File name: AndroidSideloader v2.26.exe

Full analysis: https://app.any.run/tasks/de9eb848-2913-4699-83fe-f9f2ecbc940c
Verdict: Malicious activity
Analysis date: December 10, 2023, 22:23:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 1158E107E5A5FB9BF3AE7BCC8276F429
SHA1: EA46F63D51C2C8FB641E9C23C5E206E9CA4FBA6D
SHA256: 6278D167AC356CDAD30CD5A8EA37A7522F823515731AB64F4D1271BF38FB9497
SSDEEP: 98304:CcEQQMDXQmfYGBHkBPUHexnMO93WGY+PF:UY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 7z.exe (PID: 1152)
      • AndroidSideloader v2.26.exe (PID: 280)
  • SUSPICIOUS

    • Reads the Internet Settings

      • AndroidSideloader v2.26.exe (PID: 280)
      • AndroidSideloader v2.26.exe (PID: 3944)
    • Reads settings of System Certificates

      • AndroidSideloader v2.26.exe (PID: 280)
    • Drops 7-zip archiver for unpacking

      • AndroidSideloader v2.26.exe (PID: 280)
    • Application launched itself

      • AndroidSideloader v2.26.exe (PID: 280)
      • adb.exe (PID: 4036)
      • adb.exe (PID: 1872)
  • INFO

    • Manual execution by a user

      • wmpnscfg.exe (PID: 2820)
      • wmpnscfg.exe (PID: 2296)
    • Checks supported languages

      • AndroidSideloader v2.26.exe (PID: 280)
      • wmpnscfg.exe (PID: 2820)
      • adb.exe (PID: 3080)
      • 7z.exe (PID: 3964)
      • 7z.exe (PID: 1152)
      • adb.exe (PID: 4036)
      • adb.exe (PID: 3388)
      • rclone.exe (PID: 3204)
      • rclone.exe (PID: 2608)
      • AndroidSideloader v2.26.exe (PID: 3944)
      • adb.exe (PID: 1064)
      • adb.exe (PID: 1872)
      • adb.exe (PID: 3408)
      • adb.exe (PID: 2584)
      • adb.exe (PID: 2972)
      • adb.exe (PID: 3716)
      • adb.exe (PID: 3724)
      • adb.exe (PID: 3560)
      • adb.exe (PID: 1452)
      • adb.exe (PID: 3844)
      • adb.exe (PID: 1604)
      • adb.exe (PID: 3400)
      • adb.exe (PID: 2028)
      • adb.exe (PID: 1248)
      • adb.exe (PID: 2472)
      • adb.exe (PID: 1612)
      • wmpnscfg.exe (PID: 2296)
      • adb.exe (PID: 2884)
      • adb.exe (PID: 1028)
      • adb.exe (PID: 3280)
      • adb.exe (PID: 1160)
      • adb.exe (PID: 2512)
      • adb.exe (PID: 3824)
      • adb.exe (PID: 2672)
      • adb.exe (PID: 3476)
      • adb.exe (PID: 680)
      • adb.exe (PID: 2480)
      • adb.exe (PID: 1760)
      • adb.exe (PID: 3628)
      • adb.exe (PID: 3120)
      • adb.exe (PID: 3444)
      • adb.exe (PID: 2648)
      • adb.exe (PID: 2936)
      • adb.exe (PID: 1128)
    • Create files in a temporary directory

      • AndroidSideloader v2.26.exe (PID: 280)
      • 7z.exe (PID: 3964)
      • adb.exe (PID: 3388)
      • AndroidSideloader v2.26.exe (PID: 3944)
    • Reads Environment values

      • AndroidSideloader v2.26.exe (PID: 280)
      • AndroidSideloader v2.26.exe (PID: 3944)
    • Reads the computer name

      • wmpnscfg.exe (PID: 2820)
      • 7z.exe (PID: 1152)
      • 7z.exe (PID: 3964)
      • rclone.exe (PID: 2608)
      • adb.exe (PID: 3388)
      • AndroidSideloader v2.26.exe (PID: 3944)
      • rclone.exe (PID: 3204)
      • AndroidSideloader v2.26.exe (PID: 280)
      • adb.exe (PID: 3408)
      • wmpnscfg.exe (PID: 2296)
    • Reads the machine GUID from the registry

