Malware analysis utorrent_installer.exe Malicious activity

Add for printing

File name:	utorrent_installer.exe
Full analysis:	https://app.any.run/tasks/2e0ee010-2e6d-48ac-b424-b01187b96e01
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	August 26, 2024, 13:22:20
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	adware innosetup loader stealer netreactor
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	AB8230A8D4A95AD7702D0F8E76405022
SHA1:	BE07E2F1B660D01371366D90546C1565C5FFDD99
SHA256:	D01C9BADF0515CCF84EB54CFD3954FE2915B852654AEBFC73A17E17C93ABDE3A
SSDEEP:	49152:M7HecD4dnbibBl3z5jnaTzI+BM55dF79UlwpfZYLJjd8qXD6qQxfLvdsq04AjqZh:g+cD4dnWz5jnaPIeM51rZYLJpOqECqJ5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- INNOSETUP has been detected (SURICATA)
  - utorrent_installer.tmp (PID: 2232)
- Actions looks like stealing of personal data
  - UnifiedStub-installer.exe (PID: 488)
- Changes the autorun value in the registry
  - MicrosoftEdgeUpdate.exe (PID: 2112)
SUSPICIOUS
- Drops the executable file immediately after the start
  - utorrent_installer.exe (PID: 6188)
  - utorrent_installer.tmp (PID: 2232)
  - uTorrent.exe (PID: 6324)
  - utorrent.exe (PID: 2092)
  - component0.exe (PID: 3316)
  - 5quzwvha.exe (PID: 7156)
  - UnifiedStub-installer.exe (PID: 488)
  - uTorrent.exe (PID: 1436)
  - MicrosoftEdgeWebView2Setup.exe (PID: 1356)
  - MicrosoftEdgeUpdate.exe (PID: 2112)
- Reads the date of Windows installation
  - utorrent_installer.tmp (PID: 3984)
  - uTorrent.exe (PID: 6324)
  - utorrent_installer.tmp (PID: 2232)
  - component0.exe (PID: 3316)
  - MicrosoftEdgeUpdate.exe (PID: 2112)
- Reads security settings of Internet Explorer
  - utorrent_installer.tmp (PID: 3984)
  - uTorrent.exe (PID: 6324)
  - utorrent.exe (PID: 2092)
  - component0.exe (PID: 3316)
  - utorrent_installer.tmp (PID: 2232)
  - uTorrent.exe (PID: 1436)
  - utorrentie.exe (PID: 6312)
  - utorrentie.exe (PID: 7028)
  - utorrentie.exe (PID: 6988)
  - utorrentie.exe (PID: 6740)
  - MicrosoftEdgeUpdate.exe (PID: 2112)
  - utorrentie.exe (PID: 7928)
- Executable content was dropped or overwritten
  - utorrent_installer.exe (PID: 6188)
  - utorrent_installer.tmp (PID: 2232)
  - uTorrent.exe (PID: 6324)
  - utorrent.exe (PID: 2092)
  - component0.exe (PID: 3316)
  - 5quzwvha.exe (PID: 7156)
  - UnifiedStub-installer.exe (PID: 488)
  - uTorrent.exe (PID: 1436)
  - MicrosoftEdgeWebView2Setup.exe (PID: 1356)
  - MicrosoftEdgeUpdate.exe (PID: 2112)
- Access to an unwanted program domain was detected
  - utorrent_installer.tmp (PID: 2232)
- Potential Corporate Privacy Violation
  - utorrent_installer.tmp (PID: 2232)
  - utorrent.exe (PID: 2092)
  - uTorrent.exe (PID: 1436)
  - svchost.exe (PID: 7660)
- The process creates files with name similar to system file names
  - uTorrent.exe (PID: 6324)
- Checks Windows Trust Settings
  - utorrent.exe (PID: 2092)
  - uTorrent.exe (PID: 1436)
  - utorrentie.exe (PID: 6988)
  - utorrentie.exe (PID: 6740)
  - utorrentie.exe (PID: 7028)
  - utorrentie.exe (PID: 7928)
- Creates a software uninstall entry
  - utorrent.exe (PID: 2092)
  - UnifiedStub-installer.exe (PID: 488)
- Searches for installed software
  - utorrent.exe (PID: 2092)
  - UnifiedStub-installer.exe (PID: 488)
  - uTorrent.exe (PID: 1436)
- Process drops legitimate windows executable
  - 5quzwvha.exe (PID: 7156)
  - uTorrent.exe (PID: 1436)
  - MicrosoftEdgeWebView2Setup.exe (PID: 1356)
