Malware analysis 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe Malicious activity

Add for printing

File name:	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe
Full analysis:	https://app.any.run/tasks/a86c1093-d9c2-4351-be7b-31de9ef05cd6
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	October 03, 2024, 17:59:04
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion upx loader
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:	600F20ABCC1FA9F5BDA0965D07B6855D
SHA1:	38F079CE6B51508A9E62BD7B24ED792CDE38D33B
SHA256:	7D89A16FC0D3AFA3CD78CC51E7AE6A81343CB14DE6FDCA9325142DECA5133515
SSDEEP:	49152:v+3z044n1IndbRV+IL2Ql/HsCakLF5vbzI:v+3z41CSyltFzI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Starts NET.EXE for service management
  - WebCompanionInstaller.exe (PID: 5656)
  - net.exe (PID: 6412)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
- The process executes JS scripts
  - mshta.exe (PID: 6188)
- Potential Corporate Privacy Violation
  - 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
  - 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 3396)
  - cscript.exe (PID: 6168)
  - uTorrent.exe (PID: 3832)
  - svchost.exe (PID: 6380)
- Checks for external IP
  - mshta.exe (PID: 6188)
  - svchost.exe (PID: 2256)
- Runs PING.EXE to delay simulation
  - mshta.exe (PID: 6188)
- Executable content was dropped or overwritten
  - cscript.exe (PID: 6168)
  - mshta.exe (PID: 6188)
  - offer-6A6AD7B6-8448-470C-9C74-FE57FE6FC8CA.exe (PID: 5084)
  - uTorrent.exe (PID: 3832)
  - MicrosoftEdgeWebView2Setup.exe (PID: 7248)
  - MicrosoftEdgeUpdate.exe (PID: 7880)
  - rundll32.exe (PID: 4196)
  - WebCompanionInstaller.exe (PID: 5656)
- Process drops legitimate windows executable
  - MicrosoftEdgeWebView2Setup.exe (PID: 7248)
  - MicrosoftEdgeUpdate.exe (PID: 7880)
  - uTorrent.exe (PID: 3832)
  - WebCompanionInstaller.exe (PID: 5656)
- Starts a Microsoft application from unusual location
  - MicrosoftEdgeUpdate.exe (PID: 7880)
- Starts itself from another location
  - MicrosoftEdgeUpdate.exe (PID: 7880)
- Drops 7-zip archiver for unpacking
  - WebCompanionInstaller.exe (PID: 5656)
- Drops a system driver (possible attempt to evade defenses)
  - WebCompanionInstaller.exe (PID: 5656)
  - rundll32.exe (PID: 4196)
- Uses RUNDLL32.EXE to load library
  - WebCompanionInstaller.exe (PID: 5656)
- The process drops C-runtime libraries
  - WebCompanionInstaller.exe (PID: 5656)
- Checks Windows Trust Settings
  - 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
- Mutex name with non-standard characters
  - 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
- Process requests binary or script from the Internet
  - uTorrent.exe (PID: 3832)
- Application launched itself
  - 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
INFO
- Checks supported languages
  - 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
- Process checks computer location settings
  - 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
- UPX packer has been detected
  - 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 3396)
- Create files in a temporary directory
  - 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
- Manual execution by a user
  - uTorrent.exe (PID: 3832)
- Application launched itself
  - msedge.exe (PID: 6376)
- Reads the computer name
  - 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
- Creates files or folders in the user directory
  - 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
- Reads the machine GUID from the registry
  - 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
- Checks proxy server information
  - 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	UPX compressed Win32 Executable (43.5)
.exe	\|	Win32 EXE Yoda's Crypter (42.7)
.exe	\|	Win32 Executable (generic) (7.2)
.exe	\|	Generic Win/DOS Executable (3.2)
.exe	\|	DOS Executable Generic (3.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:06:30 20:15:41+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.29
CodeSize:	1867776
InitializedDataSize:	126976
UninitializedDataSize:	3813376
EntryPoint:	0x56b240
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	3.5.5.46348
ProductVersionNumber:	3.5.5.46348
FileFlagsMask:	0x002b
FileFlags:	Special build
FileOS:	Unknown (0)
ObjectFileType:	Unknown
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	BitTorrent Inc.
FileDescription:	µTorrent
FileVersion:	3.5.5.46348
InternalName:	uTorrent.exe
OriginalFileName:	uTorrent.exe
LegalCopyright:	©2020 BitTorrent, Inc. All Rights Reserved.
ProductName:	µTorrent
ProductVersion:	3.5.5.46348
SpecialBuild:	stable34 stable

