File name: utweb_installer.exe

Full analysis: https://app.any.run/tasks/7f9c4773-3deb-4c9e-b917-73843eca3896
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: August 04, 2024, 01:08:21
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
installer
stealer
loader
netreactor
miner
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 31E55107F1A4DECF6403F545F75E8877
SHA1: C6869BB14C6E760334EBC1766C885C8E2A057B23
SHA256: 935D7AF001D1F7C8B7CFEAD656EA3F1651330E2B434B2D3499F835E5D5A65650
SSDEEP: 49152:P7HecD4dnbibBlfYZJehijjvxNlJhVPZuE8H0oPuPV+7Lokcyz/HYCXNeR8K3jQR:D+cD4dnB28vxNlJPPMVH7PqV+Posz/H7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • utweb_installer.exe (PID: 6336)
      • utweb_installer.exe (PID: 6648)
      • utweb_installer.tmp (PID: 6672)
      • utweb_installer.exe (PID: 3540)
      • component0.exe (PID: 7064)
      • whhmtsm2.exe (PID: 2360)
      • utweb.exe (PID: 1288)
      • UnifiedStub-installer.exe (PID: 6448)
    • Changes the autorun value in the registry

      • utweb.exe (PID: 1288)
      • rundll32.exe (PID: 7868)
      • rundll32.exe (PID: 9184)
    • Actions look like stealing of personal data

      • UnifiedStub-installer.exe (PID: 6448)
      • rsEngineSvc.exe (PID: 7360)
      • rsVPNSvc.exe (PID: 7336)
      • rsDNSSvc.exe (PID: 8880)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • utweb_installer.exe (PID: 6336)
      • utweb_installer.exe (PID: 6648)
      • utweb_installer.tmp (PID: 6672)
      • utweb_installer.exe (PID: 3540)
      • component0.exe (PID: 7064)
      • whhmtsm2.exe (PID: 2360)
      • UnifiedStub-installer.exe (PID: 6448)
      • utweb.exe (PID: 1288)
    • Reads security settings of Internet Explorer

      • utweb_installer.tmp (PID: 6356)
      • utweb_installer.tmp (PID: 6672)
      • utweb_installer.exe (PID: 3540)
      • component0.exe (PID: 7064)
      • utweb.exe (PID: 1288)
      • UnifiedStub-installer.exe (PID: 6448)
      • rsWSC.exe (PID: 7284)
      • rsEngineSvc.exe (PID: 7368)
      • rsEDRSvc.exe (PID: 6688)
      • rsEngineSvc.exe (PID: 7360)
      • rsVPNSvc.exe (PID: 1528)
      • rsDNSSvc.exe (PID: 1716)
    • Reads the date of Windows installation

      • utweb_installer.tmp (PID: 6356)
      • utweb_installer.tmp (PID: 6672)
      • component0.exe (PID: 7064)
      • rsEngineSvc.exe (PID: 7360)
      • rsEDRSvc.exe (PID: 8824)
    • Reads the Windows owner or organization settings

      • utweb_installer.tmp (PID: 6672)
    • Mutex name with non-standard characters

      • utweb_installer.tmp (PID: 6672)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • utweb_installer.exe (PID: 3540)
    • The process creates files with name similar to system file names

      • utweb_installer.exe (PID: 3540)
      • UnifiedStub-installer.exe (PID: 6448)
    • Process drops legitimate Windows executable

      • utweb_installer.exe (PID: 3540)
      • whhmtsm2.exe (PID: 2360)
      • UnifiedStub-installer.exe (PID: 6448)
    • Searches for installed software

      • UnifiedStub-installer.exe (PID: 6448)
      • rsVPNSvc.exe (PID: 7336)
    • Executes as Windows Service

      • rsSyncSvc.exe (PID: 7036)
      • rsWSC.exe (PID: 7488)
      • rsClientSvc.exe (PID: 7276)
      • rsEngineSvc.exe (PID: 7360)
      • rsEDRSvc.exe (PID: 8824)
      • WmiApSrv.exe (PID: 3996)
      • rsVPNClientSvc.exe (PID: 7460)
      • rsVPNSvc.exe (PID: 7336)
      • WmiApSrv.exe (PID: 8712)
      • rsDNSClientSvc.exe (PID: 1920)
      • rsDNSResolver.exe (PID: 7676)
      • WmiApSrv.exe (PID: 3548)
      • rsDNSSvc.exe (PID: 8880)
    • Creates a software uninstall entry

      • UnifiedStub-installer.exe (PID: 6448)
    • Potential Corporate Privacy Violation

      • utweb.exe (PID: 1288)
    • Executes application which crashes

      • utweb_installer.tmp (PID: 6672)
    • Checks Windows Trust Settings

      • utweb.exe (PID: 1288)
      • UnifiedStub-installer.exe (PID: 6448)
      • rsWSC.exe (PID: 7284)
      • rsWSC.exe (PID: 7488)
      • rsEngineSvc.exe (PID: 7368)
      • rsEDRSvc.exe (PID: 8824)
      • rsEngineSvc.exe (PID: 7360)
      • rsVPNSvc.exe (PID: 1528)
      • rsEDRSvc.exe (PID: 6688)
      • rsDNSSvc.exe (PID: 1716)
    • Drops a system driver (possible attempt to evade defenses)