      • AndroidSideloader v2.26.exe (PID: 280)
      • AndroidSideloader v2.26.exe (PID: 3944)
    • Creates files or folders in the user directory

      • AndroidSideloader v2.26.exe (PID: 280)
      • AndroidSideloader v2.26.exe (PID: 3944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2059:02:11 10:21:06+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 3800064
InitializedDataSize: 413184
UninitializedDataSize: -
EntryPoint: 0x3a1ade
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.0
ProductVersionNumber: 2.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Rookie Sideloader
CompanyName: Rookie.WTF
FileDescription: AndroidSideloader
FileVersion: 2.0.0.0
InternalName: AndroidSideloader.exe
LegalCopyright: Copyright © 2020
LegalTrademarks: -
OriginalFileName: AndroidSideloader.exe
ProductName: AndroidSideloader
ProductVersion: 2.0.0.0
AssemblyVersion: 2.0.0.0
No data.
All screenshots are available in the full report
Total processes: 119
Monitored processes: 44
Malicious processes: 2
Suspicious processes: 0

Behavior graph

(Interactive graph available in the full report.) The graph shows 44 monitored processes, rooted at the initial AndroidSideloader v2.26.exe: AndroidSideloader v2.26.exe (2), wmpnscfg.exe (2), 7z.exe (2), rclone.exe (2) and adb.exe (36). All processes other than the initial AndroidSideloader v2.26.exe are marked "no specs".

Process information

PID: 280
CMD: "C:\Users\admin\AppData\Local\Temp\AndroidSideloader v2.26.exe"
Path: C:\Users\admin\AppData\Local\Temp\AndroidSideloader v2.26.exe
Parent process: explorer.exe
User: admin
Company: Rookie.WTF
Integrity Level: MEDIUM
Description: AndroidSideloader
Exit code: 4294967295
Version: 2.0.0.0
Modules (images):
  • c:\users\admin\appdata\local\temp\androidsideloader v2.26.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 680
CMD: "C:\RSL\platform-tools\adb.exe" shell df
Path: C:\RSL\platform-tools\adb.exe
Parent process: AndroidSideloader v2.26.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
  • c:\rsl\platform-tools\adb.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iphlpapi.dll
  • c:\windows\system32\nsi.dll

PID: 1028
CMD: "C:\RSL\platform-tools\adb.exe" shell df
Path: C:\RSL\platform-tools\adb.exe
Parent process: AndroidSideloader v2.26.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
  • c:\rsl\platform-tools\adb.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iphlpapi.dll
  • c:\windows\system32\nsi.dll

PID: 1064
CMD: "C:\RSL\platform-tools\adb.exe" kill-server
Path: C:\RSL\platform-tools\adb.exe
Parent process: AndroidSideloader v2.26.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  • c:\rsl\platform-tools\adb.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iphlpapi.dll
  • c:\windows\system32\nsi.dll

PID: 1128
CMD: "C:\RSL\platform-tools\adb.exe" devices
Path: C:\RSL\platform-tools\adb.exe
Parent process: AndroidSideloader v2.26.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  • c:\rsl\platform-tools\adb.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iphlpapi.dll
  • c:\windows\system32\nsi.dll

PID: 1152
CMD: "7z.exe" x "C:\Users\admin\AppData\Local\Temp\_adb.7z" -y -o"C:\RSL\platform-tools" -bsp1
Path: C:\Users\admin\AppData\Local\Temp\7z.exe
Parent process: AndroidSideloader v2.26.exe
User: admin
Company: Igor Pavlov
Integrity Level: MEDIUM
Description: 7-Zip Standalone Console
Exit code: 0
Version: 23.01
Modules (images):
  • c:\users\admin\appdata\local\temp\7z.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll

PID: 1160
CMD: "C:\RSL\platform-tools\adb.exe" shell df
Path: C:\RSL\platform-tools\adb.exe
Parent process: AndroidSideloader v2.26.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
  • c:\rsl\platform-tools\adb.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iphlpapi.dll
  • c:\windows\system32\nsi.dll