  - MicrosoftEdgeUpdate.exe (PID: 2112)
- Executes as Windows Service
  - rsSyncSvc.exe (PID: 6472)
- Mutex name with non-standard characters
  - uTorrent.exe (PID: 1436)
- Changes Internet Explorer settings (feature browser emulation)
  - uTorrent.exe (PID: 1436)
- Reads Microsoft Outlook installation path
  - utorrentie.exe (PID: 6312)
  - utorrentie.exe (PID: 6740)
  - utorrentie.exe (PID: 6988)
  - utorrentie.exe (PID: 7028)
  - utorrentie.exe (PID: 7928)
- Reads Internet Explorer settings
  - utorrentie.exe (PID: 6312)
  - utorrentie.exe (PID: 6740)
  - utorrentie.exe (PID: 6988)
  - utorrentie.exe (PID: 7028)
  - utorrentie.exe (PID: 7928)
- Executes application which crashes
  - utorrent_installer.tmp (PID: 2232)
- Process requests binary or script from the Internet
  - utorrentie.exe (PID: 6740)
- Starts a Microsoft application from unusual location
  - MicrosoftEdgeUpdate.exe (PID: 2112)
- Creates/Modifies COM task schedule object
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7628)
  - MicrosoftEdgeUpdate.exe (PID: 7528)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7700)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7752)
- Starts itself from another location
  - MicrosoftEdgeUpdate.exe (PID: 2112)
INFO
- Create files in a temporary directory
  - utorrent_installer.exe (PID: 6188)
  - utorrent_installer.tmp (PID: 2232)
  - utorrent.exe (PID: 2092)
  - uTorrent.exe (PID: 6324)
  - component0.exe (PID: 3316)
  - 5quzwvha.exe (PID: 7156)
  - uTorrent.exe (PID: 1436)
  - MicrosoftEdgeWebView2Setup.exe (PID: 1356)
  - MicrosoftEdgeUpdate.exe (PID: 2112)
  - svchost.exe (PID: 7660)
- Checks supported languages
  - utorrent_installer.exe (PID: 6188)
  - utorrent_installer.tmp (PID: 3984)
  - uTorrent.exe (PID: 6324)
  - utorrent.exe (PID: 2092)
  - utorrent_installer.tmp (PID: 2232)
  - component0.exe (PID: 3316)
  - 5quzwvha.exe (PID: 7156)
  - rsSyncSvc.exe (PID: 5516)
  - UnifiedStub-installer.exe (PID: 488)
  - uTorrent.exe (PID: 1436)
  - utorrentie.exe (PID: 6312)
  - rsSyncSvc.exe (PID: 6472)
  - utorrentie.exe (PID: 7028)
  - utorrentie.exe (PID: 6988)
  - utorrentie.exe (PID: 6740)
  - MicrosoftEdgeWebView2Setup.exe (PID: 1356)
  - MicrosoftEdgeUpdate.exe (PID: 2112)
  - MicrosoftEdgeUpdate.exe (PID: 7528)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7628)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7700)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7752)
  - MicrosoftEdgeUpdate.exe (PID: 7936)
  - MicrosoftEdgeUpdate.exe (PID: 7984)
  - MicrosoftEdgeUpdate.exe (PID: 8060)
  - utorrentie.exe (PID: 7928)
- Reads the computer name
  - utorrent_installer.tmp (PID: 3984)
  - uTorrent.exe (PID: 6324)
  - utorrent.exe (PID: 2092)
  - component0.exe (PID: 3316)
  - UnifiedStub-installer.exe (PID: 488)
  - rsSyncSvc.exe (PID: 5516)
  - uTorrent.exe (PID: 1436)
  - utorrentie.exe (PID: 6312)
  - rsSyncSvc.exe (PID: 6472)
  - utorrentie.exe (PID: 7028)
  - utorrentie.exe (PID: 6988)
  - utorrentie.exe (PID: 6740)
  - MicrosoftEdgeUpdate.exe (PID: 2112)
  - MicrosoftEdgeUpdate.exe (PID: 7528)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7628)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7752)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7700)
  - MicrosoftEdgeUpdate.exe (PID: 7936)
  - MicrosoftEdgeUpdate.exe (PID: 7984)
  - MicrosoftEdgeUpdate.exe (PID: 8060)
  - utorrentie.exe (PID: 7928)