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

208

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

368

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2428 --field-trial-handle=2340,i,8322758128169251261,6034182130335980695,262144 --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

400

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7148 --field-trial-handle=2340,i,8322758128169251261,6034182130335980695,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

440

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

net.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

488

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7032 --field-trial-handle=2340,i,8322758128169251261,6034182130335980695,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

812

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x324,0x328,0x32c,0x320,0x318,0x7fffd42b5fd8,0x7fffd42b5fe4,0x7fffd42b5ff0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1060

"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{7411F74F-2257-4635-9B21-4AF1DB0B4831}" /silent

C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

—

MicrosoftEdgeUpdate.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge Update

Version:

1.3.195.19

Modules

Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll

1144

"C:\Windows\System32\cscript.exe" shell_scripts/shell_ping_after_close.js "http://i-50.b-000.XYZ.bench.utorrent.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFTdWNjZXNzIiwicGlkIjoiMzM5NiIsImgiOiIxaG1XWkNLS09FYUEwM0ZFIiwidiI6IjExMTkxNjMwMCIsImIiOjQ2MzQ4LCJjbCI6InVUb3JyZW50Iiwib3NhIjoiNjQiLCJzbG5nIjoiZW4iLCJkYiI6IiIsImRidiI6IjExLjAiLCJpYnIiOlt7Im5hbWUiOiIiLCJ2ZXJzaW9uIjoiMTIzLjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6IiIsInZlcnNpb24iOiIxMjIuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiIiLCJ2ZXJzaW9uIjoiMTEuMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9LHsibmFtZSI6IiIsInZlcnNpb24iOiIxMjIuMCIsImV4ZU5hbWUiOiJtc2VkZ2UifV0sImlwIjoiMTM4LjE5OS4zNi4xOTgiLCJjbiI6Ikdlcm1hbnkiLCJwYWNraWQiOiJsYXZhc29mdF9iaW5nIn0="

C:\Windows\SysWOW64\cscript.exe

mshta.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft ® Console Based Script Host

Exit code:

Version:

5.812.10240.16384

Modules

Images
c:\windows\syswow64\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll

1344

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

PING.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1568

"sc.exe" failure WCAssistantService reset= 30 actions= restart/60000

C:\Windows\SysWOW64\sc.exe

—

WebCompanionInstaller.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\rpcrt4.dll

1568

"C:\WINDOWS\system32\runonce.exe" -r

C:\Windows\System32\runonce.exe

—

rundll32.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Run Once Wrapper

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\runonce.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

28 623

Read events

27 591

Write events

993

Delete events

Modification events


(PID) Process:	(6524) 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	Key:	HKEY_CLASSES_ROOT\FalconBetaAccount
Operation:	write	Name:	remote_access_client_id
Value: 7115093034
(PID) Process:	(5208) cscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\cscript.exe
Operation:	write	Name:	JScriptSetScriptStateStarted
Value: 196E3F0000000000
(PID) Process:	(6188) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6188) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6188) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6188) mshta.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\MostRecentApplication
Operation:	write	Name:	Name
Value: mshta.exe
(PID) Process:	(6188) mshta.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\MostRecentApplication
Operation:	write	Name:	ID
Value:
(PID) Process:	(6188) mshta.exe	Key:	HKEY_CLASSES_ROOT\Applications\uTorrent.exe
Operation:	write	Name:	shell
Value: open
(PID) Process:	(6188) mshta.exe	Key:	HKEY_CLASSES_ROOT\Applications\uTorrent.exe\shell
Operation:	write	Name:	open
Value: "%APPDATA%\uTorrent\uTorrent.exe" "%1"
(PID) Process:	(6188) mshta.exe	Key:	HKEY_CLASSES_ROOT\Applications\uTorrent.exe\shell\open
Operation:	write	Name:	command
Value: "%APPDATA%\uTorrent\uTorrent.exe" "%1"

