB5A%2BXKaHAunvG1AUvKw80h6P03Tf2%2BxUJVRgrGaxg0ZDLawdPdm6hcVRhCvIpoH1Dl%2FRbZ2P%2FThQgEiAfQ%2FSyl6iexpwkW%2BvQT%2F%2BwN3jlE9ZjsmF%2FTbD65GEGQb2HDsT8ErFazLLB1IYnurApR57IV7c49g4ZV%2FEz%2FWsKlTTx0tvL774nZ2xzATA8akaEvXUlzmEmV0mpTfwdG%2B0OrEq2UgesomfAc1Jm8GO%2BDORwrssPDyUb4bKMZ4Qofzj%2FuuYo3w8lG%2BGyjGeEKH84%2F7rmKN5lH2QZWYpgVE%2Bj1EcrBBRnibYFfiNQkvk0xCbfZ7zWGoryecXjbb4i8mjQLG%2FG2mIsZqHAWcrmINqMaLV7ZldY%3D | unknown
3776 | ts360Setup.exe | GET | (no code recorded) | 220.181.141.113:80 | http://220.181.141.113/index.html | unknown
3776 | ts360Setup.exe | GET | (no code recorded) | 220.181.141.113:80 | http://220.181.141.113/index.html | unknown
3776 | ts360Setup.exe | GET | (no code recorded) | 220.181.141.113:80 | http://220.181.141.113/index.html | unknown
3776 | ts360Setup.exe | GET | (no code recorded) | 220.181.141.113:80 | http://220.181.141.113/index.html | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation (columns the report left empty are omitted)

4 | System | 192.168.100.255:137 | unknown
4 | System | 192.168.100.255:138 | unknown
1080 | svchost.exe | 224.0.0.252:5355 | unknown
3932 | utorrent.exe.malware.tmp | 13.32.23.219:443 | d2tsdwh3oa6ra2.cloudfront.net | AMAZON-02 | US | unknown
3932 | utorrent.exe.malware.tmp | 108.138.2.52:443 | d3clih0vw0mcb6.cloudfront.net | AMAZON-02 | US | unknown
3932 | utorrent.exe.malware.tmp | 18.245.86.84:443 | api.playanext.com | US | unknown
3932 | utorrent.exe.malware.tmp | 18.173.206.125:443 | d3cdbtuni8ktf6.cloudfront.net | US | unknown
3932 | utorrent.exe.malware.tmp | 67.215.238.66:443 | download-lb.utorrent.com | ASN-QUADRANET-GLOBAL | US | unknown
2580 | utweb_installer.exe | 52.3.133.236:80 | i-4101.b-5759.utweb.bench.utorrent.com | AMAZON-AES | US | unknown
3776 | ts360Setup.exe | 151.236.118.173:80 | iup.360safe.com | CDNetworks LLC | RU | unknown

DNS requests

Domain | IP | Reputation

d2tsdwh3oa6ra2.cloudfront.net | 13.32.23.219 | unknown
d3clih0vw0mcb6.cloudfront.net | 108.138.2.52 | unknown
api.playanext.com | 18.245.86.84 | unknown
d3cdbtuni8ktf6.cloudfront.net | 18.173.206.125 | unknown
download-lb.utorrent.com | 67.215.238.66 | unknown
i-4101.b-5759.utweb.bench.utorrent.com | 52.3.133.236 | unknown
st.p.360safe.com | (no IP recorded) | unknown
s.360safe.com | 18.184.178.29 | unknown
iup.360safe.com | 151.236.118.173 | unknown
tr.p.360safe.com | (no IP recorded) | unknown

Threats

Class | Message (the report's PID and Process columns are empty for every alert)

Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code.jquery .com)
Not Suspicious Traffic | INFO [ANY.RUN] A free CDN for open source projects (jsdelivr .net)
Not Suspicious Traffic | INFO [ANY.RUN] Global content delivery network (unpkg .com)
Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
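Three of the report's network findings for ts360Setup.exe (PID 3776) are simple per-request rules: "Connects to the server without a host name" (the four GETs to http://220.181.141.113/index.html), "Process requests binary or script from the Internet" (the .cab fetched from iup.360safe.com) and the two ET USER_AGENTS alerts for NSIS_Inetc. The example below is added for this page, not ANY.RUN's or Suricata's code; it re-derives those three signatures from request records shaped like the HTTP table above. The records are constructed from that table, and the User-Agent column is an assumption, since the report shows only the alert name and not the header value.

```python
"""Re-derive three of the report's HTTP signatures from per-request records."""
import ipaddress
from urllib.parse import urlsplit

# Constructed from the report's HTTP requests table; the "ua" column is assumed, not taken from the page.
HTTP_LOG = [
    {"pid": 3776, "process": "ts360Setup.exe", "method": "GET", "type": "",
     "url": "http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1054&os=6.1", "ua": "NSIS_Inetc (Mozilla)"},
    {"pid": 2580, "process": "utweb_installer.exe", "method": "POST", "type": "binary",
     "url": "http://i-4101.b-5759.utweb.bench.utorrent.com/e?i=4101", "ua": "Mozilla/5.0"},
    {"pid": 3776, "process": "ts360Setup.exe", "method": "GET", "type": "compressed",
     "url": "http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab", "ua": "NSIS_Inetc (Mozilla)"},
    {"pid": 3776, "process": "ts360Setup.exe", "method": "GET", "type": "",
     "url": "http://220.181.141.113/index.html", "ua": "NSIS_Inetc (Mozilla)"},
]

PAYLOAD_TYPES = {"executable", "compressed"}
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".cab", ".msi", ".ps1", ".vbs", ".js", ".bat")


def host_is_ip_literal(url: str) -> bool:
    """True when the URL host is a bare IPv4/IPv6 address rather than a DNS name."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def requests_payload(entry: dict) -> bool:
    """A GET whose response type, or URL path extension, indicates code or an archive."""
    if entry["method"] != "GET":
        return False
    path = urlsplit(entry["url"]).path.lower()
    return entry["type"] in PAYLOAD_TYPES or path.endswith(PAYLOAD_EXTENSIONS)


# Signature name -> predicate over one request record.
SIGNATURES = {
    "Connects to the server without a host name": lambda e: host_is_ip_literal(e["url"]),
    "Observed Suspicious UA (NSIS_Inetc)": lambda e: e["ua"].startswith("NSIS_Inetc"),
    "Process requests binary or script from the Internet": requests_payload,
}


def signatures(entries: list) -> dict:
    """Return {signature name: {(process, pid), ...}}, the grouping the report's signature list uses."""
    hits = {name: set() for name in SIGNATURES}
    for entry in entries:
        for name, predicate in SIGNATURES.items():
            if predicate(entry):
                hits[name].add((entry["process"], entry["pid"]))
    return hits


if __name__ == "__main__":
    for name, procs in signatures(HTTP_LOG).items():
        print(f"{name}: {sorted(procs) or 'no hits'}")
```

Every hit lands on ts360Setup.exe (PID 3776), matching the report, while the two POSTs from utweb_installer.exe to bench.utorrent.com trigger nothing: a "binary" response to a telemetry POST is not a download. Bare-IP hosts and installer-framework user agents are weak signals on their own; they are worth alerting on here because the same process also fetches an archive and the chain started from a renamed installer.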
Process: msedge.exe
Message: [0302/155837.594:ERROR:exception_handler_server.cc(527)] ConnectNamedPipe: The pipe is being closed. (0xE8)