      • UnifiedStub-installer.exe (PID: 6448)
    • Drops 7-zip archiver for unpacking

      • UnifiedStub-installer.exe (PID: 6448)
    • The process drops C-runtime libraries

      • UnifiedStub-installer.exe (PID: 6448)
    • Adds/modifies Windows certificates

      • UnifiedStub-installer.exe (PID: 6448)
      • rsWSC.exe (PID: 7284)
      • rsEngineSvc.exe (PID: 7360)
    • Creates files in the driver directory

      • UnifiedStub-installer.exe (PID: 6448)
    • Creates or modifies Windows services

      • UnifiedStub-installer.exe (PID: 6448)
      • rundll32.exe (PID: 7868)
    • Uses RUNDLL32.EXE to load library

      • UnifiedStub-installer.exe (PID: 6448)
    • Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

      • UnifiedStub-installer.exe (PID: 6448)
    • Reads the BIOS version

      • rsEDRSvc.exe (PID: 8824)
      • rsEngineSvc.exe (PID: 7360)
    • Dropped object may contain URLs of miner pools

      • rsEngineSvc.exe (PID: 7360)
    • Process checks whether PowerShell's Script Block Logging is on

      • rsEDRSvc.exe (PID: 8824)
    • The process checks if it is being run in the virtual environment

      • rsEngineSvc.exe (PID: 7360)
      • rsVPNSvc.exe (PID: 7336)
      • rsDNSSvc.exe (PID: 8880)
    • Application launched itself

      • rsAppUI.exe (PID: 8736)
      • rsAppUI.exe (PID: 7712)
      • rsAppUI.exe (PID: 7260)
    • Starts CMD.EXE for commands execution

      • rsDNSSvc.exe (PID: 8880)
    • Process uses IPCONFIG to clear DNS cache

      • cmd.exe (PID: 8708)
      • cmd.exe (PID: 7972)
    • There is functionality for taking screenshot (YARA)

      • rsVPNSvc.exe (PID: 7336)
  • INFO

    • Checks supported languages

      • utweb_installer.exe (PID: 6336)
      • utweb_installer.tmp (PID: 6356)
      • utweb_installer.exe (PID: 6648)
      • utweb_installer.tmp (PID: 6672)
      • utweb_installer.exe (PID: 3540)
      • component0.exe (PID: 7064)
      • whhmtsm2.exe (PID: 2360)
      • UnifiedStub-installer.exe (PID: 6448)
      • rsSyncSvc.exe (PID: 6644)
      • rsSyncSvc.exe (PID: 7036)
      • utweb.exe (PID: 1288)
      • identity_helper.exe (PID: 7768)
      • helper.exe (PID: 8944)
      • identity_helper.exe (PID: 8732)
      • rsWSC.exe (PID: 7284)
      • rsWSC.exe (PID: 7488)
      • rsClientSvc.exe (PID: 7200)
      • rsClientSvc.exe (PID: 7276)
      • rsEngineSvc.exe (PID: 7368)
      • rsEngineSvc.exe (PID: 7360)
      • rsHelper.exe (PID: 8724)
      • rsEDRSvc.exe (PID: 6688)
      • rsEDRSvc.exe (PID: 8824)
      • EPP.exe (PID: 6828)
      • rsAppUI.exe (PID: 8736)
      • rsAppUI.exe (PID: 6968)
      • rsAppUI.exe (PID: 6732)
      • rsAppUI.exe (PID: 6832)
      • rsAppUI.exe (PID: 7672)
      • rsLitmus.A.exe (PID: 2508)
      • rsVPNClientSvc.exe (PID: 7380)
      • rsVPNClientSvc.exe (PID: 7460)
      • rsVPNSvc.exe (PID: 1528)
      • rsVPNSvc.exe (PID: 7336)
      • VPN.exe (PID: 7860)
      • rsAppUI.exe (PID: 7712)
      • rsAppUI.exe (PID: 7704)
      • rsAppUI.exe (PID: 1500)
      • rsDNSClientSvc.exe (PID: 4056)
      • rsAppUI.exe (PID: 6168)
      • rsAppUI.exe (PID: 6620)
      • rsDNSResolver.exe (PID: 9140)
      • rsDNSResolver.exe (PID: 2700)
      • rsDNSResolver.exe (PID: 7676)
      • rsDNSSvc.exe (PID: 1716)
      • rsDNSClientSvc.exe (PID: 1920)
      • DNS.exe (PID: 5504)
      • rsAppUI.exe (PID: 7260)
      • rsDNSSvc.exe (PID: 8880)
      • rsAppUI.exe (PID: 3692)
      • rsAppUI.exe (PID: 8296)
      • rsAppUI.exe (PID: 7500)
      • rsAppUI.exe (PID: 1656)
      • rsAppUI.exe (PID: 8184)
    • Reads the computer name

