URL: https://www.mediafire.com/file/obl596c2gzmjm43/AndroidServiceTool_Pass_12345678.zip/file

Full analysis: https://app.any.run/tasks/3841283a-a139-4b84-a9a1-32f72e460de1
Verdict: Malicious activity
Analysis date: February 22, 2024, 02:41:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 13CE3E4C213CEF50484B960D2CD8B815
SHA1: 319AA483F6B456AFEB63869FE38EF15AEE6E7882
SHA256: AAAD185C0C23CC8107C59B37766C3EAA7D7D2B83A18FF1F8D726F0CC4997AAC4
SSDEEP: 3:N8DSLw3eGUodlewDBN9OWr1:2OLw3eGpUwDBNwWR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Detects Cygwin installation
      • WinRAR.exe (PID: 3912)
  • SUSPICIOUS
    • Drops a system driver (possible attempt to evade defenses)
      • WinRAR.exe (PID: 3912)
    • Process drops legitimate windows executable
      • WinRAR.exe (PID: 3912)
  • INFO
    • Application launched itself
      • iexplore.exe (PID: 3656)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3912)
    • The process uses the downloaded file
      • WinRAR.exe (PID: 3912)
      • iexplore.exe (PID: 3656)
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 3912)
    • Modifies the phishing filter of IE
      • iexplore.exe (PID: 3656)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Graph nodes: start, iexplore.exe, iexplore.exe, winrar.exe

Process information

PID: 3656
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://www.mediafire.com/file/obl596c2gzmjm43/AndroidServiceTool_Pass_12345678.zip/file"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  c:\program files\internet explorer\iexplore.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\iertutil.dll

PID: 3720
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3656 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  c:\program files\internet explorer\iexplore.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\iertutil.dll

PID: 3912
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\AndroidServiceTool_Pass_12345678.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: iexplore.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll
Total events: 31 814
Read events: 31 616
Write events: 144
Delete events: 54

Modification events

(PID) Process | Key | Operation | Name | Value
(3656) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPDaysSinceLastAutoMigration | 1
(3656) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPLastLaunchLowDateTime |
(3656) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPLastLaunchHighDateTime | 31089976
(3656) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | write | NextCheckForUpdateLowDateTime |
(3656) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | write | NextCheckForUpdateHighDateTime | 31089976
(3656) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix |
(3656) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
(3656) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
(3656) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | write | CompatibilityFlags | 0
(3656) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
Executable files: 29
Suspicious files: 45
Text files: 90
Unknown types: 27