- Process checks computer location settings
  - utorrent_installer.tmp (PID: 3984)
  - uTorrent.exe (PID: 6324)
  - utorrent_installer.tmp (PID: 2232)
  - component0.exe (PID: 3316)
  - MicrosoftEdgeUpdate.exe (PID: 2112)
- Checks proxy server information
  - utorrent_installer.tmp (PID: 2232)
  - uTorrent.exe (PID: 6324)
  - utorrent.exe (PID: 2092)
  - component0.exe (PID: 3316)
  - UnifiedStub-installer.exe (PID: 488)
  - uTorrent.exe (PID: 1436)
  - utorrentie.exe (PID: 6312)
  - utorrentie.exe (PID: 6988)
  - utorrentie.exe (PID: 6740)
  - utorrentie.exe (PID: 7028)
  - MicrosoftEdgeUpdate.exe (PID: 7936)
  - WerFault.exe (PID: 6164)
  - MicrosoftEdgeUpdate.exe (PID: 8060)
  - WerFault.exe (PID: 7776)
  - utorrentie.exe (PID: 7928)
- Reads the software policy settings
  - utorrent_installer.tmp (PID: 2232)
  - component0.exe (PID: 3316)
  - UnifiedStub-installer.exe (PID: 488)
  - utorrentie.exe (PID: 6740)
  - utorrentie.exe (PID: 7028)
  - utorrentie.exe (PID: 6988)
  - MicrosoftEdgeUpdate.exe (PID: 7936)
  - WerFault.exe (PID: 6164)
  - MicrosoftEdgeUpdate.exe (PID: 8060)
  - utorrentie.exe (PID: 7928)
  - WerFault.exe (PID: 7776)
- Creates files or folders in the user directory
  - uTorrent.exe (PID: 6324)
  - utorrent.exe (PID: 2092)
  - uTorrent.exe (PID: 1436)
  - utorrentie.exe (PID: 6312)
  - utorrentie.exe (PID: 6988)
  - utorrentie.exe (PID: 7028)
  - utorrentie.exe (PID: 6740)
  - MicrosoftEdgeUpdate.exe (PID: 2112)
  - WerFault.exe (PID: 6164)
  - utorrentie.exe (PID: 7928)
  - WerFault.exe (PID: 7776)
- Reads the machine GUID from the registry
  - utorrent.exe (PID: 2092)
  - component0.exe (PID: 3316)
  - UnifiedStub-installer.exe (PID: 488)
  - uTorrent.exe (PID: 1436)
  - utorrentie.exe (PID: 6740)
  - utorrentie.exe (PID: 6988)
  - utorrentie.exe (PID: 7028)
  - utorrentie.exe (PID: 7928)
- Disables trace logs
  - component0.exe (PID: 3316)
  - UnifiedStub-installer.exe (PID: 488)
- Reads Environment values
  - component0.exe (PID: 3316)
  - UnifiedStub-installer.exe (PID: 488)
  - MicrosoftEdgeUpdate.exe (PID: 7936)
- Creates files in the program directory
  - UnifiedStub-installer.exe (PID: 488)
- Process checks Internet Explorer phishing filters
  - utorrentie.exe (PID: 6312)
  - utorrentie.exe (PID: 6740)
  - utorrentie.exe (PID: 7028)
  - utorrentie.exe (PID: 6988)
  - utorrentie.exe (PID: 7928)
- Reads Microsoft Office registry keys
  - uTorrent.exe (PID: 1436)
  - msedge.exe (PID: 5712)
- Application launched itself
  - msedge.exe (PID: 5712)
- .NET Reactor protector has been detected
  - UnifiedStub-installer.exe (PID: 488)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Inno Setup installer (65.1)
.exe	\|	Win32 EXE PECompact compressed (generic) (24.6)
.dll	\|	Win32 Dynamic Link Library (generic) (3.9)
.exe	\|	Win32 Executable (generic) (2.6)
.exe	\|	Win16/32 Executable Delphi generic (1.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:02:15 14:54:16+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	741888
InitializedDataSize:	73216
UninitializedDataSize:	-
EntryPoint:	0xb5eec
OSVersion:	6.1
ImageVersion:	6
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	3.6.0.0
ProductVersionNumber:	3.6.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:
FileDescription:	uТorrеnt® Classic
FileVersion:	3.6
LegalCopyright:	©2022 RainBerry Inc. All Rights Reserved
OriginalFileName:
ProductName:	uТorrеnt® Classic
ProductVersion:	3.6

