File name: highkings20182.jpg

Full analysis: https://app.any.run/tasks/528e4020-33fa-47b2-a23d-85e2adaf5f1a
Verdict: Malicious activity
Analysis date: March 23, 2018, 18:42:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: image/jpeg
File info: JPEG image data, baseline, precision 8, 2596x1732, frames 3
MD5: 33C17CCEAE4DB80EE28D7946F3358BC3
SHA1: C208F4C6F4C6AE8EF541A58FF26901DE4F713260
SHA256: 9BD8C7603E104ACF98B27513A8548C24DD972707AEC018C2C8175623E5ADAE2A
SSDEEP: 6144:dyjECtLa73hJ28dPld/5Ebux8SFKWIq6ez:4TtLa75L/5Ebo8S/6c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Changes IE settings (feature browser emulation)
      • uTorrent.exe (PID: 3084)
    • Creates files in the user directory
      • uTorrent.exe (PID: 3084)
    • Reads internet explorer settings
      • utorrentie.exe (PID: 388)
      • utorrentie.exe (PID: 2292)
  • INFO
    • Changes internet zones settings
      • iexplore.exe (PID: 3848)
    • Dropped object may contain URL's
      • uTorrent.exe (PID: 3084)
    • Application launched itself
      • iexplore.exe (PID: 3848)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.jpg | JPEG bitmap (75)
.mp3 | MP3 audio (25)

EXIF

XMP

XMPToolkit: Adobe XMP Core 5.6-c140 79.160451, 2017/05/06-01:08:21

Photoshop

IPTCDigest: d41d8cd98f00b204e9800998ecf8427e

APP14

DCTEncodeVersion: 100
APP14Flags0: [14], Encoded with Blend=1 downsampling
APP14Flags1: (none)
ColorTransform: YCbCr

Composite

ImageSize: 2596x1732
Megapixels: 4.5
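The "File info" line near the top (baseline, precision 8, 2596x1732, frames 3) and the APP14 fields listed under EXIF are all read straight out of the JPEG's own marker segments, and TRiD's secondary MP3 guess is exactly the kind of hint that makes it worth checking whether anything sits after the End-of-Image marker. The script below is an added example, not part of the ANY.RUN report: it walks the marker segments, reports the SOF type, sample precision, dimensions, component count (which libmagic prints as "frames") and the Adobe APP14 transform, computes the same three hashes the report lists, and counts bytes trailing EOI. It runs against a constructed minimal JPEG embedded inline, which is not the analysed highkings20182.jpg (its bytes are not on this page); pass a path on the command line to run it on a real file.

```python
import hashlib
import sys

SOF_NAMES = {0xC0: "baseline", 0xC1: "extended sequential", 0xC2: "progressive",
             0xC3: "lossless", 0xC9: "extended sequential (arithmetic)",
             0xCA: "progressive (arithmetic)", 0xCB: "lossless (arithmetic)"}
ADOBE_TRANSFORM = {0: "Unknown (RGB or CMYK)", 1: "YCbCr", 2: "YCCK"}

def _segment(marker, body):
    # 0xFF + marker byte + 2-byte length (which counts itself) + payload.
    return b"\xff" + bytes([marker]) + (len(body) + 2).to_bytes(2, "big") + body

def _sof0(precision, height, width, components):
    body = bytes([precision]) + height.to_bytes(2, "big") + width.to_bytes(2, "big")
    body += bytes([len(components)])
    for cid, sampling, qtable in components:
        body += bytes([cid, sampling, qtable])
    return _segment(0xC0, body)

def _app14_adobe(version, flags0, flags1, transform):
    body = b"Adobe" + version.to_bytes(2, "big") + flags0.to_bytes(2, "big")
    body += flags1.to_bytes(2, "big") + bytes([transform])
    return _segment(0xEE, body)

def _sos(component_ids):
    body = bytes([len(component_ids)]) + b"".join(bytes([c, 0x00]) for c in component_ids)
    return _segment(0xDA, body + b"\x00\x3f\x00")   # Ss=0, Se=63, Ah/Al=0: baseline scan

# Constructed stand-in, NOT the analysed file: SOI, Adobe APP14 with transform 1
# (YCbCr), baseline SOF0 of 2596x1732 with 3 components and 8-bit samples, a
# scan header, four bytes of fake entropy data, EOI.
SAMPLE_JPEG = (b"\xff\xd8"
               + _app14_adobe(100, 0x4000, 0x0000, 1)
               + _sof0(8, 1732, 2596, [(1, 0x22, 0), (2, 0x11, 1), (3, 0x11, 1)])
               + _sos([1, 2, 3]) + b"\x12\x34\x56\x78" + b"\xff\xd9")
# Same image with a constructed payload appended after EOI: a viewer still
# renders it, but trailing_bytes exposes the extra content.
POLYGLOT_JPEG = SAMPLE_JPEG + b"ID3\x03\x00" + b"\x00" * 8

def parse_jpeg(data):
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    info = {"md5": hashlib.md5(data).hexdigest().upper(),
            "sha1": hashlib.sha1(data).hexdigest().upper(),
            "sha256": hashlib.sha256(data).hexdigest().upper(),
            "sof": None, "precision": None, "height": None, "width": None,
            "components": None, "adobe": None, "trailing_bytes": None}
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        while pos < len(data) and data[pos] == 0xFF:   # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker == 0xD9:                             # EOI: nothing after it is image data
            info["trailing_bytes"] = len(data) - pos
            return info
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length field
            continue
        length = int.from_bytes(data[pos:pos + 2], "big")
        if length < 2 or pos + length > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        segment = data[pos + 2:pos + length]
        if marker in SOF_NAMES:
            info["sof"] = SOF_NAMES[marker]
            info["precision"] = segment[0]
            info["height"] = int.from_bytes(segment[1:3], "big")
            info["width"] = int.from_bytes(segment[3:5], "big")
            info["components"] = segment[5]
        elif marker == 0xEE and segment.startswith(b"Adobe"):
            info["adobe"] = {"version": int.from_bytes(segment[5:7], "big"),
                             "flags0": int.from_bytes(segment[7:9], "big"),
                             "flags1": int.from_bytes(segment[9:11], "big"),
                             "transform": ADOBE_TRANSFORM.get(segment[11], "unknown (%d)" % segment[11])}
        pos += length
        if marker == 0xDA:
            # Entropy-coded data follows SOS; skip to the next marker that is
            # neither a stuffed 0xFF00 nor a restart marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker: file is truncated")

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_JPEG
    for key, value in parse_jpeg(blob).items():
        print("%-15s %s" % (key, value))
```

A non-zero trailing_bytes on a file that renders normally is the thing to chase next; TRiD scoring a second format is often that appended content being recognised. Note that a parser like this only proves what the image container declares, not that the decoder on the victim host will treat the bytes the same way.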
All screenshots are available in the full report
Total processes
39
Monitored processes
6
Malicious processes
0
Suspicious processes
0

Behavior graph

Graph nodes (from start): rundll32.exe (no specs); utorrent.exe; utorrentie.exe (no specs); utorrentie.exe (no specs); iexplore.exe (no specs); iexplore.exe (no specs)

Process information

PID: 388
CMD: "C:\Users\admin\AppData\Roaming\uTorrent\updates\3.5.0_44090\utorrentie.exe" uTorrent_3084_02633310_1656322002 µTorrent4823DF041B09 uTorrent
Path: C:\Users\admin\AppData\Roaming\uTorrent\updates\3.5.0_44090\utorrentie.exe
Parent process: uTorrent.exe
User: admin
Company: BitTorrent Inc.
Integrity Level: LOW
Description: WebHelper
Exit code: 0
Version: 1.0.0
Modules (Images):
c:\users\admin\appdata\roaming\utorrent\updates\3.5.0_44090\utorrentie.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

PID: 2292
CMD: "C:\Users\admin\AppData\Roaming\uTorrent\updates\3.5.0_44090\utorrentie.exe" uTorrent_3084_026331E0_1751659827 µTorrent4823DF041B09 uTorrent
Path: C:\Users\admin\AppData\Roaming\uTorrent\updates\3.5.0_44090\utorrentie.exe
Parent process: uTorrent.exe
User: admin
Company: BitTorrent Inc.
Integrity Level: LOW
Description: WebHelper
Exit code: 0
Version: 1.0.0
Modules (Images):
c:\users\admin\appdata\roaming\utorrent\updates\3.5.0_44090\utorrentie.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

PID: 2764
CMD: "C:\Windows\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\AppData\Local\Temp\highkings20182.jpg
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll

PID: 2792
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3848 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 3084
CMD: "C:\Users\admin\AppData\Roaming\uTorrent\uTorrent.exe"
Path: C:\Users\admin\AppData\Roaming\uTorrent\uTorrent.exe
Parent process: explorer.exe
User: admin
Company: BitTorrent Inc.
Integrity Level: MEDIUM
Description: µTorrent
Exit code: 0
Version: 3.5.0.44090
Modules (Images):
c:\users\admin\appdata\roaming\utorrent\utorrent.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll

PID: 3848
CMD: "C:\Program Files\Internet Explorer\iexplore.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
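Every indicator this report lists is raised on uTorrent.exe, utorrentie.exe or iexplore.exe, and the process table shows their parents as explorer.exe and each other; none of them descends from the rundll32.exe/PhotoViewer.dll process that actually opened the sample. The script below is an added example, not part of ANY.RUN's report: it rebuilds the process tree from the table above and sorts the listed indicators into those raised inside the sample's process lineage and those raised by unrelated applications already present in the sandbox image. Parent PIDs are an assumption inferred from the CMD lines (utorrentie.exe's "uTorrent_3084_..." tag and the child iexplore.exe's "SCODEF:3848"); explorer.exe is not a monitored process, so it gets placeholder PID 0, and the CMD strings are abbreviated.

```python
from collections import defaultdict

# Constructed from the "Process information" table of this report. ppid values
# are an ASSUMPTION (the table names parents only by image name); PID 0 stands
# in for the unmonitored explorer.exe.
PROCESSES = [
    {"pid": 0,    "ppid": None, "name": "explorer.exe", "cmd": ""},
    {"pid": 2764, "ppid": 0,    "name": "rundll32.exe",
     "cmd": r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", '
            r'ImageView_Fullscreen C:\Users\admin\AppData\Local\Temp\highkings20182.jpg'},
    {"pid": 3084, "ppid": 0,    "name": "uTorrent.exe",
     "cmd": r'"C:\Users\admin\AppData\Roaming\uTorrent\uTorrent.exe"'},
    {"pid": 388,  "ppid": 3084, "name": "utorrentie.exe",
     "cmd": r'"C:\Users\admin\AppData\Roaming\uTorrent\updates\3.5.0_44090\utorrentie.exe" uTorrent_3084_02633310_1656322002'},
    {"pid": 2292, "ppid": 3084, "name": "utorrentie.exe",
     "cmd": r'"C:\Users\admin\AppData\Roaming\uTorrent\updates\3.5.0_44090\utorrentie.exe" uTorrent_3084_026331E0_1751659827'},
    {"pid": 3848, "ppid": 0,    "name": "iexplore.exe",
     "cmd": r'"C:\Program Files\Internet Explorer\iexplore.exe"'},
    {"pid": 2792, "ppid": 3848, "name": "iexplore.exe",
     "cmd": r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3848 CREDAT:71937'},
]

# The report's indicators, keyed by the PID each one was raised on.
INDICATORS = [
    ("SUSPICIOUS", "Changes IE settings (feature browser emulation)", 3084),
    ("SUSPICIOUS", "Creates files in the user directory", 3084),
    ("SUSPICIOUS", "Reads internet explorer settings", 388),
    ("SUSPICIOUS", "Reads internet explorer settings", 2292),
    ("INFO", "Changes internet zones settings", 3848),
    ("INFO", "Dropped object may contain URL's", 3084),
    ("INFO", "Application launched itself", 3848),
]

def build_tree(processes):
    by_pid = {p["pid"]: p for p in processes}
    children = defaultdict(list)
    for p in processes:
        if p["ppid"] is not None:
            children[p["ppid"]].append(p["pid"])
    return by_pid, children

def find_sample_roots(processes, sample_name):
    # The process that opened the sample is the one whose command line names it.
    return [p["pid"] for p in processes if sample_name.lower() in p["cmd"].lower()]

def descendants(children, pid):
    seen, stack = set(), list(children.get(pid, []))
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(children.get(cur, []))
    return seen

def lineage(by_pid, pid):
    # Image names from the process up to the root, e.g. child <- parent <- ...
    names = []
    while pid is not None and pid in by_pid:
        names.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return names

def attribute(processes, indicators, sample_name):
    by_pid, children = build_tree(processes)
    in_scope = set()
    for root in find_sample_roots(processes, sample_name):
        in_scope.add(root)
        in_scope |= descendants(children, root)
    result = {"sample": [], "unrelated": []}
    for level, text, pid in indicators:
        entry = (level, text, pid, " <- ".join(lineage(by_pid, pid)))
        result["sample" if pid in in_scope else "unrelated"].append(entry)
    return result

if __name__ == "__main__":
    res = attribute(PROCESSES, INDICATORS, "highkings20182.jpg")
    for bucket in ("sample", "unrelated"):
        print("%s (%d):" % (bucket, len(res[bucket])))
        for level, text, pid, chain in res[bucket]:
            print("  [%s] %s  pid=%d  %s" % (level, text, pid, chain))
```

For this report every listed indicator lands in the "unrelated" bucket, which matches the "Malicious processes: 0" count further down and is worth weighing against the "Malicious activity" verdict at the top. The same attribution check is the first thing to run on any sandbox report where the image ships with third-party software that phones home on its own.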
Total events
436
Read events
367
Write events
69
Delete events
0

Modification events

Process: (2764) rundll32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: rundll32.exe

Process: (2764) rundll32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows Photo Viewer\Viewer
Operation: write
Name: MainWndPos
Value: 6000000034000000A00400008002000000000000

Process: (3084) uTorrent.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\8F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3084) uTorrent.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Operation: write
Name: utorrentie.exe
Value: 11000

Process: (3084) uTorrent.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION
Operation: write
Name: utorrentie.exe
Value: 1

Process: (3084) uTorrent.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOMAIN_REDIRECT_MITIGATION
Operation: write
Name: utorrentie.exe
Value: 0

Process: (3084) uTorrent.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

Process: (3084) uTorrent.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000005D00000009000000000000000000000000000000040000000000000090CE7F108CAFD301000000000000000000000000020000001700000000000000FE80000000000000D45917EAB3ED3D860B000000000000001700000000000000FE80000000000000D45917EAB3ED3D860B000000000000001C00000000000000000000000000000000000000000000000000000000000000170000000000000000000000000000000000FFFFC0A8640B000000000000000002000000C0A864640000000000000000000000000000000000000000000000000C00000C37D0000010A73800D8703600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000081F800009000230090002300380023000000000000702C000A00000000000000F8412C00

Process: (388) utorrentie.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{83CCBB90-220C-4C0F-9BBD-360241D30CC7}
Operation: write
Name: WpadDecisionReason
Value: 1

Process: (388) utorrentie.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{83CCBB90-220C-4C0F-9BBD-360241D30CC7}
Operation: write
Name: WpadDecisionTime
Value: B07160C8D6C2D301
Executable files
1
Suspicious files
10
Text files
8
Unknown types
0

Dropped files

PID | Process | Filename
3084 | uTorrent.exe | C:\Users\admin\AppData\Local\Temp\Cab5BE1.tmp
3084 | uTorrent.exe | C:\Users\admin\AppData\Local\Temp\Tar5BE2.tmp
3084 | uTorrent.exe | C:\Users\admin\AppData\Local\Temp\Cab5BF3.tmp
3084 | uTorrent.exe | C:\Users\admin\AppData\Local\Temp\Tar5BF4.tmp
3084 | uTorrent.exe | C:\Users\admin\AppData\Local\Temp\Cab70A6.tmp
3084 | uTorrent.exe | C:\Users\admin\AppData\Local\Temp\Tar70A7.tmp
3084 | uTorrent.exe | C:\Users\admin\AppData\Roaming\uTorrent\settings.dat.new
3084 | uTorrent.exe | C:\Users\admin\AppData\Local\Temp\utt74FD.tmp
3084 | uTorrent.exe | C:\Users\admin\AppData\Roaming\uTorrent\apps\plus.btapp.new
3084 | uTorrent.exe | C:\Users\admin\AppData\Roaming\uTorrent\dht_feed.dat.new
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
156
DNS requests
18
Threats
8

HTTP requests

Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
GET | - | 173.254.195.58:80 | http://update.bittorrent.com/time.php | US | - | - | whitelisted
GET | 304 | 208.111.149.129:80 | http://apps.bittorrent.com/utorrent-onboarding/player.btapp?h=35FmVrb4p-7SQFSt&v=111258682&ol=en&ul=&tk=stable34&c=uTorrent | US | - | - | whitelisted
GET | 200 | 69.164.56.4:80 | http://cdn.ap.bittorrent.com/control/tags/ut.json | US | text | 8.24 Kb | shared
GET | 200 | 87.248.214.108:80 | http://www.bt.co/network/index.html?site=954555&reload=true&rules=eyI0IjpbNF0sIjUiOls1XSwiMzgwIjpbMzgwLCA1XX0&adt=4&browser=ie&clientdata=utorrent%7c3%2e5%2e0%2e44090%7c290&geo=us&ie=8&page=torrent&w=498139398&langs=en | IT | html | 599 b | whitelisted
GET | 200 | 69.28.184.1:80 | http://cdn.ap.bittorrent.com/control/feature/tags/ut.json | US | text | 3.73 Kb | shared
GET | 200 | 87.248.214.108:80 | http://www.bt.co/assets/js/3p/ie8.js | IT | text | 7.34 Kb | whitelisted
GET | 200 | 87.248.214.108:80 | http://www.bt.co/assets/js/index-bundled.js | IT | text | 109 Kb | whitelisted
GET | 200 | 87.248.214.108:80 | http://www.bt.co/network/start.html?langs=en | IT | html | 1.34 Kb | whitelisted
POST | 200 | 23.23.85.1:80 | http://i-32.b-44090.ut.bench.utorrent.com/e?i=32 | US | text | 21 b | whitelisted
POST | 200 | 23.21.92.252:80 | http://i-43.b-44090.ut.bench.utorrent.com/e?i=43 | US | text | 21 b | shared

Connections

IP | Domain | ASN | CN | Reputation
54.235.208.27:80 | i-30.b-44090.ut.bench.utorrent.com | Amazon.com, Inc. | US | whitelisted
54.192.218.98:80 | now.bt.co | Amazon.com, Inc. | US | unknown
208.111.149.129:80 | apps.bittorrent.com | Limelight Networks, Inc. | US | suspicious
52.85.26.33:80 | utclient.utorrent.com | Amazon.com, Inc. | US | unknown
54.192.218.98:443 | now.bt.co | Amazon.com, Inc. | US | unknown
69.164.56.4:80 | cdn.ap.bittorrent.com | Limelight Networks, Inc. | US | suspicious
173.254.195.58:80 | update.bittorrent.com | QuadraNet, Inc | US | suspicious
69.28.184.1:80 | cdn.ap.bittorrent.com | Limelight Networks, Inc. | US | suspicious
82.221.103.244:6881 | router.utorrent.com | Thor Data Center ehf | IS | suspicious
67.215.246.10:6881 | router.bittorrent.com | QuadraNet, Inc | US | suspicious

DNS requests

Domain | IP | Reputation
www.download.windowsupdate.com | 93.184.221.240 | whitelisted
router.bittorrent.com | 67.215.246.10 | shared
router.utorrent.com | 82.221.103.244 | whitelisted
i-30.b-44090.ut.bench.utorrent.com | 54.235.208.27, 23.23.215.82, 23.21.92.252, 23.21.139.158, 23.23.85.1, 54.197.251.114, 54.225.194.96, 174.129.255.167 | shared
apps.bittorrent.com | 69.164.0.0, 208.111.149.129 | whitelisted
utclient.utorrent.com | 52.85.26.186, 52.85.26.33, 52.85.26.121, 52.85.26.40, 52.85.26.54, 52.85.26.167, 52.85.26.217, 52.85.26.65 | shared
now.bt.co | 54.192.218.98 | whitelisted
update.bittorrent.com | 173.254.195.58 | whitelisted
cdn.ap.bittorrent.com | 69.164.56.4, 69.28.184.1 | shared
i-29.b-44090.ut.bench.utorrent.com | 54.235.208.27, 23.23.215.82, 23.21.92.252, 23.21.139.158, 23.23.85.1, 54.197.251.114, 54.225.194.96, 174.129.255.167 | shared

Threats

Class | Message | Count
Potential Corporate Privacy Violation | ET P2P BTWebClient UA uTorrent in use | 7
Potential Corporate Privacy Violation | ET P2P BitTorrent DHT ping request | 1
No debug info