      • utweb_installer.tmp (PID: 6356)
      • utweb_installer.tmp (PID: 6672)
      • utweb_installer.exe (PID: 3540)
      • component0.exe (PID: 7064)
      • UnifiedStub-installer.exe (PID: 6448)
      • rsSyncSvc.exe (PID: 6644)
      • rsSyncSvc.exe (PID: 7036)
      • utweb.exe (PID: 1288)
      • identity_helper.exe (PID: 7768)
      • identity_helper.exe (PID: 8732)
      • helper.exe (PID: 8944)
      • rsWSC.exe (PID: 7284)
      • rsWSC.exe (PID: 7488)
      • rsClientSvc.exe (PID: 7200)
      • rsClientSvc.exe (PID: 7276)
      • rsEngineSvc.exe (PID: 7368)
      • rsHelper.exe (PID: 8724)
      • rsEDRSvc.exe (PID: 6688)
      • rsEngineSvc.exe (PID: 7360)
      • rsEDRSvc.exe (PID: 8824)
      • rsAppUI.exe (PID: 8736)
      • rsAppUI.exe (PID: 6968)
      • rsAppUI.exe (PID: 6732)
      • rsVPNClientSvc.exe (PID: 7380)
      • rsVPNClientSvc.exe (PID: 7460)
      • rsVPNSvc.exe (PID: 1528)
      • rsVPNSvc.exe (PID: 7336)
      • rsAppUI.exe (PID: 7712)
      • rsDNSClientSvc.exe (PID: 4056)
      • rsAppUI.exe (PID: 7704)
      • rsAppUI.exe (PID: 6168)
      • rsDNSResolver.exe (PID: 2700)
      • rsDNSResolver.exe (PID: 7676)
      • rsDNSSvc.exe (PID: 1716)
      • rsDNSClientSvc.exe (PID: 1920)
      • rsDNSSvc.exe (PID: 8880)
      • rsAppUI.exe (PID: 7260)
      • rsAppUI.exe (PID: 3692)
      • rsAppUI.exe (PID: 8296)
      • rsAppUI.exe (PID: 1656)
      • rsAppUI.exe (PID: 8184)
    • Creates files in a temporary directory

      • utweb_installer.exe (PID: 6336)
      • utweb_installer.exe (PID: 6648)
      • utweb_installer.tmp (PID: 6672)
      • utweb_installer.exe (PID: 3540)
      • component0.exe (PID: 7064)
      • whhmtsm2.exe (PID: 2360)
      • UnifiedStub-installer.exe (PID: 6448)
      • rsAppUI.exe (PID: 8736)
      • rsAppUI.exe (PID: 7712)
      • rsAppUI.exe (PID: 7260)
    • Process checks computer location settings

      • utweb_installer.tmp (PID: 6356)
      • utweb_installer.tmp (PID: 6672)
      • component0.exe (PID: 7064)
      • rsAppUI.exe (PID: 6832)
      • rsAppUI.exe (PID: 8736)
      • rsAppUI.exe (PID: 7672)
      • rsVPNSvc.exe (PID: 7336)
      • rsAppUI.exe (PID: 1500)
      • rsAppUI.exe (PID: 6620)
      • rsAppUI.exe (PID: 7712)
      • rsAppUI.exe (PID: 7500)
      • rsAppUI.exe (PID: 7260)
    • Reads the machine GUID from the registry

      • utweb_installer.tmp (PID: 6672)
      • component0.exe (PID: 7064)
      • UnifiedStub-installer.exe (PID: 6448)
      • utweb.exe (PID: 1288)
      • rsWSC.exe (PID: 7284)
      • rsWSC.exe (PID: 7488)
      • rsEngineSvc.exe (PID: 7368)
      • rsEngineSvc.exe (PID: 7360)
      • rsEDRSvc.exe (PID: 6688)
      • rsEDRSvc.exe (PID: 8824)
      • rsAppUI.exe (PID: 8736)
      • rsVPNSvc.exe (PID: 1528)
      • rsVPNSvc.exe (PID: 7336)
      • rsAppUI.exe (PID: 7712)
      • rsDNSSvc.exe (PID: 1716)
      • rsHelper.exe (PID: 8724)
      • rsDNSSvc.exe (PID: 8880)
      • rsAppUI.exe (PID: 7260)
      • rsAppUI.exe (PID: 1656)
      • rsAppUI.exe (PID: 8184)
    • Reads the software policy settings

      • utweb_installer.tmp (PID: 6672)
      • component0.exe (PID: 7064)
      • UnifiedStub-installer.exe (PID: 6448)
      • WerFault.exe (PID: 8000)
      • WerFault.exe (PID: 8628)
      • utweb.exe (PID: 1288)
      • rsWSC.exe (PID: 7284)
      • rsEngineSvc.exe (PID: 7368)
      • rsWSC.exe (PID: 7488)
      • rsEDRSvc.exe (PID: 6688)
      • rsEngineSvc.exe (PID: 7360)
      • rsEDRSvc.exe (PID: 8824)
      • rsVPNSvc.exe (PID: 1528)
      • rsVPNSvc.exe (PID: 7336)
      • rsDNSSvc.exe (PID: 8880)
      • rsDNSSvc.exe (PID: 1716)
    • Checks proxy server information

