File name:

utweb_installer (2).exe

Full analysis: https://app.any.run/tasks/e47ffe8b-7fe0-43fa-ab95-0862acdcd59a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 21, 2024, 18:20:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-scr
arch-doc
arch-html
bittorrent
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

6A2B68A6587E292DA47CB2943D83D534

SHA1:

20D164015A691BDFBDEFDA52699191567DE47FDB

SHA256:

EF84A998FDC17CC0CF630E8E00586D6BC2ADE522C21686053D026B6649D5115B

SSDEEP:

98304:9DhpQ6BdlITYC6WCvJOS3Z5yPT6x6Ik4ce/Unba+O+CB3jD9xMpl0n:5SK

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • utweb.exe (PID: 5544)
    • BITTORRENT has been detected (SURICATA)

      • utweb.exe (PID: 5544)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • beta (PID: 6960)
      • utweb_installer (2).exe (PID: 6156)
      • avg_antivirus_free_setup.exe (PID: 7076)
      • avg_antivirus_free_online_setup.exe (PID: 6152)
      • utweb.exe (PID: 5544)
      • icarus.exe (PID: 7668)
      • installer.exe (PID: 8152)
      • icarus.exe (PID: 7872)
      • installer.exe (PID: 7440)
    • The process creates files with name similar to system file names

      • beta (PID: 6960)
      • icarus.exe (PID: 7872)
      • installer.exe (PID: 7440)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • beta (PID: 6960)
    • Starts application with an unusual extension

      • utweb_installer (2).exe (PID: 6156)
    • Process drops legitimate windows executable

      • beta (PID: 6960)
      • icarus.exe (PID: 7872)
    • Creates a software uninstall entry

      • beta (PID: 6960)
    • Reads security settings of Internet Explorer

      • beta (PID: 6960)
      • utweb_installer (2).exe (PID: 6156)
      • saBSI.exe (PID: 7064)
      • utweb.exe (PID: 5544)
      • installer.exe (PID: 7440)
    • Checks Windows Trust Settings

      • saBSI.exe (PID: 7064)
      • utweb.exe (PID: 5544)
      • installer.exe (PID: 7440)
    • The process verifies whether the antivirus software is installed

      • saBSI.exe (PID: 7064)
      • icarus.exe (PID: 7872)
      • installer.exe (PID: 8152)
      • installer.exe (PID: 7440)
    • Adds/modifies Windows certificates

      • utweb.exe (PID: 5544)
      • saBSI.exe (PID: 7064)
    • Starts itself from another location

      • icarus.exe (PID: 7668)
    • Creates/Modifies COM task schedule object

      • installer.exe (PID: 7440)
    • The process drops C-runtime libraries

      • icarus.exe (PID: 7872)
    • Potential Corporate Privacy Violation

      • utweb.exe (PID: 5544)
  • INFO

    • The sample compiled with english language support

      • utweb_installer (2).exe (PID: 6156)
      • beta (PID: 6960)
      • avg_antivirus_free_setup.exe (PID: 7076)
      • avg_antivirus_free_online_setup.exe (PID: 6152)
      • utweb.exe (PID: 5544)
      • icarus.exe (PID: 7668)
      • icarus.exe (PID: 7872)
      • installer.exe (PID: 8152)
      • installer.exe (PID: 7440)
    • Reads the computer name

      • utweb_installer (2).exe (PID: 6156)
      • beta (PID: 6960)
      • saBSI.exe (PID: 7064)
      • avg_antivirus_free_setup.exe (PID: 7076)
      • RazerLightInstaller.exe (PID: 7152)
      • avg_antivirus_free_online_setup.exe (PID: 6152)
      • utweb.exe (PID: 5544)
      • helper.exe (PID: 7616)
      • icarus.exe (PID: 7668)
      • icarus.exe (PID: 7872)
      • icarus.exe (PID: 7880)
      • identity_helper.exe (PID: 7460)
      • installer.exe (PID: 7440)
      • identity_helper.exe (PID: 6404)
    • Sends debugging messages

      • utweb_installer (2).exe (PID: 6156)
      • saBSI.exe (PID: 7064)
      • RazerLightInstaller.exe (PID: 7152)
      • installer.exe (PID: 7440)
    • Reads the machine GUID from the registry

      • utweb_installer (2).exe (PID: 6156)
      • saBSI.exe (PID: 7064)
      • avg_antivirus_free_setup.exe (PID: 7076)
      • RazerLightInstaller.exe (PID: 7152)
      • avg_antivirus_free_online_setup.exe (PID: 6152)
      • utweb.exe (PID: 5544)
      • icarus.exe (PID: 7668)
      • icarus.exe (PID: 7872)
      • icarus.exe (PID: 7880)
      • installer.exe (PID: 7440)
    • Checks supported languages

