File name: Death-Calculator.EXE.zip

Full analysis: https://app.any.run/tasks/66289c3f-2254-49aa-bc88-5359e6b74ac6
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 03, 2024, 11:40:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion, loader
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: B4196C8ACAEB08256266AD34436759F4
SHA1: FE4D8AAA7407D6A5BB74F298D8EA988D0DDB689E
SHA256: B36FD0CCFCB30B1007038632C91F5E6AF0225104DB1753D8EC25C6FBE4A0ABFE
SSDEEP: 12:5jCZxpR/gWpf1Yfu1zDCu/Ey/cCLuc2JuT7KTdG71erJMV2qRZ1abX:90x/Z1Mu3VYuT7KKV2qjcX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2028)
      • powershell.exe (PID: 2260)
    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 2028)
      • powershell.exe (PID: 2260)
    • Changes powershell execution policy (Bypass)

      • wscript.exe (PID: 3352)
      • wscript.exe (PID: 1124)
    • Starts Visual C# compiler

      • powershell.exe (PID: 3892)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3708)
      • powershell.exe (PID: 3892)
    • Drops the executable file immediately after the start

      • csc.exe (PID: 3620)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 1652)
      • WinRAR.exe (PID: 532)
      • cmd.exe (PID: 1392)
      • cmd.exe (PID: 2852)
      • powershell.exe (PID: 3776)
      • cmd.exe (PID: 2620)
    • Application launched itself

      • cmd.exe (PID: 1652)
      • cmd.exe (PID: 1392)
      • cmd.exe (PID: 2852)
      • cmd.exe (PID: 2620)
    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 532)
      • cmd.exe (PID: 1392)
      • powershell.exe (PID: 3776)
      • cmd.exe (PID: 2620)
    • Reads the Internet Settings

      • cmd.exe (PID: 1652)
      • powershell.exe (PID: 2028)
      • wscript.exe (PID: 1124)
      • powershell.exe (PID: 3776)
      • wscript.exe (PID: 3352)
      • powershell.exe (PID: 3708)
      • powershell.exe (PID: 2260)
    • Request a resource from the Internet using PowerShell's cmdlet

      • cmd.exe (PID: 1392)
      • cmd.exe (PID: 2736)
      • cmd.exe (PID: 2620)
      • cmd.exe (PID: 3528)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2736)
      • cmd.exe (PID: 2852)
      • wscript.exe (PID: 1124)
      • wscript.exe (PID: 3352)
      • cmd.exe (PID: 3528)
    • Get information on the list of running processes

      • cmd.exe (PID: 2736)
      • cmd.exe (PID: 3528)
    • Unusual connection from system programs

      • powershell.exe (PID: 2028)
      • powershell.exe (PID: 3708)
      • powershell.exe (PID: 2260)
    • The Powershell connects to the Internet

      • powershell.exe (PID: 2028)
      • powershell.exe (PID: 3708)
      • powershell.exe (PID: 2260)
    • Powershell scripting: start process

      • cmd.exe (PID: 2852)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 1808)
      • cmd.exe (PID: 2852)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 1808)
    • The process executes VB scripts

      • cmd.exe (PID: 1808)
    • Possibly malicious use of IEX has been detected

      • wscript.exe (PID: 1124)
      • wscript.exe (PID: 3352)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 3352)
      • wscript.exe (PID: 1124)
    • Checks for external IP

      • powershell.exe (PID: 3708)
    • Uses .NET C# to load dll

      • powershell.exe (PID: 3892)
    • Adds/modifies Windows certificates

      • powershell.exe (PID: 3708)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 3620)
  • INFO

    • Application launched itself

      • msedge.exe (PID: 2628)
    • Manual execution by a user

      • explorer.exe (PID: 2648)
      • cmd.exe (PID: 1392)
      • cmd.exe (PID: 2852)
      • cmd.exe (PID: 2620)
    • Checks supported languages

      • cvtres.exe (PID: 3476)
      • csc.exe (PID: 3620)
    • Reads the machine GUID from the registry

      • cvtres.exe (PID: 3476)
      • csc.exe (PID: 3620)
    • Create files in a temporary directory

      • csc.exe (PID: 3620)
      • cvtres.exe (PID: 3476)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2024:02:03 16:57:26
ZipCRC: 0x1bcb970e
ZipCompressedSize: 294
ZipUncompressedSize: 520
ZipFileName: Death-Calculator.EXE.bat
No data.
All screenshots are available in the full report
Total processes: 126
Monitored processes: 75
Malicious processes: 6
Suspicious processes: 9

Behavior graph

(Interactive process graph, available in the full report. Process images that appear as nodes in the graph: winrar.exe, cmd.exe, schtasks.exe, msedge.exe, explorer.exe, powershell.exe, taskkill.exe, timeout.exe, wscript.exe, csc.exe, cvtres.exe.)