Add for printing

Executable files

432

Suspicious files

156

Text files

126

Unknown types

Dropped files

PID	Process	Filename		Type
6524	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	C:\Users\admin\AppData\Local\Temp\utt56C8.tmp		—
		MD5:—	SHA256:—
6524	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\1f91d2d17ea675d4c2c3192e241743f9_bb926e54-e3ca-40fd-ae90-2764341e7792		binary
		MD5:75398B4451F9ABF6BD5BC752B2694182	SHA256:8A327234B30B3CAF572D7D2DD134350257A5126AE17201D2D6C840A567CDCFDC
6524	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	C:\Users\admin\AppData\Local\Temp\HYD5CE3.tmp.1727978352\HTA\index.hta		html
		MD5:76903930C0ADE2285F1AB1BF54BE660D	SHA256:61ACD6E7405FAD348433F8DE4B12ED97B42CACCBCF28FE0E4BA4B4A5D2EA707E
6524	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	C:\Users\admin\AppData\Roaming\uTorrent\settings.dat		binary
		MD5:ED539BFF16274133C3F3E7B476BE19BA	SHA256:A19FB5A04B8BC61A01CFEAC1A05BE0B990EB51A972A41528DEDF468A48F6358E
6524	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	C:\Users\admin\AppData\Local\Temp\HYD5CE3.tmp.1727978352\HTA\i18n\br.json		binary
		MD5:F12764DFC1ADE6DB8FBAC38762A53911	SHA256:968738E0C8C5413C4CD516E04D2FC43F9FB6449C1BF44B2010E84176E462514A
6524	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	C:\Users\admin\AppData\Local\Temp\HYD5CE3.tmp.1727978352\HTA\i18n\en.json		binary
		MD5:4417DBFA9FCE94752A5A2DFDC823CB92	SHA256:2381252B689D7EF2A8E1DCEA6B7366C0436E70FF29E9B63F3AE34BCC5C60AAF5
6524	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	C:\Users\admin\AppData\Local\Temp\HYD5CE3.tmp.1727978352\HTA\i18n\ko.json		binary
		MD5:F9FEB32431F5064F711B87C31CCC8AC0	SHA256:6CCE352F8426A6CB2D41D5D108658CFA1244F0142D6F60BC96E3C4C2904913C3
6524	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	C:\Users\admin\AppData\Roaming\uTorrent\settings.dat.new		binary
		MD5:ED539BFF16274133C3F3E7B476BE19BA	SHA256:A19FB5A04B8BC61A01CFEAC1A05BE0B990EB51A972A41528DEDF468A48F6358E
6524	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	C:\Users\admin\AppData\Local\Temp\HYD5CE3.tmp.1727978352\index.hta.log		text
		MD5:2B632A88AF93F552846FDBF6890E8613	SHA256:2B1D8F74B6B7EF3811B62E9320953577A736ED64AB9DD5C3E2390D994A10D234
6524	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	C:\Users\admin\AppData\Local\Temp\HYD5CE3.tmp.1727978352\HTA\i18n\fr.json		binary
		MD5:D126F1776772BE7164691F18B9FCB041	SHA256:0416441F460D82C68525EB15CB72E6B260433E509AEDCD4ABDB1326C6D242A7D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

172

DNS requests

118

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6524	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	POST	200	44.212.231.148:80	http://i-50.b-000.xyz.bench.utorrent.com/e?i=50	unknown	—	—	whitelisted
6524	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	GET	200	67.215.238.66:80	http://download-lb.utorrent.com/endpoint/hydra-ut/os/win10/track/stable/browser/other/os-region/US/os-lang/en/os-ver/10.0/enc-ver/111916300/	unknown	—	—	whitelisted
6524	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	POST	200	44.212.231.148:80	http://i-50.b-000.xyz.bench.utorrent.com/e?i=50	unknown	—	—	whitelisted
6524	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	POST	200	44.212.231.148:80	http://i-50.b-000.xyz.bench.utorrent.com/e?i=50	unknown	—	—	whitelisted
3396	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	POST	200	44.212.231.148:80	http://i-50.b-000.xyz.bench.utorrent.com/e?i=50	unknown	—	—	whitelisted
6168	cscript.exe	GET	200	104.19.208.152:80	http://webcompanion.com/nano_download.php?partner=BT170902	unknown	—	—	malicious
6524	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	POST	200	44.212.231.148:80	http://i-50.b-000.xyz.bench.utorrent.com/e?i=50	unknown	—	—	whitelisted
3396	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	POST	200	44.212.231.148:80	http://i-50.b-000.xyz.bench.utorrent.com/e?i=50	unknown	—	—	whitelisted
6524	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	POST	200	44.212.231.148:80	http://i-50.b-000.xyz.bench.utorrent.com/e?i=50	unknown	—	—	whitelisted
3396	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	POST	200	44.212.231.148:80	http://i-50.b-000.xyz.bench.utorrent.com/e?i=50	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5000	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4324	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6524	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	44.212.231.148:80	i-50.b-000.xyz.bench.utorrent.com	AMAZON-AES	US	whitelisted
6524	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	67.215.238.66:80	download-lb.utorrent.com	ASN-QUADRANET-GLOBAL	US	whitelisted
3396	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	44.212.231.148:80	i-50.b-000.xyz.bench.utorrent.com	AMAZON-AES	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	142.250.185.206	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
router.bittorrent.com	67.215.246.10	whitelisted
router.utorrent.com	82.221.103.244	whitelisted
i-50.b-000.xyz.bench.utorrent.com	44.212.231.148 52.70.195.186 44.195.254.175 52.200.151.22 52.202.30.183 52.45.191.231 52.2.97.28 52.22.74.205	whitelisted
download-lb.utorrent.com	67.215.238.66	whitelisted
ip-api.com	208.95.112.1	shared
login.live.com	20.190.159.0 40.126.31.69 20.190.159.23 20.190.159.68 40.126.31.71 20.190.159.73 20.190.159.75 40.126.31.73	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
6188	mshta.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
2256	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
6168	cscript.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
6168	cscript.exe	A Network Trojan was detected	ET MALWARE Likely Evil EXE download from WinHttpRequest non-exe extension
6168	cscript.exe	Misc activity	ET INFO WinHttpRequest Downloading EXE
6168	cscript.exe	Misc activity	ET INFO EXE - Served Attached HTTP
3396	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	Potential Corporate Privacy Violation	ET P2P BTWebClient UA uTorrent in use
3396	7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe	Potential Corporate Privacy Violation	ET P2P BTWebClient UA uTorrent in use
3832	uTorrent.exe	Potential Corporate Privacy Violation	ET P2P BTWebClient UA uTorrent in use

