Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Feb. 18, 2025, 5:23 p.m.	Feb. 18, 2025, 5:26 p.m.

Size	3.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`66e88723258eb66e6831fa451494efe3`
SHA256	`f1f7c3f9ff5b1861c0b0056795e5b39f660f87ad32e750129cfdae423ed32501`
CRC32	`9A23DBC1`
ssdeep	`98304:UfyPR3cFFaec4eie3FIt0HVf9tg/Cyo2ErtfGh:USR3l15It0HVICxrt2`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer IsPE32 - (no description) UPX_Zero - UPX packed file

utorrent_installer.exe "C:\Users\test22\AppData\Local\Temp\utorrent_installer.exe"
3024
- utorrent.exe "C:\Users\test22\AppData\Local\Temp\nsa2AB5.tmp\utorrent.exe"
  2104

Name	Response	Post-Analysis Lookup
router.bittorrent.com	A 67.215.246.10	67.215.246.10
router.utorrent.com	A 82.221.103.244	82.221.103.244
i-6000.b-47194.ut.bench.utorrent.com	A 3.211.110.147 A 34.232.215.82 A 52.206.117.199 A 44.198.7.177 CNAME bench.utp.st A 52.86.119.244 CNAME com-utorrent-prod-bench-bt-vpc-868333863.us-east-1.elb.amazonaws.com A 18.214.172.131 A 44.217.60.159 A 54.165.124.111	44.217.60.159
legacy.utorrent.com	A 67.215.246.34	67.215.246.34
utorrent.com	A 34.201.157.226	34.201.157.226
update.utorrent.com	A 82.221.103.246 A 82.221.103.245	82.221.103.245
i-21.b-47194.ut.bench.utorrent.com	A 3.211.110.147 A 34.232.215.82 A 52.206.117.199 A 44.198.7.177 CNAME bench.utp.st A 52.86.119.244 CNAME com-utorrent-prod-bench-bt-vpc-868333863.us-east-1.elb.amazonaws.com A 18.214.172.131 A 44.217.60.159 A 54.165.124.111	44.217.60.159

IP Address	Status	Action
164.124.101.2	Active	Moloch
3.211.110.147	Active	Moloch
34.201.157.226	Active	Moloch
67.215.246.34	Active	Moloch
82.221.103.245	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49170 -> 67.215.246.34:80	2012247	ET P2P BTWebClient UA uTorrent in use	Potential Corporate Privacy Violation
TCP 192.168.56.102:49168 -> 67.215.246.34:80	2012247	ET P2P BTWebClient UA uTorrent in use	Potential Corporate Privacy Violation
TCP 192.168.56.102:49163 -> 3.211.110.147:80	2011227	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))	Potentially Bad Traffic
TCP 192.168.56.102:49166 -> 34.201.157.226:80	2012247	ET P2P BTWebClient UA uTorrent in use	Potential Corporate Privacy Violation
TCP 192.168.56.102:49169 -> 34.201.157.226:80	2012247	ET P2P BTWebClient UA uTorrent in use	Potential Corporate Privacy Violation
TCP 192.168.56.102:49172 -> 82.221.103.245:80	2011706	ET P2P Bittorrent P2P Client User-Agent (uTorrent)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49178 -> 82.221.103.245:80	2011706	ET P2P Bittorrent P2P Client User-Agent (uTorrent)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49181 -> 82.221.103.245:80	2011706	ET P2P Bittorrent P2P Client User-Agent (uTorrent)	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Uses Windows APIs to generate a cryptographic key (22 events)