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

179

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

488

.\UnifiedStub-installer.exe /silent

C:\Users\admin\AppData\Local\Temp\7zS4FB6E673\UnifiedStub-installer.exe

5quzwvha.exe

User:

admin

Company:

Reason Software Company Inc.

Integrity Level:

HIGH

Description:

UnifiedStub

Version:

6.0.6

Modules

Images
c:\users\admin\appdata\local\temp\7zs4fb6e673\unifiedstub-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

608

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2732 --field-trial-handle=2736,i,7051515185000847419,14408970880117027495,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1356

MicrosoftEdgeWebView2Setup.exe /silent /install

C:\Users\admin\AppData\Roaming\utorrent\MicrosoftEdgeWebView2Setup.exe

uTorrent.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge Update Setup

Version:

1.3.195.15

Modules

Images
c:\users\admin\appdata\roaming\utorrent\microsoftedgewebview2setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1436

"C:\Users\admin\AppData\Roaming\uTorrent\uTorrent.exe"

C:\Users\admin\AppData\Roaming\utorrent\uTorrent.exe

utorrent_installer.tmp

User:

admin

Company:

BitTorrent Limited

Integrity Level:

MEDIUM

Description:

µTorrent

Version:

3.6.0.47132

Modules

Images
c:\users\admin\appdata\roaming\utorrent\utorrent.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

2092

"C:\Users\admin\AppData\Local\Temp\nsv52.tmp\utorrent.exe" /S /FORCEINSTALL 1110000101111110

C:\Users\admin\AppData\Local\Temp\nsv52.tmp\utorrent.exe

uTorrent.exe

User:

admin

Company:

BitTorrent Limited

Integrity Level:

HIGH

Description:

µTorrent

Exit code:

Version:

3.6.0.47132

Modules

Images
c:\users\admin\appdata\local\temp\nsv52.tmp\utorrent.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

2112

C:\Users\admin\AppData\Local\Temp\EU2771.tmp\MicrosoftEdgeUpdate.exe /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"

C:\Users\admin\AppData\Local\Temp\EU2771.tmp\MicrosoftEdgeUpdate.exe

MicrosoftEdgeWebView2Setup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge Update

Version:

1.3.195.15

Modules

Images
c:\users\admin\appdata\local\temp\eu2771.tmp\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll

2232

"C:\Users\admin\AppData\Local\Temp\is-HDVMK.tmp\utorrent_installer.tmp" /SL5="$803A6,840718,816128,C:\Users\admin\AppData\Local\Temp\utorrent_installer.exe" /SPAWNWND=$603D2 /NOTIFYWND=$704DC