Dropped files

PID | Process | Filename | Type
3720 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B | binary
MD5:72381FFEFECFDBFA34AD5E42504F2BF7
SHA256:CD743996BDD9629F11B56BDC559827FC43A57BAFBD094051DFEE6A95BEE3D96B
3720 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\F3UCA0S0.txt | text
MD5:72205E0EBA9B8233A3189F2176D474C0
SHA256:EE395666E978A532B705F87512EB0E825D82412329F3C7634893A392A466BB5D
3720 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary
MD5:C72660F6E7CE9103EA02F54C13DC2D19
SHA256:224A9D5D37D0B54963CE24E47609FACFF96E9F79AC644941371292970F0CF035
3720 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary
MD5:ACB7D9D1FC08579F02510F13B63086F9
SHA256:1E075BC8E391657D475ABA64670466E0C5C65A5FB51DC9FE246E8DE6A68E2D8F
3720 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\XTH45033.txt | text
MD5:21A9FC8C0DC1099315DDEC4A1D11F55F
SHA256:43FACBA0C9A0797D60AF63D97FAF5B6B2AAE56E71530CF6C6EB0010CC45D3E3A
3720 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464 | binary
MD5:64BD049BEFEB3C23D584D2CE89C0E7C9
SHA256:D49A3A94D284037E7A3963913CCEA499F5541CBEC45841AB8C6CB87C25DBDE94
3720 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\v84a3a4012de94ce1a686ba8c167c359c1696973893317[1].js | text
MD5:DD1D068FDB5FE90B6C05A5B3940E088C
SHA256:6153D13804862B0FC1C016CF1129F34CB7C6185F2CF4BF1A3A862EECDAB50101
3720 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\cmp.min[1].js | text
MD5:FBE92038AA9B8D58FC93CFE47E2987AF
SHA256:66F8ECD359CCF9D79AE9C4AD10312DE1A65DB446344B2667E54D604F25D3165B
3720 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\tag[1].js | text
MD5:9726D2BC333F1A55CE63058032C5D986
SHA256:FD718DD42E580D653A987F9E848AC8C19F8C3751BA1DBF9AC2FC87922C9561E9
3720 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | binary
MD5:1E740E6B4C3AB0B87D46FCFBABE18470
SHA256:613CCCE1711958FE858EDBD8C4ABCF7D013122707DECC9728E579D040CD05020
HTTP(S) requests: 39
TCP/UDP connections: 89
DNS requests: 45
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3720 | iexplore.exe | GET | 304 | 95.101.54.128:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a08f35fbea17b647 | unknown | | | unknown
3720 | iexplore.exe | GET | 304 | 95.101.54.128:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?545e1839169dd0e6 | unknown | | | unknown
3720 | iexplore.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | unknown | binary | 1.42 Kb | unknown
3720 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | unknown | binary | 1.47 Kb | unknown
3720 | iexplore.exe | GET | 200 | 216.58.212.131:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | binary | 1.41 Kb | unknown
3720 | iexplore.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEBN9U5yqfDGppDNwGWiEeo0%3D | unknown | binary | 2.18 Kb | unknown
3720 | iexplore.exe | GET | 200 | 216.58.212.131:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | unknown | binary | 724 b | unknown
3720 | iexplore.exe | GET | 200 | 216.58.212.131:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEH1ZfRmkcbmIEJt1GKpWSOU%3D | unknown | binary | 471 b | unknown
3720 | iexplore.exe | GET | 200 | 2.23.197.184:80 | http://x1.c.lencr.org/ | unknown | binary | 717 b | unknown
3720 | iexplore.exe | GET | 200 | 18.245.39.64:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | unknown | binary | 1.49 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
3720 | iexplore.exe | 104.16.113.74:443 | www.mediafire.com | CLOUDFLARENET | | unknown
3720 | iexplore.exe | 95.101.54.128:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
3720 | iexplore.exe | 172.64.149.23:80 | ocsp.comodoca.com | CLOUDFLARENET | US | unknown
3720 | iexplore.exe | 104.18.38.233:80 | ocsp.comodoca.com | CLOUDFLARENET | | shared
3720 | iexplore.exe | 172.67.199.186:443 | the.gatekeeperconsent.com | CLOUDFLARENET | US | unknown
3720 | iexplore.exe | 142.250.185.72:443 | www.googletagmanager.com | GOOGLE | US | unknown
3720 | iexplore.exe | 172.67.41.60:443 | btloader.com | CLOUDFLARENET | US | unknown

DNS requests

Domain | IP | Reputation
www.mediafire.com | 104.16.113.74, 104.16.114.74 | shared
ctldl.windowsupdate.com | 95.101.54.128, 95.101.54.113 | whitelisted
ocsp.comodoca.com | 172.64.149.23, 104.18.38.233 | whitelisted
ocsp.usertrust.com | 104.18.38.233, 172.64.149.23 | whitelisted
the.gatekeeperconsent.com | 172.67.199.186, 104.21.42.32 | unknown
www.googletagmanager.com | 142.250.185.72 | whitelisted
btloader.com | 172.67.41.60, 104.22.75.216, 104.22.74.216 | whitelisted
www.ezojs.com | 172.64.128.8, 172.64.129.8 | unknown
translate.google.com | 142.250.184.206 | whitelisted
static.cloudflareinsights.com | 104.16.56.101, 104.16.57.101 | whitelisted

Threats

PID | Process | Class | Message
1080 | svchost.exe | Potentially Bad Traffic | ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
1080 | svchost.exe | Potentially Bad Traffic | ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
No debug info