      • utweb_installer.tmp (PID: 6672)
      • utweb_installer.exe (PID: 3540)
      • component0.exe (PID: 7064)
      • UnifiedStub-installer.exe (PID: 6448)
      • WerFault.exe (PID: 8000)
      • WerFault.exe (PID: 8628)
      • utweb.exe (PID: 1288)
      • rsWSC.exe (PID: 7284)
      • rsAppUI.exe (PID: 8736)
      • rsAppUI.exe (PID: 7712)
      • rsAppUI.exe (PID: 7260)
    • Creates files or folders in the user directory

      • utweb_installer.exe (PID: 3540)
      • utweb.exe (PID: 1288)
      • WerFault.exe (PID: 8000)
      • WerFault.exe (PID: 8628)
      • helper.exe (PID: 8944)
      • UnifiedStub-installer.exe (PID: 6448)
      • rsWSC.exe (PID: 7284)
      • rsEngineSvc.exe (PID: 7360)
      • rsAppUI.exe (PID: 8736)
      • rsAppUI.exe (PID: 6732)
      • rsVPNSvc.exe (PID: 7336)
      • rsAppUI.exe (PID: 7712)
      • rsAppUI.exe (PID: 6168)
      • rsDNSSvc.exe (PID: 8880)
      • rsAppUI.exe (PID: 7260)
      • rsAppUI.exe (PID: 8296)
      • rsAppUI.exe (PID: 1656)
    • Creates a software uninstall entry

      • utweb_installer.exe (PID: 3540)
    • Disables trace logs

      • component0.exe (PID: 7064)
      • UnifiedStub-installer.exe (PID: 6448)
      • rsEngineSvc.exe (PID: 7360)
      • rsEDRSvc.exe (PID: 8824)
      • rsVPNSvc.exe (PID: 7336)
      • rsDNSSvc.exe (PID: 8880)
    • Reads Environment values

      • component0.exe (PID: 7064)
      • UnifiedStub-installer.exe (PID: 6448)
      • identity_helper.exe (PID: 7768)
      • identity_helper.exe (PID: 8732)
      • rsEngineSvc.exe (PID: 7360)
      • rsEDRSvc.exe (PID: 8824)
      • rsAppUI.exe (PID: 8736)
      • rsVPNSvc.exe (PID: 7336)
      • rsAppUI.exe (PID: 7712)
      • rsDNSSvc.exe (PID: 8880)
      • rsAppUI.exe (PID: 7260)
    • Creates files in the program directory

      • UnifiedStub-installer.exe (PID: 6448)
      • rsWSC.exe (PID: 7284)
      • rsEngineSvc.exe (PID: 7368)
      • rsEngineSvc.exe (PID: 7360)
      • rsEDRSvc.exe (PID: 6688)
      • rsEDRSvc.exe (PID: 8824)
      • rsVPNSvc.exe (PID: 1528)
      • rsVPNSvc.exe (PID: 7336)
      • rsDNSResolver.exe (PID: 2700)
      • rsDNSResolver.exe (PID: 7676)
      • rsDNSSvc.exe (PID: 1716)
      • rsDNSSvc.exe (PID: 8880)
    • Reads Microsoft Office registry keys

      • utweb.exe (PID: 1288)
      • msedge.exe (PID: 7032)
      • msedge.exe (PID: 9192)
    • Application launched itself

      • msedge.exe (PID: 7032)
      • msedge.exe (PID: 9192)
    • .NET Reactor protector has been detected

      • UnifiedStub-installer.exe (PID: 6448)
      • rsWSC.exe (PID: 7488)
      • rsEngineSvc.exe (PID: 7360)
      • rsHelper.exe (PID: 8724)
      • rsEDRSvc.exe (PID: 8824)
      • rsVPNSvc.exe (PID: 7336)
      • rsAppUI.exe (PID: 7712)
    • Reads the time zone

      • runonce.exe (PID: 7896)
      • rsEngineSvc.exe (PID: 7360)
      • rsEDRSvc.exe (PID: 8824)
      • rsVPNSvc.exe (PID: 7336)
      • runonce.exe (PID: 7368)
      • rsDNSSvc.exe (PID: 8880)
    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 7896)
      • runonce.exe (PID: 7368)
    • Reads CPU info

      • rsEngineSvc.exe (PID: 7360)
      • rsEDRSvc.exe (PID: 8824)
      • rsVPNSvc.exe (PID: 7336)
      • rsDNSSvc.exe (PID: 8880)
    • Reads product name