Process information

(One entry per process: PID, command line, image path, parent process, then process details and loaded modules.)
PID: 452
CMD: schtasks /create /sc minute /mo 10 /tn "MyTasks\4" /tr "wscript.exe \"C:\Users\admin\AppData\Local\webs\scr.vbs\"" /RL HIGHEST /F
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 532
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Death-Calculator.EXE.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 604
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3468 --field-trial-handle=1356,i,1775770437805197525,3971121047821123476,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 784
CMD: SCHTASKS /Create /SC DAILY /TN "MyTasks\6" /tr "wscript.exe \"C:\Users\admin\AppData\Local\webs\scr.vbs\"" /ST 15:33 /RL HIGHEST /F
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 796
CMD: SCHTASKS /Create /SC DAILY /TN "MyTasks\9" /TR "wscript.exe \"C:\Users\admin\AppData\Local\webs\codrun.vbs\"" /ST 15:01 /RU "admin"
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 880
CMD: SCHTASKS /Create /SC ONSTART /TN "MyTasks\1" /TR "cmd.exe /C \"C:\Users\admin\AppData\Local\webs\updates.bat\"" /RL HIGHEST /F
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 1124
CMD: wscript.exe "C:\Users\admin\AppData\Local"\webs\scr.vbs
Path: C:\Windows\System32\wscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (images):
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1220
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1576 --field-trial-handle=1356,i,1775770437805197525,3971121047821123476,131072 /prefetch:2
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1392
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\update.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1544
CMD: SCHTASKS /Create /SC DAILY /TN "MyTasks\2" /TR "cmd.exe /C \"C:\Users\admin\AppData\Local\webs\updates.bat\"" /ST 16:33 /RL HIGHEST /F
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
Total events: 14 763
Read events: 14 673
Write events: 89
Delete events: 1

Modification events

(532) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(532) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(532) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\phacker.zip
(532) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(532) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(532) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(532) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(532) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(532) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(532) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
Executable files: 5
Suspicious files: 106
Text files: 55
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2628 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF164f5d.TMP | | |
2628 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old | | |
2628 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF164f5d.TMP | | |
2628 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old | | |
2628 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF164f7c.TMP | | |
2628 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF164fab.TMP | | |
2628 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old | | |
2628 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old~RF164f5d.TMP | text | A9B940DA81B2E13D048EBB32E79FA414 | 9061129705411EA6CFDD34177BF841CC85EB857BA909D3C4AA69BE8A5C59A8B0
2628 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old~RF164f5d.TMP | text | BC5665331C6B5366D725CB1970BD7406 | 5D33599D48DC5F3D65BA548DDBAE25868B979EABA17BC310F0D2C7543341F80D
2032 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics.pma | binary | 886E82F2CA62ECCCE64601B30592078A | E5E13D53601100FF3D6BB71514CBCCC4C73FE9B7EF5E930100E644187B42948E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 45
DNS requests: 46
Threats: 13

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2028 | powershell.exe | GET | 200 | 188.114.97.3:80 | http://ps.c-0.uk/in.mp3 | unknown | text | 9.84 Kb | unknown
3708 | powershell.exe | GET | 200 | 23.32.238.224:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?43e803369ec1b5e7 | unknown | compressed | 65.2 Kb | unknown
3708 | powershell.exe | POST | 200 | 172.67.200.221:80 | http://dll.lat//in.php | unknown | binary | 5.99 Kb | unknown
2260 | powershell.exe | GET | 200 | 188.114.97.3:80 | http://ps.c-0.uk/in.mp3 | unknown | text | 9.84 Kb | unknown
3708 | powershell.exe | POST | | 172.67.200.221:80 | http://dll.lat//in.php | unknown | | | unknown
3708 | powershell.exe | POST | 200 | 172.67.200.221:80 | http://dll.lat//in.php | unknown | binary | 5.99 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
3436 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2628 | msedge.exe | 239.255.255.250:1900 | | | | unknown
3436 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
3436 | msedge.exe | 66.94.98.36:443 | life2vec.io | CONTABO | US | unknown
3436 | msedge.exe | 151.101.2.137:443 | code.jquery.com | FASTLY | US | unknown
3436 | msedge.exe | 142.250.186.72:443 | www.googletagmanager.com | GOOGLE | US | unknown
3436 | msedge.exe | 142.250.186.110:443 | fundingchoicesmessages.google.com | GOOGLE | US | whitelisted

DNS requests

Domain
IP
Reputation
config.edge.skype.com
  • 13.107.42.16
whitelisted
life2vec.io
  • 66.94.98.36
unknown
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
fundingchoicesmessages.google.com
  • 142.250.186.110
whitelisted
pagead2.googlesyndication.com
  • 142.250.186.162
whitelisted
www.googletagmanager.com
  • 142.250.186.72
whitelisted
code.jquery.com
  • 151.101.2.137
  • 151.101.66.137
  • 151.101.130.137
  • 151.101.194.137
whitelisted
seatedsaintinsist.com
  • 172.240.253.132
  • 172.240.108.68
  • 172.240.108.76
  • 192.243.61.225
  • 192.243.61.227
  • 192.243.59.20
  • 172.240.108.84
  • 172.240.108.92
unknown
drivers.ink
  • 188.114.96.3
  • 188.114.97.3
unknown
www.bing.com
  • 2.23.209.130
  • 2.23.209.185
  • 2.23.209.148
  • 2.23.209.189
  • 2.23.209.133
  • 2.23.209.179
  • 2.23.209.176
  • 2.23.209.149
  • 2.23.209.182
whitelisted

Threats

PID | Process | Class | Message
3436 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code.jquery .com)
2028 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
3708 | powershell.exe | Device Retrieving External IP Address Detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
3708 | powershell.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
3708 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
3708 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
2028 | powershell.exe | A Network Trojan was detected | LOADER [ANY.RUN] Gen.Powershell.Downloader.Script
2028 | powershell.exe | A Network Trojan was detected | SUSPICIOUS [ANY.RUN] VBS is used to run Shell
2028 | powershell.exe | Misc activity | ET INFO Powershell Base64 Decode Command Inbound
2028 | powershell.exe | Potentially Bad Traffic | ET ATTACK_RESPONSE PowerShell Base64 Encoded Content Command Common In Powershell Stagers M2
1 ETPRO signatures available at the full report
No debug info