PID: 1248
CMD: "C:\RSL\platform-tools\adb.exe" shell df
Path: C:\RSL\platform-tools\adb.exe
Parent process: AndroidSideloader v2.26.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
  • c:\rsl\platform-tools\adb.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iphlpapi.dll
  • c:\windows\system32\nsi.dll

PID: 1452
CMD: "C:\RSL\platform-tools\adb.exe" devices
Path: C:\RSL\platform-tools\adb.exe
Parent process: AndroidSideloader v2.26.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  • c:\rsl\platform-tools\adb.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iphlpapi.dll
  • c:\windows\system32\nsi.dll

PID: 1604
CMD: "C:\RSL\platform-tools\adb.exe" shell dumpsys battery
Path: C:\RSL\platform-tools\adb.exe
Parent process: AndroidSideloader v2.26.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
  • c:\rsl\platform-tools\adb.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iphlpapi.dll
  • c:\windows\system32\nsi.dll
Total events: 10 998
Read events: 10 970
Write events: 28
Delete events: 0

Modification events

PID: 280
Process: AndroidSideloader v2.26.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

PID: 280
Process: AndroidSideloader v2.26.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

PID: 280
Process: AndroidSideloader v2.26.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

PID: 280
Process: AndroidSideloader v2.26.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

PID: 280
Process: AndroidSideloader v2.26.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

PID: 3944
Process: AndroidSideloader v2.26.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

PID: 3944
Process: AndroidSideloader v2.26.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

PID: 3944
Process: AndroidSideloader v2.26.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

PID: 3944
Process: AndroidSideloader v2.26.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Executable files: 16
Suspicious files: 93
Text files: 1 671
Unknown types: 0

Dropped files

PID: 1152
Process: 7z.exe
Filename: C:\RSL\platform-tools\fastboot.exe
Type: executable
MD5: D6F80781D3B23EAA83DCB8468965BB0C
SHA256: B19C076410F644525569AA066CFCA99D3D0647C5F41898EE178C906222648FE2

PID: 1152
Process: 7z.exe
Filename: C:\RSL\platform-tools\libwinpthread-1.dll
Type: executable
MD5: 95DECA9CA898F8DAEB3288A06F4A020A
SHA256: 6CD4726956F3487453F151B847AFFAD442A81ACFCC4CB816B9BCB5AD5E7B6F7C

PID: 1152
Process: 7z.exe
Filename: C:\RSL\platform-tools\etc1tool.exe
Type: executable
MD5: 29A86ACF93731FA26C2B3AFA6A155B4C
SHA256: 4C82EA5A7C50EC482B401AF272FE437AB5861816F10EC8A2584875A853690767

PID: 1152
Process: 7z.exe
Filename: C:\RSL\platform-tools\mke2fs.conf
Type: text
MD5: 699098CA95F87BA48BB94A3E848549B3
SHA256: AD58A58DCDD24D85055814CA9CAC67DB89D4E67C434E96774BDCE0D0A007D067

PID: 280
Process: AndroidSideloader v2.26.exe
Filename: C:\Users\admin\AppData\Local\Temp\7z.exe
Type: executable
MD5: 8F57948E69C82BF98704F129C5460576
SHA256: F00836A63BE7EBF14E1B8C40100C59777FE3432506B330927EA1F1B7FD47EE44

PID: 1152
Process: 7z.exe
Filename: C:\RSL\platform-tools\AdbWinApi.dll
Type: executable
MD5: ED5A809DC0024D83CBAB4FB9933D598D
SHA256: D60103A5E99BC9888F786EE916F5D6E45493C3247972CB053833803DE7E95CF9

PID: 280
Process: AndroidSideloader v2.26.exe
Filename: C:\Users\admin\AppData\Local\Rookie.WTF\AndroidSideloader_v2.26.e_Url_fdmnrxjtcnt05z3kbaycbgbpyzyqwjep\2.0.0.0\ex2p0jgl.newcfg
Type: xml
MD5: ADACA2EE75FABFDF08D8C2B21AACDCA7
SHA256: 5C0062156176D0DABC42CE0E3C39396A7231EFB0B434DD8EB4527AA509DD32E3

