File name: utweb_installer (2).exe

Full analysis: https://app.any.run/tasks/e47ffe8b-7fe0-43fa-ab95-0862acdcd59a
Verdict: Malicious activity
Threats:
Loader: A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims' computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 21, 2024, 18:20:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-scr
arch-doc
arch-html
bittorrent
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 6A2B68A6587E292DA47CB2943D83D534
SHA1: 20D164015A691BDFBDEFDA52699191567DE47FDB
SHA256: EF84A998FDC17CC0CF630E8E00586D6BC2ADE522C21686053D026B6649D5115B
SSDEEP: 98304:9DhpQ6BdlITYC6WCvJOS3Z5yPT6x6Ik4ce/Unba+O+CB3jD9xMpl0n:5SK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • utweb.exe (PID: 5544)
    • BITTORRENT has been detected (SURICATA)

      • utweb.exe (PID: 5544)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • utweb_installer (2).exe (PID: 6156)
      • beta (PID: 6960)
      • avg_antivirus_free_setup.exe (PID: 7076)
      • avg_antivirus_free_online_setup.exe (PID: 6152)
      • utweb.exe (PID: 5544)
      • icarus.exe (PID: 7668)
      • icarus.exe (PID: 7872)
      • installer.exe (PID: 8152)
      • installer.exe (PID: 7440)
    • Starts application with an unusual extension

      • utweb_installer (2).exe (PID: 6156)
    • The process creates files with names similar to system file names

      • beta (PID: 6960)
      • icarus.exe (PID: 7872)
      • installer.exe (PID: 7440)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • beta (PID: 6960)
    • Process drops legitimate windows executable

      • beta (PID: 6960)
      • icarus.exe (PID: 7872)
    • Creates a software uninstall entry

      • beta (PID: 6960)
    • Reads security settings of Internet Explorer

      • beta (PID: 6960)
      • utweb_installer (2).exe (PID: 6156)
      • saBSI.exe (PID: 7064)
      • utweb.exe (PID: 5544)
      • installer.exe (PID: 7440)
    • Checks Windows Trust Settings

      • saBSI.exe (PID: 7064)
      • utweb.exe (PID: 5544)
      • installer.exe (PID: 7440)
    • The process verifies whether the antivirus software is installed

      • saBSI.exe (PID: 7064)
      • installer.exe (PID: 8152)
      • installer.exe (PID: 7440)
      • icarus.exe (PID: 7872)
    • Adds/modifies Windows certificates

      • utweb.exe (PID: 5544)
      • saBSI.exe (PID: 7064)
    • Potential Corporate Privacy Violation

      • utweb.exe (PID: 5544)
    • Starts itself from another location

      • icarus.exe (PID: 7668)
    • Creates/Modifies COM task schedule object

      • installer.exe (PID: 7440)
    • The process drops C-runtime libraries

      • icarus.exe (PID: 7872)
  • INFO

    • Checks supported languages

      • utweb_installer (2).exe (PID: 6156)
      • beta (PID: 6960)
      • saBSI.exe (PID: 7064)
      • avg_antivirus_free_setup.exe (PID: 7076)
      • RazerLightInstaller.exe (PID: 7152)
      • avg_antivirus_free_online_setup.exe (PID: 6152)
      • utweb.exe (PID: 5544)
      • utweb.exe (PID: 2996)
      • helper.exe (PID: 7616)
      • icarus.exe (PID: 7668)
      • icarus.exe (PID: 7880)
      • icarus.exe (PID: 7872)
      • installer.exe (PID: 8152)
      • identity_helper.exe (PID: 7460)
      • installer.exe (PID: 7440)
      • identity_helper.exe (PID: 6404)
    • Reads the computer name

      • utweb_installer (2).exe (PID: 6156)
      • beta (PID: 6960)
      • saBSI.exe (PID: 7064)
      • avg_antivirus_free_setup.exe (PID: 7076)
      • RazerLightInstaller.exe (PID: 7152)
      • avg_antivirus_free_online_setup.exe (PID: 6152)
      • utweb.exe (PID: 5544)
      • helper.exe (PID: 7616)
      • icarus.exe (PID: 7668)
      • icarus.exe (PID: 7872)
      • icarus.exe (PID: 7880)
      • identity_helper.exe (PID: 7460)
      • installer.exe (PID: 7440)
      • identity_helper.exe (PID: 6404)
    • The sample is compiled with English language support

      • utweb_installer (2).exe (PID: 6156)
      • beta (PID: 6960)
      • avg_antivirus_free_setup.exe (PID: 7076)
      • avg_antivirus_free_online_setup.exe (PID: 6152)
      • utweb.exe (PID: 5544)
      • icarus.exe (PID: 7668)
      • icarus.exe (PID: 7872)
      • installer.exe (PID: 8152)
      • installer.exe (PID: 7440)
    • Sends debugging messages

