File name:

HEUR-Trojan-Dropper.Win32.Scrop.pef-a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4.7z

Full analysis: https://app.any.run/tasks/9afff590-d6f1-4b77-99e7-c6e422df3597
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 08, 2025, 17:31:06
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
olader
loader
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

068507397850C1952AE700A96CFF28F2

SHA1:

EA61F186B0067F5884094B869797DE32C6F015A7

SHA256:

06BBADDD7153B1D8D5E4714DC19181B5404E4D2FB3FA899540503E024A2582F8

SSDEEP:

98304:rB0H7e0kAQbxzIjFGBlmxzqPGXCG6jrBqmKRuGiwuuabcJo/RzAikXfm8Q0iV3el:+wZds0q2BOGs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • OLADER has been detected

      • HEUR-Trojan-Dropper.Win32.Scrop.pef-a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4.exe (PID: 7232)
    • Create files in the Startup directory

      • remedy.exe (PID: 5352)
    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 3768)
      • wscript.exe (PID: 6044)
    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 3768)
      • wscript.exe (PID: 6044)
    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 3768)
      • wscript.exe (PID: 6044)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • HEUR-Trojan-Dropper.Win32.Scrop.pef-a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4.exe (PID: 7232)
      • remedy.exe (PID: 5352)
    • Process drops legitimate windows executable

      • HEUR-Trojan-Dropper.Win32.Scrop.pef-a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4.exe (PID: 7232)
    • Reads the BIOS version

      • simityvp.exe (PID: 7308)
      • remedy.exe (PID: 5352)
      • IntelRapid.exe (PID: 7244)
    • Starts itself from another location

      • remedy.exe (PID: 5352)
    • Reads security settings of Internet Explorer

      • simityvp.exe (PID: 7308)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • simityvp.exe (PID: 7308)
      • wscript.exe (PID: 6044)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 2196)
      • wscript.exe (PID: 6044)
    • The process executes VB scripts

      • simityvp.exe (PID: 7308)
  • INFO

    • Checks supported languages

      • HEUR-Trojan-Dropper.Win32.Scrop.pef-a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4.exe (PID: 7232)
      • remedy.exe (PID: 5352)
      • simityvp.exe (PID: 7308)
      • IntelRapid.exe (PID: 7244)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7420)
    • Create files in a temporary directory

      • HEUR-Trojan-Dropper.Win32.Scrop.pef-a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4.exe (PID: 7232)
      • simityvp.exe (PID: 7308)
    • Manual execution by a user

      • HEUR-Trojan-Dropper.Win32.Scrop.pef-a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4.exe (PID: 7232)
    • Creates files in the program directory

      • HEUR-Trojan-Dropper.Win32.Scrop.pef-a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4.exe (PID: 7232)
      • simityvp.exe (PID: 7308)
    • The sample compiled with english language support

      • HEUR-Trojan-Dropper.Win32.Scrop.pef-a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4.exe (PID: 7232)
    • Process checks whether UAC notifications are on

      • remedy.exe (PID: 5352)
      • simityvp.exe (PID: 7308)
      • IntelRapid.exe (PID: 7244)
    • Reads the computer name

      • simityvp.exe (PID: 7308)
      • remedy.exe (PID: 5352)
    • Checks proxy server information

      • simityvp.exe (PID: 7308)
      • wscript.exe (PID: 6044)
    • Reads the machine GUID from the registry

      • simityvp.exe (PID: 7308)
    • Reads the software policy settings

      • simityvp.exe (PID: 7308)
    • Creates files or folders in the user directory

      • simityvp.exe (PID: 7308)
      • remedy.exe (PID: 5352)
    • Process checks computer location settings

      • simityvp.exe (PID: 7308)
    • Reads CPU info

      • simityvp.exe (PID: 7308)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
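The signature list above records the chain that matters for detection: the dropper writes remedy.exe and simityvp.exe to %TEMP%\lizard, remedy.exe creates a file in the Startup directory and launches its relocated copy as IntelRapid.exe from AppData\Roaming, and simityvp.exe writes .vbs files to %TEMP% and runs them through wscript.exe. The Python below is an added example, not ANY.RUN's signature logic, that turns those three behaviours into rules and runs them over constructed Sysmon-style process-create (event 1) and file-create (event 11) records modelled on this report. The record field names, the dropper's short file name and the Startup-folder file name are assumptions; the report only says a file was created there.

```python
"""Three host-side rules for the OLADER chain in this report, run over
constructed Sysmon-style records. Added example; not ANY.RUN's own signatures.
Field names (EventID, Image, CommandLine, ParentImage, TargetFilename) follow
Sysmon's event schema; the Startup-folder file name is invented."""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    rule: str
    image: str
    detail: str


TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
VBS_ARG_RE = re.compile(r'"([^"]+\.vbs)"|(\S+\.vbs)', re.IGNORECASE)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parents from which a user or admin would plausibly run a script by hand.
EXPECTED_SCRIPT_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def script_argument(command_line: str) -> str:
    """Return the .vbs path handed to the script host, or '' if there is none."""
    m = VBS_ARG_RE.search(command_line)
    return (m.group(1) or m.group(2)) if m else ""


def detect(events):
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            image, parent = ev["Image"], ev.get("ParentImage", "")
            # Rule 1: script host running a .vbs out of %TEMP% under an unexpected
            # parent. Match on Image, not CommandLine: for the 32-bit parent in this
            # report the command line says System32\WScript.exe while the image that
            # actually loaded is SysWOW64\wscript.exe (WOW64 file-system redirection).
            if basename(image) in SCRIPT_HOSTS:
                script = script_argument(ev.get("CommandLine", ""))
                if TEMP_RE.search(script) and basename(parent) not in EXPECTED_SCRIPT_PARENTS:
                    findings.append(Finding("script_host_from_temp", image,
                                            f"{script} spawned by {parent}"))
            # Rule 2: a process under AppData\Roaming whose parent lives in %TEMP%
            # (remedy.exe starting its relocated copy as IntelRapid.exe).
            if ROAMING_RE.search(image) and TEMP_RE.search(parent):
                findings.append(Finding("roaming_exe_from_temp_parent", image, parent))
        elif ev["EventID"] == 11:
            # Rule 3: anything written into a Startup folder.
            target = ev["TargetFilename"]
            if STARTUP_RE.search(target):
                findings.append(Finding("startup_folder_write", ev["Image"], target))
    return findings


# Constructed records modelled on the process tree in this report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\admin\AppData\Local\Temp\lizard\remedy.exe",
     "CommandLine": r'"C:\Users\admin\AppData\Local\Temp\lizard\remedy.exe"',
     "ParentImage": r"C:\Users\admin\Desktop\dropper.exe"},
    {"EventID": 11, "Image": r"C:\Users\admin\AppData\Local\Temp\lizard\remedy.exe",
     # file name invented; the report only says a file was created in Startup
     "TargetFilename": r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk"},
    {"EventID": 1, "Image": r"C:\Users\admin\AppData\Roaming\Intel Rapid\IntelRapid.exe",
     "CommandLine": r'"C:\Users\admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"',
     "ParentImage": r"C:\Users\admin\AppData\Local\Temp\lizard\remedy.exe"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r'"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\jjqjihedf.vbs"',
     "ParentImage": r"C:\Users\admin\AppData\Local\Temp\lizard\simityvp.exe"},
    # benign control: a user running a script from Documents via Explorer
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\admin\Documents\logon.vbs"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:30} {f.image}  ({f.detail})")
```

Each rule on its own fires on legitimate installers now and then; the verdict in this report rests on all three appearing in one process tree rooted at a user-launched executable, so a hunting query should join the findings on the parent chain rather than alert on any single one.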
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2021:10:26 12:03:44+00:00
ArchivedFileName: HEUR-Trojan-Dropper.Win32.Scrop.pef-a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4.exe
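The TRiD and EXIF entries above identify the submission as a 7z archive with format version 0.4. The parser below, added here and not part of the ANY.RUN report, reads the fixed 32-byte 7z signature header and recomputes the StartHeaderCRC, so a triage script trusts the magic bytes and checksum rather than the .7z extension. `build_signature_header` exists only to construct sample input; the packed-stream size, next-header size and CRC it is given are made-up values.

```python
"""Validate a 7z signature header before trusting a reported file type.

Added example (not code from the ANY.RUN report). The 32-byte signature
header layout is the one documented in 7-Zip's DOC/7zFormat.txt:
  0..5   magic '7z\xBC\xAF\x27\x1C'
  6      ArchiveVersion.Major
  7      ArchiveVersion.Minor
  8..11  StartHeaderCRC  = CRC32 of bytes 12..31
  12..19 NextHeaderOffset (u64, relative to the end of this header)
  20..27 NextHeaderSize   (u64)
  28..31 NextHeaderCRC
"""
import struct
import zlib
from dataclasses import dataclass

MAGIC = b"7z\xbc\xaf\x27\x1c"
SIG_HEADER_LEN = 32


@dataclass(frozen=True)
class SevenZipSigHeader:
    major: int
    minor: int
    next_header_offset: int
    next_header_size: int
    next_header_crc: int
    start_header_crc_ok: bool

    @property
    def version(self) -> str:
        # TRiD and EXIF render this as "v0.4" / "7z v0.04"
        return f"{self.major}.{self.minor}"


def parse_signature_header(data: bytes) -> SevenZipSigHeader:
    """Parse the first 32 bytes; raise ValueError if they are not a 7z header."""
    if len(data) < SIG_HEADER_LEN:
        raise ValueError("shorter than a 7z signature header")
    if data[:6] != MAGIC:
        raise ValueError("7z magic not found at offset 0")
    major, minor = data[6], data[7]
    (stored_crc,) = struct.unpack_from("<I", data, 8)
    computed_crc = zlib.crc32(data[12:32]) & 0xFFFFFFFF
    nh_offset, nh_size, nh_crc = struct.unpack_from("<QQI", data, 12)
    return SevenZipSigHeader(major, minor, nh_offset, nh_size, nh_crc,
                             stored_crc == computed_crc)


def looks_like_7z(data: bytes) -> bool:
    """True only when the magic matches and the start-header CRC verifies."""
    try:
        return parse_signature_header(data).start_header_crc_ok
    except ValueError:
        return False


def next_header_in_bounds(hdr: SevenZipSigHeader, file_size: int) -> bool:
    """The 'next header' must lie inside the file: a truncated download, or a 7z
    header glued onto another file, often fails this while the magic still matches."""
    end = SIG_HEADER_LEN + hdr.next_header_offset + hdr.next_header_size
    return hdr.next_header_size > 0 and end <= file_size


def build_signature_header(major: int, minor: int, nh_offset: int,
                           nh_size: int, nh_crc: int) -> bytes:
    """Construct a well-formed header (used here only to make sample input)."""
    tail = struct.pack("<QQI", nh_offset, nh_size, nh_crc)
    start_crc = zlib.crc32(tail) & 0xFFFFFFFF
    return MAGIC + bytes([major, minor]) + struct.pack("<I", start_crc) + tail


# Constructed sample: a v0.4 archive whose packed streams take 1000 bytes,
# followed by a 57-byte next header. The sizes and CRC are made up.
SAMPLE_HEADER = build_signature_header(0, 4, 1000, 57, 0xDEADBEEF)
SAMPLE_FILE_SIZE = SIG_HEADER_LEN + 1000 + 57

# Same bytes with one bit of NextHeaderOffset flipped: the magic still
# matches but the StartHeaderCRC no longer verifies.
TAMPERED_HEADER = SAMPLE_HEADER[:12] + bytes([SAMPLE_HEADER[12] ^ 0x01]) + SAMPLE_HEADER[13:]


if __name__ == "__main__":
    hdr = parse_signature_header(SAMPLE_HEADER)
    print(f"7z v{hdr.version}, StartHeaderCRC ok={hdr.start_header_crc_ok}, "
          f"next header in bounds={next_header_in_bounds(hdr, SAMPLE_FILE_SIZE)}")
    print(f"tampered copy: StartHeaderCRC ok={looks_like_7z(TAMPERED_HEADER)}")
```

Run against a real submission by passing its first 32 bytes to `parse_signature_header` and its length to `next_header_in_bounds`; a magic match with a failing CRC or out-of-range next header is worth noting in the triage record, since it usually means the archive was truncated or deliberately malformed to frustrate automated extraction.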
No data.
All screenshots are available in the full report
Total processes
137
Monitored processes
10
Malicious processes
5
Suspicious processes
2

Behavior graph

start
winrar.exe
sppextcomobj.exe (no specs)
slui.exe
heur-trojan-dropper.win32.scrop.pef-a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4.exe (#OLADER)
remedy.exe
simityvp.exe
intelrapid.exe (no specs)
svchost.exe
wscript.exe (no specs)
wscript.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
2196
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
3768
CMD:
"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\bejvmjtwm.vbs"
Path:
C:\Windows\SysWOW64\wscript.exe
Parent process:
simityvp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
5352
CMD:
"C:\Users\admin\AppData\Local\Temp\lizard\remedy.exe"
Path:
C:\Users\admin\AppData\Local\Temp\lizard\remedy.exe
Parent process:
HEUR-Trojan-Dropper.Win32.Scrop.pef-a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\lizard\remedy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
6044
CMD:
"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\jjqjihedf.vbs"
Path:
C:\Windows\SysWOW64\wscript.exe
Parent process:
simityvp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
7232
CMD:
"C:\Users\admin\Desktop\HEUR-Trojan-Dropper.Win32.Scrop.pef-a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4.exe"
Path:
C:\Users\admin\Desktop\HEUR-Trojan-Dropper.Win32.Scrop.pef-a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\heur-trojan-dropper.win32.scrop.pef-a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID:
7244
CMD:
"C:\Users\admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
Path:
C:\Users\admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
Parent process:
remedy.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\roaming\intel rapid\intelrapid.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
7308
CMD:
"C:\Users\admin\AppData\Local\Temp\lizard\simityvp.exe"
Path:
C:\Users\admin\AppData\Local\Temp\lizard\simityvp.exe
Parent process:
HEUR-Trojan-Dropper.Win32.Scrop.pef-a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\lizard\simityvp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID:
7420
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\9afff590-d6f1-4b77-99e7-c6e422df3597.7z
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
7524
CMD:
C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path:
C:\Windows\System32\SppExtComObj.Exe
Parent process:
svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID:
7556
CMD:
"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path:
C:\Windows\System32\slui.exe
Parent process:
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
4 181
Read events
4 154
Write events
27
Delete events
0

Modification events

(PID) Process: (7420) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (7420) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (7420) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (7420) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\9afff590-d6f1-4b77-99e7-c6e422df3597.7z

(PID) Process: (7420) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (7420) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (7420) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (7420) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (7420) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (7420) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files
8
Suspicious files
8
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7420
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb7420.38578\HEUR-Trojan-Dropper.Win32.Scrop.pef-a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4.exe
Type: executable
MD5: B1FDB02F9A318CDFF5CD3A4A38FE7037
SHA256: A24784CC4BD53F7D3CA9700802DD60D01BF245128E95800CCD60841F1E1075F4

PID: 7232
Process: HEUR-Trojan-Dropper.Win32.Scrop.pef-a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4.exe
Filename: C:\Program Files (x86)\foler\olader\acledit.dll
Type: executable
MD5: 8D96CB171B4138F43A754317BE9E982C
SHA256: 727B96DCA0363F7CD5767F94BF72E0655EF1D00F44B27D496DEB733EB32BE12B

PID: 7232
Process: HEUR-Trojan-Dropper.Win32.Scrop.pef-a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4.exe
Filename: C:\Program Files (x86)\foler\olader\acppage.dll
Type: executable
MD5: 290075961DD4856211078377D14942C8
SHA256: 949FD56C5A63D3F1C20769BC2285AC5517C4CA84250C807F18247A2D93EFC1A4

PID: 7308
Process: simityvp.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
Type: binary
MD5: 971C514F84BBA0785F80AA1C23EDFD79
SHA256: F157ED17FCAF8837FA82F8B69973848C9B10A02636848F995698212A08F31895

PID: 7308
Process: simityvp.exe
Filename: C:\Users\admin\AppData\Local\Temp\jjqjihedf.vbs
Type: text
MD5: BAB2D9F01AD15BE52E1C3ED3F6E8BBA5
SHA256: DAFB5E6B0CB37B253B1DD464293A57D1EE664A3AB19B94D9DAA3434EDDFEF6B3

PID: 7308
Process: simityvp.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Type: binary
MD5: A046F0A42BACFEEBACEDC0B160C780A0
SHA256: 95E0DAE1DA655C052941D0343D725D86CF847BEA0043414CF2C4A1337D3A6042

PID: 7308
Process: simityvp.exe
Filename: C:\Users\admin\AppData\Local\Temp\F00F.tmp
Type: binary
MD5: CBDEE20AF99E8674E1A1DE4B40689EF1
SHA256: 0F3DE653D0769F4A6CC53E1E2CD0E059927835F5A0AD087A6C15B64743D0DBBB

PID: 7232
Process: HEUR-Trojan-Dropper.Win32.Scrop.pef-a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4.exe
Filename: C:\Users\admin\AppData\Local\Temp\lizard\simityvp.exe
Type: executable
MD5: 9F466FA2A0A30AC516F46D4880B22619
SHA256: A26355756D9F2C768EE490A0C8E639B26B3A48A3AA4A1D3FF0AA0BAD97B385F4

PID: 7232
Process: HEUR-Trojan-Dropper.Win32.Scrop.pef-a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4.exe
Filename: C:\Program Files (x86)\foler\olader\adprovider.dll
Type: executable
MD5: F981199C82A40CF638D313C4498ECAB9
SHA256: 338287DDB5FDBF0F7540DAC8AE8A3F02643F7B45F3B401A9DFA6447E39043049

PID: 7308
Process: simityvp.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Type: binary
MD5: EAD53BF9430C62358BA1231B848CCF72
SHA256: FF4FFCBCC7EF55CDFAF159BB14639F20E3864916F6750F5221D167700301C0D8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
29
DNS requests
17
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7308
simityvp.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7628
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7308
simityvp.exe
GET
200
142.250.186.131:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
7308
simityvp.exe
GET
200
142.250.186.131:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
4120
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4120
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7084
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
20.190.160.130:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
7628
backgroundTaskHost.exe
20.223.35.26:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7628
backgroundTaskHost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 172.217.16.206
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
login.live.com
  • 20.190.160.130
  • 40.126.32.134
  • 40.126.32.140
  • 20.190.160.17
  • 40.126.32.138
  • 40.126.32.133
  • 20.190.160.4
  • 20.190.160.20
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted
2no.co
  • 172.67.149.76
  • 104.21.79.229
whitelisted
c.pki.goog
  • 142.250.186.131
whitelisted
monthypaitonproject.com
unknown

Threats

PID
Process
Class
Message
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
Potential Corporate Privacy Violation
ET INFO IP Check Domain (iplogger .org in DNS Lookup)
Potential Corporate Privacy Violation
ET INFO IP Check Domain (iplogger .org in TLS SNI)
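The Threats section above names its IOC domains in defanged form (ip-api .com, iplogger .org), and the DNS list shows one domain, monthypaitonproject.com, that never resolved during the run. The script below is an added example and not part of the report: it re-fangs a watchlist built from those entries, matches DNS query records by domain suffix so that subdomains hit, and separately flags unresolved lookups from non-system processes. The log line format is constructed, the SYSTEM_IMAGES allow-list is an assumption, and grouping 2no.co with iplogger.org under the ip_logger category is an assumption made for the example; the report only shows 2no.co in the DNS list next to the iplogger.org alerts.

```python
"""Classify DNS query records against the IOC domains named in this report.
Added example, not ANY.RUN's detection logic. The log format is constructed
and placing 2no.co under 'ip_logger' is an assumption for the example."""
import re
from typing import NamedTuple


class DnsFinding(NamedTuple):
    category: str
    pid: int
    image: str
    query: str


def refang(value: str) -> str:
    """Turn defanged IOC notation ("a .b", "a[.]b", "a(.)b", hxxp) back into a
    matchable domain or URL."""
    v = value.strip().lower()
    v = re.sub(r"\s*\[\.\]\s*|\s*\(\.\)\s*|\s+\.\s*", ".", v)
    return v.replace("hxxp://", "http://").replace("hxxps://", "https://")


# Watchlist written exactly as the report's ET rule names defang the domains.
WATCHLIST = {
    "external_ip_lookup": ["ip-api .com"],
    "ip_logger": ["iplogger .org", "2no .co"],  # 2no.co grouping is an assumption
}
WATCH = {refang(d): cat for cat, domains in WATCHLIST.items() for d in domains}

# Processes whose failed lookups are routine noise on a Windows 10 guest (assumption).
SYSTEM_IMAGES = {"system", "svchost.exe", "ruximics.exe", "backgroundtaskhost.exe", "sihclient.exe"}


def domain_category(query: str):
    """Suffix match: sub.iplogger.org hits the iplogger.org entry. The bare TLD
    is never tested, so 'com' alone can not match anything."""
    labels = refang(query).split(".")
    for i in range(len(labels) - 1):
        cat = WATCH.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


LINE_RE = re.compile(r"pid=(\d+) image=(\S+) query=(\S+) result=(\S+)")


def classify_dns(log_text: str):
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, image, query, result = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        cat = domain_category(query)
        if cat:
            findings.append(DnsFinding(cat, pid, image, query))
        elif result == "NXDOMAIN" and image.lower() not in SYSTEM_IMAGES:
            # A sandboxed sample querying a name that no longer resolves is a
            # common sign of a sinkholed or expired C2 / download domain.
            findings.append(DnsFinding("unresolved_domain", pid, image, query))
    return findings


# Constructed records modelled on the DNS and HTTP sections of this report.
SAMPLE_DNS_LOG = """\
2025-03-08 17:32:01 pid=7308 image=simityvp.exe query=ip-api.com result=208.95.112.1
2025-03-08 17:32:04 pid=6044 image=wscript.exe query=2no.co result=172.67.149.76
2025-03-08 17:32:05 pid=7308 image=simityvp.exe query=monthypaitonproject.com result=NXDOMAIN
2025-03-08 17:32:07 pid=2104 image=svchost.exe query=settings-win.data.microsoft.com result=40.127.240.158
2025-03-08 17:32:09 pid=2104 image=svchost.exe query=stale.example.invalid result=NXDOMAIN
"""

if __name__ == "__main__":
    for f in classify_dns(SAMPLE_DNS_LOG):
        print(f"{f.category:20} pid={f.pid} {f.image} -> {f.query}")
```

An external IP lookup on its own is common in legitimate software, which is why the ET rules involved are classified as INFO; the weight in this report comes from the lookup being issued by a script host running out of %TEMP% and being followed by an IP-logger contact, so the DNS findings are best correlated by PID with the process-tree findings rather than alerted on alone.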
No debug info