File name: Death-Calculator.EXE.zip

Full analysis: https://app.any.run/tasks/66289c3f-2254-49aa-bc88-5359e6b74ac6
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 03, 2024, 11:40:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: B4196C8ACAEB08256266AD34436759F4
SHA1: FE4D8AAA7407D6A5BB74F298D8EA988D0DDB689E
SHA256: B36FD0CCFCB30B1007038632C91F5E6AF0225104DB1753D8EC25C6FBE4A0ABFE
SSDEEP: 12:5jCZxpR/gWpf1Yfu1zDCu/Ey/cCLuc2JuT7KTdG71erJMV2qRZ1abX:90x/Z1Mu3VYuT7KKV2qjcX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 2028)
      • powershell.exe (PID: 2260)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2028)
      • powershell.exe (PID: 2260)
    • Changes powershell execution policy (Bypass)

      • wscript.exe (PID: 1124)
      • wscript.exe (PID: 3352)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3708)
      • powershell.exe (PID: 3892)
    • Starts Visual C# compiler

      • powershell.exe (PID: 3892)
    • Drops the executable file immediately after the start

      • csc.exe (PID: 3620)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 532)
      • cmd.exe (PID: 1392)
      • cmd.exe (PID: 2852)
      • powershell.exe (PID: 3776)
      • cmd.exe (PID: 2620)
      • cmd.exe (PID: 1652)
    • Application launched itself

      • cmd.exe (PID: 1652)
      • cmd.exe (PID: 1392)
      • cmd.exe (PID: 2852)
      • cmd.exe (PID: 2620)
    • Request a resource from the Internet using PowerShell's cmdlet

      • cmd.exe (PID: 2736)
      • cmd.exe (PID: 1392)
      • cmd.exe (PID: 2620)
      • cmd.exe (PID: 3528)
    • Unusual connection from system programs

      • powershell.exe (PID: 2028)
      • powershell.exe (PID: 3708)
      • powershell.exe (PID: 2260)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2736)
      • wscript.exe (PID: 1124)
      • wscript.exe (PID: 3352)
      • cmd.exe (PID: 2852)
      • cmd.exe (PID: 3528)
    • Get information on the list of running processes

      • cmd.exe (PID: 2736)
      • cmd.exe (PID: 3528)
    • Reads the Internet Settings

      • powershell.exe (PID: 2028)
      • powershell.exe (PID: 3776)
      • wscript.exe (PID: 3352)
      • wscript.exe (PID: 1124)
      • powershell.exe (PID: 3708)
      • powershell.exe (PID: 2260)
      • cmd.exe (PID: 1652)
    • The Powershell connects to the Internet

      • powershell.exe (PID: 2028)
      • powershell.exe (PID: 3708)
      • powershell.exe (PID: 2260)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 1392)
      • powershell.exe (PID: 3776)
      • WinRAR.exe (PID: 532)
      • cmd.exe (PID: 2620)
    • Powershell scripting: start process

      • cmd.exe (PID: 2852)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 1808)
      • cmd.exe (PID: 2852)
    • Possibly malicious use of IEX has been detected

      • wscript.exe (PID: 1124)
      • wscript.exe (PID: 3352)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 1808)
    • The process executes VB scripts

      • cmd.exe (PID: 1808)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 1124)
      • wscript.exe (PID: 3352)
    • Checks for external IP

      • powershell.exe (PID: 3708)
    • Adds/modifies Windows certificates

      • powershell.exe (PID: 3708)
    • Uses .NET C# to load dll

      • powershell.exe (PID: 3892)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 3620)
  • INFO

    • Application launched itself

      • msedge.exe (PID: 2628)
    • Manual execution by a user

      • cmd.exe (PID: 1392)
      • explorer.exe (PID: 2648)
      • cmd.exe (PID: 2852)
      • cmd.exe (PID: 2620)
    • Checks supported languages

      • csc.exe (PID: 3620)
      • cvtres.exe (PID: 3476)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 3620)
      • cvtres.exe (PID: 3476)
    • Create files in a temporary directory

      • csc.exe (PID: 3620)
      • cvtres.exe (PID: 3476)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2024:02:03 16:57:26
ZipCRC: 0x1bcb970e
ZipCompressedSize: 294
ZipUncompressedSize: 520
ZipFileName: Death-Calculator.EXE.bat
No data.
All screenshots are available in the full report
Total processes
126
Monitored processes
75
Malicious processes
6
Suspicious processes
9

Behavior graph

Process nodes in graph order ("no specs" is the graph's own label; ×N marks consecutive repeats):
winrar.exe (no specs), cmd.exe (no specs) ×2, schtasks.exe (no specs) ×2, cmd.exe (no specs), msedge.exe, msedge.exe (no specs) ×2, msedge.exe, msedge.exe (no specs) ×13, explorer.exe (no specs), msedge.exe (no specs) ×2, cmd.exe (no specs) ×2, powershell.exe, cmd.exe (no specs) ×2, schtasks.exe (no specs) ×2, cmd.exe (no specs), schtasks.exe (no specs), cmd.exe (no specs) ×2, schtasks.exe (no specs), cmd.exe (no specs), schtasks.exe (no specs) ×2, cmd.exe (no specs) ×2, schtasks.exe (no specs), cmd.exe (no specs), schtasks.exe (no specs) ×2, cmd.exe (no specs) ×2, schtasks.exe (no specs), powershell.exe (no specs), cmd.exe, taskkill.exe (no specs), schtasks.exe (no specs) ×11, timeout.exe (no specs), wscript.exe (no specs) ×2, taskkill.exe (no specs), powershell.exe, powershell.exe (no specs), csc.exe, cvtres.exe (no specs), cmd.exe (no specs) ×2, powershell.exe

Process information

Columns per entry: PID, CMD, Path, Indicators, Parent process
PID: 452
CMD: schtasks /create /sc minute /mo 10 /tn "MyTasks\4" /tr "wscript.exe \"C:\Users\admin\AppData\Local\webs\scr.vbs\"" /RL HIGHEST /F
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 532
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Death-Calculator.EXE.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 604
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3468 --field-trial-handle=1356,i,1775770437805197525,3971121047821123476,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 784
CMD: SCHTASKS /Create /SC DAILY /TN "MyTasks\6" /tr "wscript.exe \"C:\Users\admin\AppData\Local\webs\scr.vbs\"" /ST 15:33 /RL HIGHEST /F
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 796
CMD: SCHTASKS /Create /SC DAILY /TN "MyTasks\9" /TR "wscript.exe \"C:\Users\admin\AppData\Local\webs\codrun.vbs\"" /ST 15:01 /RU "admin"
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 880
CMD: SCHTASKS /Create /SC ONSTART /TN "MyTasks\1" /TR "cmd.exe /C \"C:\Users\admin\AppData\Local\webs\updates.bat\"" /RL HIGHEST /F
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 1124
CMD: wscript.exe "C:\Users\admin\AppData\Local"\webs\scr.vbs
Path: C:\Windows\System32\wscript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1220
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1576 --field-trial-handle=1356,i,1775770437805197525,3971121047821123476,131072 /prefetch:2
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1392
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\update.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1544
CMD: SCHTASKS /Create /SC DAILY /TN "MyTasks\2" /TR "cmd.exe /C \"C:\Users\admin\AppData\Local\webs\updates.bat\"" /ST 16:33 /RL HIGHEST /F
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
Total events
14 763
Read events
14 673
Write events
89
Delete events
1