      • rsEDRSvc.exe (PID: 8824)
      • rsEngineSvc.exe (PID: 7360)
      • rsAppUI.exe (PID: 8736)
      • rsAppUI.exe (PID: 7712)
      • rsAppUI.exe (PID: 7260)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (65.1)
.exe | Win32 EXE PECompact compressed (generic) (24.6)
.dll | Win32 Dynamic Link Library (generic) (3.9)
.exe | Win32 Executable (generic) (2.6)
.exe | Win16/32 Executable Delphi generic (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:04:14 16:10:23+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 77824
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.4.0.0
ProductVersionNumber: 1.4.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: uTorrеnt Web®
FileVersion: 1.4
LegalCopyright: ©2022 RainBerry Inc. All Rights Reserved
OriginalFileName:
ProductName: uTorrеnt Web®
ProductVersion: 1.4
No data.
All screenshots are available in the full report
Total processes: 279
Monitored processes: 136
Malicious processes: 16
Suspicious processes: 5

Behavior graph

start utweb_installer.exe utweb_installer.tmp no specs utweb_installer.exe utweb_installer.tmp utweb_installer.exe component0.exe whhmtsm2.exe THREAT unifiedstub-installer.exe rssyncsvc.exe no specs conhost.exe no specs rssyncsvc.exe no specs utweb.exe msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs werfault.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs werfault.exe msedge.exe no specs helper.exe msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe runonce.exe no specs grpconv.exe no specs wevtutil.exe no specs conhost.exe no specs fltmc.exe no specs conhost.exe no specs wevtutil.exe no specs conhost.exe no specs rswsc.exe THREAT rswsc.exe no specs rsclientsvc.exe no specs conhost.exe no specs rsclientsvc.exe no specs rsenginesvc.exe no specs THREAT rsenginesvc.exe THREAT rshelper.exe no specs rsedrsvc.exe no specs THREAT rsedrsvc.exe epp.exe no specs rsappui.exe no specs wmiapsrv.exe no specs rsappui.exe no specs rsappui.exe no specs rsappui.exe no specs rsappui.exe no specs rslitmus.a.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rsvpnclientsvc.exe no specs conhost.exe no specs rsvpnclientsvc.exe no specs rsvpnsvc.exe no specs THREAT rsvpnsvc.exe msedge.exe no specs vpn.exe no 
specs THREAT rsappui.exe no specs wmiapsrv.exe no specs rsappui.exe no specs rsappui.exe rsappui.exe no specs rsappui.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe runonce.exe no specs grpconv.exe no specs rsdnsclientsvc.exe no specs conhost.exe no specs rsdnsclientsvc.exe no specs rsdnsresolver.exe no specs conhost.exe no specs rsdnsresolver.exe no specs conhost.exe no specs rsdnsresolver.exe no specs rsdnssvc.exe no specs rsdnssvc.exe msedge.exe no specs cmd.exe no specs conhost.exe no specs ipconfig.exe no specs dns.exe no specs rsappui.exe no specs wmiapsrv.exe no specs rsappui.exe no specs rsappui.exe rsappui.exe no specs cmd.exe no specs conhost.exe no specs ipconfig.exe no specs rsappui.exe no specs msedge.exe no specs rsappui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1288
CMD: "C:\Users\admin\AppData\Roaming\uTorrent Web\utweb.exe" /RUNONSTARTUP
Path: C:\Users\admin\AppData\Roaming\uTorrent Web\utweb.exe
Parent process: utweb_installer.tmp
User:
admin
Company:
BitTorrent Limited
Integrity Level:
MEDIUM
Description:
µTorrent Web
Version:
1.4.0.5828
Modules
Images
c:\users\admin\appdata\roaming\utorrent web\utweb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\rpcrt4.dll
PID: 1500
CMD: "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3856 --field-trial-handle=2260,i,2022242461357451257,1542885313496201897,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
Path: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
Parent process: rsAppUI.exe
User:
admin
Company:
Reason Cybersecurity Ltd.
Integrity Level:
LOW
Description:
ReasonLabs Application
Version:
1.4.2
Modules
Images
c:\program files\reasonlabs\common\client\v1.4.2\rsappui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
PID: 1528
CMD: "C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe" -i -i
Path: C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
Parent process: UnifiedStub-installer.exe
User:
admin
Company:
Reason Software Company Inc.
Integrity Level:
HIGH
Description:
rsVPNSvc
Exit code:
0
Version:
2.18.0.0
Modules
Images
c:\program files\reasonlabs\vpn\rsvpnsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1656
CMD: "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --user-data-dir="C:\Users\admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3780 --field-trial-handle=1724,i,14849998207315859977,13117056512803473074,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Path: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
Parent process: rsAppUI.exe
User:
admin
Company:
Reason Cybersecurity Ltd.
Integrity Level:
MEDIUM
Description:
ReasonLabs Application
Exit code:
0
Version:
1.4.2
Modules
Images
c:\program files\reasonlabs\common\client\v1.4.2\rsappui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\program files\reasonlabs\common\client\v1.4.2\ffmpeg.dll
c:\windows\system32\combase.dll
c:\windows\system32\dbghelp.dll
PID: 1716
CMD: "C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe" -i -i
Path: C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe
Parent process: UnifiedStub-installer.exe
User:
admin
Company:
Reason Software Company Inc.
Integrity Level:
HIGH
Description:
rsDNSSvc
Exit code:
0
Version:
3.15.0.0
Modules
Images
c:\program files\reasonlabs\dns\rsdnssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1920
CMD: "C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe"
Path: C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe
Parent process: services.exe
User:
SYSTEM
Company:
Reason Software Company Inc.
Integrity Level:
SYSTEM
Description:
Reason Client Service
Version:
4.5.1.0
Modules
Images
c:\program files\reasonlabs\dns\rsdnsclientsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\version.dll
PID: 2360
CMD: "C:\Users\admin\AppData\Local\Temp\whhmtsm2.exe" /silent
Path: C:\Users\admin\AppData\Local\Temp\whhmtsm2.exe
Parent process: component0.exe
User:
admin
Company:
ReasonLabs
Integrity Level:
HIGH
Description:
ReasonLabs-setup-wizard.exe
Exit code:
0
Version:
6.0.6
Modules
Images
c:\users\admin\appdata\local\temp\whhmtsm2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 2508
CMD: "C:\program files\reasonlabs\epp\rsLitmus.A.exe"
Path: C:\Program Files\ReasonLabs\EPP\rsLitmus.A.exe
Parent process: rsEngineSvc.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
54321
Modules
Images
c:\program files\reasonlabs\epp\rslitmus.a.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID: 2608
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5444 --field-trial-handle=2444,i,7057798230090934053,13467983087042007820,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 2700
CMD: "C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" -service install
Path: C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
Parent process: UnifiedStub-installer.exe
User:
admin
Company:
Reason Software Company Inc.
Integrity Level:
HIGH
Description:
DNS Resolver
Exit code:
0
Version:
1.5.0.0
Modules
Images
c:\program files\reasonlabs\dns\rsdnsresolver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
Total events: 128 802
Read events: 128 056
Write events: 527
Delete events: 219

