File name: 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe

Full analysis: https://app.any.run/tasks/a86c1093-d9c2-4351-be7b-31de9ef05cd6
Verdict: Malicious activity
Threats:

A loader is malicious software whose job is to get onto a device and deliver further malicious payloads. Once running it profiles the victim's system and installs other threats, such as trojans or stealers. Criminals usually distribute loaders through phishing emails and links, relying on social engineering to trick users into downloading and running the executable, and loaders typically combine evasion techniques with persistence mechanisms so that they stay on the host undetected.

Analysis date: October 03, 2024, 17:59:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
upx
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 600F20ABCC1FA9F5BDA0965D07B6855D
SHA1: 38F079CE6B51508A9E62BD7B24ED792CDE38D33B
SHA256: 7D89A16FC0D3AFA3CD78CC51E7AE6A81343CB14DE6FDCA9325142DECA5133515
SSDEEP: 49152:v+3z044n1IndbRV+IL2Ql/HsCakLF5vbzI:v+3z41CSyltFzI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • WebCompanionInstaller.exe (PID: 5656)
      • net.exe (PID: 6412)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
    • Checks Windows Trust Settings

      • 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
    • Mutex name with non-standard characters

      • 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
    • Application launched itself

      • 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
    • The process executes JS scripts

      • mshta.exe (PID: 6188)
    • Runs PING.EXE to delay simulation

      • mshta.exe (PID: 6188)
    • Potential Corporate Privacy Violation

      • 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
      • 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 3396)
      • uTorrent.exe (PID: 3832)
      • svchost.exe (PID: 6380)
      • cscript.exe (PID: 6168)
    • Checks for external IP

      • svchost.exe (PID: 2256)
      • mshta.exe (PID: 6188)
    • Executable content was dropped or overwritten

      • mshta.exe (PID: 6188)
      • cscript.exe (PID: 6168)
      • offer-6A6AD7B6-8448-470C-9C74-FE57FE6FC8CA.exe (PID: 5084)
      • MicrosoftEdgeWebView2Setup.exe (PID: 7248)
      • MicrosoftEdgeUpdate.exe (PID: 7880)
      • WebCompanionInstaller.exe (PID: 5656)
      • rundll32.exe (PID: 4196)
      • uTorrent.exe (PID: 3832)
    • Process drops legitimate windows executable

      • uTorrent.exe (PID: 3832)
      • MicrosoftEdgeWebView2Setup.exe (PID: 7248)
      • MicrosoftEdgeUpdate.exe (PID: 7880)
      • WebCompanionInstaller.exe (PID: 5656)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 7880)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 7880)
    • Drops 7-zip archiver for unpacking

      • WebCompanionInstaller.exe (PID: 5656)
    • Drops a system driver (possible attempt to evade defenses)

      • WebCompanionInstaller.exe (PID: 5656)
      • rundll32.exe (PID: 4196)
    • The process drops C-runtime libraries

      • WebCompanionInstaller.exe (PID: 5656)
    • Uses RUNDLL32.EXE to load library

      • WebCompanionInstaller.exe (PID: 5656)
    • Process requests binary or script from the Internet

      • uTorrent.exe (PID: 3832)
  • INFO

    • Checks supported languages

      • 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
    • Reads the machine GUID from the registry

      • 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
    • Create files in a temporary directory

      • 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
    • Reads the computer name

      • 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
    • Creates files or folders in the user directory

      • 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
    • Checks proxy server information

      • 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
    • Process checks computer location settings

      • 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 6524)
    • UPX packer has been detected

      • 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe (PID: 3396)
    • Manual execution by a user

      • uTorrent.exe (PID: 3832)
    • Application launched itself

      • msedge.exe (PID: 6376)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
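The signature list above names the building blocks of the chain this sample runs: an HTA under mshta.exe, cscript.exe launched from it with a beacon URL on its command line, PING.EXE used as a sleep, and WebCompanionInstaller.exe configuring and starting the WCAssistantService service through sc.exe and net.exe. The Python below is an added example, not ANY.RUN's signature logic and not any vendor's product, of how those behaviours look as process-creation detection rules run over a handful of events. The events are constructed by hand from the command lines visible on this page; the PING.EXE arguments and PID, the net.exe arguments, and the mshta.exe and WebCompanionInstaller.exe image paths are assumptions, as marked in the comments.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """A process-creation event reduced to the fields the rules need
    (the same information a Sysmon Event ID 1 or Security 4688 record carries)."""
    pid: int
    image: str          # full path of the new process
    cmdline: str        # its command line as logged
    parent_image: str   # full path of the parent


def image_name(path):
    """Lower-cased file name of an image path: 'C:\\Windows\\SysWOW64\\sc.exe' -> 'sc.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "powershell.exe", "cmd.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SC_FAILURE_RE = re.compile(r"\bfailure\s+(\S+).*\bactions=\s*restart", re.IGNORECASE)
NET_CTRL_RE = re.compile(r"\b(start|stop)\s+(\S+)", re.IGNORECASE)
PING_COUNT_RE = re.compile(r"-n\s+(\d+)", re.IGNORECASE)


def rule_hta_spawns_script_host(ev):
    """mshta.exe launching a script host: the HTA-to-cscript step seen on this page."""
    if image_name(ev.parent_image) == "mshta.exe" and image_name(ev.image) in SCRIPT_HOSTS:
        return "mshta.exe launched " + image_name(ev.image)
    return None


def rule_script_host_given_url(ev):
    """A .js/.vbs host whose command line carries a URL (beacon or download target)."""
    if image_name(ev.image) in {"cscript.exe", "wscript.exe"}:
        m = URL_RE.search(ev.cmdline)
        if m:
            return "script host passed URL " + m.group(0)
    return None


def rule_sc_failure_restart(ev):
    """sc.exe failure <svc> ... actions= restart: the service restarts itself if it is killed."""
    if image_name(ev.image) == "sc.exe":
        m = SC_FAILURE_RE.search(ev.cmdline)
        if m:
            return "service %s configured to auto-restart on failure" % m.group(1)
    return None


def rule_net_service_control(ev):
    """net.exe/net1.exe start|stop <svc> issued by something other than an admin shell."""
    if image_name(ev.image) in {"net.exe", "net1.exe"}:
        m = NET_CTRL_RE.search(ev.cmdline)
        if m and image_name(ev.parent_image) not in {"cmd.exe", "powershell.exe", "net.exe"}:
            return "%s issued 'net %s %s'" % (image_name(ev.parent_image), m.group(1).lower(), m.group(2))
    return None


def rule_ping_as_sleep(ev):
    """ping 127.0.0.1 -n N: one echo per second, so N echoes is roughly an N-second delay."""
    if image_name(ev.image) == "ping.exe" and "127.0.0.1" in ev.cmdline:
        m = PING_COUNT_RE.search(ev.cmdline)
        if m and int(m.group(1)) >= 3:
            return "ping loopback used as a ~%s s delay by %s" % (m.group(1), image_name(ev.parent_image))
    return None


RULES = [rule_hta_spawns_script_host, rule_script_host_given_url,
         rule_sc_failure_restart, rule_net_service_control, rule_ping_as_sleep]


def scan(events):
    """Run every rule over every event; return (rule name, pid, detail) for each hit."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, ev.pid, detail))
    return hits


# Constructed sample, modelled on the command lines shown in this report.
SAMPLE_EVENTS = [
    # PID 1144 cscript.exe under mshta.exe (report); the mshta.exe path is assumed.
    ProcEvent(1144, r"C:\Windows\SysWOW64\cscript.exe",
              r'"C:\Windows\System32\cscript.exe" shell_scripts/shell_ping_after_close.js '
              r'"http://i-50.b-000.xyz.bench.utorrent.com/e?i=50"',
              r"C:\Windows\SysWOW64\mshta.exe"),
    # PID 1568 sc.exe under WebCompanionInstaller.exe (report); the installer path is assumed.
    ProcEvent(1568, r"C:\Windows\SysWOW64\sc.exe",
              '"sc.exe" failure WCAssistantService reset= 30 actions= restart/60000',
              r"C:\Users\admin\AppData\Local\Temp\WebCompanionInstaller.exe"),
    # PID 6412 net.exe under WebCompanionInstaller.exe (report); its arguments are assumed.
    ProcEvent(6412, r"C:\Windows\SysWOW64\net.exe", "net start WCAssistantService",
              r"C:\Users\admin\AppData\Local\Temp\WebCompanionInstaller.exe"),
    # PING.EXE under mshta.exe (report); PID and arguments are assumed.
    ProcEvent(1300, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 5",
              r"C:\Windows\SysWOW64\mshta.exe"),
    # Benign control: PID 368, the Edge network-service child (report); must not match.
    ProcEvent(368, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility '
              r"--utility-sub-type=network.mojom.NetworkService",
              r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
]

if __name__ == "__main__":
    for name, pid, detail in scan(SAMPLE_EVENTS):
        print("%-28s pid=%-5d %s" % (name, pid, detail))
```

None of these rules is conclusive on its own (legitimate installers also call sc.exe and net.exe), which is why they are reported as separate hits: the combination on one host within one installer run, as in this report, is the signal, and the Edge control event shows that ordinary browser process churn does not trip any of them.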
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (43.5)
.exe | Win32 EXE Yoda's Crypter (42.7)
.exe | Win32 Executable (generic) (7.2)
.exe | Generic Win/DOS Executable (3.2)
.exe | DOS Executable Generic (3.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:06:30 20:15:41+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 1867776
InitializedDataSize: 126976
UninitializedDataSize: 3813376
EntryPoint: 0x56b240
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.5.5.46348
ProductVersionNumber: 3.5.5.46348
FileFlagsMask: 0x002b
FileFlags: Special build
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: BitTorrent Inc.
FileDescription: µTorrent
FileVersion: 3.5.5.46348
InternalName: uTorrent.exe
OriginalFileName: uTorrent.exe
LegalCopyright: ©2020 BitTorrent, Inc. All Rights Reserved.
ProductName: µTorrent
ProductVersion: 3.5.5.46348
SpecialBuild: stable34 stable
All screenshots are available in the full report
Total processes
208
Monitored processes
78
Malicious processes
10
Suspicious processes
1

Behavior graph

start 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe THREAT 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe mshta.exe cscript.exe no specs conhost.exe no specs ping.exe no specs conhost.exe no specs cscript.exe conhost.exe no specs svchost.exe cscript.exe conhost.exe no specs cscript.exe conhost.exe no specs cscript.exe conhost.exe no specs offer-6a6ad7b6-8448-470c-9c74-fe57fe6fc8ca.exe webcompanioninstaller.exe utorrent.exe utorrentie.exe utorrentie.exe msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs utorrentie.exe msedge.exe no specs msedge.exe no specs microsoftedgewebview2setup.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs microsoftedgeupdate.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs microsoftedgeupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe svchost.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs utorrentie.exe rundll32.exe runonce.exe no specs grpconv.exe no specs net.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs net1.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 368
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2428 --field-trial-handle=2340,i,8322758128169251261,6034182130335980695,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 400
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7148 --field-trial-handle=2340,i,8322758128169251261,6034182130335980695,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 440
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 488
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7032 --field-trial-handle=2340,i,8322758128169251261,6034182130335980695,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 812
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x324,0x328,0x32c,0x320,0x318,0x7fffd42b5fd8,0x7fffd42b5fe4,0x7fffd42b5ff0
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1060
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{7411F74F-2257-4635-9B21-4AF1DB0B4831}" /silent
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.195.19
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID: 1144
CMD: "C:\Windows\System32\cscript.exe" shell_scripts/shell_ping_after_close.js "http://i-50.b-000.XYZ.bench.utorrent.com/e?i=50&e=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"
Path: C:\Windows\SysWOW64\cscript.exe
Parent process: mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 1344
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: PING.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1568
CMD: "sc.exe" failure WCAssistantService reset= 30 actions= restart/60000
Path: C:\Windows\SysWOW64\sc.exe
Parent process: WebCompanionInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\rpcrt4.dll
PID: 1568
CMD: "C:\WINDOWS\system32\runonce.exe" -r
Path: C:\Windows\System32\runonce.exe
Parent process: rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Run Once Wrapper
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runonce.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
Total events
28 623
Read events
27 591
Write events
993
Delete events
39

Modification events

(PID) Process | Key | Operation | Name | Value
(6524) 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe | HKEY_CLASSES_ROOT\FalconBetaAccount | write | remote_access_client_id | 7115093034
(5208) cscript.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\cscript.exe | write | JScriptSetScriptStateStarted | 196E3F0000000000
(6188) mshta.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | (empty)
(6188) mshta.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
(6188) mshta.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
(6188) mshta.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\MostRecentApplication | write | Name | mshta.exe
(6188) mshta.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\MostRecentApplication | write | ID | (empty)
(6188) mshta.exe | HKEY_CLASSES_ROOT\Applications\uTorrent.exe | write | shell | open
(6188) mshta.exe | HKEY_CLASSES_ROOT\Applications\uTorrent.exe\shell | write | open | "%APPDATA%\uTorrent\uTorrent.exe" "%1"
(6188) mshta.exe | HKEY_CLASSES_ROOT\Applications\uTorrent.exe\shell\open | write | command | "%APPDATA%\uTorrent\uTorrent.exe" "%1"
Executable files
432
Suspicious files
156
Text files
126
Unknown types
1

Dropped files

PID | Process | Filename | Type
6524 | 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe | C:\Users\admin\AppData\Local\Temp\utt56C8.tmp | (not listed)
MD5: (not listed)
SHA256: (not listed)
6524 | 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe | C:\Users\admin\AppData\Roaming\uTorrent\settings.dat.new | binary
MD5: ED539BFF16274133C3F3E7B476BE19BA
SHA256: A19FB5A04B8BC61A01CFEAC1A05BE0B990EB51A972A41528DEDF468A48F6358E
6524 | 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe | C:\Users\admin\AppData\Local\Temp\HYD5CE3.tmp.1727978352\HTA\index.hta | html
MD5: 76903930C0ADE2285F1AB1BF54BE660D
SHA256: 61ACD6E7405FAD348433F8DE4B12ED97B42CACCBCF28FE0E4BA4B4A5D2EA707E
6524 | 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe | C:\Users\admin\AppData\Roaming\uTorrent\settings.dat | binary
MD5: ED539BFF16274133C3F3E7B476BE19BA
SHA256: A19FB5A04B8BC61A01CFEAC1A05BE0B990EB51A972A41528DEDF468A48F6358E
6524 | 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe | C:\Users\admin\AppData\Local\Temp\HYD5CE3.tmp.1727978352\HTA\i18n\es.json | binary
MD5: D208BD6553A40136D75A78D5C0E11F52
SHA256: AAC630FBE06486BACE04D05DA5E12CC96715B263CB3CAE8F246E630B6166DE41
6524 | 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe | C:\Users\admin\AppData\Local\Temp\HYD5CE3.tmp.1727978352\index.hta.log | text
MD5: 2B632A88AF93F552846FDBF6890E8613
SHA256: 2B1D8F74B6B7EF3811B62E9320953577A736ED64AB9DD5C3E2390D994A10D234
6524 | 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe | C:\Users\admin\AppData\Local\Temp\HYD5CE3.tmp.1727978352\HTA\uninstall.hta | html
MD5: D91D3DAD4FB278BAB416A6CF49FDA09E
SHA256: E5A870DDA2BCA2B632F9AA3EEE7768B5DD1498046D53AF5FB6B5D5920DEBE27A
6524 | 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe | C:\Users\admin\AppData\Local\Temp\HYD5CE3.tmp.1727978352\HTA\i18n\de.json | binary
MD5: C6ABA232E3CA1843E2CE5C0EA95A597A
SHA256: 7E6E3722FE5BA7CF7709055DF67EC0F7710C357C1600E500F3D4EC0F403F3354
6524 | 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe | C:\Users\admin\AppData\Local\Temp\HYD5CE3.tmp.1727978352\HTA\install.1727978352.zip | compressed
MD5: A65CA84BF2C878F87206FF596142B062
SHA256: 68E37EED2E04830FCE9F735D8A2ECEBB19A651394F5D590581370AC5D7754D90
6524 | 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\1f91d2d17ea675d4c2c3192e241743f9_bb926e54-e3ca-40fd-ae90-2764341e7792 | binary
MD5: 75398B4451F9ABF6BD5BC752B2694182
SHA256: 8A327234B30B3CAF572D7D2DD134350257A5126AE17201D2D6C840A567CDCFDC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
85
TCP/UDP connections
172
DNS requests
118
Threats
39

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
2120 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6188 | mshta.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json?callback=jQuery191021072312545877508_1727978356129&_=1727978356130 | unknown | shared
3396 | 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe | POST | 200 | 44.212.231.148:80 | http://i-50.b-000.xyz.bench.utorrent.com/e?i=50 | unknown | whitelisted
4880 | cscript.exe | GET | 200 | 44.212.231.148:80 | http://i-50.b-000.xyz.bench.utorrent.com/e?i=50&e=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 | unknown | whitelisted
832 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1144 | cscript.exe | GET | 200 | 44.212.231.148:80 | http://i-50.b-000.xyz.bench.utorrent.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFTdWNjZXNzIiwicGlkIjoiMzM5NiIsImgiOiIxaG1XWkNLS09FYUEwM0ZFIiwidiI6IjExMTkxNjMwMCIsImIiOjQ2MzQ4LCJjbCI6InVUb3JyZW50Iiwib3NhIjoiNjQiLCJzbG5nIjoiZW4iLCJkYiI6IiIsImRidiI6IjExLjAiLCJpYnIiOlt7Im5hbWUiOiIiLCJ2ZXJzaW9uIjoiMTIzLjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6IiIsInZlcnNpb24iOiIxMjIuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiIiLCJ2ZXJzaW9uIjoiMTEuMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9LHsibmFtZSI6IiIsInZlcnNpb24iOiIxMjIuMCIsImV4ZU5hbWUiOiJtc2VkZ2UifV0sImlwIjoiMTM4LjE5OS4zNi4xOTgiLCJjbiI6Ikdlcm1hbnkiLCJwYWNraWQiOiJsYXZhc29mdF9iaW5nIn0= | unknown | whitelisted
6168 | cscript.exe | GET | 200 | 104.19.208.152:80 | http://webcompanion.com/nano_download.php?partner=BT170902 | unknown | malicious
3396 | 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe | POST | 200 | 44.212.231.148:80 | http://i-50.b-000.xyz.bench.utorrent.com/e?i=50 | unknown | whitelisted
6524 | 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe | POST | 200 | 44.212.231.148:80 | http://i-50.b-000.xyz.bench.utorrent.com/e?i=50 | unknown | whitelisted
6524 | 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe | POST | 200 | 44.212.231.148:80 | http://i-50.b-000.xyz.bench.utorrent.com/e?i=50 | unknown | whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
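The cscript.exe request (PID 1144) above is the installer's post-run telemetry: the `e=` parameter is base64-encoded JSON, and decoding it is the check a responder wants before accepting the "whitelisted" label on that traffic, because it shows exactly what the host reported. The Python below is an added example, not ANY.RUN's code and not uTorrent's; it embeds the beacon URL exactly as listed on this page, and its only assumptions are the encoding edge cases it tolerates (missing padding, URL-safe alphabet), which this particular URL does not exercise.

```python
import base64
import json
from urllib.parse import urlsplit, unquote

# The beacon URL as it appears in the HTTP requests table above (PID 1144, cscript.exe).
BEACON_URL = (
    "http://i-50.b-000.xyz.bench.utorrent.com/e?i=50&e="
    "eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFTdWNjZXNzIiwicGlkIjoiMzM5NiIs"
    "ImgiOiIxaG1XWkNLS09FYUEwM0ZFIiwidiI6IjExMTkxNjMwMCIsImIiOjQ2MzQ4LCJjbCI6InVU"
    "b3JyZW50Iiwib3NhIjoiNjQiLCJzbG5nIjoiZW4iLCJkYiI6IiIsImRidiI6IjExLjAiLCJpYnIi"
    "Olt7Im5hbWUiOiIiLCJ2ZXJzaW9uIjoiMTIzLjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFt"
    "ZSI6IiIsInZlcnNpb24iOiIxMjIuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiIiLCJ2"
    "ZXJzaW9uIjoiMTEuMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9LHsibmFtZSI6IiIsInZlcnNpb24i"
    "OiIxMjIuMCIsImV4ZU5hbWUiOiJtc2VkZ2UifV0sImlwIjoiMTM4LjE5OS4zNi4xOTgiLCJjbiI6"
    "Ikdlcm1hbnkiLCJwYWNraWQiOiJsYXZhc29mdF9iaW5nIn0="
)


def query_params(url):
    """Split the query string by hand: parse_qs would turn '+' into a space,
    and '+' is a legal character in standard base64."""
    params = {}
    for part in urlsplit(url).query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")   # split on the FIRST '=' only; padding '=' stays in value
        params[unquote(key)] = unquote(value)
    return params


def b64_loose(text):
    """Decode standard or URL-safe base64, restoring any stripped padding
    (an assumption about variants; the URL on this page is already padded)."""
    text = text.strip().replace("-", "+").replace("_", "/")
    text += "=" * (-len(text) % 4)
    return base64.b64decode(text)


def decode_beacon(url):
    """Return the JSON object carried in the beacon's 'e' parameter."""
    return json.loads(b64_loose(query_params(url)["e"]).decode("utf-8"))


def summarize(payload):
    """Pull out what a responder cares about: what was reported, about which host, for which partner pack."""
    browsers = ["%s %s" % (b.get("exeName"), b.get("version")) for b in payload.get("ibr", [])]
    return {
        "event": "%s/%s" % (payload.get("eventName"), payload.get("action")),
        "client": "%s build %s" % (payload.get("cl"), payload.get("b")),
        "reporting_pid": payload.get("pid"),
        "public_ip": payload.get("ip"),
        "country": payload.get("cn"),
        "browsers": browsers,
        "partner_pack": payload.get("packid"),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(decode_beacon(BEACON_URL)), indent=2))
```

Decoded, the object reports eventName hydra1 with action htaSuccess from pid 3396 (the second instance of the sample listed above), the uTorrent build 46348, the installed browsers with versions (firefox 123.0, chrome 122.0, iexplore 11.0, msedge 122.0), the sandbox's public IP and country, and packid lavasoft_bing, which is the Web Companion partner install that the cscript.exe download from webcompanion.com then carries out.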

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5000 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4324 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6524 | 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe | 44.212.231.148:80 | i-50.b-000.xyz.bench.utorrent.com | AMAZON-AES | US | whitelisted
6524 | 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe | 67.215.238.66:80 | download-lb.utorrent.com | ASN-QUADRANET-GLOBAL | US | whitelisted
3396 | 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe | 44.212.231.148:80 | i-50.b-000.xyz.bench.utorrent.com | AMAZON-AES | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 142.250.185.206 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
router.bittorrent.com | 67.215.246.10 | whitelisted
router.utorrent.com | 82.221.103.244 | whitelisted
i-50.b-000.xyz.bench.utorrent.com | 44.212.231.148, 52.70.195.186, 44.195.254.175, 52.200.151.22, 52.202.30.183, 52.45.191.231, 52.2.97.28, 52.22.74.205 | whitelisted
download-lb.utorrent.com | 67.215.238.66 | whitelisted
ip-api.com | 208.95.112.1 | shared
login.live.com | 20.190.159.0, 40.126.31.69, 20.190.159.23, 20.190.159.68, 40.126.31.71, 20.190.159.73, 20.190.159.75, 40.126.31.73 | whitelisted
client.wns.windows.com | 40.115.3.253 | whitelisted

Threats

PID | Process | Class | Message
2256 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
6188 | mshta.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
2256 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
6168 | cscript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
6168 | cscript.exe | A Network Trojan was detected | ET MALWARE Likely Evil EXE download from WinHttpRequest non-exe extension
6168 | cscript.exe | Misc activity | ET INFO WinHttpRequest Downloading EXE
6168 | cscript.exe | Misc activity | ET INFO EXE - Served Attached HTTP
3396 | 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe | Potential Corporate Privacy Violation | ET P2P BTWebClient UA uTorrent in use
3396 | 7d89a16fc0d3afa3cd78cc51e7ae6a81343cb14de6fdca9325142deca5133515.exe | Potential Corporate Privacy Violation | ET P2P BTWebClient UA uTorrent in use
3832 | uTorrent.exe | Potential Corporate Privacy Violation | ET P2P BTWebClient UA uTorrent in use
15 ETPRO signatures available at the full report
Process | Message
WebCompanionInstaller.exe | Detecting windows culture
WebCompanionInstaller.exe | 10/3/2024 5:59:36 PM :-> Starting installer 8.9.0.992 with: .\WebCompanionInstaller.exe --partner=BT170902 --version=8.9.0.992 --silent --partner=BT170902 --homepage=1 --search=1, Run as admin: True
WebCompanionInstaller.exe | Failed to report progress in SendPostRequest: System.Net.WebException: The remote name could not be resolved: 'flow.lavasoft.com' at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context) at System.Net.HttpWebRequest.GetRequestStream() at WebCompanionInstaller.Utils.RestUtils.SendPostRequest(String url, String body)
WebCompanionInstaller.exe | SecurityProtocol set to 4032
WebCompanionInstaller.exe | Preparing for installing Web Companion
WebCompanionInstaller.exe | Failed to report progress in SendPostRequest: System.Net.WebException: The remote name could not be resolved: 'flow.lavasoft.com' at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context) at System.Net.HttpWebRequest.GetRequestStream() at WebCompanionInstaller.Utils.RestUtils.SendPostRequest(String url, String body)
WebCompanionInstaller.exe | 10/3/2024 5:59:37 PM :-> Generating Machine and Install Id ...
WebCompanionInstaller.exe | 10/3/2024 5:59:37 PM :-> Machine Id and Install Id has been generated
WebCompanionInstaller.exe | Failed to report progress in SendPostRequest: System.Net.WebException: The remote name could not be resolved: 'flow.lavasoft.com' at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context) at System.Net.HttpWebRequest.GetRequestStream() at WebCompanionInstaller.Utils.RestUtils.SendPostRequest(String url, String body)
WebCompanionInstaller.exe | 10/3/2024 5:59:37 PM :-> Checking prerequisites ...