File name:

test.txt

Full analysis: https://app.any.run/tasks/381cfc6a-7b0a-4a7f-b314-8b5d46b70aaf
Verdict: Malicious activity
Analysis date: April 05, 2024, 14:45:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5:

098F6BCD4621D373CADE4E832627B4F6

SHA1:

A94A8FE5CCB19BA61C4C0873D391E987982FBBD3

SHA256:

9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08

SSDEEP:

3:Hn:Hn
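The three digests above are those of the four-byte ASCII string `test`, which is consistent with the file info (ASCII text, with no line terminators): the submitted object is inert. None of the indicators below belong to notepad.exe (PID 1856), the only process that opened test.txt; they come from the 3uTools installer and what it launched, which the report itself lists under "Manual execution by a user". The following check is an added example, not part of the ANY.RUN report, that confirms the sample content against the report's hashes; the candidate contents are constructed for the example, since the report shows only hashes:

```python
import hashlib
from typing import Iterable, Optional

# Digests copied verbatim from the report's Indicators block.
REPORT_HASHES = {
    "md5": "098F6BCD4621D373CADE4E832627B4F6",
    "sha1": "A94A8FE5CCB19BA61C4C0873D391E987982FBBD3",
    "sha256": "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
}


def digests(data: bytes) -> dict:
    """Upper-case hex digests of data for every algorithm the report lists."""
    return {alg: hashlib.new(alg, data).hexdigest().upper() for alg in REPORT_HASHES}


def matches_report(data: bytes) -> bool:
    """True only if all three digests agree with the report (one matching hash is not enough)."""
    return digests(data) == REPORT_HASHES


def identify_sample(candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate content whose digests match the report, else None."""
    for content in candidates:
        if matches_report(content):
            return content
    return None


# Constructed candidates (assumption for the example): the report never shows the file
# content, only its hashes and that it has no line terminator, so newline variants are
# tried as well to show why "no line terminators" matters.
CANDIDATES = [b"test\n", b"test\r\n", b"TEST", b"test"]

if __name__ == "__main__":
    for content in CANDIDATES:
        print(repr(content), digests(content)["md5"], matches_report(content))
    print("sample content:", identify_sample(CANDIDATES))
```

Only the exact bytes `test` match; `test\n` fails all three digests, which is what the "no line terminators" file info already implies. The ssdeep value is not checked here because it needs the ssdeep library and is meaningless for a four-byte input anyway.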

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • iTunes(12.10.9.3).exe (PID: 2780)
      • 3uTools_v3.09.006_Setup_x86.exe (PID: 2840)
  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • 3uTools_v3.09.006_Setup_x86.exe (PID: 2840)
    • The process creates files with name similar to system file names

      • 3uTools_v3.09.006_Setup_x86.exe (PID: 2840)
    • Process drops legitimate windows executable

      • 3uTools_v3.09.006_Setup_x86.exe (PID: 2840)
    • The process drops C-runtime libraries

      • 3uTools_v3.09.006_Setup_x86.exe (PID: 2840)
    • Creates a software uninstall entry

      • 3uTools_v3.09.006_Setup_x86.exe (PID: 2840)
    • Reads security settings of Internet Explorer

      • 3uTools_v3.09.006_Setup_x86.exe (PID: 2840)
    • Reads the Internet Settings

      • 3uTools_v3.09.006_Setup_x86.exe (PID: 2840)
    • Process requests binary or script from the Internet

      • 3uTools.exe (PID: 2772)
    • Reads settings of System Certificates

      • 3uTools.exe (PID: 2772)
    • Adds/modifies Windows certificates

      • msiexec.exe (PID: 2552)
  • INFO

    • Manual execution by a user

      • 3uTools_v3.09.006_Setup_x86.exe (PID: 2748)
      • explorer.exe (PID: 2716)
      • WinRAR.exe (PID: 2972)
      • 3uTools_v3.09.006_Setup_x86.exe (PID: 2840)
    • Reads the computer name

      • 3uTools_v3.09.006_Setup_x86.exe (PID: 2840)
      • 3uTools.exe (PID: 2772)
      • msiexec.exe (PID: 1412)
      • msiexec.exe (PID: 1500)
    • Checks supported languages

      • 3uTools_v3.09.006_Setup_x86.exe (PID: 2840)
      • 3uTools.exe (PID: 2772)
      • updater.exe (PID: 2924)
      • 3uViewer.exe (PID: 2524)
      • iTunes(12.10.9.3).exe (PID: 2780)
      • 3uViewer.exe (PID: 1672)
      • msiexec.exe (PID: 1500)
      • msiexec.exe (PID: 1412)
    • Creates files in the program directory

      • 3uTools_v3.09.006_Setup_x86.exe (PID: 2840)
      • 3uTools.exe (PID: 2772)
      • updater.exe (PID: 2924)
    • Create files in a temporary directory

      • 3uTools_v3.09.006_Setup_x86.exe (PID: 2840)
      • 3uTools.exe (PID: 2772)
      • iTunes(12.10.9.3).exe (PID: 2780)
    • Reads the machine GUID from the registry

      • 3uTools.exe (PID: 2772)
      • msiexec.exe (PID: 1412)
      • msiexec.exe (PID: 1500)
    • Process checks computer location settings

      • 3uTools.exe (PID: 2772)
    • Creates files or folders in the user directory

      • 3uTools.exe (PID: 2772)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 2552)
    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 2552)
    • Application launched itself

      • msiexec.exe (PID: 1500)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
49
Monitored processes
13
Malicious processes
2
Suspicious processes
0

Behavior graph

Process nodes in the graph (after the start node), with the page's own "no specs" tag where it appears:
  • notepad.exe (no specs)
  • explorer.exe (no specs)
  • winrar.exe (no specs)
  • 3utools_v3.09.006_setup_x86.exe (no specs)
  • 3utools_v3.09.006_setup_x86.exe
  • 3utools.exe
  • updater.exe (no specs)
  • 3uviewer.exe (no specs)
  • 3uviewer.exe (no specs)
  • itunes(12.10.9.3).exe (no specs)
  • msiexec.exe (no specs)
  • msiexec.exe (no specs)
  • msiexec.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1412
CMD:
C:\Windows\system32\MsiExec.exe -Embedding 5EA4D49F740EA74EDE15FC86DD275324 C
Path:
C:\Windows\System32\msiexec.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
1500
CMD:
C:\Windows\system32\msiexec.exe /V
Path:
C:\Windows\System32\msiexec.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
1672
CMD:
3uViewer.exe /reg 1
Path:
C:\Program Files (x86)\3uToolsV3\x86\3uViewer.exe
Parent process:
3uTools.exe
User:
admin
Company:
Shenzhen Aidapu Network Technology Co.,Ltd.
Integrity Level:
HIGH
Description:
Image Viewer
Exit code:
0
Version:
1.0.3.0
Modules
Images
c:\program files (x86)\3utoolsv3\x86\3uviewer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID:
1856
CMD:
"C:\Windows\system32\NOTEPAD.EXE" "C:\Users\admin\AppData\Local\Temp\test.txt"
Path:
C:\Windows\System32\notepad.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID:
2524
CMD:
3uViewer.exe /reg 2
Path:
C:\Program Files (x86)\3uToolsV3\x86\3uViewer.exe
Parent process:
3uTools.exe
User:
admin
Company:
Shenzhen Aidapu Network Technology Co.,Ltd.
Integrity Level:
HIGH
Description:
Image Viewer
Exit code:
0
Version:
1.0.3.0
Modules
Images
c:\program files (x86)\3utoolsv3\x86\3uviewer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID:
2552
CMD:
"C:\Windows\system32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\IXP618.TMP\iTunes64.msi" INSTALL_SUPPORT_PACKAGES=1
Path:
C:\Windows\System32\msiexec.exe
Parent process:
iTunes(12.10.9.3).exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
2716
CMD:
"C:\Windows\explorer.exe"
Path:
C:\Windows\explorer.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID:
2748
CMD:
"C:\Users\admin\Downloads\3uTools_v3.09.006_Setup_x86.zip\3uTools_v3.09.006_Setup_x86.exe"
Path:
C:\Users\admin\Downloads\3uTools_v3.09.006_Setup_x86.zip\3uTools_v3.09.006_Setup_x86.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (NTSTATUS 0xC000042C, STATUS_ELEVATION_REQUIRED: the launch from explorer.exe at MEDIUM integrity was refused because the image requires elevation; the installer then appears again as PID 2840)
Modules
Images
c:\users\admin\downloads\3utools_v3.09.006_setup_x86.zip\3utools_v3.09.006_setup_x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
2772
CMD:
"C:\Program Files (x86)\3uToolsV3\x86\3uTools.exe"
Path:
C:\Program Files (x86)\3uToolsV3\x86\3uTools.exe
Parent process:
3uTools_v3.09.006_Setup_x86.exe
User:
admin
Company:
Shenzhen Aidapu Network Technology Co.,Ltd.
Integrity Level:
HIGH
Description:
3uTools
Version:
3.09.006.0
Modules
Images
c:\program files (x86)\3utoolsv3\x86\3utools.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID:
2780
CMD:
"C:\3uToolsV3\Other\iTunes(12.10.9.3).exe"
Path:
C:\3uToolsV3\Other\iTunes(12.10.9.3).exe
Parent process:
3uTools.exe
User:
admin
Company:
Apple Inc.
Integrity Level:
HIGH
Description:
iTunes Installer
Version:
12.10.10.2
Modules
Images
c:\3utoolsv3\other\itunes(12.10.9.3).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
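PID 2748 and PID 2840 are the same installer image. The first launch, from explorer.exe at MEDIUM integrity, loaded nothing beyond ntdll and exited with 3221226540, which is NTSTATUS 0xC000042C (STATUS_ELEVATION_REQUIRED): process creation is refused when the target needs elevation, and the sandbox records that status as the exit code. The user then accepted the elevation and ran it again, which is why 3uTools.exe (PID 2772, parent 3uTools_v3.09.006_Setup_x86.exe) and everything below it run at HIGH integrity. The helper below is an added example, not part of the report: it decodes decimal exit codes into NTSTATUS fields and, over a hand-constructed subset of the process table above, pairs a launch that failed with STATUS_ELEVATION_REQUIRED with the HIGH-integrity processes its re-launch produced. The NTSTATUS name table holds only the value needed here and is an assumption to be extended from ntstatus.h.

```python
# Minimal NTSTATUS name table (assumption: only the value this report needs; extend
# from ntstatus.h for general use).
NTSTATUS_NAMES = {
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}

SEVERITY = ("success", "informational", "warning", "error")


def decode_ntstatus(exit_code: int) -> dict:
    """Interpret a process exit code as a 32-bit NTSTATUS.

    Sandboxes report the raw DWORD in decimal. Small values (0, 1, ...) are ordinary
    Win32 exit codes rather than NTSTATUS values, so they are flagged, not decoded.
    """
    code = exit_code & 0xFFFFFFFF
    result = {"hex": f"0x{code:08X}", "is_ntstatus": code >= 0x80000000}
    if not result["is_ntstatus"]:
        return result
    result.update({
        "severity": SEVERITY[code >> 30],    # bits 31-30
        "customer": bool(code & (1 << 29)),  # bit 29: vendor-defined status
        "facility": (code >> 16) & 0x0FFF,   # bits 27-16
        "code": code & 0xFFFF,               # bits 15-0
        "name": NTSTATUS_NAMES.get(code),
    })
    return result


# Constructed from the Process information table above (a subset; exit_code None means
# the process was still running when the task ended).
PROCESSES = [
    {"pid": 2716, "image": "explorer.exe", "integrity": "MEDIUM",
     "parent": "explorer.exe", "exit_code": 1},
    {"pid": 2748, "image": "3uTools_v3.09.006_Setup_x86.exe", "integrity": "MEDIUM",
     "parent": "explorer.exe", "exit_code": 3221226540},
    {"pid": 2772, "image": "3uTools.exe", "integrity": "HIGH",
     "parent": "3uTools_v3.09.006_Setup_x86.exe", "exit_code": None},
    {"pid": 2780, "image": "iTunes(12.10.9.3).exe", "integrity": "HIGH",
     "parent": "3uTools.exe", "exit_code": None},
]


def elevation_relaunch_evidence(processes: list) -> list:
    """Pair each launch that died with STATUS_ELEVATION_REQUIRED with the HIGH-integrity
    processes spawned by an image of the same name: the footprint left in the tree when
    the user accepts the UAC prompt and the same binary runs again elevated."""
    pairs = []
    for p in processes:
        if p["exit_code"] is None:
            continue
        if decode_ntstatus(p["exit_code"]).get("name") != "STATUS_ELEVATION_REQUIRED":
            continue
        elevated_children = sorted(
            c["pid"] for c in processes
            if c["parent"] == p["image"] and c["integrity"] == "HIGH"
        )
        pairs.append((p["pid"], elevated_children))
    return pairs


if __name__ == "__main__":
    print(decode_ntstatus(3221226540))
    print(elevation_relaunch_evidence(PROCESSES))
```

The parent match is by image name because this report identifies parents by name only; on a full process log, key on the parent PID instead, since PIDs are reused and two processes can share an image name.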
Total events
14 637
Read events
13 361
Write events
1 272
Delete events
4

Modification events

(PID) Process: (2972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2972) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\15A\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\Win7AndW2K8R2-KB3191566-x64.zip

(PID) Process: (2972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (2972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_3-win64-mingw.zip

(PID) Process: (2972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Downloads\3uTools_v3.09.006_Setup_x86.zip.001

(PID) Process: (2972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files
277
Suspicious files
230
Text files
162
Unknown types
18

Dropped files

PID | Process | Filename | Type
2840 | 3uTools_v3.09.006_Setup_x86.exe | C:\Program Files (x86)\3uToolsV3\x86\temp_userdata.txt | text
2840 | 3uTools_v3.09.006_Setup_x86.exe | C:\Users\admin\AppData\Local\Temp\resource.7z |
2840 | 3uTools_v3.09.006_Setup_x86.exe | C:\Program Files (x86)\3uToolsV3\x86\translations\qtwebengine_locales\am.pak | binary
2840 | 3uTools_v3.09.006_Setup_x86.exe | C:\Program Files (x86)\3uToolsV3\x86\resources\locales\am.pak | binary
2840 | 3uTools_v3.09.006_Setup_x86.exe | C:\Program Files (x86)\3uToolsV3\x86\translations\qtwebengine_locales\ar.pak | binary
2840 | 3uTools_v3.09.006_Setup_x86.exe | C:\Program Files (x86)\3uToolsV3\x86\resources\locales\ar.pak | binary
2840 | 3uTools_v3.09.006_Setup_x86.exe | C:\Program Files (x86)\3uToolsV3\x86\translations\qtwebengine_locales\bg.pak | binary
2840 | 3uTools_v3.09.006_Setup_x86.exe | C:\Program Files (x86)\3uToolsV3\x86\resources\locales\bg.pak | binary
2840 | 3uTools_v3.09.006_Setup_x86.exe | C:\Program Files (x86)\3uToolsV3\x86\translations\qtwebengine_locales\bn.pak | binary
2840 | 3uTools_v3.09.006_Setup_x86.exe | C:\Program Files (x86)\3uToolsV3\x86\resources\locales\bn.pak | binary
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
102
DNS requests
17
Threats
16

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2772 | 3uTools.exe | GET | 200 | 163.171.128.244:80 | http://d.updater.3u.com/3utools/configs/more_devices/border_14_Yellow.svg | unknown | unknown
2772 | 3uTools.exe | GET | 200 | 163.171.128.244:80 | http://d.updater.3u.com/3utools/configs/option_set/optionset_20180807.json?pc_vs=3.09.006 | unknown | unknown
2772 | 3uTools.exe | GET | 200 | 163.171.128.244:80 | http://d.updater.3u.com/3utools/configs/more_devices/iPhone14Pro.svg | unknown | unknown
2772 | 3uTools.exe | GET | 200 | 163.171.128.244:80 | http://d.updater.3u.com/3utools/configs/more_devices/border_14Pro_Silver.svg | unknown | unknown
2772 | 3uTools.exe | GET | 200 | 163.171.128.244:80 | http://d.updater.3u.com/3utools/configs/more_devices/border_14Pro_SpaceBlack.svg | unknown | unknown
2772 | 3uTools.exe | GET | 200 | 163.171.128.244:80 | http://d.updater.3u.com/3utools/configs/more_devices/border_14Pro_Gold.svg | unknown | unknown
2772 | 3uTools.exe | GET | 200 | 163.171.128.244:80 | http://d.updater.3u.com/3utools/configs/more_devices/border_14Pro_DeepPurple.svg | unknown | unknown
2772 | 3uTools.exe | GET | 200 | 163.171.128.244:80 | http://d.updater.3u.com/3utools/configs/more_devices/iWatch.svg | unknown | unknown
2772 | 3uTools.exe | GET | 200 | 163.171.128.244:80 | http://d.updater.3u.com/3utools/configs/more_devices/iPhone15.svg | unknown | unknown
2772 | 3uTools.exe | GET | 200 | 163.171.128.244:80 | http://d.updater.3u.com/3utools/configs/whitelist/whitelist_20160908a.xml?pc_vs=3.09.006 | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 224.0.0.252:5355 | | | | unknown
| | 239.255.255.250:3702 | | | | unknown
4 | System | 192.168.100.255:137 | | | | whitelisted
352 | svchost.exe | 224.0.0.252:5355 | | | | unknown
2772 | 3uTools.exe | 185.23.181.28:443 | tools.3u.com | Kaopu Cloud HK Limited | DE | unknown
2772 | 3uTools.exe | 163.171.128.148:443 | url.3u.com | QUANTILNETWORKS | DE | unknown
2772 | 3uTools.exe | 163.171.128.244:80 | d.updater.3u.com | QUANTILNETWORKS | DE | unknown
2772 | 3uTools.exe | 120.55.197.60:443 | app4.i4.cn | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
2772 | 3uTools.exe | 47.99.89.159:443 | url.i4.cn | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
2772 | 3uTools.exe | 18.244.146.89:443 | www.zzzplay.bio | | US | unknown

DNS requests

Domain
IP
Reputation
tools.3u.com
  • 185.23.181.28
  • 185.23.181.26
unknown
url.3u.com
  • 163.171.128.148
unknown
dl-image.3u.com
  • 185.23.181.28
  • 185.23.181.26
unknown
d.updater.3u.com
  • 163.171.128.244
unknown
app4.i4.cn
  • 120.55.197.60
unknown
url.i4.cn
  • 47.99.89.159
malicious
www.zzzplay.bio
  • 18.244.146.89
  • 18.244.146.113
  • 18.244.146.18
  • 18.244.146.20
unknown
ios-pclog.3u.com
  • 163.171.128.148
unknown
www.3u.com
  • 163.171.128.148
unknown
d.updater.i4.cn
  • 163.171.144.40
unknown

Threats

PID | Process | Class | Message
2772 | 3uTools.exe | Potentially Bad Traffic | ET HUNTING Double User-Agent (User-Agent User-Agent)
2772 | 3uTools.exe | Potentially Bad Traffic | ET HUNTING Double User-Agent (User-Agent User-Agent)
2772 | 3uTools.exe | Potentially Bad Traffic | ET HUNTING Double User-Agent (User-Agent User-Agent)
2772 | 3uTools.exe | Potentially Bad Traffic | ET HUNTING Double User-Agent (User-Agent User-Agent)
2772 | 3uTools.exe | Potentially Bad Traffic | ET HUNTING Double User-Agent (User-Agent User-Agent)
2772 | 3uTools.exe | Potentially Bad Traffic | ET HUNTING Double User-Agent (User-Agent User-Agent)
2772 | 3uTools.exe | Potentially Bad Traffic | ET HUNTING Double User-Agent (User-Agent User-Agent)
2772 | 3uTools.exe | Potentially Bad Traffic | ET HUNTING Double User-Agent (User-Agent User-Agent)
8 ETPRO signatures available at the full report
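All eight alerts are one Emerging Threats hunting signature firing on 3uTools.exe's plain-HTTP traffic to d.updater.3u.com. The signature name describes a request whose header-name prefix is doubled, i.e. a line of the form `User-Agent: User-Agent: <ua>`, the usual result of a hand-rolled HTTP client that puts the header name inside the header value; it is a hunting rule about malformed clients, not a malware verdict, and the rule's exact body is not reproduced in this report. The detector below is an added example, not part of the report or of the ET ruleset: it applies that assumed matching condition to raw requests, and separately reports the different defect of the same header sent twice as two lines, which the signature name does not describe. The sample requests are constructed for the example (only the host and one path are taken from the HTTP table above); the real request bodies are only in the PCAP of the full report.

```python
import re

# Assumed matching condition (mirrors what the signature name describes, not the rule
# text itself): the header-name prefix repeated at the start of one header line.
DOUBLE_UA = re.compile(rb"^User-Agent:\s*User-Agent:", re.IGNORECASE | re.MULTILINE)


def request_head(raw: bytes) -> bytes:
    """Everything before the blank line that ends the header block."""
    return raw.split(b"\r\n\r\n", 1)[0]


def parse_headers(raw: bytes):
    """Split a raw HTTP request into (request_line, [(lower-cased name, value), ...])."""
    lines = request_head(raw).split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if b":" not in line:
            continue  # malformed line; a stricter parser would reject the request
        name, value = line.split(b":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def double_user_agent(raw: bytes) -> bool:
    """True when a single header line reads 'User-Agent: User-Agent: ...'."""
    return bool(DOUBLE_UA.search(request_head(raw)))


def duplicate_header_names(raw: bytes) -> list:
    """Names of headers that occur more than once as separate lines (a different defect)."""
    _, headers = parse_headers(raw)
    counts = {}
    for name, _ in headers:
        counts[name] = counts.get(name, 0) + 1
    return sorted(name.decode() for name, n in counts.items() if n > 1)


# Constructed sample requests (not taken from the PCAP). The user-agent string is invented.
SAMPLES = {
    "doubled_prefix": (b"GET /3utools/configs/more_devices/iWatch.svg HTTP/1.1\r\n"
                       b"Host: d.updater.3u.com\r\n"
                       b"User-Agent: User-Agent: 3uTools/3.09.006\r\n"
                       b"Connection: keep-alive\r\n\r\n"),
    "clean": (b"GET /3utools/configs/more_devices/iWatch.svg HTTP/1.1\r\n"
              b"Host: d.updater.3u.com\r\n"
              b"User-Agent: 3uTools/3.09.006\r\n\r\n"),
    "repeated_header": (b"GET / HTTP/1.1\r\n"
                        b"Host: d.updater.3u.com\r\n"
                        b"User-Agent: a\r\n"
                        b"User-Agent: b\r\n\r\n"),
}


def scan(samples: dict) -> dict:
    """Run both checks over every sample; keyed by sample name."""
    return {
        name: {"double_ua_prefix": double_user_agent(raw),
               "repeated_headers": duplicate_header_names(raw)}
        for name, raw in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(name, verdict)
```

Run against the PCAP, a match on the doubled prefix for every request from PID 2772 would confirm that the alerts describe a client-side header bug rather than content worth escalating; a hit only on `repeated_headers` would mean the signature's condition was not actually met and the alert should be re-examined.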
Process | Message
3uTools_v3.09.006_Setup_x86.exe | AdjustTokenPrivileges succed!
3uTools.exe | QWindowsEGLStaticContext::create: Could not initialize EGL display: error 0x3001
3uTools.exe | QWindowsEGLStaticContext::create: When using ANGLE, check if d3dcompiler_4x.dll is available
3uTools.exe | Sandboxing disabled by user.
3uTools.exe | localhost server bind port succed!
3uTools.exe | qt.svg: Cannot read file 'C:/Program Files (x86)/3uToolsV3/x86/cache/tag21.svg', because: Encountered incorrectly encoded content. (line 1)
3uTools.exe | QPixmap::scaled: Pixmap is a null pixmap