15 ETPRO signatures available at the full report

Add for printing

Process	Message
WebCompanionInstaller.exe	Detecting windows culture
WebCompanionInstaller.exe	10/3/2024 5:59:36 PM :-> Starting installer 8.9.0.992 with: .\WebCompanionInstaller.exe --partner=BT170902 --version=8.9.0.992 --silent --partner=BT170902 --homepage=1 --search=1, Run as admin: True
WebCompanionInstaller.exe	Failed to report progress in SendPostRequest: System.Net.WebException: The remote name could not be resolved: 'flow.lavasoft.com' at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context) at System.Net.HttpWebRequest.GetRequestStream() at WebCompanionInstaller.Utils.RestUtils.SendPostRequest(String url, String body)
WebCompanionInstaller.exe	SecurityProtocol set to 4032
WebCompanionInstaller.exe	Preparing for installing Web Companion
WebCompanionInstaller.exe	Failed to report progress in SendPostRequest: System.Net.WebException: The remote name could not be resolved: 'flow.lavasoft.com' at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context) at System.Net.HttpWebRequest.GetRequestStream() at WebCompanionInstaller.Utils.RestUtils.SendPostRequest(String url, String body)
WebCompanionInstaller.exe	10/3/2024 5:59:37 PM :-> Generating Machine and Install Id ...
WebCompanionInstaller.exe	10/3/2024 5:59:37 PM :-> Machine Id and Install Id has been generated
WebCompanionInstaller.exe	Failed to report progress in SendPostRequest: System.Net.WebException: The remote name could not be resolved: 'flow.lavasoft.com' at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context) at System.Net.HttpWebRequest.GetRequestStream() at WebCompanionInstaller.Utils.RestUtils.SendPostRequest(String url, String body)
WebCompanionInstaller.exe	10/3/2024 5:59:37 PM :-> Checking prerequisites ...

General Info

7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe

600F20ABCC1FA9F5BDA0965D07B6855D

38F079CE6B51508A9E62BD7B24ED792CDE38D33B

7D89A16FC0D3AFA3CD78CC51E7AE6A81343CB14DE6FDCA9325142DECA5133515

49152:v+3z044n1IndbRV+IL2Ql/HsCakLF5vbzI:v+3z41CSyltFzI

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts NET.EXE for service management

SUSPICIOUS

Reads security settings of Internet Explorer

The process executes JS scripts

Potential Corporate Privacy Violation

Checks for external IP

Runs PING.EXE to delay simulation

Executable content was dropped or overwritten

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Starts itself from another location

Drops 7-zip archiver for unpacking

Drops a system driver (possible attempt to evade defenses)

Uses RUNDLL32.EXE to load library

The process drops C-runtime libraries

Checks Windows Trust Settings

Mutex name with non-standard characters

Process requests binary or script from the Internet

Application launched itself

INFO

Checks supported languages

Process checks computer location settings

UPX packer has been detected

Create files in a temporary directory

Manual execution by a user

Application launched itself

Reads the computer name

Creates files or folders in the user directory

Reads the machine GUID from the registry

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests