URL:

https://www.mediafire.com/file/obl596c2gzmjm43/AndroidServiceTool_Pass_12345678.zip/file

Full analysis: https://app.any.run/tasks/3841283a-a139-4b84-a9a1-32f72e460de1
Verdict: Malicious activity
Analysis date: February 22, 2024, 02:41:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

13CE3E4C213CEF50484B960D2CD8B815

SHA1:

319AA483F6B456AFEB63869FE38EF15AEE6E7882

SHA256:

AAAD185C0C23CC8107C59B37766C3EAA7D7D2B83A18FF1F8D726F0CC4997AAC4

SSDEEP:

3:N8DSLw3eGUodlewDBN9OWr1:2OLw3eGpUwDBNwWR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Detects Cygwin installation

      • WinRAR.exe (PID: 3912)
  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 3912)
    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3912)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3656)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3912)
    • The process uses the downloaded file

      • iexplore.exe (PID: 3656)
      • WinRAR.exe (PID: 3912)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3656)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3912)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
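Two things a practitioner wants to do with this report before touching the sample: confirm that the file in hand is the one the indicators above describe, and inventory the archive without extracting it, since the signatures show WinRAR dropping an executable and a system driver the moment the user opened it. The script below is an added example, not ANY.RUN's code. It assumes that the "Pass_12345678" in the filename is the archive password (the report does not say so), uses a suffix list of its own choosing for what counts as an executable, and builds a constructed in-memory ZIP with invented member names for the demonstration; nothing about the real archive's contents is taken from this page.

```python
"""Offline triage of a downloaded archive against a sandbox report's indicators.
Added example; the report hashes are copied from the page, everything else is constructed."""
import hashlib
import io
import struct
import zipfile
import zlib
from typing import Dict, List

# Indicators copied from the report header (lower-cased for comparison).
REPORT_IOCS = {
    "md5": "13ce3e4c213cef50484b960d2cd8b815",
    "sha1": "319aa483f6b456afeb63869fe38ef15aee6e7882",
    "sha256": "aaad185c0c23cc8107c59b37766c3eaa7d7d2b83a18ff1f8d726f0cc4997aac4",
}
# Assumed suffix list: .sys maps to "Drops a system driver", the rest to the executable drops.
FLAGGED_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".com", ".drv", ".cpl")


def hash_bytes(data: bytes) -> Dict[str, str]:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def matches_report(data: bytes, iocs: Dict[str, str] = REPORT_IOCS) -> Dict[str, bool]:
    """True per algorithm when the candidate file is the submitted sample."""
    digests = hash_bytes(data)
    return {alg: digests[alg] == iocs[alg].lower() for alg in iocs}


def triage_zip(data: bytes) -> List[dict]:
    """Inventory members from the central directory only: names, sizes and the
    encryption bit are readable without the password, and nothing is extracted."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.replace("\\", "/").split("/")
            rows.append({
                "name": info.filename,
                "size": info.file_size,
                "encrypted": bool(info.flag_bits & 0x1),  # general-purpose flag bit 0
                "executable": info.filename.lower().endswith(FLAGGED_SUFFIXES),
                "traversal": ".." in parts or info.filename.startswith(("/", "\\")),
            })
    return rows


def build_zip(members, encrypted=()) -> bytes:
    """Constructed fixture: a minimal stored ZIP. Names in `encrypted` get flag bit 0 and a
    12-byte ZipCrypto header, which is all the listing needs; the stdlib cannot write
    encrypted archives, hence the hand-rolled local headers, central directory and EOCD."""
    dos_date = ((2024 - 1980) << 9) | (1 << 5) | 1  # 2024-01-01
    local, central = b"", b""
    for name, payload in members:
        enc = name in encrypted
        data = (b"\x00" * 12 + payload) if enc else payload
        flags, crc, fname = (0x1 if enc else 0), zlib.crc32(payload) & 0xFFFFFFFF, name.encode()
        offset = len(local)
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, dos_date,
                             crc, len(data), len(payload), len(fname), 0) + fname + data
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0,
                               dos_date, crc, len(data), len(payload), len(fname),
                               0, 0, 0, 0, 0, offset) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(members), len(members),
                       len(central), len(local), 0)
    return local + central + eocd


# Constructed sample archive; member names are invented for the demo and are NOT the
# contents of the real AndroidServiceTool_Pass_12345678.zip.
SAMPLE_ZIP = build_zip(
    [("AndroidServiceTool/AndroidServiceTool.exe", b"MZ" + b"\x90" * 30),
     ("AndroidServiceTool/drivers/usbserial.sys", b"MZ" + b"\x00" * 10),
     ("AndroidServiceTool/readme.txt", b"usage notes\n"),
     ("..\\..\\Users\\Public\\startup.exe", b"MZ")],
    encrypted=("AndroidServiceTool/AndroidServiceTool.exe",
               "AndroidServiceTool/drivers/usbserial.sys"),
)


def summarize(data: bytes) -> Dict[str, object]:
    rows = triage_zip(data)
    return {
        "members": len(rows),
        "encrypted": sum(r["encrypted"] for r in rows),
        "executables": [r["name"] for r in rows if r["executable"]],
        "traversal": [r["name"] for r in rows if r["traversal"]],
    }


if __name__ == "__main__":
    print("hash match vs report:", matches_report(SAMPLE_ZIP))
    for key, val in summarize(SAMPLE_ZIP).items():
        print(f"{key}: {val}")
```

Run it against a real download by replacing SAMPLE_ZIP with the file's bytes. A password-protected archive is opaque to most mail and endpoint scanners, which is the point of shipping the password in the filename, but the central directory is never encrypted, so member names, sizes and the per-member encryption bit are available to triage without ever feeding the password to an extractor. The traversal check is there because an archive member named with ".." or an absolute path is written outside the chosen folder by extractors that do not sanitise names.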
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
41
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

start -> iexplore.exe (PID: 3656) -> iexplore.exe (PID: 3720) -> winrar.exe (PID: 3912)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
3656
CMD:
"C:\Program Files\Internet Explorer\iexplore.exe" "https://www.mediafire.com/file/obl596c2gzmjm43/AndroidServiceTool_Pass_12345678.zip/file"
Path:
C:\Program Files\Internet Explorer\iexplore.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID:
3720
CMD:
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3656 CREDAT:267521 /prefetch:2
Path:
C:\Program Files\Internet Explorer\iexplore.exe
Parent process:
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID:
3912
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\AndroidServiceTool_Pass_12345678.zip"
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
iexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
31 814
Read events
31 616
Write events
144
Delete events
54

Modification events

(PID) Process: (3656) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 1

(PID) Process: (3656) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchLowDateTime
Value:

(PID) Process: (3656) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 31089976

(PID) Process: (3656) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value:

(PID) Process: (3656) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 31089976

(PID) Process: (3656) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3656) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3656) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3656) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (3656) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files
29
Suspicious files
45
Text files
90
Unknown types
27

Dropped files

PID
Process
Filename
Type
PID: 3720
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: binary
MD5: D8A2FB2804FB2D2C91F0531F55F52CBA
SHA256: 5F8D346AAC0CF1E79D2D6BE57EB2C890DDF7C91D736FCF349EFC7DED0FD14B4D

PID: 3720
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Type: der
MD5: 2CDEA405E4DBE5D0B8C7C223AC2A1F22
SHA256: 457E0EBB2CDFBE5CE12B9C9679E522883CA7EBA355DECA0BE73985C4BEBB7F26

PID: 3720
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
Type: binary
MD5: 72381FFEFECFDBFA34AD5E42504F2BF7
SHA256: CD743996BDD9629F11B56BDC559827FC43A57BAFBD094051DFEE6A95BEE3D96B

PID: 3720
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\BHEU5Y8V.txt
Type: text
MD5: 985CEB9629A0E881F64155B22D8AAC29
SHA256: 687AD2CDEF23A242F9C8A8B2F1C1114F87673B39E3446756C5FEFC36C6724959

PID: 3720
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\375RQGMT.txt
Type: text
MD5: 7A3E38FBF690D5E0F83907FD78162DAA
SHA256: 98775841F2F875C45FD07965F52B5BC9A232ED4DF1FE37BF8A5A991A1E016298

PID: 3720
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\XTH45033.txt
Type: text
MD5: 21A9FC8C0DC1099315DDEC4A1D11F55F
SHA256: 43FACBA0C9A0797D60AF63D97FAF5B6B2AAE56E71530CF6C6EB0010CC45D3E3A

PID: 3720
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Type: binary
MD5: 213D07FD2410DC18129E8C4226EC8BC6
SHA256: 11ACA4E3C9C04E6A70D545557B2C89BF393B88E50F84DC591934E4EC65EF490E

PID: 3720
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\F3UCA0S0.txt
Type: text
MD5: 72205E0EBA9B8233A3189F2176D474C0
SHA256: EE395666E978A532B705F87512EB0E825D82412329F3C7634893A392A466BB5D

PID: 3720
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Type: binary
MD5: C72660F6E7CE9103EA02F54C13DC2D19
SHA256: 224A9D5D37D0B54963CE24E47609FACFF96E9F79AC644941371292970F0CF035

PID: 3720
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\v84a3a4012de94ce1a686ba8c167c359c1696973893317[1].js
Type: text
MD5: DD1D068FDB5FE90B6C05A5B3940E088C
SHA256: 6153D13804862B0FC1C016CF1129F34CB7C6185F2CF4BF1A3A862EECDAB50101
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
39
TCP/UDP connections
89
DNS requests
45
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3720
iexplore.exe
GET
304
95.101.54.128:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a08f35fbea17b647
unknown
unknown
3720
iexplore.exe
GET
304
95.101.54.128:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?545e1839169dd0e6
unknown
unknown
3720
iexplore.exe
GET
200
172.64.149.23:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
unknown
binary
1.42 Kb
unknown
3720
iexplore.exe
GET
200
104.18.38.233:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEBN9U5yqfDGppDNwGWiEeo0%3D
unknown
binary
2.18 Kb
unknown
3720
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
unknown
binary
1.47 Kb
unknown
3720
iexplore.exe
GET
200
216.58.212.131:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
binary
1.41 Kb
unknown
3720
iexplore.exe
GET
200
216.58.212.131:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D
unknown
binary
724 b
unknown
3720
iexplore.exe
GET
200
216.58.212.131:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
unknown
binary
724 b
unknown
3720
iexplore.exe
GET
200
216.58.212.131:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
unknown
binary
724 b
unknown
3720
iexplore.exe
GET
200
216.58.212.131:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
unknown
binary
724 b
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
3720
iexplore.exe
104.16.113.74:443
www.mediafire.com
CLOUDFLARENET
unknown
3720
iexplore.exe
95.101.54.128:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
3720
iexplore.exe
172.64.149.23:80
ocsp.comodoca.com
CLOUDFLARENET
US
unknown
3720
iexplore.exe
104.18.38.233:80
ocsp.comodoca.com
CLOUDFLARENET
shared
3720
iexplore.exe
172.67.199.186:443
the.gatekeeperconsent.com
CLOUDFLARENET
US
unknown
3720
iexplore.exe
142.250.185.72:443
www.googletagmanager.com
GOOGLE
US
unknown
3720
iexplore.exe
172.67.41.60:443
btloader.com
CLOUDFLARENET
US
unknown

DNS requests

Domain
IP
Reputation
www.mediafire.com
  • 104.16.113.74
  • 104.16.114.74
shared
ctldl.windowsupdate.com
  • 95.101.54.128
  • 95.101.54.113
whitelisted
ocsp.comodoca.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
ocsp.usertrust.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
the.gatekeeperconsent.com
  • 172.67.199.186
  • 104.21.42.32
unknown
www.googletagmanager.com
  • 142.250.185.72
whitelisted
btloader.com
  • 172.67.41.60
  • 104.22.75.216
  • 104.22.74.216
whitelisted
www.ezojs.com
  • 172.64.128.8
  • 172.64.129.8
unknown
translate.google.com
  • 142.250.184.206
whitelisted
static.cloudflareinsights.com
  • 104.16.56.101
  • 104.16.57.101
whitelisted

Threats

PID
Process
Class
Message
1080
svchost.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
1080
svchost.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
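The two Threats rows are DNS-lookup hunting hits, not an exploit signature: the sandbox simply saw the guest resolve a file-sharing host. The same check is cheap to reproduce over your own DNS telemetry, for example to find the workstation that fetched the archive. The script below is an added example, not Suricata or the Emerging Threats ruleset. Its domain list is a small constructed stand-in for the rule's real list, the log lines are constructed in an eve.json-like shape (one JSON DNS record per line) with made-up timestamps and a made-up LAN address, and only the hostnames are taken from the report.

```python
"""Flag DNS queries for file-sharing domains, mirroring the two ET HUNTING hits above.
Added example; the domain list and log lines are constructed stand-ins."""
import json
from typing import Dict, Iterable, List

# Constructed stand-in for the rule's domain list; the real ET list is larger.
FILE_SHARING_DOMAINS = ("mediafire.com", "anonfiles.com", "sendspace.com")


def _labels(name: str) -> List[str]:
    return name.rstrip(".").lower().split(".")


def matches_suffix(name: str, suffixes: Iterable[str] = FILE_SHARING_DOMAINS) -> str:
    """Return the matching base domain, or '' when none. Label-aware, so that
    'notmediafire.com' does not match 'mediafire.com' the way a substring test would."""
    labels = _labels(name)
    for suffix in suffixes:
        s = _labels(suffix)
        if len(labels) >= len(s) and labels[-len(s):] == s:
            return suffix
    return ""


def defang(name: str) -> str:
    """Write the domain the way the Threats table does (www .mediafire .com) so alerts
    pasted into tickets are not clickable."""
    return name.replace(".", " .")


def scan_dns_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Consume eve.json-style DNS records (one JSON object per line) and emit one alert
    per *query* whose name falls under a file-sharing domain; answers are ignored so a
    single lookup does not alert twice."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "dns" or ev.get("dns", {}).get("type") != "query":
            continue
        rrname = ev["dns"].get("rrname", "")
        base = matches_suffix(rrname)
        if base:
            alerts.append({
                "timestamp": ev.get("timestamp", ""),
                "src_ip": ev.get("src_ip", ""),
                "rrname": rrname,
                "message": f"File Sharing Related Domain in DNS Lookup ({defang(rrname)})",
            })
    return alerts


# Constructed log lines; hostnames mirror the report's DNS section, everything else is made up.
SAMPLE_EVE = """
{"timestamp":"2024-02-22T02:41:40.000000+0000","event_type":"dns","src_ip":"192.168.100.10","dns":{"type":"query","rrname":"www.mediafire.com","rrtype":"A"}}
{"timestamp":"2024-02-22T02:41:41.000000+0000","event_type":"dns","src_ip":"192.168.100.10","dns":{"type":"query","rrname":"www.googletagmanager.com","rrtype":"A"}}
{"timestamp":"2024-02-22T02:41:42.000000+0000","event_type":"dns","src_ip":"192.168.100.10","dns":{"type":"answer","rrname":"www.mediafire.com","rrtype":"A","rdata":"104.16.113.74"}}
{"timestamp":"2024-02-22T02:41:43.000000+0000","event_type":"dns","src_ip":"192.168.100.10","dns":{"type":"query","rrname":"download.mediafire.com","rrtype":"A"}}
{"timestamp":"2024-02-22T02:41:44.000000+0000","event_type":"dns","src_ip":"192.168.100.10","dns":{"type":"query","rrname":"notmediafire.com","rrtype":"A"}}
"""

if __name__ == "__main__":
    for a in scan_dns_events(SAMPLE_EVE.splitlines()):
        print(a["timestamp"], a["src_ip"], a["message"])
```

Treat the output as a hunting lead rather than a verdict, as the rule class "Potentially Bad Traffic" already signals: a lookup of www.mediafire.com on its own is not malicious, but paired with a subsequent WinRAR launch from the Downloads folder it is the pivot point for this incident.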
No debug info