      • utweb_installer (2).exe (PID: 6156)
      • beta (PID: 6960)
      • avg_antivirus_free_setup.exe (PID: 7076)
      • RazerLightInstaller.exe (PID: 7152)
      • saBSI.exe (PID: 7064)
      • avg_antivirus_free_online_setup.exe (PID: 6152)
      • utweb.exe (PID: 5544)
      • utweb.exe (PID: 2996)
      • icarus.exe (PID: 7668)
      • icarus.exe (PID: 7880)
      • icarus.exe (PID: 7872)
      • helper.exe (PID: 7616)
      • installer.exe (PID: 8152)
      • identity_helper.exe (PID: 7460)
      • installer.exe (PID: 7440)
      • identity_helper.exe (PID: 6404)
    • Checks proxy server information

      • utweb_installer (2).exe (PID: 6156)
      • beta (PID: 6960)
      • saBSI.exe (PID: 7064)
      • avg_antivirus_free_online_setup.exe (PID: 6152)
      • RazerLightInstaller.exe (PID: 7152)
      • utweb.exe (PID: 5544)
    • Create files in a temporary directory

      • utweb_installer (2).exe (PID: 6156)
      • beta (PID: 6960)
      • saBSI.exe (PID: 7064)
      • avg_antivirus_free_online_setup.exe (PID: 6152)
      • RazerLightInstaller.exe (PID: 7152)
      • installer.exe (PID: 7440)
    • Reads the software policy settings

      • utweb_installer (2).exe (PID: 6156)
      • avg_antivirus_free_setup.exe (PID: 7076)
      • avg_antivirus_free_online_setup.exe (PID: 6152)
      • saBSI.exe (PID: 7064)
      • utweb.exe (PID: 5544)
      • RazerLightInstaller.exe (PID: 7152)
      • installer.exe (PID: 7440)
    • Creates files or folders in the user directory

      • beta (PID: 6960)
      • utweb.exe (PID: 5544)
      • helper.exe (PID: 7616)
    • Creates files in the program directory

      • saBSI.exe (PID: 7064)
      • avg_antivirus_free_online_setup.exe (PID: 6152)
      • icarus.exe (PID: 7668)
      • icarus.exe (PID: 7872)
      • installer.exe (PID: 8152)
      • installer.exe (PID: 7440)
    • The process uses the downloaded file

      • utweb_installer (2).exe (PID: 6156)
    • Application launched itself

      • msedge.exe (PID: 436)
      • msedge.exe (PID: 6452)
      • msedge.exe (PID: 7652)
      • chrome.exe (PID: 440)
    • Manual execution by a user

      • utweb.exe (PID: 2996)
      • msedge.exe (PID: 6452)
      • chrome.exe (PID: 440)
    • Process checks computer location settings

      • utweb_installer (2).exe (PID: 6156)
    • Reads CPU info

      • icarus.exe (PID: 7668)
      • icarus.exe (PID: 7880)
      • icarus.exe (PID: 7872)
    • Reads Environment values

      • icarus.exe (PID: 7872)
      • identity_helper.exe (PID: 7460)
    • The sample compiled with czech language support

      • icarus.exe (PID: 7872)
    • Disables trace logs

      • RazerLightInstaller.exe (PID: 7152)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (18)
.exe | Win32 Executable (generic) (2.9)
.exe | Generic Win/DOS Executable (1.3)
.exe | DOS Executable Generic (1.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:11:26 09:12:30+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.39
CodeSize: 2194432
InitializedDataSize: 2386944
UninitializedDataSize: -
EntryPoint: 0x1cc6df
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.2.0.11263
ProductVersionNumber: 3.2.0.11263
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: u Torrent Web
FileDescription: u Torrent Web
FileVersion: 3.2.0.11263
LegalCopyright: (c) u Torrent Web
ProductName: u Torrent Web
ProductVersion: 3.2.0.11263
No data.
All screenshots are available in the full report
Total processes
202
Monitored processes
73
Malicious processes
9
Suspicious processes
1