Modification events

(PID) Process: (6672) utweb_installer.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 101A000036137ED50AE6DA01

(PID) Process: (6672) utweb_installer.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: BDC262C756273B0EFD4BF0A9E5CB7FEB09447A0DD6B247041FD89A80E5998BEE

(PID) Process: (6672) utweb_installer.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (3540) utweb_installer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb
Operation: write
Name: UninstallString
Value: "C:\Users\admin\AppData\Roaming\uTorrent Web\Uninstall.exe"

(PID) Process: (3540) utweb_installer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb
Operation: write
Name: QuietUninstallString
Value: "C:\Users\admin\AppData\Roaming\uTorrent Web\Uninstall.exe" /S

(PID) Process: (3540) utweb_installer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb
Operation: write
Name: DisplayIcon
Value: C:\Users\admin\AppData\Roaming\uTorrent Web\uninstall.ico

(PID) Process: (3540) utweb_installer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb
Operation: write
Name: DisplayName
Value: uTorrent Web

(PID) Process: (3540) utweb_installer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb
Operation: write
Name: Publisher
Value: BitTorrent Limited

(PID) Process: (3540) utweb_installer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb
Operation: write
Name: DisplayVersion
Value: 1.4.0

(PID) Process: (3540) utweb_installer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb
Operation: write
Name: NoModify
Value: 1
Executable files: 904
Suspicious files: 605
Text files: 226
Unknown types: 43

Dropped files

PID
Process
Filename
Type
PID: 6336 | Process: utweb_installer.exe | Filename: C:\Users\admin\AppData\Local\Temp\is-DQ9AD.tmp\utweb_installer.tmp | Type: executable
MD5: 1D4508A9912FB54A6395FAB3E02E892B
SHA256: C604A247CEA27D5DAAD0F740E68E1518546FB40D68332F17F60E9C831CA3936A

PID: 6672 | Process: utweb_installer.tmp | Filename: C:\Users\admin\AppData\Local\Temp\is-VTJ1C.tmp\utweb_installer.exe | Type: executable
MD5: A87F9B5D44EDD211272B5C426F1D57F6
SHA256: CD1305DE487481FA02E9DB300F9DD041D7A65CC98CA87576ABEDFA9EE305C2B9

PID: 6672 | Process: utweb_installer.tmp | Filename: C:\Users\admin\AppData\Local\Temp\is-VTJ1C.tmp\RAV_Cross.png | Type: image
MD5: CD09F361286D1AD2622BA8A57B7613BD
SHA256: B92A31D4853D1B2C4E5B9D9624F40B439856D0C6A517E100978CBDE8D3C47DC8

PID: 3540 | Process: utweb_installer.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsnA814.tmp\FindProcDLL.dll | Type: executable
MD5: B4FAF654DE4284A89EAF7D073E4E1E63
SHA256: C0948B2EC36A69F82C08935FAC4B212238B6792694F009B93B4BDB478C4F26E3

PID: 6672 | Process: utweb_installer.tmp | Filename: C:\Users\admin\AppData\Local\Temp\is-VTJ1C.tmp\license.rtf | Type: text
MD5: 8A708BF775DE14E5FBB16F6077B454D5
SHA256: ECA753676C5C71D7BE141451CD6D1426A08ED5C254078BC585D9BA91395A971A