      • utweb_installer (2).exe (PID: 6156)
      • saBSI.exe (PID: 7064)
      • RazerLightInstaller.exe (PID: 7152)
      • installer.exe (PID: 7440)
    • Checks proxy server information

      • utweb_installer (2).exe (PID: 6156)
      • beta (PID: 6960)
      • saBSI.exe (PID: 7064)
      • avg_antivirus_free_online_setup.exe (PID: 6152)
      • RazerLightInstaller.exe (PID: 7152)
      • utweb.exe (PID: 5544)
    • Reads the machine GUID from the registry

      • utweb_installer (2).exe (PID: 6156)
      • saBSI.exe (PID: 7064)
      • avg_antivirus_free_setup.exe (PID: 7076)
      • avg_antivirus_free_online_setup.exe (PID: 6152)
      • RazerLightInstaller.exe (PID: 7152)
      • utweb.exe (PID: 5544)
      • icarus.exe (PID: 7668)
      • icarus.exe (PID: 7872)
      • icarus.exe (PID: 7880)
      • installer.exe (PID: 7440)
    • Reads the software policy settings

      • utweb_installer (2).exe (PID: 6156)
      • avg_antivirus_free_setup.exe (PID: 7076)
      • saBSI.exe (PID: 7064)
      • avg_antivirus_free_online_setup.exe (PID: 6152)
      • RazerLightInstaller.exe (PID: 7152)
      • utweb.exe (PID: 5544)
      • installer.exe (PID: 7440)
    • Creates files in a temporary directory

      • utweb_installer (2).exe (PID: 6156)
      • beta (PID: 6960)
      • avg_antivirus_free_online_setup.exe (PID: 6152)
      • saBSI.exe (PID: 7064)
      • RazerLightInstaller.exe (PID: 7152)
      • installer.exe (PID: 7440)
    • Creates files or folders in the user directory

      • beta (PID: 6960)
      • utweb.exe (PID: 5544)
      • helper.exe (PID: 7616)
    • The process uses the downloaded file

      • utweb_installer (2).exe (PID: 6156)
    • Creates files in the program directory

      • saBSI.exe (PID: 7064)
      • avg_antivirus_free_online_setup.exe (PID: 6152)
      • icarus.exe (PID: 7668)
      • icarus.exe (PID: 7872)
      • installer.exe (PID: 8152)
      • installer.exe (PID: 7440)
    • Disables trace logs

      • RazerLightInstaller.exe (PID: 7152)
    • Process checks computer location settings

      • utweb_installer (2).exe (PID: 6156)
    • Manual execution by a user

      • utweb.exe (PID: 2996)
      • msedge.exe (PID: 6452)
      • chrome.exe (PID: 440)
    • Application launched itself

      • msedge.exe (PID: 436)
      • msedge.exe (PID: 6452)
      • msedge.exe (PID: 7652)
      • chrome.exe (PID: 440)
    • Reads CPU info

      • icarus.exe (PID: 7668)
      • icarus.exe (PID: 7880)
      • icarus.exe (PID: 7872)
    • Reads Environment values

      • icarus.exe (PID: 7872)
      • identity_helper.exe (PID: 7460)
    • The sample is compiled with Czech language support

      • icarus.exe (PID: 7872)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (18)
.exe | Win32 Executable (generic) (2.9)
.exe | Generic Win/DOS Executable (1.3)
.exe | DOS Executable Generic (1.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:11:26 09:12:30+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.39
CodeSize: 2194432
InitializedDataSize: 2386944
UninitializedDataSize: -
EntryPoint: 0x1cc6df
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.2.0.11263
ProductVersionNumber: 3.2.0.11263
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: u Torrent Web
FileDescription: u Torrent Web
FileVersion: 3.2.0.11263
LegalCopyright: (c) u Torrent Web
ProductName: u Torrent Web
ProductVersion: 3.2.0.11263
Total processes: 202
Monitored processes: 73
Malicious processes: 9
Suspicious processes: 1

Behavior graph

(Interactive process graph not reproduced. The chain starts at utweb_installer (2).exe and includes beta, sabsi.exe, avg_antivirus_free_setup.exe, razerlightinstaller.exe, avg_antivirus_free_online_setup.exe, utweb.exe (tagged #BITTORRENT), helper.exe, icarus.exe, installer.exe, identity_helper.exe, and the msedge.exe and chrome.exe processes they spawn.)