Behavior graph

(Interactive process graph; details are in the full report. Processes shown: utweb_installer (2).exe, beta, sabsi.exe, avg_antivirus_free_setup.exe, razerlightinstaller.exe, avg_antivirus_free_online_setup.exe, utweb.exe (tagged #BITTORRENT), helper.exe, icarus.exe, installer.exe, identity_helper.exe, and numerous msedge.exe and chrome.exe child processes.)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 436
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://utweb.rainberrytv.com/gui/index.html?v=1.4.0.6042&firstrun=1&localauth=localapi1990bde6f12497dc:
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: utweb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
1
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 440
CMD: "C:\Users\admin\AppData\Local\Temp\utweb_installer (2).exe"
Path: C:\Users\admin\AppData\Local\Temp\utweb_installer (2).exe
Parent process: explorer.exe
User:
admin
Company:
u Torrent Web
Integrity Level:
MEDIUM
Description:
u Torrent Web
Exit code:
3221226540
Version:
3.2.0.11263
Modules
Images
c:\users\admin\appdata\local\temp\utweb_installer (2).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 440
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" "--disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 648
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3496 --field-trial-handle=2392,i,14058650506096939003,9325416929139321490,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 936
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6540 --field-trial-handle=2392,i,14058650506096939003,9325416929139321490,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1140
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2512 --field-trial-handle=2360,i,3816618437759507481,14886850493083424391,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2800
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2384 --field-trial-handle=2392,i,14058650506096939003,9325416929139321490,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2972
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6704 --field-trial-handle=2392,i,14058650506096939003,9325416929139321490,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2996
CMD: "C:\Users\admin\AppData\Roaming\uTorrent Web\utweb.exe"
Path: C:\Users\admin\AppData\Roaming\uTorrent Web\utweb.exe
Parent process: explorer.exe
User:
admin
Company:
BitTorrent Limited
Integrity Level:
MEDIUM
Description:
µTorrent Web
Exit code:
0
Version:
1.4.0.6042
Modules
Images
c:\users\admin\appdata\roaming\utorrent web\utweb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\rpcrt4.dll
PID: 3436
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2448 --field-trial-handle=2392,i,14058650506096939003,9325416929139321490,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
29 124
Read events
28 997
Write events
120
Delete events
7

Modification events

(PID) Process: (6960) beta
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:
(PID) Process: (6960) beta
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:
(PID) Process: (6960) beta
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:
(PID) Process: (6960) beta
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb
Operation: write
Name: UninstallString
Value:
"C:\Users\admin\AppData\Roaming\uTorrent Web\Uninstall.exe"
(PID) Process: (6960) beta
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb
Operation: write
Name: QuietUninstallString
Value:
"C:\Users\admin\AppData\Roaming\uTorrent Web\Uninstall.exe" /S
(PID) Process: (6960) beta
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb
Operation: write
Name: DisplayIcon
Value:
C:\Users\admin\AppData\Roaming\uTorrent Web\uninstall.ico
(PID) Process: (6960) beta
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb
Operation: write
Name: DisplayName
Value:
uTorrent Web
(PID) Process: (6960) beta
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb
Operation: write
Name: Publisher
Value:
BitTorrent Limited
(PID) Process: (6960) beta
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb
Operation: write
Name: DisplayVersion
Value:
1.4.0
(PID) Process: (6960) beta
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\utweb
Operation: write
Name: NoModify
Value:
1
Executable files
224
Suspicious files
667
Text files
968
Unknown types
24