C:\Users\admin\AppData\Local\Temp\is-HDVMK.tmp\utorrent_installer.tmp

utorrent_installer.exe

User:

admin

Company:

Integrity Level:

HIGH

Description:

Setup/Uninstall

Exit code:

3221226525

Version:

51.1052.0.0

Modules

Images
c:\windows\syswow64\explorerframe.dll
c:\windows\syswow64\ondemandconnroutehelper.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\windowscodecs.dll
c:\windows\syswow64\dataexchange.dll
c:\windows\syswow64\dcomp.dll
c:\windows\syswow64\d3d11.dll
c:\windows\syswow64\dxgi.dll
c:\windows\syswow64\twinapi.appcore.dll

3316

"C:\Users\admin\AppData\Local\Temp\is-NNQNO.tmp\component0.exe" -ip:"dui=bb926e54-e3ca-40fd-ae90-2764341e7792&dit=20240826132230&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=707e&a=100&b=&se=true" -vp:"dui=bb926e54-e3ca-40fd-ae90-2764341e7792&dit=20240826132230&oc=ZB_RAV_Cross_Tri_NCB&p=707e&a=100&oip=26&ptl=7&dta=true" -dp:"dui=bb926e54-e3ca-40fd-ae90-2764341e7792&dit=20240826132230&oc=ZB_RAV_Cross_Tri_NCB&p=707e&a=100" -i -v -d -se=true

C:\Users\admin\AppData\Local\Temp\is-NNQNO.tmp\component0.exe

utorrent_installer.tmp

User:

admin

Company:

Reason Software Company Inc.

Integrity Level:

HIGH

Description:

rsStubActivator

Version:

1.6.1.0

Modules

Images
c:\users\admin\appdata\local\temp\is-nnqno.tmp\component0.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

3984

"C:\Users\admin\AppData\Local\Temp\is-87E6D.tmp\utorrent_installer.tmp" /SL5="$704DC,840718,816128,C:\Users\admin\AppData\Local\Temp\utorrent_installer.exe"

C:\Users\admin\AppData\Local\Temp\is-87E6D.tmp\utorrent_installer.tmp

—

utorrent_installer.exe

User:

admin

Company:

Integrity Level:

MEDIUM

Description:

Setup/Uninstall

Exit code:

3221226525

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-87e6d.tmp\utorrent_installer.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll

4284

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x314,0x320,0x324,0x26c,0x32c,0x7fffca6e5fd8,0x7fffca6e5fe4,0x7fffca6e5ff0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

Add for printing

Total events

51 340

Read events

50 396

Write events

881

Delete events

Modification events


(PID) Process:	(6324) uTorrent.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6324) uTorrent.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6324) uTorrent.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6324) uTorrent.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6324) uTorrent.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6324) uTorrent.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6324) uTorrent.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2092) utorrent.exe	Key:	HKEY_CLASSES_ROOT\FalconBetaAccount
Operation:	write	Name:	remote_access_client_id
Value: 9851630666
(PID) Process:	(2092) utorrent.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\BitTorrent
Operation:	write	Name:	computerID
Value: 31940738E382C114AF96F63B3B3E1A5915B4D672B5BADCDD
(PID) Process:	(2092) utorrent.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