PID: 280
Process: AndroidSideloader v2.26.exe
Filename: C:\Users\admin\AppData\Local\Rookie.WTF\AndroidSideloader_v2.26.e_Url_fdmnrxjtcnt05z3kbaycbgbpyzyqwjep\2.0.0.0\aubxisxd.newcfg
Type: xml
MD5: 3B74CDD40B65BCC98CE28EFF79405E3F
SHA256: 7B2C167CE495D91D5E36807FC09201B47316AA89F64960199F42922A06EBDF8F

PID: 1152
Process: 7z.exe
Filename: C:\RSL\platform-tools\adb.exe
Type: executable
MD5: F6E68C4CC8CC3288FD5A411F54D8CAE2
SHA256: FD488A4E13D4C71ACCE69E209164398A056FBA5A559B7F00C1351390604E5B98

PID: 280
Process: AndroidSideloader v2.26.exe
Filename: C:\Users\admin\AppData\Local\Rookie.WTF\AndroidSideloader_v2.26.e_Url_fdmnrxjtcnt05z3kbaycbgbpyzyqwjep\2.0.0.0\user.config
Type: xml
MD5: 3B74CDD40B65BCC98CE28EFF79405E3F
SHA256: 7B2C167CE495D91D5E36807FC09201B47316AA89F64960199F42922A06EBDF8F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 11
DNS requests: 6
Threats: 1

HTTP requests

PID: 280
Process: AndroidSideloader v2.26.exe
Method: GET
HTTP Code: 200
IP: 93.184.221.240:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0cc59c33b578ce14
CN: unknown
Type: compressed
Size: 65.2 Kb
Reputation: unknown

PID: 280
Process: AndroidSideloader v2.26.exe
Method: GET
HTTP Code: 200
IP: 172.64.149.23:80
URL: http://zerossl.crt.sectigo.com/ZeroSSLECCDomainSecureSiteCA.crt
CN: unknown
Type: binary
Size: 905 b
Reputation: unknown


Connections

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 2588
Process: svchost.exe
IP: 239.255.255.250:1900
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 1080
Process: svchost.exe
IP: 224.0.0.252:5355
Reputation: unknown

PID: 280
Process: AndroidSideloader v2.26.exe
IP: 140.82.121.4:443
Domain: github.com
ASN: GITHUB
CN: US
Reputation: unknown

PID: 280
Process: AndroidSideloader v2.26.exe
IP: 185.199.109.133:443
Domain: raw.githubusercontent.com
ASN: FASTLY
CN: US
Reputation: unknown

PID: 280
Process: AndroidSideloader v2.26.exe
IP: 95.217.6.16:443
Domain: downloads.rclone.org
ASN: Hetzner Online GmbH
CN: FI
Reputation: unknown

PID: 280
Process: AndroidSideloader v2.26.exe
IP: 93.184.221.240:80
Domain: ctldl.windowsupdate.com
ASN: EDGECAST
CN: GB
Reputation: whitelisted

PID: 280
Process: AndroidSideloader v2.26.exe
IP: 185.247.224.87:443
Domain: vrpirates.wiki
ASN: Flokinet Ltd
CN: SC
Reputation: unknown

PID: 280
Process: AndroidSideloader v2.26.exe
IP: 172.64.149.23:80
Domain: zerossl.crt.sectigo.com
ASN: CLOUDFLARENET
CN: US
Reputation: unknown

DNS requests

Domain: github.com
IP:
  • 140.82.121.4
Reputation: shared

Domain: raw.githubusercontent.com
IP:
  • 185.199.109.133
  • 185.199.110.133
  • 185.199.111.133
  • 185.199.108.133
Reputation: shared

Domain: downloads.rclone.org
IP:
  • 95.217.6.16
Reputation: unknown

Domain: ctldl.windowsupdate.com
IP:
  • 93.184.221.240
Reputation: whitelisted

Domain: vrpirates.wiki
IP:
  • 185.247.224.87
Reputation: unknown

Domain: zerossl.crt.sectigo.com
IP:
  • 172.64.149.23
  • 104.18.38.233
Reputation: whitelisted

Threats

PID: 280
Process: AndroidSideloader v2.26.exe
Class: Misc activity
Message: ET INFO Observed ZeroSSL SSL/TLS Certificate

No debug info