Process information

PID: 436
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://utweb.rainberrytv.com/gui/index.html?v=1.4.0.6042&firstrun=1&localauth=localapi1990bde6f12497dc:
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: utweb.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Edge
Exit code: 1
Version: 122.0.2365.59
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

PID: 440
CMD: "C:\Users\admin\AppData\Local\Temp\utweb_installer (2).exe"
Path: C:\Users\admin\AppData\Local\Temp\utweb_installer (2).exe
Parent process: explorer.exe
User: admin
Company: u Torrent Web
Integrity Level: MEDIUM
Description: u Torrent Web
Exit code: 3221226540
Version: 3.2.0.11263
Modules (Images):
c:\users\admin\appdata\local\temp\utweb_installer (2).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 440
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" "--disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 122.0.6261.70
Modules (Images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID: 648
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3496 --field-trial-handle=2392,i,14058650506096939003,9325416929139321490,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 936
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6540 --field-trial-handle=2392,i,14058650506096939003,9325416929139321490,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1140
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2512 --field-trial-handle=2360,i,3816618437759507481,14886850493083424391,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 2800
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2384 --field-trial-handle=2392,i,14058650506096939003,9325416929139321490,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 2972
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6704 --field-trial-handle=2392,i,14058650506096939003,9325416929139321490,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 2996
CMD: "C:\Users\admin\AppData\Roaming\uTorrent Web\utweb.exe"
Path: C:\Users\admin\AppData\Roaming\uTorrent Web\utweb.exe
Parent process: explorer.exe
User: admin
Company: BitTorrent Limited
Integrity Level: MEDIUM
Description: µTorrent Web
Exit code: 0
Version: 1.4.0.6042
Modules (Images):
c:\users\admin\appdata\roaming\utorrent web\utweb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\rpcrt4.dll

PID: 3436
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2448 --field-trial-handle=2392,i,14058650506096939003,9325416929139321490,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (Images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 29 124
Read events: 28 997
Write events: 120
Delete events: 7

Modification events

(PID) Process | Key | Operation | Name | Value
(6960) beta | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | (empty)
(6960) beta | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
(6960) beta | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
(6960) beta | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb | write | UninstallString | "C:\Users\admin\AppData\Roaming\uTorrent Web\Uninstall.exe"
(6960) beta | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb | write | QuietUninstallString | "C:\Users\admin\AppData\Roaming\uTorrent Web\Uninstall.exe" /S
(6960) beta | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb | write | DisplayIcon | C:\Users\admin\AppData\Roaming\uTorrent Web\uninstall.ico
(6960) beta | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb | write | DisplayName | uTorrent Web
(6960) beta | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb | write | Publisher | BitTorrent Limited
(6960) beta | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb | write | DisplayVersion | 1.4.0
(6960) beta | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb | write | NoModify | 1
Executable files: 224
Suspicious files: 667
Text files: 968
Unknown types: 24