PID: 3540 | Process: utweb_installer.exe | Filename: C:\Users\admin\AppData\Roaming\uTorrent Web\localization\de.lang | Type: text
MD5: 3ABF457A7FD0E7AB549062003EAF5E5F
SHA256: 2773849568EFFA2BA7FFBF628E89C75F7887FC779C2434AEF22FBA3F88A84082

PID: 6672 | Process: utweb_installer.tmp | Filename: C:\Users\admin\AppData\Local\Temp\is-VTJ1C.tmp\_isetup\_setup64.tmp | Type: executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID: 6672 | Process: utweb_installer.tmp | Filename: C:\Users\admin\AppData\Local\Temp\is-VTJ1C.tmp\is-RN3DQ.tmp | Type: image
MD5: CD09F361286D1AD2622BA8A57B7613BD
SHA256: B92A31D4853D1B2C4E5B9D9624F40B439856D0C6A517E100978CBDE8D3C47DC8

PID: 3540 | Process: utweb_installer.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsnA814.tmp\System.dll | Type: executable
MD5: CFF85C549D536F651D4FB8387F1976F2
SHA256: 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8

PID: 3540 | Process: utweb_installer.exe | Filename: C:\Users\admin\AppData\Roaming\uTorrent Web\localization\es-la.lang | Type: text
MD5: 3205881F5139242227F5513E80091461
SHA256: 80A398E4A040FC95F40167FF18E8866625F74FF2230C5C181E8DA985641D0C95
HTTP(S) requests: 101
TCP/UDP connections: 417
DNS requests: 167
Threats: 9