Time & API	Arguments	Status	Return
CryptGenKey Feb. 12, 2025, 8:15 p.m.	crypto_handle: 0x00ed4920 algorithm_identifier: 0x00000001 () flags: 16385 key: provider_handle: 0x00ef2bd0	1	1
CryptExportKey Feb. 12, 2025, 8:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00ed47a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 12, 2025, 8:15 p.m.	buffer: ¤RSA1Ó¤õ®í²ðîÄûK`±ìbêØÓbúÐÜ^Âe'£}mExw,=µ¢Éj.©5«ozÎs¡¿¿ÈÞqJ?Ô-Â «4o9Ôf4ísAiKO=ÙµÃ1sPHAÍò@o¨[oùvMbÃâ crypto_handle: 0x00ed47a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 12, 2025, 8:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00ed47a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 12, 2025, 8:15 p.m.	buffer: ¤RSA1Ó¤õ®í²ðîÄûK`±ìbêØÓbúÐÜ^Âe'£}mExw,=µ¢Éj.©5«ozÎs¡¿¿ÈÞqJ?Ô-Â «4o9Ôf4ísAiKO=ÙµÃ1sPHAÍò@o¨[oùvMbÃâ crypto_handle: 0x00ed47a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 12, 2025, 8:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00ed4a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 12, 2025, 8:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00ed4a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 12, 2025, 8:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00ed4a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 12, 2025, 8:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00ed4a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 12, 2025, 8:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00ed4a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 12, 2025, 8:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00ed4a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 12, 2025, 8:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00ed4a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 12, 2025, 8:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00ed4a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 12, 2025, 8:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00ed4a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 12, 2025, 8:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00ed4a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 12, 2025, 8:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00ed4a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 12, 2025, 8:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00ed4a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 12, 2025, 8:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00ed4a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 12, 2025, 8:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00ed4a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 12, 2025, 8:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00ed4a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 12, 2025, 8:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00ed4a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Feb. 12, 2025, 8:15 p.m.	buffer: ¤RSA2Ó¤õ®í²ðîÄûK`±ìbêØÓbúÐÜ^Âe'£}mExw,=µ¢Éj.©5«ozÎs¡¿¿ÈÞqJ?Ô-Â «4o9Ôf4ísAiKO=ÙµÃ1sPHAÍò@o¨[oùvMbÃâ7Á¹VÉ´{i»ã_/ÝÑ$yM¤ä¡WA6]öAÓLÆSR7ó>Â>ú¥íPXÓòE¼Nvì¥ö÷pªÍøºD4V¯½ðX¨p}n¶åRíWà?Kß'Ã JaIÿ8l\éUîå$)lB½ç$tH(Aä{Ù»ä[ÃßvkìXìê?Å?éø3ÇHÖ¢áiËÔ£nÈh§ÇRêAl½H«ÝË2:ÒË½M,æÀóÈè£!NâË,ÏDìÑ¢ú>"p¢)/K ´ÙÎÿÎ:¢f8¥;+_°Û(üiP¯-y©Ï¥y8¿¼O¢s§D{Tá«G/Ï!3"fuAzÔ/qÖòî<¿£Æþ-³ByüÞµÊ> ì¬K: ¾²×ÜÙ7åÊükÿ¬²+$ÂÔ£.¨msêï¶S.Cäo7Á¶é ÂVÎ¯éggéï½Â4©¨ßÆo(HHÐ4 GhÐç½h×yÞðX#;c!éN¡³» crypto_handle: 0x00ed4a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 12, 2025, 8:15 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header				suspicious_request	POST http://i-6000.b-47194.ut.bench.utorrent.com/e?i=6000
suspicious_features	POST method with no referer header				suspicious_request	POST http://i-21.b-47194.ut.bench.utorrent.com/e?i=21