Dropped files

PID
Process
Filename
Type
PID: 6960 | Process: beta | Filename: C:\Users\admin\AppData\Roaming\uTorrent Web\webui\version.txt | Type: text
MD5: 646301F56A97AABEE83F521011A15A97
SHA256: 5EA8BEFF4EB03A1AEAE8E4645FBE1536171BA059EDF48D05ABBD90D6B4FE33FE
PID: 6156 | Process: utweb_installer (2).exe | Filename: C:\Users\admin\AppData\Local\Temp\ISV638F.tmp\avg.zip | Type: compressed
MD5: 56B0D3E1B154AE65682C167D25EC94A6
SHA256: 434BFC9E005A7C8EE249B62F176979F1B4CDE69484DB1683EA07A63E6C1E93DE
PID: 6960 | Process: beta | Filename: C:\Users\admin\AppData\Roaming\uTorrent Web\localization\pt-br.lang | Type: text
MD5: 744641954533C29EAEC0E5527135C016
SHA256: A75D0E4D554599BF690FA9F922FFABB75268AF1F8E59B66C4C5FDAE2439CB262
PID: 6156 | Process: utweb_installer (2).exe | Filename: C:\Users\admin\AppData\Local\Temp\ISV638F.tmp\saBSI.zip | Type: compressed
MD5: F68008B70822BD28C82D13A289DEB418
SHA256: CC6F4FAF4E8A9F4D2269D1D69A69EA326F789620FB98078CC98597F3CB998589
PID: 6156 | Process: utweb_installer (2).exe | Filename: C:\Users\admin\AppData\Local\Temp\ISV638F.tmp\beta | Type: executable
MD5: F90AC5C11AA97726788246A120FD2550
SHA256: CAD49B1006DA8A23994531B755BEB3833542ED73CDE2C0A4882887EF8A1588E5
PID: 6156 | Process: utweb_installer (2).exe | Filename: C:\Users\admin\AppData\Local\Temp\ISV638F.tmp\RazerLightInstaller.zip | Type: compressed
MD5: 42CDE6F10EA8538B69167CBD92D60C2C
SHA256: 3183647F88F9171DEB6A6D8C494AE77D2D375E22151ECBFABDE5C282DBB216F0
PID: 6960 | Process: beta | Filename: C:\Users\admin\AppData\Local\Temp\nsgB1FF.tmp\System.dll | Type: executable
MD5: CFF85C549D536F651D4FB8387F1976F2
SHA256: 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
PID: 6960 | Process: beta | Filename: C:\Users\admin\AppData\Local\Temp\nsgB1FF.tmp\UAC.dll | Type: executable
MD5: ADB29E6B186DAA765DC750128649B63D
SHA256: 2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08
PID: 6960 | Process: beta | Filename: C:\Users\admin\AppData\Roaming\uTorrent Web\localization\es-la.lang | Type: text
MD5: 3205881F5139242227F5513E80091461
SHA256: 80A398E4A040FC95F40167FF18E8866625F74FF2230C5C181E8DA985641D0C95
PID: 6960 | Process: beta | Filename: C:\Users\admin\AppData\Roaming\uTorrent Web\localization\de.lang | Type: text
MD5: 3ABF457A7FD0E7AB549062003EAF5E5F
SHA256: 2773849568EFFA2BA7FFBF628E89C75F7887FC779C2434AEF22FBA3F88A84082
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
41
TCP/UDP connections
339
DNS requests
209
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6960
beta
POST
200
44.194.12.79:80
http://i-4101.b-6042.utweb.bench.utorrent.com/e?i=4101
unknown
whitelisted
6960
beta
POST
200
44.194.12.79:80
http://i-4101.b-6042.utweb.bench.utorrent.com/e?i=4101
unknown
whitelisted
7076
avg_antivirus_free_setup.exe
POST
200
142.250.186.110:80
http://www.google-analytics.com/collect
unknown
whitelisted
7076
avg_antivirus_free_setup.exe
POST
204
34.117.223.223:80
http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
unknown
whitelisted
7076
avg_antivirus_free_setup.exe
POST
204
34.117.223.223:80
http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
unknown
whitelisted
5880
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5064
SearchApp.exe
2.23.209.130:443
www.bing.com
Akamai International B.V.
GB
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
4992
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6156
utweb_installer (2).exe
13.33.216.46:443
dvpwdfe80sj9.cloudfront.net
US
whitelisted
1176
svchost.exe
20.190.159.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.209.130
  • 2.23.209.187
  • 2.23.209.133
  • 2.23.209.185
  • 2.23.209.140
  • 2.23.209.182
  • 2.23.209.179
  • 2.23.209.149
  • 2.23.209.189
  • 104.126.37.130
  • 104.126.37.178
  • 104.126.37.123
  • 104.126.37.161
  • 104.126.37.154
  • 104.126.37.163
  • 104.126.37.153
  • 104.126.37.170
  • 104.126.37.168
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.206
whitelisted
dvpwdfe80sj9.cloudfront.net
  • 13.33.216.46
  • 13.33.216.215
  • 13.33.216.105
  • 13.33.216.56
whitelisted
login.live.com
  • 20.190.159.73
  • 40.126.31.69
  • 20.190.159.4
  • 40.126.31.67
  • 20.190.159.75
  • 20.190.159.71
  • 20.190.159.0
  • 40.126.31.73
unknown
download-lb.utorrent.com
  • 67.215.238.66
whitelisted
go.microsoft.com
  • 184.28.89.167
unknown

Threats

PID
Process
Class
Message
6960
beta
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
6960
beta
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
5544
utweb.exe
Misc activity
INFO [ANY.RUN] P2P BitTorrent Protocol
5544
utweb.exe
Potentially Bad Traffic
ET POLICY Executable served from Amazon S3
5544
utweb.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
utweb_installer (2).exe
LoadingPage
utweb_installer (2).exe
LicensePage
utweb_installer (2).exe
ProductPage
utweb_installer (2).exe
ProductPage
utweb_installer (2).exe
ProductPage
utweb_installer (2).exe
DownloadPageISV
utweb_installer (2).exe
FinishPageISV
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe
NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\ISV638F.tmp\saBSI\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\ISV638F.tmp\saBSI\mfeaaca.dll, WinVerifyTrust failed with 80092003