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3540 | utweb_installer.exe | POST | 200 | 52.22.37.6:80 | http://i-4101.b-5828.utweb.bench.utorrent.com/e?i=4101 | unknown | | | unknown
6976 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | | | whitelisted
1288 | utweb.exe | POST | 200 | 44.221.93.128:80 | http://i-4101.b-10724.utweb_ui.bench.utorrent.com/e?i=4101&e=eyJhY3Rpb24iOiJ2MS4xMDcyNC5kZS5hcHAucGxhY2Vob2xkZXIuZGFzaGJvYXJkLnBsYWNlaG9sZGVyIiwiYXBwTmFtZSI6InV0d2ViIiwiYXBwVmVyc2lvbiI6IjEuNC4wLjU4MjguMTA3MjQiLCJpc1V0d2ViIjp0cnVlLCJ0dXRvcmlhbFZpZGVvSGFzaExpc3QiOlsiODBiMzlhMmUzN2FhMzUyY2QyZmNiZmJlZjdjNGE2ZTllOGNmZTQzOCIsIjlhMjNiZTZjNTVkNWY4ZDFlMjgyNjBlNDAzYmFlNTQxMjQ0MzU3OWUiLCIzOGU5NzIzNGZkNjBjNGYzMDM0NGQ5ZmFlODA4OTlhNzVmY2ZiZmZlIiwiNjFiM2I4ODU2YzQ4MzllZGY1MWY1YzIzNDY1OTliNmJlYzUyNDE0NSIsIjU2MmUyOWM3ODM2ZGFkYmNmNTViM2RlYmY4MzA2MzI3MTc2OWM5NGYiXSwidXVpZCI6IjgwNjhjNzI4ZmU1MWVmMTFiNGUzMThmNzc4NmY5NmVlIiwiYmVuY2hHZW8iOiJkZSIsInV0d2ViU2FtcGxlUmF0ZSI6MSwiZ2FCbG9ja2VyRGV0ZWN0ZWQiOm51bGwsIm5hbWUiOiJ0MCIsInRyYWNraW5nSWQiOiJVQS04ODY5ODEwMi0xMCIsImNvb2tpZU5hbWUiOiJfZ2EiLCJjb29raWVEb21haW4iOiJyYWluYmVycnl0di5jb20iLCJjb29raWVQYXRoIjoiLyIsImNvb2tpZUV4cGlyZXMiOjYzMDcyMDAwLCJsZWdhY3lIaXN0b3J5SW1wb3J0Ijp0cnVlLCJhbGxvd0xpbmtlciI6ZmFsc2UsImFsbG93QW5jaG9yIjp0cnVlLCJzYW1wbGVSYXRlIjoxMDAsInNpdGVTcGVlZFNhbXBsZVJhdGUiOjEsImFsd2F5c1NlbmRSZWZlcnJlciI6ZmFsc2UsInN0b3JhZ2UiOiJjb29raWUiLCJfZ2UiOnRydWUsImFwaVZlcnNpb24iOjEsImNsaWVudFZlcnNpb24iOiJqNTYiLCJfZ2NuIjoiX2dpZCIsImNsaWVudElkIjoiMTc3NzM1Nzg1OC4xNzIyNzMzNzU5IiwiX2dpZCI6IjIxMjg3MTE2MjIuMTcyMjczMzc1OSIsImxvY2F0aW9uIjoiaHR0cHM6Ly91dHdlYi5yYWluYmVycnl0di5jb20vZ3VpL2luZGV4Lmh0bWw/dj0xLjQuMC41ODI4Iiwic2NyZWVuUmVzb2x1dGlvbiI6IjEyODB4NzIwIiwic2NyZWVuQ29sb3JzIjoiMjQtYml0Iiwidmlld3BvcnRTaXplIjoiMTI3Mng2MDYiLCJlbmNvZGluZyI6IlVURi04IiwiamF2YUVuYWJsZWQiOmZhbHNlLCJsYW5ndWFnZSI6ImVuLXVzIiwiYWRTZW5zZUlkIjo0OTI3MjkxMDgsImRpbWVuc2lvbjEiOiIxNzc3MzU3ODU4LjE3MjI3MzM3NTkiLCJkaW1lbnNpb242IjoxLCJ0aXRsZSI6Is68VG9ycmVudCBXZWIiLCJzY3JlZW5OYW1lIjoiZGFzaGJvYXJkIiwicGFnZSI6Ii9kYXNoYm9hcmQiLCJkaW1lbnNpb24yIjoxNzIyNzMzNzU4NzU3LCJkaW1lbnNpb24zIjowLCJkaW1lbnNpb243IjoiODA2OGM3MjhmZTUxZWYxMWI0ZTMxOGY3Nzg2Zjk2ZWUiLCJoaXRUeXBlIjoiZXZlbnQiLCJfdGkiOjE3MjI3MzM3NTkwNzcsIl90byI6MTcsIl9oYyI6MywiX2oxIjoiIiwiX2oyIjoiIiwiX3MiOjMsImV2ZW50Q2F0ZWdvcnkiOiJhcHAiLCJldmVudEFjdGlvbiI6InBhZ2Vsb2FkIiwiZXZlbnRMYWJlbCI6ImRhc2hib2FyZCIsImV2ZW50TmFtZSI6InV0d2ViX3VpIiwiQlVJTERfTlVNQkVSIjoiMTA3MjQifQ== | unknown | | | whitelisted
1288 | utweb.exe | POST | 200 | 44.221.93.128:80 | http://i-4101.b-10724.utweb_ui.bench.utorrent.com/e?i=4101&e=… | unknown | | | whitelisted
1288 | utweb.exe | POST | 200 | 44.221.93.128:80 | http://i-4101.b-10724.utweb_ui.bench.utorrent.com/e?i=4101&e=… | unknown | | | whitelisted
1288 | utweb.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | | | whitelisted
1288 | utweb.exe | POST | 200 | 44.221.93.128:80 | http://i-4101.b-10724.utweb_ui.bench.utorrent.com/e?i=4101&e=… | unknown | | | whitelisted
1288 | utweb.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA3Ry9FoZbFjnbmEXM7L0qI%3D | unknown | | | whitelisted
1288 | utweb.exe | POST | 200 | 52.20.32.186:80 | http://i-4103.b-5828.utw.bench.utorrent.com/e?i=4103 | unknown | | | unknown
1288 | utweb.exe | POST | 200 | 52.207.183.181:80 | http://i-4103.b-5828.utw.bench.utorrent.com/e?i=4103 | unknown | | | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
3028 | RUXIMICS.exe | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4040 | svchost.exe | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
6672 | utweb_installer.tmp | 143.204.205.202:443 | d2sxdxjyuufits.cloudfront.net | AMAZON-02 | US | unknown
4 | System | 192.168.100.255:137 | | | | whitelisted
4040 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6672 | utweb_installer.tmp | 67.215.238.66:443 | download-lb.utorrent.com | ASN-QUADRANET-GLOBAL | US | unknown
5336 | SearchApp.exe | 104.126.37.131:443 | www.bing.com | Akamai International B.V. | DE | unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.174
whitelisted
d2sxdxjyuufits.cloudfront.net
  • 143.204.205.202
  • 143.204.205.172
  • 143.204.205.67
  • 143.204.205.63
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
download-lb.utorrent.com
  • 67.215.238.66
whitelisted
www.bing.com
  • 104.126.37.131
  • 104.126.37.139
  • 104.126.37.145
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.76
  • 40.126.32.136
  • 20.190.160.20
  • 40.126.32.140
  • 40.126.32.133
  • 40.126.32.134
  • 40.126.32.138
  • 20.190.160.22
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
th.bing.com
  • 104.126.37.145
  • 104.126.37.131
whitelisted
fd.api.iris.microsoft.com
  • 20.103.156.88
whitelisted

Threats

PID | Process | Class | Message
3540 | utweb_installer.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
3540 | utweb_installer.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
1288 | utweb.exe | Potential Corporate Privacy Violation | ET P2P BitTorrent DHT ping request
1288 | utweb.exe | Potentially Bad Traffic | ET POLICY Executable served from Amazon S3
1288 | utweb.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
7312 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
7312 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
7312 | msedge.exe | Potentially Bad Traffic | ET INFO Suspicious Domain (polyfill .io) in DNS Lookup
7312 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Global content delivery network (unpkg .com)

Process | Message
rsEngineSvc.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\ReasonLabs\EPP\x64\SQLite.Interop.dll"...
rsEDRSvc.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\ReasonLabs\EDR\x64\SQLite.Interop.dll"...