uTorrent.exe
This report is generated from a file or URL submitted to this webservice on September 13th 2020 04:40:46 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.31 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware: POSTs files to a webserver
- Persistence: Spawns a lot of processes; Writes data to a remote process
- Fingerprint: Queries kernel debugger information; Queries process information; Queries sensitive IE security settings; Queries the internet cache settings (often used to hide footprints in index.dat or internet cache); Reads the active computer name; Reads the cryptographic machine GUID
- Evasive: Marks file for deletion; Possibly checks for the presence of an Antivirus engine; The input sample contains a known anti-VM trick
- Spreading: Detected a large number of ARP broadcast requests (network device lookup)
- Network Behavior: Contacts 9 domains and 9 hosts
Indicators
-
Malicious Indicators 16
-
Anti-Detection/Stealthiness
-
Creates a resource fork (ADS) file (often used to hide data)
- details
- "uTorrent.exe" created file "%APPDATA%\uTorrent\updates\3.5.5_45776.exe:Zone.Identifier"
- note: a Zone.Identifier stream is the Mark-of-the-Web that Windows attaches to files fetched from the Internet zone, here to the client's own update package; it records the security zone the file came from, not hidden data, so this entry on its own is not evidence of concealment
- source
- API Call
- relevance
- 8/10
-
Environment Awareness
-
The input sample contains a known anti-VM trick
- details
- Found VM detection artifact "CPUID trick" in "a173724f05cb681baffca788273a1759e6c73e13d8aa3ee2e3de51e36d11dcbb.bin" (Offset: 152659)
- source
- Binary File
- relevance
- 5/10
- ATT&CK ID
- T1497
-
External Systems
-
Detected Suricata Alert
- details
-
Detected alert "ETPRO P2P uTorrent Hydra Client" (SID: 2809605, Rev: 4, Severity: 1) categorized as "Potential Corporate Privacy Violation"
Detected alert "ET P2P Bittorrent P2P Client User-Agent (uTorrent)" (SID: 2011706, Rev: 7, Severity: 1) categorized as "Potential Corporate Privacy Violation"
- source
- Suricata Alerts
- relevance
- 10/10
-
Sample was identified as malicious by a large number of Antivirus engines
- details
- 14/68 Antivirus vendors marked sample as malicious (20% detection rate). The classification given further down is "uTorrent.C potentially unwanted", a PUA/PUP verdict on the BitTorrent client itself rather than a malware family name, so the "large number" wording should be read in that light
- source
- External System
- relevance
- 10/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 14/68 Antivirus vendors marked sample as malicious (20% detection rate)
- source
- External System
- relevance
- 8/10
-
General
-
The analysis extracted a file that was identified as malicious
- details
-
14/68 Antivirus vendors marked dropped file "3.5.5_45776.exe" as malicious (classified as "uTorrent.C potentially unwanted" with 20% detection rate)
14/68 Antivirus vendors marked dropped file "uTorrent.exe" as malicious (classified as "uTorrent.C potentially unwanted" with 20% detection rate)
- source
- Binary File
- relevance
- 10/10
-
The analysis spawned a process that was identified as malicious
- details
-
14/68 Antivirus vendors marked spawned process "uTorrent.exe" (PID: 1320) as malicious (classified as "uTorrent.C potentially unwanted" with 20% detection rate)
14/68 Antivirus vendors marked spawned process "uTorrent.exe" (PID: 2184) as malicious (classified as "uTorrent.C potentially unwanted" with 20% detection rate)
14/68 Antivirus vendors marked spawned process "uTorrent.exe" (PID: 3920) as malicious (classified as "uTorrent.C potentially unwanted" with 20% detection rate)
14/68 Antivirus vendors marked spawned process "uTorrent.exe" (PID: 3528) as malicious (classified as "uTorrent.C potentially unwanted" with 20% detection rate)
14/68 Antivirus vendors marked spawned process "uTorrent.exe" (PID: 3452) as malicious (classified as "uTorrent.C potentially unwanted" with 20% detection rate)
14/68 Antivirus vendors marked spawned process "uTorrent.exe" (PID: 1984) as malicious (classified as "uTorrent.C potentially unwanted" with 20% detection rate)
- source
- Monitored Target
- relevance
- 10/10
-
Installation/Persistence
-
Allocates virtual memory in a remote process
- details
- "uTorrent.exe" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"
- note: the "process" recorded here is a registry key path, so the sandbox did not resolve the allocation target; read this entry together with the writes below, all of which target other uTorrent.exe instances
- source
- API Call
- relevance
- 7/10
- ATT&CK ID
- T1055
-
Writes data to a remote process
- details
-
"uTorrent.exe" wrote 32 bytes to a remote process "%APPDATA%\uTorrent\uTorrent.exe" (Handle: 1332)
"uTorrent.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Roaming\uTorrent\uTorrent.exe" (Handle: 1332)
"uTorrent.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Roaming\uTorrent\uTorrent.exe" (Handle: 1332)
"uTorrent.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Roaming\uTorrent\uTorrent.exe" (Handle: 1332)
"uTorrent.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Roaming\uTorrent\uTorrent.exe" (Handle: 1272)
"uTorrent.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Roaming\uTorrent\uTorrent.exe" (Handle: 1272)
"uTorrent.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Roaming\uTorrent\uTorrent.exe" (Handle: 1272)
"uTorrent.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Roaming\uTorrent\uTorrent.exe" (Handle: 1272)
"uTorrent.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Roaming\uTorrent\uTorrent.exe" (Handle: 1280)
"uTorrent.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Roaming\uTorrent\uTorrent.exe" (Handle: 1280)
"uTorrent.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Roaming\uTorrent\uTorrent.exe" (Handle: 1280)
"uTorrent.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Roaming\uTorrent\uTorrent.exe" (Handle: 1280)
"uTorrent.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Roaming\uTorrent\uTorrent.exe" (Handle: 1292)
"uTorrent.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Roaming\uTorrent\uTorrent.exe" (Handle: 1292)
"uTorrent.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Roaming\uTorrent\uTorrent.exe" (Handle: 1292)
"uTorrent.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Roaming\uTorrent\uTorrent.exe" (Handle: 1292)
- note: every target is another uTorrent.exe instance and the same four sizes (32, 52, 4 and 8 bytes) recur for each of the four handles, i.e. a small fixed structure handed to each child process rather than a payload injected into a foreign process
- source
- API Call
- relevance
- 6/10
- ATT&CK ID
- T1055
-
Network Related
-
Detected a large number of ARP broadcast requests (network device lookup)
- details
- Attempt to find devices in networks: "169.254.11.34/32, 169.254.16.204/32, 169.254.27.56/32, 169.254.55.127/32, 169.254.68.39/32, 169.254.79.15/32, 169.254.96.220/32, 169.254.185.12/32, 169.254.195.203/32, 169.254.223.78/32, 169.254.224.116/32, 192.168.240.1/32, 192.168.240.2/32, 192.168.240.95/32, 192.168.240.98/32, 192.168.240.115/32, 192.168.240.142/31, 192.168.240.148/32, 192.168.240.212/32, 192.168.240.217/32, 192.168.240.231/32, 192.168.243.5/32, 192.168.243.26/32, 192.168.243.36/32, 192.168.243.39/32, 192.168.243.42/32, 192.168.243.52/32, 192.168.243.64/32, 192.168.243.93/32, 192.168.243.102/32, 192.168.243.108/32, 192.168.243.144/32, 192.168.243.146/32, 192.168.243.202/32, 192.168.243.214/32, 192.168.243.228/32, 192.168.243.232/32, 192.168.243.236/32, 192.168.243.250/32"
- source
- Network Traffic
- relevance
- 10/10
- ATT&CK ID
- T1016
- note: 169.254.0.0/16 is link-local (APIPA) space and 192.168.240.0/24 and 192.168.243.0/24 are RFC 1918 private ranges; the /31 entry covers 192.168.240.142 and .143. Looking up neighbours on the local subnet is expected of a BitTorrent client (the binary carries the BT-SEARCH local peer discovery and SSDP templates listed under "Found potential IP address in binary/memory"), so weigh the "Spreading" label in the summary against that
-
Found more than one unique User-Agent
- details
-
Found the following User-Agents: Hydra HttpRequest
ut_core BenchHttp (ver:45776)
uTorrent(45776105433.5.5
uTorrent/355S
- source
- Network Traffic
- relevance
- 5/10
-
Unusual Characteristics
-
Checks for a resource fork (ADS) file
- details
- "uTorrent.exe" checked file "C:"
- source
- API Call
- relevance
- 5/10
-
References suspicious system modules
- details
-
"csrss.exe"
"lsass.exe"
- source
- File/Memory
- relevance
- 5/10
- ATT&CK ID
- T1215 (Kernel Modules and Extensions; deprecated in current ATT&CK, superseded by T1547.006)
- note: the evidence is two process-name strings present in the file, not an observed load of or access to either process
-
Spawns a lot of processes
- details
-
Spawned process "uTorrent.exe"
Spawned process "uTorrent.exe" with commandline "/RECOVER "%APPDATA%\uTorrent\45776-utorrent.fb6a.dmp""
Spawned process "uTorrent.exe" with commandline ""/RECOVER" "%APPDATA%\uTorrent\45776-utorrent.fb6a.dmp""
Spawned process "uTorrent.exe" with commandline "/RECOVER "%APPDATA%\uTorrent\45776-utorrent.9948.dmp""
Spawned process "uTorrent.exe" with commandline "/RECOVER "%APPDATA%\uTorrent\45776-utorrent.afcd.dmp""
Spawned process "uTorrent.exe" with commandline "/RECOVER "%APPDATA%\uTorrent\45776-utorrent.7b8d.dmp""
Spawned process "uTorrent.exe" with commandline "/RECOVER "%APPDATA%\uTorrent\45776-utorrent.f3c6.dmp""
- note: a child started with /RECOVER <dump file> points to the client relaunching itself after a crash, and five distinct dump names mean it crashed repeatedly inside the guest; the dumps are what the POSTs to update.utorrent.com/crash.php (under Suspicious Indicators, "POSTs files to a webserver") upload, each with p=<pid> matching one of the spawned PIDs 1320, 2184, 3920 and 3528 and s=<size> equal to its Content-Length
- source
- Monitored Target
- relevance
- 8/10
-
2 further malicious indicators are hidden in this public report
-
Suspicious Indicators 27
-
Environment Awareness
-
Reads the active computer name
- details
- "uTorrent.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012
-
Reads the cryptographic machine GUID
- details
- "uTorrent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
External Systems
-
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
- 1/78 reputation engines marked "http://apps.bittorrent.com" as malicious (1% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
POSTs files to a webserver
- details
-
"POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 234" with no payload
"POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 276" with no payload
"POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 248" with no payload
"POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 277" with no payload
"POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 245" with no payload
"POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 264" with no payload
"POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 243" with no payload
"POST /e?i=21 HTTP/1.1
Host: i-21.b-45776.ut.bench.utorrent.com
User-Agent: ut_core BenchHttp (ver:45776)
Connection: close
Content-Length: 273" with no payload
"POST /e?i=21 HTTP/1.1
Host: i-21.b-45776.ut.bench.utorrent.com
User-Agent: ut_core BenchHttp (ver:45776)
Connection: close
Content-Length: 278" with no payload
"POST /e?i=21 HTTP/1.1
Host: i-21.b-45776.ut.bench.utorrent.com
User-Agent: ut_core BenchHttp (ver:45776)
Connection: close
Content-Length: 394" with no payload
"POST /e?i=41 HTTP/1.1
Content-Type: application/octet-stream
User-Agent: uTorrent/355S
Host: i-41.b-45776.bench.utorrent.com
Content-Length: 415
Cache-Control: no-cache" with no payload
"POST /crash.php?cl=uTorrent&ver=45776U&full_version=111915728U&h=ZHAl8jBnueZvoJRP&p=1320U&pr=0U&s=391937U&svp=4&ov=0&plus=0 HTTP/1.1
Content-Type: application/octet-stream
User-Agent: uTorrent/355S
Host: update.utorrent.com
Content-Length: 391937
Cache-Control: no-cache" with no payload
"POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 263" with no payload
"POST /crash.php?cl=uTorrent&ver=45776U&full_version=111915728U&h=ZHAl8jBnueZvoJRP&p=2184U&pr=0U&s=391937U&svp=4&ov=0&plus=0 HTTP/1.1
Content-Type: application/octet-stream
User-Agent: uTorrent/355S
Host: update.utorrent.com
Content-Length: 391937
Cache-Control: no-cache" with no payload
"POST /e?i=21 HTTP/1.1
Host: i-21.b-45776.ut.bench.utorrent.com
User-Agent: ut_core BenchHttp (ver:45776)
Connection: close
Content-Length: 393" with no payload
"POST /e?i=41 HTTP/1.1
Content-Type: application/octet-stream
User-Agent: uTorrent/355S
Host: i-41.b-45776.bench.utorrent.com
Content-Length: 442
Cache-Control: no-cache" with no payload
"POST /crash.php?cl=uTorrent&ver=45776U&full_version=111915728U&h=ZHAl8jBnueZvoJRP&p=3920U&pr=0U&s=286553U&svp=4&ov=45776&plus=0 HTTP/1.1
Content-Type: application/octet-stream
User-Agent: uTorrent/355S
Host: update.utorrent.com
Content-Length: 286553
Cache-Control: no-cache" with no payload
"POST /e?i=41 HTTP/1.1
Content-Type: application/octet-stream
User-Agent: uTorrent/355S
Host: i-41.b-45776.bench.utorrent.com
Content-Length: 435
Cache-Control: no-cache" with no payload
"POST /crash.php?cl=uTorrent&ver=45776U&full_version=111915728U&h=ZHAl8jBnueZvoJRP&p=3528U&pr=0U&s=292382U&svp=4&ov=0&plus=0 HTTP/1.1
Content-Type: application/octet-stream
User-Agent: uTorrent/355S
Host: update.utorrent.com
Content-Length: 292382
Cache-Control: no-cache" with no payload
- note: "with no payload" means the request bodies were not captured in this report, not that they were empty; the declared Content-Length values are a few hundred bytes for the bench.utorrent.com event endpoints and 286,553 to 391,937 bytes for the four crash.php uploads to update.utorrent.com, whose p= values (1320, 2184, 3920, 3528) are PIDs of the spawned uTorrent.exe instances listed under Malicious Indicators and whose s= values equal the Content-Length
- source
- Network Traffic
- relevance
- 5/10
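The `/RECOVER` children listed under "Spawns a lot of processes" and the POSTs above are two views of the same events. The script below is an added example, not part of the Falcon Sandbox report and not uTorrent code: it parses the request heads exactly as the report prints them, separates the small bench.utorrent.com event posts from the crash.php uploads, and checks that each upload's `s=` parameter (read here as the dump size, which is this example's assumption) equals its Content-Length and that its `p=` value is one of the PIDs the report lists as spawned. The request text and the PID list are copied from this page; the labels "telemetry" and "crash-dump" are the example's own.

```python
"""Triage of the outbound POSTs and the /RECOVER children in this report.

Added example; not Falcon Sandbox or uTorrent code. Request heads and the
spawned-PID list are copied from the report; the "telemetry"/"crash-dump"
labels and the reading of s= as the dump size are this example's own.
"""
from urllib.parse import parse_qs, urlsplit

# Request heads exactly as the report prints them (bodies were not captured).
REQUESTS = [
    "POST /e?i=50 HTTP/1.1\nHost: i-50.b-000.xyz.bench.utorrent.com\n"
    "User-Agent: Hydra HttpRequest\nConnection: close\nContent-Length: 234",
    "POST /e?i=21 HTTP/1.1\nHost: i-21.b-45776.ut.bench.utorrent.com\n"
    "User-Agent: ut_core BenchHttp (ver:45776)\nConnection: close\nContent-Length: 273",
    "POST /e?i=41 HTTP/1.1\nContent-Type: application/octet-stream\n"
    "User-Agent: uTorrent/355S\nHost: i-41.b-45776.bench.utorrent.com\n"
    "Content-Length: 415\nCache-Control: no-cache",
    "POST /crash.php?cl=uTorrent&ver=45776U&full_version=111915728U&h=ZHAl8jBnueZvoJRP"
    "&p=1320U&pr=0U&s=391937U&svp=4&ov=0&plus=0 HTTP/1.1\nContent-Type: application/octet-stream\n"
    "User-Agent: uTorrent/355S\nHost: update.utorrent.com\nContent-Length: 391937\nCache-Control: no-cache",
    "POST /crash.php?cl=uTorrent&ver=45776U&full_version=111915728U&h=ZHAl8jBnueZvoJRP"
    "&p=2184U&pr=0U&s=391937U&svp=4&ov=0&plus=0 HTTP/1.1\nContent-Type: application/octet-stream\n"
    "User-Agent: uTorrent/355S\nHost: update.utorrent.com\nContent-Length: 391937\nCache-Control: no-cache",
    "POST /crash.php?cl=uTorrent&ver=45776U&full_version=111915728U&h=ZHAl8jBnueZvoJRP"
    "&p=3920U&pr=0U&s=286553U&svp=4&ov=45776&plus=0 HTTP/1.1\nContent-Type: application/octet-stream\n"
    "User-Agent: uTorrent/355S\nHost: update.utorrent.com\nContent-Length: 286553\nCache-Control: no-cache",
    "POST /crash.php?cl=uTorrent&ver=45776U&full_version=111915728U&h=ZHAl8jBnueZvoJRP"
    "&p=3528U&pr=0U&s=292382U&svp=4&ov=0&plus=0 HTTP/1.1\nContent-Type: application/octet-stream\n"
    "User-Agent: uTorrent/355S\nHost: update.utorrent.com\nContent-Length: 292382\nCache-Control: no-cache",
]

# PIDs from "The analysis spawned a process that was identified as malicious".
SPAWNED_PIDS = [1320, 2184, 3920, 3528, 3452, 1984]


def parse_request(raw):
    """Split one request head into method, path, query parameters and headers."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    url = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "path": url.path,
        "query": {k: v[0] for k, v in parse_qs(url.query).items()},
        "host": headers.get("host", ""),
        "user_agent": headers.get("user-agent", ""),
        "content_length": int(headers.get("content-length", "0")),
    }


def classify(req):
    """Label a parsed request. The rules are this example's, based on what the page shows."""
    if req["path"] == "/crash.php":
        pid = int(req["query"]["p"].rstrip("U"))
        declared = int(req["query"]["s"].rstrip("U"))  # assumed to be the dump size
        return {"kind": "crash-dump", "pid": pid, "declared_size": declared,
                "size_matches": declared == req["content_length"]}
    if req["path"] == "/e" and req["host"].endswith(".bench.utorrent.com"):
        return {"kind": "telemetry", "event_id": int(req["query"]["i"])}
    return {"kind": "other"}


def triage(raws):
    """Parse and label every request head."""
    out = []
    for raw in raws:
        req = parse_request(raw)
        req.update(classify(req))
        out.append(req)
    return out


def crashed_pids(raws):
    """PIDs that uploaded a crash dump."""
    return sorted({r["pid"] for r in triage(raws) if r["kind"] == "crash-dump"})


def pids_without_dump(raws, spawned=SPAWNED_PIDS):
    """Spawned PIDs for which no crash.php upload appears in the capture."""
    return sorted(set(spawned) - set(crashed_pids(raws)))


def user_agents(raws):
    """Distinct User-Agent strings, one per client component seen in the capture."""
    return sorted({parse_request(r)["user_agent"] for r in raws})


def total_declared_bytes(raws):
    """Sum of Content-Length headers: the outbound volume the capture declares."""
    return sum(parse_request(r)["content_length"] for r in raws)
```

Run against the seven requests, the four crash.php entries all satisfy `s == Content-Length`, their PIDs are exactly four of the six spawned PIDs (3452 and 1984 have no upload in the capture), and the declared outbound volume is about 1.36 MB, almost all of it crash dumps.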
-
Reads configuration files
- details
-
"uTorrent.exe" read file "%WINDIR%\win.ini"
"uTorrent.exe" read file "%USERPROFILE%\Desktop\desktop.ini"
"uTorrent.exe" read file "%USERPROFILE%\Searches\desktop.ini"
"uTorrent.exe" read file "%USERPROFILE%\Videos\desktop.ini"
"uTorrent.exe" read file "%USERPROFILE%\Pictures\desktop.ini"
"uTorrent.exe" read file "%USERPROFILE%\Contacts\desktop.ini"
"uTorrent.exe" read file "%USERPROFILE%\Favorites\desktop.ini"
"uTorrent.exe" read file "%USERPROFILE%\Music\desktop.ini"
"uTorrent.exe" read file "%USERPROFILE%\Downloads\desktop.ini"
"uTorrent.exe" read file "%USERPROFILE%\Documents\desktop.ini"
"uTorrent.exe" read file "%USERPROFILE%\Links\desktop.ini"
"uTorrent.exe" read file "%USERPROFILE%\Saved Games\desktop.ini"
"uTorrent.exe" read file "C:\Users\desktop.ini"
- source
- API Call
- relevance
- 4/10
-
Installation/Persistence
-
Drops executable files
- details
-
"3.5.5_45776.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"uTorrent.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
Network Related
-
Found potential IP address in binary/memory
- details
-
Heuristic match: "http://127.0.0.1:5001/api/latest/id"
"127.0.0.1"
Heuristic match: "1.3.6.1.5.5.7.3.1" (an X.509 extended key usage OID, id-kp-serverAuth, not an IP address)
Heuristic match: "1.3.6.1.4.1.311.10.3.3" (the Microsoft Server Gated Crypto EKU OID, not an IP address)
Heuristic match: "1.3.6.1.5.5.7.3.2" (the X.509 EKU OID id-kp-clientAuth, not an IP address)
"192.168.0.0"
"169.254.0.0"
"172.16.0.0"
"239.255.255.250" (SSDP/UPnP discovery multicast group; see the M-SEARCH template below)
Heuristic match: "M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
ST:upnp:rootdevice
MAN:"ssdp:discover"
MX:3"
Heuristic match: "NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
LOCATION: http://%A
SERVER: %s/%s UPnP/1.1 %s/%s
NTS: %s
ST: ut:client:service:pairing
USN: uuid:%s
FRIENDLYNAME:%S
HH:%s"
"239.192.152.143" (BitTorrent local peer discovery multicast group; see the BT-SEARCH template below)
Heuristic match: "BT-SEARCH * HTTP/1.1
Host: 239.192.152.143:6771
Port: %u
Infohash: %s"
"255.255.255.255"
Heuristic match: "dhttp://127.0.0.1:5001/hostui"
"208.67.222.222" (OpenDNS resolver)
"208.67.220.220" (OpenDNS resolver)
Heuristic match: ""%s" -i "http://pairing:%H@127.0.0.1:%d/proxy?sid=%x&file=%d&token=%H&pairing=%H&service=STREAMING" -vcodec copy -acodec copy -f avi -ss %d -to %d "%s""
Heuristic match: "http://127.0.0.1:%d/proxy?sid=%x&file=%d"
Heuristic match: "http://127.0.0.1:%d/proxy?sid=%S&file=%d"
Heuristic match: "%s -n 2 127.0.0.1"
Heuristic match: "http://127.0.0.1:%d/gui/index.html"
Heuristic match: "http://pairing:%H@127.0.0.1:%d/proxy?sid=%x&file=%d&token=%H&pairing=%H&service=STREAMING"
Heuristic match: "http://pairing:%H@127.0.0.1:%d/proxy/%s?sid=%x&file=%d&token=%H&pairing=%H&service=STREAMING"
Heuristic match: "http://pairing:%H@127.0.0.1:%d/fileserve?token=%H&pairing=%H"
- note: the 127.0.0.1 entries are printf-style templates for the client's local web UI and streaming proxy, and 192.168.0.0, 169.254.0.0 and 172.16.0.0 are private-range and link-local prefixes carried as strings, not hosts that were contacted
- source
- File/Memory
- relevance
- 3/10
-
Sends traffic on typical HTTP outbound port, but without HTTP header
- details
-
TCP traffic to 23.23.85.1 on port 80 is sent without HTTP header
TCP traffic to 23.21.92.252 on port 80 is sent without HTTP header
TCP traffic to 67.215.246.203 on port 80 is sent without HTTP header
TCP traffic to 54.235.208.27 on port 80 is sent without HTTP header
TCP traffic to 23.23.215.82 on port 80 is sent without HTTP header
TCP traffic to 54.243.113.215 on port 80 is sent without HTTP header
TCP traffic to 23.21.139.158 on port 80 is sent without HTTP header
TCP traffic to 54.225.194.96 on port 80 is sent without HTTP header
TCP traffic to 54.197.251.114 on port 80 is sent without HTTP header
- source
- Network Traffic
- relevance
- 5/10
- ATT&CK ID
- T1043 (Commonly Used Port; deprecated in current ATT&CK)
-
System Destruction
-
Marks file for deletion
- details
-
"C:\uTorrent.exe" marked "%TEMP%\utt7054.tmp" for deletion
"C:\uTorrent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\HYD7353.tmp" for deletion
"C:\uTorrent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\utt83CF.tmp" for deletion
"C:\uTorrent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\utt313E.tmp" for deletion
"%APPDATA%\uTorrent\uTorrent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\utt467C.tmp" for deletion
"%APPDATA%\uTorrent\uTorrent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\utt50FC.tmp" for deletion
"%APPDATA%\uTorrent\uTorrent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\uttA7B6.tmp" for deletion
"%APPDATA%\uTorrent\uTorrent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\uttB275.tmp" for deletion
"%APPDATA%\uTorrent\uTorrent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\utt1DC1.tmp" for deletion
"%APPDATA%\uTorrent\uTorrent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\utt2842.tmp" for deletion
"%APPDATA%\uTorrent\uTorrent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\utt9284.tmp" for deletion
"%APPDATA%\uTorrent\uTorrent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\utt9CC6.tmp" for deletion
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1107 (File Deletion; now T1070.004, Indicator Removal: File Deletion)
-
Opens file with deletion access rights
- details
-
"uTorrent.exe" opened "%APPDATA%\uTorrent\settings.dat" with delete access
"uTorrent.exe" opened "%APPDATA%\uTorrent\settings.dat.new" with delete access
"uTorrent.exe" opened "%APPDATA%\uTorrent\toolbar.benc" with delete access
"uTorrent.exe" opened "%APPDATA%\uTorrent\toolbar.benc.new" with delete access
"uTorrent.exe" opened "%TEMP%\utt313E.tmp" with delete access
"uTorrent.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\utt467C.tmp" with delete access
- source
- API Call
- relevance
- 7/10
-
System Security
-
Modifies proxy settings
- details
-
"uTorrent.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
"uTorrent.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
"uTorrent.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
"uTorrent.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"uTorrent.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- note: setting PROXYENABLE to 0 and deleting PROXYSERVER and PROXYOVERRIDE turns off the user's WinINet (Internet Explorer) proxy configuration; on a network that relies on a configured proxy for egress control this is the entry worth following up
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Queries sensitive IE security settings
- details
- "uTorrent.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
- ATT&CK ID
- T1012
-
Unusual Characteristics
-
Imports suspicious APIs
- details
-
RegCreateKeyExW
RegCloseKey
RegDeleteKeyW
OpenProcessToken
RegOpenKeyExW
LookupAccountNameW
GetUserNameW
RegEnumKeyExW
CreateProcessAsUserW
RegDeleteValueW
GetDriveTypeW
TerminateProcess
LockResource
GetDriveTypeA
FindFirstFileW
GetFileAttributesW
DisconnectNamedPipe
LoadLibraryExW
UnhandledExceptionFilter
GetThreadContext
GetTempPathW
ConnectNamedPipe
DeviceIoControl
CopyFileW
OutputDebugStringW
GetModuleFileNameW
IsDebuggerPresent
GetVersionExA
GetModuleFileNameA
Process32FirstW
CreateThread
ExitThread
GetModuleHandleExW
SleepEx
CreateToolhelp32Snapshot
LoadLibraryW
GetVersionExW
GetTickCount
VirtualProtect
LoadLibraryA
GetFileSize
OpenProcess
GetStartupInfoW
ReadProcessMemory
CreateDirectoryW
DeleteFileW
GetProcAddress
GetTempFileNameW
WriteFile
GetFileSizeEx
FindFirstFileExA
FindNextFileW
FindNextFileA
CreateFileMappingW
CreateFileW
CreateFileA
GetComputerNameW
WinExec
Process32NextW
GetCommandLineW
GetCommandLineA
CopyFileExW
MapViewOfFile
GetModuleHandleA
GetModuleHandleW
GetFileAttributesExW
FindResourceW
CreateProcessW
Sleep
FindResourceA
VirtualAlloc
ShellExecuteW
ShellExecuteA
ShellExecuteExW
GetCursorPos
SetWindowsHookExW
FindWindowExW
FindWindowW
GetWindowThreadProcessId
InternetGetConnectedState
accept
WSAStartup
recv
send
WSASend
listen
closesocket
socket
bind
WSASendTo
recvfrom
sendto
connect
- source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
-
"uTorrent.exe" wrote bytes "711160007a3b5f00ab8b02007f950200fc8c0200729602006cc805001ecd5c007d265c00" to virtual address "0x774407E4" (part of module "USER32.DLL")
"uTorrent.exe" wrote bytes "b4360200" to virtual address "0x75284D68" (part of module "SSPICLI.DLL")
"uTorrent.exe" wrote bytes "a011fe73" to virtual address "0x7725E324" (part of module "WININET.DLL")
"uTorrent.exe" wrote bytes "f8116b7520146b754cbc6d75f5166b75a9116b7585486b75b9346b75a9346b7568346b7500000000a56b4d75e4854d75e04d4d759cc04d75a3bf4d7592ae4d750c7d4d7500000000" to virtual address "0x74051000" (part of module "MSIMG32.DLL")
"uTorrent.exe" wrote bytes "d83a2875" to virtual address "0x752901E0" (part of module "SSPICLI.DLL")
"uTorrent.exe" wrote bytes "b4362875" to virtual address "0x75290200" (part of module "SSPICLI.DLL")
"uTorrent.exe" wrote bytes "b4360200" to virtual address "0x75284EA4" (part of module "SSPICLI.DLL")
"uTorrent.exe" wrote bytes "75dc5875273e587551c15675ee9c5675949856750fb35c75109956759097567500000000f5166b75ead76c75d9176b7569876b750f776d754cbc6d75a9346b7520146b75f8116b75ff106b7500000000" to virtual address "0x734CE000" (part of module "IMAGERES.DLL")
"uTorrent.exe" wrote bytes "b4362875" to virtual address "0x752901E4" (part of module "SSPICLI.DLL")
"uTorrent.exe" wrote bytes "b89012fe73ffe0" to virtual address "0x75283AD8" (part of module "SSPICLI.DLL")
"uTorrent.exe" wrote bytes "d83a0200" to virtual address "0x75284E38" (part of module "SSPICLI.DLL")
"uTorrent.exe" wrote bytes "d83a0200" to virtual address "0x75284D78" (part of module "SSPICLI.DLL")
"uTorrent.exe" wrote bytes "d83a2875" to virtual address "0x75290258" (part of module "SSPICLI.DLL")
"uTorrent.exe" wrote bytes "b4362875" to virtual address "0x75290278" (part of module "SSPICLI.DLL")
"uTorrent.exe" wrote bytes "b88011fe73ffe0" to virtual address "0x765A1368" (part of module "WS2_32.DLL")
"uTorrent.exe" wrote bytes "c0df9e771cf99d77ccf89d770d649f7700000000c0116b7500000000fc3e6b7500000000e0136b75000000009457617625e09e77c6e09e7700000000bc6a607600000000cf316b750000000093196176000000002c326b7500000000" to virtual address "0x75551000" (part of module "NSI.DLL")
"uTorrent.exe" wrote bytes "b4362875" to virtual address "0x7529025C" (part of module "SSPICLI.DLL")
"uTorrent.exe" wrote bytes "d83a2875" to virtual address "0x752901FC" (part of module "SSPICLI.DLL")
"uTorrent.exe" wrote bytes "7d07a27781eda077ae869f77c6e09e77effda1772d16a0776014a277478d9f77a8e29e7760899f7700000000ad375a768b2d5a76b6415a7600000000" to virtual address "0x73F81000" (part of module "WSHTCPIP.DLL")
"uTorrent.exe" wrote bytes "0efca17781eda077ae869f77c6e09e77effda1772d16a077c0fc9d77da8fa8776014a277478d9f77a8e29e7760899f7700000000ad375a768b2d5a76b6415a7600000000" to virtual address "0x73F91000" (part of module "WSHIP6.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 (Hooking; deprecated in current ATT&CK)
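The hex strings in the hook entries above can be read without a disassembler. The script below is an added example, not Hybrid Analysis code, that decodes them: `b8 imm32 ff e0` is the x86 encoding of `mov eax, imm32 ; jmp eax`, a seven-byte inline trampoline, and the two such writes (into SSPICLI.DLL and WS2_32.DLL) both jump into the 0x73fe0000 region, as does the 4-byte pointer written into WININET.DLL; the pointer written at 0x752901E0 is the address of the SSPICLI trampoline itself; the long writes at page-aligned addresses in MSIMG32.DLL, IMAGERES.DLL, NSI.DLL, WSHTCPIP.DLL and WSHIP6.DLL are arrays of pointers, which is what an import table looks like while it is being filled. The byte strings and addresses are copied from the report; the classification rules, and the SSPICLI.DLL base address of 0x75260000 used to show that the small relative values 0x236b4 and 0x23ad8 resolve onto the patched locations, are this example's own inferences, and nothing here establishes which component placed the hooks.

```python
"""Decode the memory writes listed under "Installs hooks/patches the running process".

Added example; not Hyb­rid Analysis code. The (bytes, address, module) triples are
copied from the report. The classification rules and the assumed SSPICLI.DLL base
are this example's own inferences.
"""
import struct

# (hex bytes written, virtual address written to, module) as printed in the report.
WRITES = [
    ("b89012fe73ffe0", 0x75283AD8, "SSPICLI.DLL"),
    ("b88011fe73ffe0", 0x765A1368, "WS2_32.DLL"),
    ("a011fe73", 0x7725E324, "WININET.DLL"),
    ("d83a2875", 0x752901E0, "SSPICLI.DLL"),
    ("d83a0200", 0x75284E38, "SSPICLI.DLL"),
    ("b4360200", 0x75284D68, "SSPICLI.DLL"),
    ("f8116b7520146b754cbc6d75f5166b75a9116b7585486b75b9346b75a9346b7568346b7500000000"
     "a56b4d75e4854d75e04d4d759cc04d75a3bf4d7592ae4d750c7d4d7500000000", 0x74051000, "MSIMG32.DLL"),
]

# Inferred, not stated in the report: the absolute SSPICLI writes (0x7528xxxx, 0x7529xxxx)
# and the small values 0x236b4 / 0x23ad8 only line up if the module is based here.
ASSUMED_SSPICLI_BASE = 0x75260000


def decode_write(hexbytes, address, module):
    """Classify one write as trampoline, pointer, rva, pointer-table or unknown."""
    data = bytes.fromhex(hexbytes)
    # b8 imm32 ff e0  ==  mov eax, imm32 ; jmp eax  (7-byte inline hook)
    if len(data) == 7 and data[0] == 0xB8 and data[5:] == b"\xff\xe0":
        target = struct.unpack_from("<I", data, 1)[0]
        return {"kind": "trampoline", "module": module, "at": address, "target": target,
                "asm": f"mov eax, 0x{target:08x} ; jmp eax"}
    if len(data) % 4:
        return {"kind": "unknown", "module": module, "at": address, "len": len(data)}
    words = [w for (w,) in struct.iter_unpack("<I", data)]
    if len(words) == 1:
        # Heuristic: a value far below any user-mode image base is an offset (RVA), not a pointer.
        if words[0] < 0x01000000:
            return {"kind": "rva", "module": module, "at": address, "value": words[0]}
        return {"kind": "pointer", "module": module, "at": address, "target": words[0]}
    return {"kind": "pointer-table", "module": module, "at": address,
            "page_aligned": address & 0xFFF == 0,
            "targets": [w for w in words if w]}  # zero entries are terminators/padding


def trampoline_targets(writes):
    """Distinct addresses that hooked calls are diverted to."""
    return sorted({d["target"] for d in (decode_write(*w) for w in writes)
                   if d["kind"] == "trampoline"})


def resolve_rva(rva, base):
    """Turn a relative entry (e.g. an export address table slot) into an absolute address."""
    return base + rva


def same_64k_region(addresses):
    """True if all addresses share their top 16 bits, i.e. sit in one 64 KiB-aligned region."""
    return len({a >> 16 for a in addresses}) == 1
```

With the report's values, both trampolines and the WININET pointer land in the same 64 KiB region, the absolute pointer written at 0x752901E0 equals the SSPICLI trampoline address, and 0x75260000 + 0x23ad8 equals it too, so the "rva" writes at 0x75284E38 and 0x75284D78 are relative entries redirected to the same stub.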
-
Reads information about supported languages
- details
- "uTorrent.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
-
12 further suspicious indicators are hidden in this public report
-
Informative 27
-
Environment Awareness
-
Queries volume information
- details
-
"uTorrent.exe" queries volume information of "C:\" at 00064600-00002356-00000046-3605784
"uTorrent.exe" queries volume information of "C:\" at 00064600-00002356-00000046-5048683
"uTorrent.exe" queries volume information of "C:\" at 00071971-00001320-00000046-3008933
"uTorrent.exe" queries volume information of "C:\" at 00072311-00002184-00000046-3214462
"uTorrent.exe" queries volume information of "C:\" at 00072311-00002184-00000046-3746591
"uTorrent.exe" queries volume information of "C:\" at 00073896-00003920-00000046-4348142
"uTorrent.exe" queries volume information of "C:\" at 00073896-00003920-00000046-4799456
"uTorrent.exe" queries volume information of "C:\" at 00075815-00003528-00000046-4728587
"uTorrent.exe" queries volume information of "C:\" at 00075815-00003528-00000046-280682391
"uTorrent.exe" queries volume information of "C:\" at 00077736-00003452-00000046-3518179
"uTorrent.exe" queries volume information of "C:\" at 00077736-00003452-00000046-4102194
"uTorrent.exe" queries volume information of "C:\" at 00079657-00001984-00000046-4163396
"uTorrent.exe" queries volume information of "C:\" at 00079657-00001984-00000046-338847310
- source
- API Call
- relevance
- 2/10
- ATT&CK ID
- T1120
-
Queries volume information of an entire harddrive
- details
-
"uTorrent.exe" queries volume information of "C:\" at 00064600-00002356-00000046-3605784
"uTorrent.exe" queries volume information of "C:\" at 00064600-00002356-00000046-5048683
"uTorrent.exe" queries volume information of "C:\" at 00071971-00001320-00000046-3008933
"uTorrent.exe" queries volume information of "C:\" at 00072311-00002184-00000046-3214462
"uTorrent.exe" queries volume information of "C:\" at 00072311-00002184-00000046-3746591
"uTorrent.exe" queries volume information of "C:\" at 00073896-00003920-00000046-4348142
"uTorrent.exe" queries volume information of "C:\" at 00073896-00003920-00000046-4799456
"uTorrent.exe" queries volume information of "C:\" at 00075815-00003528-00000046-4728587
"uTorrent.exe" queries volume information of "C:\" at 00075815-00003528-00000046-280682391
"uTorrent.exe" queries volume information of "C:\" at 00077736-00003452-00000046-3518179
"uTorrent.exe" queries volume information of "C:\" at 00077736-00003452-00000046-4102194
"uTorrent.exe" queries volume information of "C:\" at 00079657-00001984-00000046-4163396
"uTorrent.exe" queries volume information of "C:\" at 00079657-00001984-00000046-338847310
- source
- API Call
- relevance
- 8/10
- ATT&CK ID
- T1120
-
Reads the registry for installed applications
- details
-
"uTorrent.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\UTORRENT")
"uTorrent.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\UTORRENT.EXE")
"uTorrent.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\UTORRENT.EXE")
"uTorrent.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\UTORRENT"; Key: "UNINSTALLSTRING"; Value: "000000000100000088000000220043003A005C00550073006500720073005C0048004100500055004200570053005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C00750054006F007200720065006E0074005C00750054006F007200720065006E0074002E00650078006500220020002F0055004E0049004E005300540041004C004C000000")
"uTorrent.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\UTORRENT"; Key: "DISPLAYICON"; Value: "000000000100000076000000220043003A005C00550073006500720073005C0048004100500055004200570053005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C00750054006F007200720065006E0074005C00750054006F007200720065006E0074002E0065007800650022002C0030000000")
"uTorrent.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\UTORRENT"; Key: "INSTALLLOCATION"; Value: "00000000010000005400000043003A005C00550073006500720073005C0048004100500055004200570053005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C00750054006F007200720065006E0074000000")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
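The three Value fields above are hex dumps in the report's own encoding, not raw registry data. The script below is an added example, not Hybrid Analysis code, that decodes them. The 12-byte header layout it assumes (a zero dword, the registry value type, then the byte length of the UTF-16LE data including its terminating NUL) is inferred from these three values, whose declared lengths 0x88, 0x76 and 0x54 match their payloads exactly and whose type dword of 1 matches REG_SZ. Decoding yields the uninstall command, the display icon and the install location, and with them the name of the guest profile the sample ran under, which the rest of the report masks as %USERNAME%.

```python
"""Decode the hex-encoded registry Values in "Reads the registry for installed applications".

Added example; not Hybrid Analysis code. The hex strings are copied from the report.
The 12-byte header layout is inferred from them: a zero dword, the registry value
type (1 = REG_SZ), and the byte length of the UTF-16LE data including its NUL.
"""
import struct

REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

# Value fields as printed under HKCU\...\Uninstall\uTorrent in the report.
VALUES = {
    "UNINSTALLSTRING": "000000000100000088000000220043003A005C00550073006500720073005C0048004100500055004200570053005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C00750054006F007200720065006E0074005C00750054006F007200720065006E0074002E00650078006500220020002F0055004E0049004E005300540041004C004C000000",
    "DISPLAYICON": "000000000100000076000000220043003A005C00550073006500720073005C0048004100500055004200570053005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C00750054006F007200720065006E0074005C00750054006F007200720065006E0074002E0065007800650022002C0030000000",
    "INSTALLLOCATION": "00000000010000005400000043003A005C00550073006500720073005C0048004100500055004200570053005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C00750054006F007200720065006E0074000000",
}


def decode_value(hexstr):
    """Return type name, declared size and decoded data for one encoded value."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 12:
        raise ValueError("shorter than the 12-byte header")
    reserved, reg_type, size = struct.unpack_from("<III", raw, 0)
    payload = raw[12:12 + size]
    if reserved != 0 or len(payload) != size:
        raise ValueError(f"header mismatch: reserved={reserved} declared={size} got={len(payload)}")
    if reg_type in (1, 2):                       # REG_SZ / REG_EXPAND_SZ: NUL-terminated UTF-16LE
        data = payload.decode("utf-16-le").rstrip("\x00")
    elif reg_type == 7:                          # REG_MULTI_SZ: NUL-separated, double-NUL ended
        data = [s for s in payload.decode("utf-16-le").split("\x00") if s]
    elif reg_type == 4 and size == 4:            # REG_DWORD, little-endian
        data = struct.unpack("<I", payload)[0]
    else:
        data = payload
    return {"type": REG_TYPES.get(reg_type, f"type {reg_type}"), "size": size, "data": data}


def decode_all(values):
    """Name -> decoded data for every value in the mapping."""
    return {name: decode_value(hx)["data"] for name, hx in values.items()}


def profile_user(values):
    """Profile name embedded in the install location (C:\\Users\\<name>\\...), or None."""
    parts = decode_value(values["INSTALLLOCATION"])["data"].split("\\")
    if len(parts) > 2 and parts[0].lower() == "c:" and parts[1].lower() == "users":
        return parts[2]
    return None
```

The size check matters when the same decoder is pointed at other reports: a value whose declared length does not match its payload is a sign the encoding assumption does not hold for that entry, and the decoder refuses rather than returning mojibake.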
-
External Systems
-
Detected Suricata Alert
- details
- Detected alert "ET INFO Generic HTTP EXE Upload Outbound" (SID: 2016775, Rev: 3, Severity: 3) categorized as "Misc activity"
- source
- Suricata Alerts
- relevance
- 10/10
-
General
-
Contacts domains
- details
-
"i-50.b-000.xyz.bench.utorrent.com"
"i-21.b-45776.ut.bench.utorrent.com"
"update.utorrent.com"
"i-41.b-45776.bench.utorrent.com"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
-
"23.23.85.1:80"
"23.21.92.252:80"
"67.215.246.203:80"
"54.235.208.27:80"
"23.23.215.82:80"
"54.243.113.215:80"
"23.21.139.158:80"
"54.225.194.96:80"
"54.197.251.114:80"
- source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
-
"xt(yxxxx9xEX$Cw*w[su\ &\WxZbs\*ws\L~4RSDS+BQMsowntdll.pdbRSDSX\K2wkernel32.pdbRSDSFTKEY^wkernelbase.pdbRSDSY%C'O6`+6advapi32.pdbRSDSS\UFv@"
"R)msvcrt.pdbRSDSPA~Kc6"
"RSDSZ[uMhyOlPortableDeviceApi.pdbr2RSDS@g/o%Mtp.SearchFolder.pdbSt2RSDS"
"YI,m4NetworkExplorer.pdbsi2RSDSt$[JJiwatl.pdb2RSDSglHdsxs.pdbF2*y"
"61nRSDSliH$powrprof.pdbr,1d.LegalCopyright*1Mrosoft Corporation. 1lrights reserved.P1r inalFilenameStruct1e&uery.dll@Product1m,Windows SearchD1r2uctVersion7.00.76012851DVarFileInfo1>anslationFE2X1D1J1P1V1\1b1h1n1t1<02xzS2oz"
- source
- File/Memory
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"uTorrent.exe" created file "%TEMP%\HYD7353.tmp.1599964958\index.hta.log"
"uTorrent.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\utt83CF.tmp.new"
"uTorrent.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\utt7054.tmp"
"uTorrent.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\utt313E.tmp"
"uTorrent.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\utt467C.tmp"
"uTorrent.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\utt50FC.tmp"
"uTorrent.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\uttA7B6.tmp"
"uTorrent.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\uttB275.tmp"
"uTorrent.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\utt1DC1.tmp"
"uTorrent.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\utt2842.tmp"
"uTorrent.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\utt9CC6.tmp"
"uTorrent.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\utt9284.tmp"
"uTorrent.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\utt840.tmp"
"uTorrent.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\utt12B1.tmp"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Global\C::Users:%OSUSER%:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwWriterMutex"
"\Sessions\1\BaseNamedObjects\Global\C::Users:%OSUSER%:AppData:Local:Microsoft:Windows:Explorer:thumbcache_32.db!dfMaintainer"
"\Sessions\1\BaseNamedObjects\Global\C::Users:%OSUSER%:AppData:Local:Microsoft:Windows:Explorer:thumbcache_96.db!dfMaintainer"
"\Sessions\1\BaseNamedObjects\Global\C::Users:%OSUSER%:AppData:Local:Microsoft:Windows:Explorer:thumbcache_256.db!dfMaintainer"
"\Sessions\1\BaseNamedObjects\Global\C::Users:%OSUSER%:AppData:Local:Microsoft:Windows:Explorer:thumbcache_1024.db!dfMaintainer"
"\Sessions\1\BaseNamedObjects\Global\C::Users:%OSUSER%:AppData:Local:Microsoft:Windows:Explorer:thumbcache_sr.db!dfMaintainer"
"\Sessions\1\BaseNamedObjects\Global\C::Users:%OSUSER%:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!ThumbnailCacheInit"
"\Sessions\1\BaseNamedObjects\Global\C::Users:%OSUSER%:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs"
"Local\uTorrent.exe"
"Local\Torrent4823DF041B09"
"Local\Shell.CMruPidlList"
"Local\ZonesLockedCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\uTorrent.exe"
"\Sessions\1\BaseNamedObjects\Local\Torrent4823DF041B09"
"\Sessions\1\BaseNamedObjects\Local\Shell.CMruPidlList"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex" - source
- Created Mutant
- relevance
- 3/10
-
GETs files from a webserver
- details
-
"GET /installstats.php?cl=uTorrent&v=111915728&h=ZHAl8jBnueZvoJRP&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showtbexists&pid=2356&cau=0&tbe=0&cd=0&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(45776105433.5.5
Host: update.utorrent.com
Cache-Control: no-cache"
"GET /installstats.php?cl=uTorrent&v=111915728&h=ZHAl8jBnueZvoJRP&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showwarning&pid=2356&cau=0&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(45776105433.5.5
Host: update.utorrent.com
Cache-Control: no-cache"
"GET /installstats.php?cl=uTorrent&v=111915728&h=ZHAl8jBnueZvoJRP&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showinstall&pid=2356&cau=0&au=0&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(45776105433.5.5
Host: update.utorrent.com
Cache-Control: no-cache"
"GET /installstats.php?cl=uTorrent&v=111915728&h=ZHAl8jBnueZvoJRP&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showtorrentoffer&pid=2356&cau=0&toroffer=0&torofferid=<NULL>&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(45776105433.5.5
Host: update.utorrent.com
Cache-Control: no-cache"
"GET /installstats.php?cl=uTorrent&v=111915728&h=ZHAl8jBnueZvoJRP&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&wizardcomplete&pid=2356&cau=0&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(45776105433.5.5
Host: update.utorrent.com
Cache-Control: no-cache" - source
- Network Traffic
- relevance
- 5/10
-
Loads rich edit control libraries
- details
- "uTorrent.exe" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 73B40000
- source
- Loaded Module
- ATT&CK ID
- T1179
-
Overview of unique CLSIDs touched in registry
- details
-
"uTorrent.exe" touched "WinInetBroker Class" (Path: "HKCU\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}")
"uTorrent.exe" touched "PSFactoryBuffer" (Path: "HKCU\WOW6432NODE\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}")
"uTorrent.exe" touched "NetworkListManager" (Path: "HKCU\WOW6432NODE\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}")
"uTorrent.exe" touched "Network List Manager" (Path: "HKCR\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}")
"uTorrent.exe" touched "Portable Devices" (Path: "HKCU\WOW6432NODE\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}\SHELLFOLDER")
"uTorrent.exe" touched "PortableDeviceManager Class" (Path: "HKCU\WOW6432NODE\CLSID\{0AF10CEC-2ECD-4B92-9581-34F6AE0637F3}\TREATAS")
"uTorrent.exe" touched "Portable Media Devices" (Path: "HKCU\WOW6432NODE\CLSID\{640167B4-59B0-47A6-B335-A6B3C0695AEA}\SHELLFOLDER")
"uTorrent.exe" touched "File Open Dialog" (Path: "HKCU\WOW6432NODE\CLSID\{DC1C5A9C-E88A-4DDE-A5A1-60F82A20AEF7}\TREATAS")
"uTorrent.exe" touched "Computer" (Path: "HKCU\WOW6432NODE\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"uTorrent.exe" touched "MruLongList" (Path: "HKCU\WOW6432NODE\CLSID\{53BD6B4E-3780-4693-AFC3-7161C2F3EE9C}\TREATAS")
"uTorrent.exe" touched "Microsoft Shell Folder AutoComplete List" (Path: "HKCU\WOW6432NODE\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\TREATAS")
"uTorrent.exe" touched "Microsoft AutoComplete" (Path: "HKCU\WOW6432NODE\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\TREATAS")
"uTorrent.exe" touched "Microsoft TipAutoCompleteClient Control" (Path: "HKCU\WOW6432NODE\CLSID\{807C1E6C-1D00-453F-B920-B61BB7CDD997}\TREATAS")
"uTorrent.exe" touched "Explorer Browser" (Path: "HKCU\WOW6432NODE\CLSID\{71F96385-DDD6-48D3-A0C1-AE06E8B055FB}\TREATAS")
"uTorrent.exe" touched "Browser Progress Aggregator" (Path: "HKCU\WOW6432NODE\CLSID\{104846AB-42B1-4E38-A80D-136F78C3F258}\TREATAS")
"uTorrent.exe" touched "Explorer Navigation Bar" (Path: "HKCU\WOW6432NODE\CLSID\{056440FD-8568-48E7-A632-72157243B55B}\TREATAS")
"uTorrent.exe" touched "Enhanced Storage Icon Overlay Handler Class" (Path: "HKCU\WOW6432NODE\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\INPROCSERVER32")
"uTorrent.exe" touched "Sharing Overlay (Private)" (Path: "HKCU\WOW6432NODE\CLSID\{08244EE6-92F0-47F2-9FC9-929BAA2E7235}\INPROCSERVER32")
"uTorrent.exe" touched "TF_ThreadMgr" (Path: "HKCU\WOW6432NODE\CLSID\{529A9E6B-6587-4F23-AB9E-9C7D683E3C50}\TREATAS")
"uTorrent.exe" touched "TF_DisplayAttributeMgr" (Path: "HKCU\WOW6432NODE\CLSID\{3CE74DE4-53D3-4D74-8B83-431B3828BA53}\TREATAS") - source
- Registry Access
- relevance
- 3/10
-
Process launched with changed environment
- details
-
Process "uTorrent.exe" was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64""
Process "uTorrent.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles" - source
- Monitored Target
- relevance
- 10/10
-
Reads Windows Trust Settings
- details
- "uTorrent.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012
-
Scanning for window names
- details
- "uTorrent.exe" searching for class ""
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010
-
Spawns new processes
- details
-
Spawned process "uTorrent.exe" with commandline "/RECOVER "%APPDATA%\uTorrent\45776-utorrent.fb6a.dmp""
Spawned process "uTorrent.exe" with commandline ""/RECOVER" "%APPDATA%\uTorrent\45776-utorrent.fb6a.dmp""
Spawned process "uTorrent.exe" with commandline "/RECOVER "%APPDATA%\uTorrent\45776-utorrent.9948.dmp""
Spawned process "uTorrent.exe" with commandline "/RECOVER "%APPDATA%\uTorrent\45776-utorrent.afcd.dmp""
Spawned process "uTorrent.exe" with commandline "/RECOVER "%APPDATA%\uTorrent\45776-utorrent.7b8d.dmp""
Spawned process "uTorrent.exe" with commandline "/RECOVER "%APPDATA%\uTorrent\45776-utorrent.f3c6.dmp"" - source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "uTorrent.exe" with commandline "/RECOVER "%APPDATA%\uTorrent\45776-utorrent.fb6a.dmp""
Spawned process "uTorrent.exe" with commandline ""/RECOVER" "%APPDATA%\uTorrent\45776-utorrent.fb6a.dmp""
Spawned process "uTorrent.exe" with commandline "/RECOVER "%APPDATA%\uTorrent\45776-utorrent.9948.dmp""
Spawned process "uTorrent.exe" with commandline "/RECOVER "%APPDATA%\uTorrent\45776-utorrent.afcd.dmp""
Spawned process "uTorrent.exe" with commandline "/RECOVER "%APPDATA%\uTorrent\45776-utorrent.7b8d.dmp""
Spawned process "uTorrent.exe" with commandline "/RECOVER "%APPDATA%\uTorrent\45776-utorrent.f3c6.dmp"" - source
- Monitored Target
- relevance
- 3/10
-
The input sample is signed with a certificate
- details
-
The input sample is signed with a certificate issued by "CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa c10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US" (SHA1: 31:E5:38:0E:1E:0E:1D:D8:41:F0:C1:74:1B:38:55:6B:25:2E:62:31; see report for more information)
The input sample is signed with a certificate issued by "CN=Microsoft Code Verification Root, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US" (SHA1: 57:53:4C:CC:33:91:4C:41:F7:0E:2C:BB:21:03:A1:DB:18:81:7D:8B; see report for more information)
The input sample is signed with a certificate issued by "CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="c 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US" (SHA1: 49:58:47:A9:31:87:CF:B8:C7:1F:84:0C:B7:B4:14:97:AD:95:C6:4F; see report for more information) - source
- Certificate Data
- relevance
- 10/10
- ATT&CK ID
- T1116
-
Installation/Persistence
-
Connects to LPC ports
- details
- "uTorrent.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"3.5.5_45776.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"_Torrent.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Sun Sep 13 02:47:59 2020 mtime=Sun Sep 13 02:47:59 2020 atime=Sun Sep 13 02:47:59 2020 length=5191064 window=hide"
"uTorrent.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"utt840.tmp" has type "data"
"utt50FC.tmp" has type "data"
"3b00ffd9ca58087d38ebf87720b255aa_6b06490d-f9fd-424c-8b6d-83edc4369e89" has type "data"
"utt467C.tmp" has type "data"
"uttA7B6.tmp" has type "data"
"KTK479EL.txt" has type "ASCII text"
"45776-utorrent.1671.dmp" has type "MDMP crash report data"
"WN9LKG01.txt" has type "ASCII text"
"AHZ3IWU4.txt" has type "ASCII text"
"maindoc.ico" has type "MS Windows icon resource - 4 icons 256x256"
"index.hta.log" has type "ASCII text with CRLF line terminators"
"3VYR1M9U.txt" has type "ASCII text"
"85bb304e7143b24a2c430389dc6f738f_6b06490d-f9fd-424c-8b6d-83edc4369e89" has type "data"
"XKN2V5FN.txt" has type "ASCII text"
"53e500adee4625ed618633b9ddd39f32_6b06490d-f9fd-424c-8b6d-83edc4369e89" has type "data" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"uTorrent.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"uTorrent.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\counters.dat"
"uTorrent.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files"
"uTorrent.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies"
"uTorrent.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies\UI51GU1M.txt"
"uTorrent.exe" touched file "C:\Windows\SysWOW64\en-US\wininet.dll.mui"
"uTorrent.exe" touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
"uTorrent.exe" touched file "C:\Windows\SysWOW64\wshqos.dll"
"uTorrent.exe" touched file "C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_581cd2bf5825dde9\comctl32.dll.mui"
"uTorrent.exe" touched file "C:\Windows\SysWOW64\en-US\comdlg32.dll.mui"
"uTorrent.exe" touched file "C:\Windows\SysWOW64\en-US\user32.dll.mui"
"uTorrent.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"uTorrent.exe" touched file "C:\Windows\SysWOW64\EhStorShell.dll"
"uTorrent.exe" touched file "C:\Windows\SysWOW64\en-US\EhStorShell.dll.mui" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
- source
- File/Memory
- relevance
- 10/10
-
HTTP request contains Base64 encoded artifacts
- details
-
- source
- Network Traffic
- relevance
- 7/10
- ATT&CK ID
- T1132
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
-
"https://www.facebook.com/connect/login_success.html" (Indicator: "facebook.com")
"http://www.facebook.com/connect/login_success.html" (Indicator: "facebook.com")
"https://www.facebook.com/login.php" (Indicator: "facebook.com")
"http://www.facebook.com/login.php" (Indicator: "facebook.com")
"https://www.facebook.com/connect/uiserver.php" (Indicator: "facebook.com")
"http://www.facebook.com/connect/uiserver.php" (Indicator: "facebook.com")
"https://www.facebook.com/dialog/permissions.request" (Indicator: "facebook.com")
"http://www.facebook.com/dialog/permissions.request" (Indicator: "facebook.com")
"https://www.facebook.com/checkpoint/" (Indicator: "facebook.com")
"http://www.facebook.com/checkpoint/" (Indicator: "facebook.com")
"https://www.facebook.com/dialog/oauth" (Indicator: "facebook.com")
"http://www.facebook.com/dialog/oauth" (Indicator: "facebook.com")
"https://www.facebook.com/dialog/apprequests" (Indicator: "facebook.com") - source
- File/Memory
- relevance
- 7/10
-
System Security
-
Creates or modifies windows services
- details
- "uTorrent.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "uTorrent.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"a173724f05cb681baffca788273a1759e6c73e13d8aa3ee2e3de51e36d11dcbb.bin" was detected as "VC8 -> Microsoft Corporation"
"3.5.5_45776.exe" was detected as "VC8 -> Microsoft Corporation" - source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045
File Details
uTorrent.exe
- Filename
- uTorrent.exe
- Size
- 5MiB (5191064 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- a173724f05cb681baffca788273a1759e6c73e13d8aa3ee2e3de51e36d11dcbb
- MD5
- 0db533955de9009c746402baa2065764
- SHA1
- 4148f5a3d00faaa0c7b97e37482c8bf6fd33abd5
- ssdeep
- 98304:TzPuC/D41jZxTvqjdeqPSzkt4bkC8QVsMgtrh:TruCb4bxwVUah
- imphash
- 9d10082878173b4288042403d0f59e4d
- authentihash
- d7e397a1673ef69fff8f8262e0c4f2eb4e08fa364736e3782eddfa7f84361141
- Compiler/Packer
- VC8 -> Microsoft Corporation
Version Info
- LegalCopyright
- 2020 BitTorrent, Inc. All Rights Reserved.
- InternalName
- uTorrent.exe
- FileVersion
- 3.5.5.45776
- CompanyName
- BitTorrent Inc.
- SpecialBuild
- stable34 stable
- ProductName
- Torrent
- ProductVersion
- 3.5.5.45776
- FileDescription
- Torrent
- OriginalFilename
- uTorrent.exe
- Translation
- 0x0409 0x04e4
Classification (TrID)
- 45.3% (.EXE) Win32 Executable MS Visual C++ (generic)
- 39.3% (.EXE) UPX compressed Win32 Executable
- 6.5% (.EXE) Win32 Executable (generic)
- 2.9% (.EXE) OS/2 Executable (generic)
- 2.9% (.EXE) Generic Win/DOS Executable
File Metadata
- 1 .CPP Files compiled with CL.EXE 15.00 (Visual Studio 2008) (build: 30729)
- 16 .C Files compiled with CL.EXE 15.00 (Visual Studio 2008) (build: 30729)
- 203 .OBJ Files (COFF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 24215)
- 35 .BAS Files compiled with C2.EXE 5.0 (Visual Basic 6) (build: 24215)
- 4 .ASM Files assembled with MASM 6.13 (Visual Studio 6 SP1) (build: 7299)
- 1 .C Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8168)
- 44 .OBJ Files (COFF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 24123)
- 124 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 24123)
- 26 .OBJ Files (OMF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 24123)
- 2 .OBJ Files linked with ALIASOBJ.EXE 11.00 (Internal OLDNAMES.LIB Tool) (build: 41118)
- 2 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 23013)
- File contains C++ code
- File contains Visual Basic code
- File contains assembly code
- File appears to contain raw COFF/OMF content
- File is the product of a medium codebase (57 files)
File Certificates
Error validating certificate: A certificate was explicitly revoked by its issuer. (0x800b010c)
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
CN=上海域联软件技术有限公司, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=上海域联软件技术有限公司, L=Shanghai, ST=Shanghai, C=CN | CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa c10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US (Serial: 5f78149eb4f75eb17404a8143aaeaed7) | 03/23/2011 00:00:00 to 03/22/2012 23:59:59 | 40:3D:F4:4E:CE:C0:F0:83:F3:46:6F:1E:ED:4C:DF:5D, 31:E5:38:0E:1E:0E:1D:D8:41:F0:C1:74:1B:38:55:6B:25:2E:62:31 |
CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="c 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US | CN=Microsoft Code Verification Root, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US (Serial: 611993e400000000001c) | 02/22/2011 19:25:17 to 02/22/2021 19:35:17 | 8D:91:3B:CB:70:53:0B:AF:CB:EC:15:BB:74:CF:73:D4, 57:53:4C:CC:33:91:4C:41:F7:0E:2C:BB:21:03:A1:DB:18:81:7D:8B |
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa c10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US | CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="c 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US (Serial: 5200e5aa2556fc1a86ed96c9d44b33c7) | 02/08/2010 00:00:00 to 02/07/2020 23:59:59 | 4D:F6:E0:FC:40:0C:AE:9C:05:2F:AE:98:C6:6D:37:9F, 49:58:47:A9:31:87:CF:B8:C7:1F:84:0C:B7:B4:14:97:AD:95:C6:4F |
Hybrid Analysis
Analysed 7 processes in total (System Resource Monitor).
- uTorrent.exe (PID: 2356) 14/68
- uTorrent.exe /RECOVER "%APPDATA%\uTorrent\45776-utorrent.fb6a.dmp" (PID: 1320) 14/68
- uTorrent.exe "/RECOVER" "%APPDATA%\uTorrent\45776-utorrent.fb6a.dmp" (PID: 2184) 14/68
- uTorrent.exe /RECOVER "%APPDATA%\uTorrent\45776-utorrent.9948.dmp" (PID: 3920) 14/68
- uTorrent.exe /RECOVER "%APPDATA%\uTorrent\45776-utorrent.afcd.dmp" (PID: 3528) 14/68
- uTorrent.exe /RECOVER "%APPDATA%\uTorrent\45776-utorrent.7b8d.dmp" (PID: 3452) 14/68
- uTorrent.exe /RECOVER "%APPDATA%\uTorrent\45776-utorrent.f3c6.dmp" (PID: 1984) 14/68
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
_ldap._tcp.dc._msdcs.scl3.dc | - | - | - |
i-21.b-45776.ut.bench.utorrent.com | 54.197.251.114 (TTL: 299) | - | United States |
i-41.b-45776.bench.utorrent.com | 23.23.215.82 (TTL: 299) | - | United States |
i-50.b-000.xyz.bench.utorrent.com | 23.23.215.82 (TTL: 299) | - | United States |
isatap.scl3.dc | - | - | - |
router.bittorrent.com | 67.215.246.10 (TTL: 1081) | NetEarth One, Inc. (Organization: BitTorrent Inc; Name Server: DNS-02.BITTORRENT.COM; Creation Date: Mon, 13 Aug 2001 00:00:00 GMT) | United States |
router.utorrent.com | 82.221.103.244 (TTL: 586) | - | Iceland |
update.utorrent.com | 67.215.246.203 (TTL: 564) | - | United States |
wpad.scl3.dc | - | - | - |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
23.23.85.1 | 80 TCP | utorrent.exe PID: 2356 | United States |
23.21.92.252 | 80 TCP | utorrent.exe PID: 2356 | United States |
67.215.246.203 | 80 TCP | utorrent.exe PID: 2356; utorrent.exe PID: 1320; utorrent.exe PID: 2184; utorrent.exe PID: 3920; utorrent.exe PID: 3528; utorrent.exe PID: 3452; utorrent.exe PID: 1984 | United States |
54.235.208.27 | 80 TCP | utorrent.exe PID: 2356 | United States |
23.23.215.82 | 80 TCP | utorrent.exe PID: 1320; utorrent.exe PID: 2184; utorrent.exe PID: 3452; utorrent.exe PID: 1984 | United States |
54.243.113.215 | 80 TCP | utorrent.exe PID: 2184 | United States |
23.21.139.158 | 80 TCP | utorrent.exe PID: 3920; utorrent.exe PID: 3528 | United States |
54.225.194.96 | 80 TCP | utorrent.exe PID: 3920; utorrent.exe PID: 3528 | United States |
54.197.251.114 | 80 TCP | utorrent.exe PID: 3452; utorrent.exe PID: 1984 | United States |
HTTP Traffic
Endpoint | Request | URL | Raw request |
---|---|---|---|
23.23.85.1:80 (i-50.b-000.xyz.bench.utorrent.com) | POST | i-50.b-000.xyz.bench.utorrent.com/e?i=50 | POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 234 |
23.23.85.1:80 (i-50.b-000.xyz.bench.utorrent.com) | POST | i-50.b-000.xyz.bench.utorrent.com/e?i=50 | POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 276 |
23.23.85.1:80 (i-50.b-000.xyz.bench.utorrent.com) | POST | i-50.b-000.xyz.bench.utorrent.com/e?i=50 | POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 248 |
23.23.85.1:80 (i-50.b-000.xyz.bench.utorrent.com) | POST | i-50.b-000.xyz.bench.utorrent.com/e?i=50 | POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 277 |
23.23.85.1:80 (i-50.b-000.xyz.bench.utorrent.com) | POST | i-50.b-000.xyz.bench.utorrent.com/e?i=50 | POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 245 |
23.23.85.1:80 (i-50.b-000.xyz.bench.utorrent.com) | POST | i-50.b-000.xyz.bench.utorrent.com/e?i=50 | POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 264 More Details |
23.23.85.1:80 (i-50.b-000.xyz.bench.utorrent.com) | POST | i-50.b-000.xyz.bench.utorrent.com/e?i=50 | POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 243 More Details |
23.21.92.252:80 (i-21.b-45776.ut.bench.utorrent.com) | POST | i-21.b-45776.ut.bench.utorrent.com/e?i=21 | POST /e?i=21 HTTP/1.1
Host: i-21.b-45776.ut.bench.utorrent.com
User-Agent: ut_core BenchHttp (ver:45776)
Connection: close
Content-Length: 273 More Details |
23.21.92.252:80 (i-21.b-45776.ut.bench.utorrent.com) | POST | i-21.b-45776.ut.bench.utorrent.com/e?i=21 | POST /e?i=21 HTTP/1.1
Host: i-21.b-45776.ut.bench.utorrent.com
User-Agent: ut_core BenchHttp (ver:45776)
Connection: close
Content-Length: 278 More Details |
23.21.92.252:80 (i-21.b-45776.ut.bench.utorrent.com) | POST | i-21.b-45776.ut.bench.utorrent.com/e?i=21 | POST /e?i=21 HTTP/1.1
Host: i-21.b-45776.ut.bench.utorrent.com
User-Agent: ut_core BenchHttp (ver:45776)
Connection: close
Content-Length: 394 More Details |
67.215.246.203:80 (update.utorrent.com) | GET | update.utorrent.com/installstats.php?cl=uTorrent&v=111915728&h=ZHAl8jBnueZvoJRP&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showtbexists&pid=2356&ca... | GET /installstats.php?cl=uTorrent&v=111915728&h=ZHAl8jBnueZvoJRP&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showtbexists&pid=2356&cau=0&tbe=0&cd=0&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(45776105433.5.5
Host: update.utorrent.com
Cache-Control: no-cache More Details |
67.215.246.203:80 (update.utorrent.com) | GET | update.utorrent.com/installstats.php?cl=uTorrent&v=111915728&h=ZHAl8jBnueZvoJRP&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showwarning&pid=2356&cau... | GET /installstats.php?cl=uTorrent&v=111915728&h=ZHAl8jBnueZvoJRP&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showwarning&pid=2356&cau=0&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(45776105433.5.5
Host: update.utorrent.com
Cache-Control: no-cache More Details |
67.215.246.203:80 (update.utorrent.com) | GET | update.utorrent.com/installstats.php?cl=uTorrent&v=111915728&h=ZHAl8jBnueZvoJRP&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showinstall&pid=2356&cau... | GET /installstats.php?cl=uTorrent&v=111915728&h=ZHAl8jBnueZvoJRP&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showinstall&pid=2356&cau=0&au=0&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(45776105433.5.5
Host: update.utorrent.com
Cache-Control: no-cache More Details |
67.215.246.203:80 (update.utorrent.com) | GET | update.utorrent.com/installstats.php?cl=uTorrent&v=111915728&h=ZHAl8jBnueZvoJRP&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showtorrentoffer&pid=235... | GET /installstats.php?cl=uTorrent&v=111915728&h=ZHAl8jBnueZvoJRP&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showtorrentoffer&pid=2356&cau=0&toroffer=0&torofferid=<NULL>&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(45776105433.5.5
Host: update.utorrent.com
Cache-Control: no-cache More Details |
67.215.246.203:80 (update.utorrent.com) | GET | update.utorrent.com/installstats.php?cl=uTorrent&v=111915728&h=ZHAl8jBnueZvoJRP&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&wizardcomplete&pid=2356&... | GET /installstats.php?cl=uTorrent&v=111915728&h=ZHAl8jBnueZvoJRP&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&wizardcomplete&pid=2356&cau=0&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(45776105433.5.5
Host: update.utorrent.com
Cache-Control: no-cache More Details |
54.235.208.27:80 (i-41.b-45776.bench.utorrent.com) | POST | i-41.b-45776.bench.utorrent.com/e?i=41 | POST /e?i=41 HTTP/1.1
Content-Type: application/octet-stream
User-Agent: uTorrent/355S
Host: i-41.b-45776.bench.utorrent.com
Content-Length: 415
Cache-Control: no-cache More Details |
67.215.246.203:80 (update.utorrent.com) | POST | update.utorrent.com/crash.php?cl=uTorrent&ver=45776U&full_version=111915728U&h=ZHAl8jBnueZvoJRP&p=1320U&pr=0U&s=391937U&svp=4&ov=0&plus=0 | POST /crash.php?cl=uTorrent&ver=45776U&full_version=111915728U&h=ZHAl8jBnueZvoJRP&p=1320U&pr=0U&s=391937U&svp=4&ov=0&plus=0 HTTP/1.1
Content-Type: application/octet-stream
User-Agent: uTorrent/355S
Host: update.utorrent.com
Content-Length: 391937
Cache-Control: no-cache More Details |
23.23.215.82:80 (i-50.b-000.xyz.bench.utorrent.com) | POST | i-50.b-000.xyz.bench.utorrent.com/e?i=50 | POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 263 More Details |
67.215.246.203:80 (update.utorrent.com) | POST | update.utorrent.com/crash.php?cl=uTorrent&ver=45776U&full_version=111915728U&h=ZHAl8jBnueZvoJRP&p=2184U&pr=0U&s=391937U&svp=4&ov=0&plus=0 | POST /crash.php?cl=uTorrent&ver=45776U&full_version=111915728U&h=ZHAl8jBnueZvoJRP&p=2184U&pr=0U&s=391937U&svp=4&ov=0&plus=0 HTTP/1.1
Content-Type: application/octet-stream
User-Agent: uTorrent/355S
Host: update.utorrent.com
Content-Length: 391937
Cache-Control: no-cache More Details |
54.243.113.215:80 (i-21.b-45776.ut.bench.utorrent.com) | POST | i-21.b-45776.ut.bench.utorrent.com/e?i=21 | POST /e?i=21 HTTP/1.1
Host: i-21.b-45776.ut.bench.utorrent.com
User-Agent: ut_core BenchHttp (ver:45776)
Connection: close
Content-Length: 393 More Details |
23.23.215.82:80 (i-41.b-45776.bench.utorrent.com) | POST | i-41.b-45776.bench.utorrent.com/e?i=41 | POST /e?i=41 HTTP/1.1
Content-Type: application/octet-stream
User-Agent: uTorrent/355S
Host: i-41.b-45776.bench.utorrent.com
Content-Length: 442
Cache-Control: no-cache More Details |
67.215.246.203:80 (update.utorrent.com) | POST | update.utorrent.com/crash.php?cl=uTorrent&ver=45776U&full_version=111915728U&h=ZHAl8jBnueZvoJRP&p=3920U&pr=0U&s=286553U&svp=4&ov=45776&plu... | POST /crash.php?cl=uTorrent&ver=45776U&full_version=111915728U&h=ZHAl8jBnueZvoJRP&p=3920U&pr=0U&s=286553U&svp=4&ov=45776&plus=0 HTTP/1.1
Content-Type: application/octet-stream
User-Agent: uTorrent/355S
Host: update.utorrent.com
Content-Length: 286553
Cache-Control: no-cache More Details |
23.21.139.158:80 (i-21.b-45776.ut.bench.utorrent.com) | POST | i-21.b-45776.ut.bench.utorrent.com/e?i=21 | POST /e?i=21 HTTP/1.1
Host: i-21.b-45776.ut.bench.utorrent.com
User-Agent: ut_core BenchHttp (ver:45776)
Connection: close
Content-Length: 393 More Details |
54.225.194.96:80 (i-41.b-45776.bench.utorrent.com) | POST | i-41.b-45776.bench.utorrent.com/e?i=41 | POST /e?i=41 HTTP/1.1
Content-Type: application/octet-stream
User-Agent: uTorrent/355S
Host: i-41.b-45776.bench.utorrent.com
Content-Length: 435
Cache-Control: no-cache More Details |
67.215.246.203:80 (update.utorrent.com) | POST | update.utorrent.com/crash.php?cl=uTorrent&ver=45776U&full_version=111915728U&h=ZHAl8jBnueZvoJRP&p=3528U&pr=0U&s=292382U&svp=4&ov=0&plus=0 | POST /crash.php?cl=uTorrent&ver=45776U&full_version=111915728U&h=ZHAl8jBnueZvoJRP&p=3528U&pr=0U&s=292382U&svp=4&ov=0&plus=0 HTTP/1.1
Content-Type: application/octet-stream
User-Agent: uTorrent/355S
Host: update.utorrent.com
Content-Length: 292382
Cache-Control: no-cache More Details |
23.21.139.158:80 (i-21.b-45776.ut.bench.utorrent.com) | POST | i-21.b-45776.ut.bench.utorrent.com/e?i=21 | POST /e?i=21 HTTP/1.1
Host: i-21.b-45776.ut.bench.utorrent.com
User-Agent: ut_core BenchHttp (ver:45776)
Connection: close
Content-Length: 393 More Details |
54.225.194.96:80 (i-41.b-45776.bench.utorrent.com) | POST | i-41.b-45776.bench.utorrent.com/e?i=41 | POST /e?i=41 HTTP/1.1
Content-Type: application/octet-stream
User-Agent: uTorrent/355S
Host: i-41.b-45776.bench.utorrent.com
Content-Length: 442
Cache-Control: no-cache More Details |
67.215.246.203:80 (update.utorrent.com) | POST | update.utorrent.com/crash.php?cl=uTorrent&ver=45776U&full_version=111915728U&h=ZHAl8jBnueZvoJRP&p=3452U&pr=0U&s=298646U&svp=4&ov=45776&plu... | POST /crash.php?cl=uTorrent&ver=45776U&full_version=111915728U&h=ZHAl8jBnueZvoJRP&p=3452U&pr=0U&s=298646U&svp=4&ov=45776&plus=0 HTTP/1.1
Content-Type: application/octet-stream
User-Agent: uTorrent/355S
Host: update.utorrent.com
Content-Length: 298646
Cache-Control: no-cache More Details |
54.197.251.114:80 (i-21.b-45776.ut.bench.utorrent.com) | POST | i-21.b-45776.ut.bench.utorrent.com/e?i=21 | POST /e?i=21 HTTP/1.1
Host: i-21.b-45776.ut.bench.utorrent.com
User-Agent: ut_core BenchHttp (ver:45776)
Connection: close
Content-Length: 393 More Details |
23.23.215.82:80 (i-41.b-45776.bench.utorrent.com) | POST | i-41.b-45776.bench.utorrent.com/e?i=41 | POST /e?i=41 HTTP/1.1
Content-Type: application/octet-stream
User-Agent: uTorrent/355S
Host: i-41.b-45776.bench.utorrent.com
Content-Length: 435
Cache-Control: no-cache More Details |
67.215.246.203:80 (update.utorrent.com) | POST | update.utorrent.com/crash.php?cl=uTorrent&ver=45776U&full_version=111915728U&h=ZHAl8jBnueZvoJRP&p=1984U&pr=0U&s=281447U&svp=4&ov=0&plus=0 | POST /crash.php?cl=uTorrent&ver=45776U&full_version=111915728U&h=ZHAl8jBnueZvoJRP&p=1984U&pr=0U&s=281447U&svp=4&ov=0&plus=0 HTTP/1.1
Content-Type: application/octet-stream
User-Agent: uTorrent/355S
Host: update.utorrent.com
Content-Length: 281447
Cache-Control: no-cache More Details |
54.197.251.114:80 (i-21.b-45776.ut.bench.utorrent.com) | POST | i-21.b-45776.ut.bench.utorrent.com/e?i=21 | POST /e?i=21 HTTP/1.1
Host: i-21.b-45776.ut.bench.utorrent.com
User-Agent: ut_core BenchHttp (ver:45776)
Connection: close
Content-Length: 393 More Details |
23.23.215.82:80 (i-41.b-45776.bench.utorrent.com) | POST | i-41.b-45776.bench.utorrent.com/e?i=41 | POST /e?i=41 HTTP/1.1
Content-Type: application/octet-stream
User-Agent: uTorrent/355S
Host: i-41.b-45776.bench.utorrent.com
Content-Length: 449
Cache-Control: no-cache More Details |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 23.23.85.1:80 (TCP) | Potential Corporate Privacy Violation | ETPRO P2P uTorrent Hydra Client | 2809605 |
local -> 67.215.246.203:80 (TCP) | Potential Corporate Privacy Violation | ET P2P Bittorrent P2P Client User-Agent (uTorrent) | 2011706 |
local -> 23.23.85.1:80 (TCP) | Potential Corporate Privacy Violation | ETPRO P2P uTorrent Hydra Client | 2809605 |
local -> 23.23.85.1:80 (TCP) | Potential Corporate Privacy Violation | ETPRO P2P uTorrent Hydra Client | 2809605 |
local -> 23.23.85.1:80 (TCP) | Potential Corporate Privacy Violation | ETPRO P2P uTorrent Hydra Client | 2809605 |
local -> 23.23.85.1:80 (TCP) | Potential Corporate Privacy Violation | ETPRO P2P uTorrent Hydra Client | 2809605 |
local -> 23.23.85.1:80 (TCP) | Potential Corporate Privacy Violation | ETPRO P2P uTorrent Hydra Client | 2809605 |
local -> 67.215.246.203:80 (TCP) | Potential Corporate Privacy Violation | ET P2P Bittorrent P2P Client User-Agent (uTorrent) | 2011706 |
local -> 67.215.246.203:80 (TCP) | Potential Corporate Privacy Violation | ET P2P Bittorrent P2P Client User-Agent (uTorrent) | 2011706 |
local -> 23.23.85.1:80 (TCP) | Potential Corporate Privacy Violation | ETPRO P2P uTorrent Hydra Client | 2809605 |
local -> 67.215.246.203:80 (TCP) | Potential Corporate Privacy Violation | ET P2P Bittorrent P2P Client User-Agent (uTorrent) | 2011706 |
local -> 67.215.246.203:80 (TCP) | Potential Corporate Privacy Violation | ET P2P Bittorrent P2P Client User-Agent (uTorrent) | 2011706 |
local -> 54.235.208.27:80 (TCP) | Potential Corporate Privacy Violation | ET P2P Bittorrent P2P Client User-Agent (uTorrent) | 2011706 |
local -> 67.215.246.203:80 (TCP) | Potential Corporate Privacy Violation | ET P2P Bittorrent P2P Client User-Agent (uTorrent) | 2011706 |
local -> 23.23.215.82:80 (TCP) | Potential Corporate Privacy Violation | ETPRO P2P uTorrent Hydra Client | 2809605 |
local -> 67.215.246.203:80 (TCP) | Potential Corporate Privacy Violation | ET P2P Bittorrent P2P Client User-Agent (uTorrent) | 2011706 |
local -> 23.23.215.82:80 (TCP) | Potential Corporate Privacy Violation | ET P2P Bittorrent P2P Client User-Agent (uTorrent) | 2011706 |
local -> 67.215.246.203:80 (TCP) | Potential Corporate Privacy Violation | ET P2P Bittorrent P2P Client User-Agent (uTorrent) | 2011706 |
local -> 54.225.194.96:80 (TCP) | Potential Corporate Privacy Violation | ET P2P Bittorrent P2P Client User-Agent (uTorrent) | 2011706 |
local -> 67.215.246.203:80 (TCP) | Potential Corporate Privacy Violation | ET P2P Bittorrent P2P Client User-Agent (uTorrent) | 2011706 |
Extracted Strings
Extracted Files
Displaying 23 extracted file(s). The remaining 21 file(s) are available in the full version and XML/JSON reports.
Malicious (2)

- uTorrent.exe
  - Size: 5MiB (5191064 bytes)
  - Type: peexe executable
  - Description: PE32 executable (GUI) Intel 80386, for MS Windows
  - AV Scan Result: Labeled as "uTorrent.C potentially unwanted" (14/68)
  - Runtime Process: uTorrent.exe (PID: 3528)
  - MD5: 0db533955de9009c746402baa2065764
  - SHA1: 4148f5a3d00faaa0c7b97e37482c8bf6fd33abd5
  - SHA256: a173724f05cb681baffca788273a1759e6c73e13d8aa3ee2e3de51e36d11dcbb
- 3.5.5_45776.exe
  - Size: 5MiB (5191064 bytes)
  - Type: peexe executable
  - Description: PE32 executable (GUI) Intel 80386, for MS Windows
  - AV Scan Result: Labeled as "uTorrent.C potentially unwanted" (14/68)
  - Runtime Process: uTorrent.exe (PID: 2356)
  - MD5: 0db533955de9009c746402baa2065764
  - SHA1: 4148f5a3d00faaa0c7b97e37482c8bf6fd33abd5
  - SHA256: a173724f05cb681baffca788273a1759e6c73e13d8aa3ee2e3de51e36d11dcbb
Informative Selection (4)

- 45776-utorrent.7b8d.dmp
  - Size: 292KiB (298646 bytes)
  - Type: data
  - Description: MDMP crash report data
  - Runtime Process: uTorrent.exe (PID: 3528)
  - MD5: 05427c92a0b70ed8a16d590cad8cce84
  - SHA1: f8e878faa262c7cff19a5d282e2f2b2d9be2202b
  - SHA256: 600e01aa4d686c85ce67869db4e1ea10a29846712fe8f5ef698a20106c514dd4
- 45776-utorrent.9948.dmp
  - Size: 280KiB (286553 bytes)
  - Type: data
  - Description: MDMP crash report data
  - Runtime Process: uTorrent.exe (PID: 3920)
  - MD5: 096aec6f9905bdb6e9168c5c028f54bc
  - SHA1: 8c9af0a2013c28f37d00ff3f6931fb10f1a76699
  - SHA256: ebe2c7e461063a9364094120c14504ce47d13a0cdd755869cc576870aa6cdfb6
- 45776-utorrent.afcd.dmp
  - Size: 286KiB (292382 bytes)
  - Type: data
  - Description: MDMP crash report data
  - Runtime Process: uTorrent.exe (PID: 3528)
  - MD5: 8864015600596feeadc78fbfffacb9e9
  - SHA1: 27095c9497234b7768dc73d3d51fad0d36c18ece
  - SHA256: 7a8809bcc017480c83c66e14559998e058259bdb2cd0a4622ddaca541c615051
- 45776-utorrent.f3c6.dmp
  - Size: 275KiB (281447 bytes)
  - Type: data
  - Description: MDMP crash report data
  - Runtime Process: uTorrent.exe (PID: 1984)
  - MD5: 79576d811ad8a3688793e933deee04d7
  - SHA1: 6e76b8273f50a08949549035ed7a638be258954f
  - SHA256: c82b61e73c77813c79da1ab48b2346eac6179fab2b1538d30757e41a4902b493
Informative (17)

- 1f91d2d17ea675d4c2c3192e241743f9_6b06490d-f9fd-424c-8b6d-83edc4369e89
  - Size: 1.5KiB (1492 bytes)
  - Runtime Process: uTorrent.exe (PID: 3528)
  - MD5: 8ade6b307c729ae920701d821170e623
  - SHA1: d67e6801a1f3596aee0585023006b488887f34aa
  - SHA256: bd484b7fa4fae4226357b416e7a12ec1b6d9f0568b5ea22b78cecc2b10660be7
- 207b3d94baf1465619e055c1420b1e47_6b06490d-f9fd-424c-8b6d-83edc4369e89
  - Size: 1.4KiB (1483 bytes)
  - Runtime Process: uTorrent.exe (PID: 3920)
  - MD5: 916dc028529a23d81c71e17e60f9c733
  - SHA1: ba46402f1433813d30f36ab8ac0a2f757661685c
  - SHA256: 62bafe155dc669bf43b993bae2636547863a147e4c7144b81b18d3ac44f86dd6
- 3b00ffd9ca58087d38ebf87720b255aa_6b06490d-f9fd-424c-8b6d-83edc4369e89
  - Size: 1.4KiB (1483 bytes)
  - Type: data
  - Runtime Process: uTorrent.exe (PID: 1320)
  - MD5: 2ea9f91e88407e1c7b78ab7489120079
  - SHA1: 4fa84eb0353c097f99ca829c4596a2f163a4f046
  - SHA256: 197097db080752f4783da6eb92570c08c9b6aca7e27db24e59efff72eb4d379e
- 53e500adee4625ed618633b9ddd39f32_6b06490d-f9fd-424c-8b6d-83edc4369e89
  - Size: 1.4KiB (1483 bytes)
  - Type: data
  - Runtime Process: uTorrent.exe (PID: 3528)
  - MD5: 63be67f9e00c733db1804e8f17e592ab
  - SHA1: 1f87f393b6bffff1470a0def684c017763eab3fc
  - SHA256: f66fd21622530dc231b3357c63d01f55812f0b99c97bdd9181ca28a07a264f9d
- 85bb304e7143b24a2c430389dc6f738f_6b06490d-f9fd-424c-8b6d-83edc4369e89
  - Size: 1.4KiB (1483 bytes)
  - Type: data
  - Runtime Process: uTorrent.exe (PID: 1984)
  - MD5: abd067d81812313f2137646ed8f988a3
  - SHA1: 6e8b40777fbf7e02cf00718ef939293400bdd484
  - SHA256: 46a3459bb1161d0dcff0f615f5209f12a69eb72b3e9276a953b7b2b2cb6cf30b
- 967660d040a3891b02e973ac794917f1_6b06490d-f9fd-424c-8b6d-83edc4369e89
  - Size: 1.4KiB (1483 bytes)
  - Runtime Process: uTorrent.exe (PID: 2184)
  - MD5: 4f463d8bc4d7e8f2c9da7b5d7893b876
  - SHA1: 3e914ab2990a37096e5d0724a4fd2f89edf1ef6e
  - SHA256: 430f869a8e4adf2ffd27e684bdecf4ec3c7924e264a4db7ddad9b1a77aa1a536
- e956214021594aefd917ecd4c3c71c9f_6b06490d-f9fd-424c-8b6d-83edc4369e89
  - Size: 1.4KiB (1483 bytes)
  - Runtime Process: uTorrent.exe (PID: 3452)
  - MD5: b0ee7b546efed40c9379b3c3d6d61a6b
  - SHA1: 949df3d65e4b62f60b4ca6a709f606a641badc52
  - SHA256: d54035a29c450f48efabbdd1ea08ef685011e4a55a48672f831b6d831555a38d
- 3VYR1M9U.txt
  - Size: 88B (88 bytes)
  - Type: text
  - Description: ASCII text
  - Runtime Process: uTorrent.exe (PID: 3528)
  - MD5: df8cd662b912122c2353686b7dd2a529
  - SHA1: 3c9732ab441e9200296fb74d8f79aaed7f92f748
  - SHA256: 7506bf4c0ee1f60ba5215947fad9add6e9279201bdf66361f1d8ab4034a6332e
- 8CL2ETO7.txt
  - Size: 88B (88 bytes)
  - Runtime Process: uTorrent.exe (PID: 3920)
  - MD5: 33d51d864d7331a152e5a160ffa12b69
  - SHA1: 26039ddcb3dbeed394a78c53c28d48781d7e2218
  - SHA256: 91f832ad2307a876c306af261db1b247674d7af507c5d9dde6e58f23fb3fe4a5
- AHZ3IWU4.txt
  - Size: 89B (89 bytes)
  - Type: text
  - Description: ASCII text
  - Runtime Process: uTorrent.exe (PID: 1984)
  - MD5: 2c9a5cea811142096c340b5ce0a08939
  - SHA1: 4018883210a01f08f1bc0c761f4788b152af3c60
  - SHA256: 8f5940e4ffb83f18ffb1518cb5eb25a8df0ea81c754469a17a728aab405cee58
- KTK479EL.txt
  - Size: 89B (89 bytes)
  - Type: text
  - Description: ASCII text
  - Runtime Process: uTorrent.exe (PID: 1320)
  - MD5: c7e9f7e7c1cb9995836dad3dd4258670
  - SHA1: c7111665d641f68d0c6448887cc6f9d02c34a24f
  - SHA256: a2f6a46e664a7e20ed247bb2dd9974608e4fd69baf4ebae48eab6cff5088174e
- M3DXV7AX.txt
  - Size: 89B (89 bytes)
  - Runtime Process: uTorrent.exe (PID: 3528)
  - MD5: de4d07d052ee383a14ebd0aeef8fdbc5
  - SHA1: a1f9001f3585f1b1e9c8ba9239f3b4eae0860779
  - SHA256: ebbbcf009e796c104cf720adf416cf65a28890ba8021c11cc92492ed118dcfde
- UI51GU1M.txt
  - Size: 89B (89 bytes)
  - Runtime Process: uTorrent.exe (PID: 2356)
  - MD5: 2c33a1d596f814544100ce7981e84bea
  - SHA1: f6e0d26ff37b47399fe8b57c222efe974e23c8a9
  - SHA256: 39606dc0a16244daa19e522f469dca863c0a3d5dd25147212e9a6956d8eb5be6
- WN9LKG01.txt
  - Size: 88B (88 bytes)
  - Type: text
  - Description: ASCII text
  - Runtime Process: uTorrent.exe (PID: 1984)
  - MD5: 9c84e2fcd0fdd122fbd13ab6562565df
  - SHA1: c7f012093a7a03d64fe26d8adbb10923b983d0d2
  - SHA256: 608f07b2b980d85030d779ed36582a30a2a8118d0b11146c1d65baf773c7211f
- XKN2V5FN.txt
  - Size: 88B (88 bytes)
  - Type: text
  - Description: ASCII text
  - Runtime Process: uTorrent.exe (PID: 1320)
  - MD5: badf64126a3a3778741a07490df9bd3f
  - SHA1: 0a2a45cbd637ab8ddc20fd4a45e15051f5b9b56f
  - SHA256: 0416506ba79bd71f1a06b2f7c058192a7ca073047411f8757a72ff5abb7c6266
- 45776-utorrent.1671.dmp
  - Size: 291KiB (298467 bytes)
  - Type: data
  - Description: MDMP crash report data
  - Runtime Process: uTorrent.exe (PID: 1984)
  - MD5: 9db0d76d00c080649b0bec0f93e383b4
  - SHA1: af93ad2fab6dd578c8b8694e7f7f724be64bf423
  - SHA256: 3d12738387fb3be4251b25aabbc67be3e5b005eb9f7a242da208222be4b146c5
- _Torrent.lnk
  - Size: 835B (835 bytes)
  - Type: lnk
  - Description: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Sep 13 02:47:59 2020, mtime=Sun Sep 13 02:47:59 2020, atime=Sun Sep 13 02:47:59 2020, length=5191064, window=hide
  - MD5: a05a94857e1c1e32d7f6f37f159f2e6d
  - SHA1: 33da42ee9fc241b444932368f77d54070f6df7b2
  - SHA256: ccd4543162933b7c8bafc6f6b5a687c206c29c01527e654e1414bb3a95747ac9
Notifications

Runtime
- A process crash was detected during the runtime analysis
- Network whitenoise filtering was applied
- Not all Falcon MalQuery lookups completed in time
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-12" are available in the report
- Not all sources for indicator ID "api-25" are available in the report
- Not all sources for indicator ID "api-26" are available in the report
- Not all sources for indicator ID "api-37" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-9" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "network-0" are available in the report
- Not all sources for indicator ID "network-32" are available in the report
- Not all sources for indicator ID "network-4" are available in the report
- Not all sources for indicator ID "registry-1" are available in the report
- Not all sources for indicator ID "registry-27" are available in the report
- Not all sources for indicator ID "registry-55" are available in the report
- Not all sources for indicator ID "registry-67" are available in the report
- Not all sources for indicator ID "registry-72" are available in the report
- Not all sources for indicator ID "string-24" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report