Add for printing

Executable files

286

Suspicious files

112

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2092	utorrent.exe	C:\Users\admin\AppData\Local\Temp\utt572.tmp		—
		MD5:—	SHA256:—
2232	utorrent_installer.tmp	C:\Users\admin\AppData\Local\Temp\is-NNQNO.tmp\RAV_Cross.png		image
		MD5:CD09F361286D1AD2622BA8A57B7613BD	SHA256:B92A31D4853D1B2C4E5B9D9624F40B439856D0C6A517E100978CBDE8D3C47DC8
2232	utorrent_installer.tmp	C:\Users\admin\AppData\Local\Temp\is-NNQNO.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
2232	utorrent_installer.tmp	C:\Users\admin\AppData\Local\Temp\is-NNQNO.tmp\is-NARPI.tmp		image
		MD5:CD09F361286D1AD2622BA8A57B7613BD	SHA256:B92A31D4853D1B2C4E5B9D9624F40B439856D0C6A517E100978CBDE8D3C47DC8
6188	utorrent_installer.exe	C:\Users\admin\AppData\Local\Temp\is-87E6D.tmp\utorrent_installer.tmp		executable
		MD5:B5C6503FA27E20B063757F38E846ED67	SHA256:7D4547431C74B2797F1C7B624562084AB56AAA0C2F0A98B06987806ADB739EAB
2092	utorrent.exe	C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\1f91d2d17ea675d4c2c3192e241743f9_bb926e54-e3ca-40fd-ae90-2764341e7792		binary
		MD5:75398B4451F9ABF6BD5BC752B2694182	SHA256:8A327234B30B3CAF572D7D2DD134350257A5126AE17201D2D6C840A567CDCFDC
2232	utorrent_installer.tmp	C:\Users\admin\AppData\Local\Temp\is-NNQNO.tmp\uTorrent.exe		executable
		MD5:DA579CAE896BD49996ED1F4808B56964	SHA256:35FCEC7B2054CEC9FB6524DE6C26F2E77956FC86ADB6CFC728B486A6E91A88B5
6324	uTorrent.exe	C:\Users\admin\AppData\Local\Temp\nsv52.tmp\System.dll		executable
		MD5:CFF85C549D536F651D4FB8387F1976F2	SHA256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
2232	utorrent_installer.tmp	C:\Users\admin\AppData\Local\Temp\is-NNQNO.tmp\is-HLE7N.tmp		executable
		MD5:FC35C5E6FFA56EA5B5DD34158B67A133	SHA256:E52483C3401C5B03AD38C9597370E355BADDC696ED4F3C1CBD58EB452506F96A
6324	uTorrent.exe	C:\Users\admin\AppData\Local\Temp\nsv52.tmp\utwin_install.log		binary
		MD5:BA38B9F417707A68B53F2D393099CDD8	SHA256:31F0DB7B07CB2DA344004F2943662A3026F9FF71B5B320221C3D370562EBA746

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

137

DNS requests

105

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2232	utorrent_installer.tmp	HEAD	200	67.215.238.66:80	http://download-new.utorrent.com/endpoint/utorrent/os/riserollout/track/stable	unknown	—	—	whitelisted
2028	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2232	utorrent_installer.tmp	GET	200	67.215.238.66:80	http://download-new.utorrent.com/endpoint/utorrent/os/riserollout/track/stable	unknown	—	—	whitelisted
2092	utorrent.exe	GET	200	82.221.103.245:80	http://update.utorrent.li/installstats.php?cl=uTorrent&v=113358876&h=44LBFK-W9js7PhpZ&w=4A65000A&bu=0&pr=0&cmp=0&ocmp=0&showinstall&pid=2092&cau=0&lunv=0&au=0&view=win32	unknown	—	—	whitelisted
2092	utorrent.exe	GET	200	82.221.103.245:80	http://update.utorrent.li/installstats.php?cl=uTorrent&v=113358876&h=44LBFK-W9js7PhpZ&w=4A65000A&bu=0&pr=0&cmp=0&ocmp=0&installresult&pid=2092&cau=0&lunv=0&installresult=0&exit=1&au=0&ic=1&view=win32	unknown	—	—	whitelisted
6324	uTorrent.exe	POST	200	52.200.43.26:80	http://i-6000.b-47132.ut.bench.utorrent.com/e?i=6000	unknown	—	—	unknown
6372	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6372	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1436	uTorrent.exe	GET	—	41.63.96.130:80	http://apps.bittorrent.com/utorrent-onboarding/player.btapp	unknown	—	—	whitelisted
6324	uTorrent.exe	POST	200	52.200.43.26:80	http://i-6000.b-47132.ut.bench.utorrent.com/e?i=6000	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
5644	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	18.173.206.196:443	d1l65h99sv20xf.cloudfront.net	—	US	whitelisted
—	—	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2232	utorrent_installer.tmp	18.173.206.196:443	d1l65h99sv20xf.cloudfront.net	—	US	whitelisted
2232	utorrent_installer.tmp	67.215.238.66:80	download-new.utorrent.com	ASN-QUADRANET-GLOBAL	US	whitelisted
2028	svchost.exe	40.126.32.74:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2028	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158 20.73.194.208 51.124.78.146	whitelisted
google.com	142.250.186.46	whitelisted
d1l65h99sv20xf.cloudfront.net	18.173.206.196 18.173.206.213 18.173.206.43 18.173.206.207	whitelisted
client.wns.windows.com	40.113.103.199	whitelisted
download-new.utorrent.com	67.215.238.66	whitelisted
login.live.com	40.126.32.74 20.190.160.22 40.126.32.68 40.126.32.72 40.126.32.134 20.190.160.20 20.190.160.17 20.190.160.14 20.190.159.75 20.190.159.23 20.190.159.0 20.190.159.4 40.126.31.69 40.126.31.67 20.190.159.2 40.126.31.73	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
shield.reasonsecurity.com	18.172.112.38 18.172.112.11 18.172.112.34 18.172.112.22	unknown
i-6000.b-47132.ut.bench.utorrent.com	52.200.43.26 52.3.106.130 52.5.193.209 52.20.207.117 52.72.183.32 50.16.219.170 52.21.223.158 52.22.189.65	whitelisted
router.bittorrent.com	67.215.246.10	whitelisted