Modification events

(PID) Process: (532) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (532) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (532) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (532) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (532) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (532) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (532) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (532) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (532) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (532) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files
5
Suspicious files
106
Text files
55
Unknown types
0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2628 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF164f5d.TMP | | |
2628 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old | | |
2628 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF164f5d.TMP | | |
2628 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old | | |
2628 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF164f7c.TMP | | |
2628 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF164fab.TMP | | |
2628 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old | | |
2628 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Variations | binary | 961E3604F228B0D10541EBF921500C86 | F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
2628 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat | binary | DF0BCCD68449F07F531D76F53C718178 | 12025F4DA9E53A8B91892D4F6E6A9B89513F3488BFE9F1EEEC3C05F7EF96BDD8
532 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa532.46401\Death-Calculator.EXE.bat | text | 53DA0DE154F787B2398F975D1ADF976D | 2720CC8979840138E66298F21B407485B2DEE0B0EB5B8941DBDD674C3C0BCA6B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
45
DNS requests
46
Threats
13

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3708 | powershell.exe | GET | 200 | 23.32.238.224:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?43e803369ec1b5e7 | unknown | compressed | 65.2 Kb | unknown
2028 | powershell.exe | GET | 200 | 188.114.97.3:80 | http://ps.c-0.uk/in.mp3 | unknown | text | 9.84 Kb | unknown
3708 | powershell.exe | POST | 200 | 172.67.200.221:80 | http://dll.lat//in.php | unknown | binary | 5.99 Kb | unknown
3708 | powershell.exe | POST | | 172.67.200.221:80 | http://dll.lat//in.php | unknown | | | unknown
2260 | powershell.exe | GET | 200 | 188.114.97.3:80 | http://ps.c-0.uk/in.mp3 | unknown | text | 9.84 Kb | unknown
3708 | powershell.exe | POST | 200 | 172.67.200.221:80 | http://dll.lat//in.php | unknown | binary | 5.99 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
3436 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2628 | msedge.exe | 239.255.255.250:1900 | | | | unknown
3436 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
3436 | msedge.exe | 66.94.98.36:443 | life2vec.io | CONTABO | US | unknown
3436 | msedge.exe | 151.101.2.137:443 | code.jquery.com | FASTLY | US | unknown
3436 | msedge.exe | 142.250.186.72:443 | www.googletagmanager.com | GOOGLE | US | unknown
3436 | msedge.exe | 142.250.186.110:443 | fundingchoicesmessages.google.com | GOOGLE | US | whitelisted

DNS requests

Domain
IP
Reputation
config.edge.skype.com
  • 13.107.42.16
whitelisted
life2vec.io
  • 66.94.98.36
unknown
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
fundingchoicesmessages.google.com
  • 142.250.186.110
whitelisted
pagead2.googlesyndication.com
  • 142.250.186.162
whitelisted
www.googletagmanager.com
  • 142.250.186.72
whitelisted
code.jquery.com
  • 151.101.2.137
  • 151.101.66.137
  • 151.101.130.137
  • 151.101.194.137
whitelisted
seatedsaintinsist.com
  • 172.240.253.132
  • 172.240.108.68
  • 172.240.108.76
  • 192.243.61.225
  • 192.243.61.227
  • 192.243.59.20
  • 172.240.108.84
  • 172.240.108.92
unknown
drivers.ink
  • 188.114.96.3
  • 188.114.97.3
unknown
www.bing.com
  • 2.23.209.130
  • 2.23.209.185
  • 2.23.209.148
  • 2.23.209.189
  • 2.23.209.133
  • 2.23.209.179
  • 2.23.209.176
  • 2.23.209.149
  • 2.23.209.182
whitelisted

Threats

PID | Process | Class | Message
3436 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code.jquery .com)
2028 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
3708 | powershell.exe | Device Retrieving External IP Address Detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
3708 | powershell.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
3708 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
3708 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
2028 | powershell.exe | A Network Trojan was detected | LOADER [ANY.RUN] Gen.Powershell.Downloader.Script
2028 | powershell.exe | A Network Trojan was detected | SUSPICIOUS [ANY.RUN] VBS is used to run Shell
2028 | powershell.exe | Misc activity | ET INFO Powershell Base64 Decode Command Inbound
2028 | powershell.exe | Potentially Bad Traffic | ET ATTACK_RESPONSE PowerShell Base64 Encoded Content Command Common In Powershell Stagers M2
1 ETPRO signatures available at the full report
No debug info