Performs some HTTP requests (7 events)

request	POST http://i-6000.b-47194.ut.bench.utorrent.com/e?i=6000
request	GET http://utorrent.com/download/langpacks/dl.php?build=47194&ref=client&client=utorrent&sys_l=ko&sel_l=28523&tk=release
request	GET http://legacy.utorrent.com/scripts/dl.php?build=47194&ref=client&client=utorrent&sys_l=ko&sel_l=28523&tk=release
request	GET http://update.utorrent.com/installoffer.php?h=NCCsadz1MhCI1sDI&v=113293402&w=1DB10106&l=ko&c=KR&w64=1&db=ie&cl=uTorrent&tsub=1&svp=4
request	POST http://i-21.b-47194.ut.bench.utorrent.com/e?i=21
request	GET http://update.utorrent.com/installstats.php?cl=uTorrent&v=113293402&h=NCCsadz1MhCI1sDI&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showtbexists&pid=2104&cau=0&lunv=0&tbe=0&view=win32
request	GET http://update.utorrent.com/installstats.php?cl=uTorrent&v=113293402&h=NCCsadz1MhCI1sDI&w=1DB10106&bu=0&pr=0&cmp=0&ocmp=0&showwarning&pid=2104&cau=0&lunv=0&view=win32

Sends data using the HTTP POST Method (2 events)

request	POST http://i-6000.b-47194.ut.bench.utorrent.com/e?i=6000
request	POST http://i-21.b-47194.ut.bench.utorrent.com/e?i=21

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 12, 2025, 8:15 p.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740d5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 12, 2025, 8:15 p.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740c5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 12, 2025, 8:15 p.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f22000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 12, 2025, 8:15 p.m.	process_identifier: 2104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f22000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 12, 2025, 8:15 p.m.	process_identifier: 2104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73823000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (50 out of 116 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9115475968 free_bytes_available: 9115475968 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9115471872 free_bytes_available: 9115471872 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9115471872 free_bytes_available: 9115471872 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9115471872 free_bytes_available: 9115471872 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9115471872 free_bytes_available: 9115471872 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9115480064 free_bytes_available: 9115480064 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9115459584 free_bytes_available: 9115459584 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9115111424 free_bytes_available: 9115111424 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9115111424 free_bytes_available: 9115111424 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9115045888 free_bytes_available: 9115045888 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9115045888 free_bytes_available: 9115045888 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9115045888 free_bytes_available: 9115045888 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9115045888 free_bytes_available: 9115045888 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9115045888 free_bytes_available: 9115045888 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9115045888 free_bytes_available: 9115045888 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9113784320 free_bytes_available: 9113784320 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9113784320 free_bytes_available: 9113784320 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9113784320 free_bytes_available: 9113784320 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9113784320 free_bytes_available: 9113784320 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9113784320 free_bytes_available: 9113784320 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9113784320 free_bytes_available: 9113784320 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:15 p.m.	total_number_of_free_bytes: 9113784320 free_bytes_available: 9113784320 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9113784320 free_bytes_available: 9113784320 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9113784320 free_bytes_available: 9113784320 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9113784320 free_bytes_available: 9113784320 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9113784320 free_bytes_available: 9113784320 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9113784320 free_bytes_available: 9113784320 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108721664 free_bytes_available: 9108721664 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108721664 free_bytes_available: 9108721664 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108717568 free_bytes_available: 9108717568 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108717568 free_bytes_available: 9108717568 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108717568 free_bytes_available: 9108717568 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108717568 free_bytes_available: 9108717568 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108717568 free_bytes_available: 9108717568 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108717568 free_bytes_available: 9108717568 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108717568 free_bytes_available: 9108717568 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108717568 free_bytes_available: 9108717568 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108717568 free_bytes_available: 9108717568 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108717568 free_bytes_available: 9108717568 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108717568 free_bytes_available: 9108717568 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108717568 free_bytes_available: 9108717568 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108717568 free_bytes_available: 9108717568 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108717568 free_bytes_available: 9108717568 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108717568 free_bytes_available: 9108717568 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108717568 free_bytes_available: 9108717568 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108721664 free_bytes_available: 9108721664 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108721664 free_bytes_available: 9108721664 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108721664 free_bytes_available: 9108721664 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108721664 free_bytes_available: 9108721664 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Feb. 12, 2025, 8:16 p.m.	total_number_of_free_bytes: 9108721664 free_bytes_available: 9108721664 root_path: C:\Users\test22\AppData\Roaming\uTorrent\share total_number_of_bytes: 34252779520	1	1