Dropped files

PID | Process | Filename | Type
6156 | utweb_installer (2).exe | C:\Users\admin\AppData\Local\Temp\ISV638F.tmp\avg.zip | compressed
  MD5: 56B0D3E1B154AE65682C167D25EC94A6
  SHA256: 434BFC9E005A7C8EE249B62F176979F1B4CDE69484DB1683EA07A63E6C1E93DE
6156 | utweb_installer (2).exe | C:\Users\admin\AppData\Local\Temp\ISV638F.tmp\saBSI.zip | compressed
  MD5: F68008B70822BD28C82D13A289DEB418
  SHA256: CC6F4FAF4E8A9F4D2269D1D69A69EA326F789620FB98078CC98597F3CB998589
6156 | utweb_installer (2).exe | C:\Users\admin\AppData\Local\Temp\ISV638F.tmp\beta | executable
  MD5: F90AC5C11AA97726788246A120FD2550
  SHA256: CAD49B1006DA8A23994531B755BEB3833542ED73CDE2C0A4882887EF8A1588E5
6960 | beta | C:\Users\admin\AppData\Local\Temp\nsgB1FF.tmp\UAC.dll | executable
  MD5: ADB29E6B186DAA765DC750128649B63D
  SHA256: 2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08
6960 | beta | C:\Users\admin\AppData\Roaming\uTorrent Web\localization\es-la.lang | text
  MD5: 3205881F5139242227F5513E80091461
  SHA256: 80A398E4A040FC95F40167FF18E8866625F74FF2230C5C181E8DA985641D0C95
6960 | beta | C:\Users\admin\AppData\Roaming\uTorrent Web\localization\fr.lang | text
  MD5: 11A3F9F9D7F238D2B1E8D7699DBAFF02
  SHA256: 53656932C41719FCD2B809CC3FB84F40EC39DB344E527450D8A830E271E49A28
6960 | beta | C:\Users\admin\AppData\Local\Temp\nsgB1FF.tmp\FindProcDLL.dll | executable
  MD5: B4FAF654DE4284A89EAF7D073E4E1E63
  SHA256: C0948B2EC36A69F82C08935FAC4B212238B6792694F009B93B4BDB478C4F26E3
6960 | beta | C:\Users\admin\AppData\Roaming\uTorrent Web\localization\de.lang | text
  MD5: 3ABF457A7FD0E7AB549062003EAF5E5F
  SHA256: 2773849568EFFA2BA7FFBF628E89C75F7887FC779C2434AEF22FBA3F88A84082
6960 | beta | C:\Users\admin\AppData\Roaming\uTorrent Web\localization\ru.lang | text
  MD5: B5171E547C00802760E2497ACF036590
  SHA256: 35B50DCA884BF00627C242DC5F696DEACA46302CD695D2B86DADAB2D9FF7B905
6960 | beta | C:\Users\admin\AppData\Roaming\uTorrent Web\localization\pl.lang | text
  MD5: C286292F897E4120E2F498A420516C8F
  SHA256: AEC6B6070D50D4B2823132715755A34E0D9F5FC1F11E92BA6811C407F8911B87
HTTP(S) requests
41
TCP/UDP connections
339
DNS requests
209
Threats
5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
 |  | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6960 | beta | POST | 200 | 44.194.12.79:80 | http://i-4101.b-6042.utweb.bench.utorrent.com/e?i=4101 | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7076 | avg_antivirus_free_setup.exe | POST | 204 | 34.117.223.223:80 | http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi | unknown | whitelisted
6960 | beta | POST | 200 | 44.194.12.79:80 | http://i-4101.b-6042.utweb.bench.utorrent.com/e?i=4101 | unknown | whitelisted
7076 | avg_antivirus_free_setup.exe | POST | 204 | 34.117.223.223:80 | http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi | unknown | whitelisted
7076 | avg_antivirus_free_setup.exe | POST | 200 | 142.250.186.110:80 | http://www.google-analytics.com/collect | unknown | whitelisted
5544 | utweb.exe | GET | 200 | 41.63.96.2:80 | http://btinstall-artifacts.bittorrent.com/helper_ui/helper_web_ui.btinstall | unknown | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5064 | SearchApp.exe | 2.23.209.130:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
 |  | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 |  | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 |  |  |  | whitelisted
4992 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6156 | utweb_installer (2).exe | 13.33.216.46:443 | dvpwdfe80sj9.cloudfront.net |  | US | whitelisted
1176 | svchost.exe | 20.190.159.73:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
www.bing.com | 2.23.209.130, 2.23.209.187, 2.23.209.133, 2.23.209.185, 2.23.209.140, 2.23.209.182, 2.23.209.179, 2.23.209.149, 2.23.209.189, 104.126.37.130, 104.126.37.178, 104.126.37.123, 104.126.37.161, 104.126.37.154, 104.126.37.163, 104.126.37.153, 104.126.37.170, 104.126.37.168 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146, 51.104.136.2 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
crl.microsoft.com | 2.16.164.120, 2.16.164.49 | whitelisted
www.microsoft.com | 88.221.169.152, 184.30.21.171 | whitelisted
google.com | 142.250.185.206 | whitelisted
dvpwdfe80sj9.cloudfront.net | 13.33.216.46, 13.33.216.215, 13.33.216.105, 13.33.216.56 | whitelisted
login.live.com | 20.190.159.73, 40.126.31.69, 20.190.159.4, 40.126.31.67, 20.190.159.75, 20.190.159.71, 20.190.159.0, 40.126.31.73 | unknown
download-lb.utorrent.com | 67.215.238.66 | whitelisted
go.microsoft.com | 184.28.89.167 | unknown

Threats

PID | Process | Class | Message
6960 | beta | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
6960 | beta | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
5544 | utweb.exe | Misc activity | INFO [ANY.RUN] P2P BitTorrent Protocol
5544 | utweb.exe | Potentially Bad Traffic | ET POLICY Executable served from Amazon S3
5544 | utweb.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP

Process | Message
utweb_installer (2).exe | LoadingPage
utweb_installer (2).exe | LicensePage
utweb_installer (2).exe | ProductPage
utweb_installer (2).exe | ProductPage
utweb_installer (2).exe | ProductPage
utweb_installer (2).exe | DownloadPageISV
utweb_installer (2).exe | FinishPageISV
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\ISV638F.tmp\saBSI\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\ISV638F.tmp\saBSI\mfeaaca.dll, WinVerifyTrust failed with 80092003