Threats

PID	Process	Class	Message
2232	utorrent_installer.tmp	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] InnoSetup Installer
2232	utorrent_installer.tmp	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2232	utorrent_installer.tmp	Misc activity	ET INFO EXE - Served Attached HTTP
6324	uTorrent.exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
2092	utorrent.exe	Potential Corporate Privacy Violation	ET P2P Bittorrent P2P Client User-Agent (uTorrent)
2092	utorrent.exe	Potential Corporate Privacy Violation	ET P2P Bittorrent P2P Client User-Agent (uTorrent)
6324	uTorrent.exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
1436	uTorrent.exe	Potential Corporate Privacy Violation	ET P2P BTWebClient UA uTorrent in use
1436	uTorrent.exe	Potential Corporate Privacy Violation	ET P2P BitTorrent DHT ping request
2256	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)

Add for printing

No debug info

General Info

utorrent_installer.exe

AB8230A8D4A95AD7702D0F8E76405022

BE07E2F1B660D01371366D90546C1565C5FFDD99

D01C9BADF0515CCF84EB54CFD3954FE2915B852654AEBFC73A17E17C93ABDE3A

49152:M7HecD4dnbibBl3z5jnaTzI+BM55dF79UlwpfZYLJjd8qXD6qQxfLvdsq04AjqZh:g+cD4dnWz5jnaPIeM51rZYLJpOqECqJ5

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

INNOSETUP has been detected (SURICATA)

Actions looks like stealing of personal data

Changes the autorun value in the registry

SUSPICIOUS

Drops the executable file immediately after the start

Reads the date of Windows installation

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Access to an unwanted program domain was detected

Potential Corporate Privacy Violation

The process creates files with name similar to system file names

Checks Windows Trust Settings

Creates a software uninstall entry

Searches for installed software

Process drops legitimate windows executable

Executes as Windows Service

Mutex name with non-standard characters

Changes Internet Explorer settings (feature browser emulation)

Reads Microsoft Outlook installation path

Reads Internet Explorer settings

Executes application which crashes

Process requests binary or script from the Internet

Starts a Microsoft application from unusual location

Creates/Modifies COM task schedule object

Starts itself from another location

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Process checks computer location settings

Checks proxy server information

Reads the software policy settings

Creates files or folders in the user directory

Reads the machine GUID from the registry

Disables trace logs

Reads Environment values

Creates files in the program directory

Process checks Internet Explorer phishing filters

Reads Microsoft Office registry keys

Application launched itself

.NET Reactor protector has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information