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Local\Temp\nsa2AB5.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsa2AB5.tmp\utorrent.exe
file	C:\Users\test22\AppData\Local\Temp\nsa2AB5.tmp\nsisFirewall.dll
file	C:\Users\test22\AppData\Local\Temp\nsa2AB5.tmp\INetC.dll

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsa2AB5.tmp\utorrent.exe

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\nsa2AB5.tmp\nsisFirewall.dll
file	C:\Users\test22\AppData\Local\Temp\nsa2AB5.tmp\utorrent.exe
file	C:\Users\test22\AppData\Local\Temp\nsa2AB5.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsa2AB5.tmp\INetC.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (34 events)

Time & API	Arguments	Status	Return
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: smss.exe process_identifier: 228	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: csrss.exe process_identifier: 304	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: csrss.exe process_identifier: 364	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: services.exe process_identifier: 444	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: lsm.exe process_identifier: 468	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: svchost.exe process_identifier: 584	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: svchost.exe process_identifier: 656	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: svchost.exe process_identifier: 740	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: svchost.exe process_identifier: 796	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: audiodg.exe process_identifier: 916	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: svchost.exe process_identifier: 1000	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: svchost.exe process_identifier: 352	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: spoolsv.exe process_identifier: 1036	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: svchost.exe process_identifier: 1080	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: dwm.exe process_identifier: 1208	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: taskhost.exe process_identifier: 1352	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: svchost.exe process_identifier: 1432	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: IMEDICTUPDATE.EXE process_identifier: 1492	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: svchost.exe process_identifier: 1908	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: pw.exe process_identifier: 1200	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: SearchIndexer.exe process_identifier: 736	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: SearchProtocolHost.exe process_identifier: 1364	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: SearchFilterHost.exe process_identifier: 2064	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: tvnserver.exe process_identifier: 2592	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: tvnserver.exe process_identifier: 2672	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: pw.exe process_identifier: 2704	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: taskhost.exe process_identifier: 2844	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: utorrent_installer.exe process_identifier: 3024	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: utorrent.exe process_identifier: 2104	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: taskhost.exe process_identifier: 284	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: cmd.exe process_identifier: 1624	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: conhost.exe process_identifier: 1628	1	1
Process32NextW Feb. 12, 2025, 8:16 p.m.	snapshot_handle: 0x000003b8 process_name: pw.exe process_identifier: 1604	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Feb. 12, 2025, 8:15 p.m.	flags: 46 family: 2		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0001c600', u'virtual_address': u'0x00050000', u'entropy': 7.209826701068137, u'name': u'.rsrc', u'virtual_size': u'0x0001c600'}

entropy

7.20982670107

description

A section with a high entropy has been found

entropy

0.780068728522

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Feb. 12, 2025, 8:15 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1	0

Queries for potentially installed applications (3 events)

Time & API	Arguments	Return
RegOpenKeyExW Feb. 12, 2025, 8:15 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent	2
RegOpenKeyExW Feb. 12, 2025, 8:16 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent	2
RegOpenKeyExW Feb. 12, 2025, 8:16 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent	2

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsa2AB5.tmp

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Feb. 12, 2025, 8:16 p.m.	key_handle: 0x000004ec regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Modifies proxy override settings possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Feb. 12, 2025, 8:16 p.m.	key_handle: 0x000004ec regkey_r: ProxyOverride reg_type: 1 (REG_SZ) value: 127.0.0.1:16107; regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride	1	0	0

Network activity contains more than one unique useragent (2 events)

process	utorrent_installer.exe				useragent	NSIS_Inetc (Mozilla)
process	utorrent.exe				useragent	uTorrent(47194105433.6

Detects the presence of Wine emulator (1 event)

registry

HKEY_CURRENT_USER\Software\Wine

utorrent_installer.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All