File name: scp_visual.exe.zip
Full analysis: https://app.any.run/tasks/24b64194-e30a-4bc4-b3b0-2fbfbaf67963
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: December 11, 2024, 08:46:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
evasion
ransomware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 6CCFC286DCF77A37A9B2AE41036A8CE6
SHA1: 381DD90D2D1C1DFE6C55DB559839DC17FA3F5C81
SHA256: 108BAAC62A51AC89C781568BB728385949812F0D7F9B3C8E5FE570A45FA71313
SSDEEP: 768:3+NbgPurrzjEy6V8mkNevM+gVOcmoZvKSzAybdH9om0Cieqln:BPcoDkn+5oZvKSzH9omvjg

ANY.RUN is an interactive service that gives the analyst full access to the guest system, so the information in this report may have been influenced by the analyst's actions. It is provided as is; ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS
    • Generic archive extractor
      • WinRAR.exe (PID: 6476)
    • Deletes shadow copies
      • cmd.exe (PID: 4592)
    • Renames files like ransomware
      • scp_visual.exe (PID: 6176)
    • Starts CMD.EXE for self-deletion
      • scp_visual.exe (PID: 6176)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • scp_visual.exe (PID: 4264)
      • scp_visual.exe (PID: 6176)
    • Application launched itself
      • scp_visual.exe (PID: 4264)
    • Starts CMD.EXE for command execution
      • scp_visual.exe (PID: 6176)
    • Executes as Windows Service
      • VSSVC.exe (PID: 6260)
      • wbengine.exe (PID: 7140)
      • vds.exe (PID: 6360)
    • Starts notepad (likely ransom note)
      • scp_visual.exe (PID: 6176)
    • Runs PING.EXE to delay execution
      • cmd.exe (PID: 2324)
    • Checks for external IP
      • scp_visual.exe (PID: 6176)
      • svchost.exe (PID: 2192)
    • Checks Windows Trust Settings
      • scp_visual.exe (PID: 6176)
    • Sets range of bytes to zero
      • fsutil.exe (PID: 2744)
  • INFO
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 6476)
    • Reads the machine GUID from the registry
      • scp_visual.exe (PID: 4264)
      • OfficeClickToRun.exe (PID: 6816)
      • scp_visual.exe (PID: 6176)
    • Manual execution by a user
      • scp_visual.exe (PID: 4264)
    • Reads the computer name
      • scp_visual.exe (PID: 4264)
      • OfficeClickToRun.exe (PID: 6816)
    • The process uses the downloaded file
      • WinRAR.exe (PID: 6476)
      • scp_visual.exe (PID: 4264)
      • scp_visual.exe (PID: 6176)
    • Checks supported languages
      • scp_visual.exe (PID: 4264)
      • scp_visual.exe (PID: 6176)
      • OfficeClickToRun.exe (PID: 6816)
    • Process checks computer location settings
      • scp_visual.exe (PID: 4264)
      • scp_visual.exe (PID: 6176)
    • Reads Windows Product ID
      • scp_visual.exe (PID: 6176)
    • Sends debugging messages
      • wbadmin.exe (PID: 6732)
    • Reads Microsoft Office registry keys
      • OfficeClickToRun.exe (PID: 6816)
    • Checks proxy server information
      • OfficeClickToRun.exe (PID: 6816)
      • scp_visual.exe (PID: 6176)
    • Creates files in the program directory
      • scp_visual.exe (PID: 6176)
    • Reads security settings of Internet Explorer
      • WMIC.exe (PID: 4724)
      • notepad.exe (PID: 2380)
    • Executes as Windows Service
      • OfficeClickToRun.exe (PID: 6816)
    • Reads the software policy settings
      • scp_visual.exe (PID: 6176)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2024:11:21 21:47:30
ZipCRC: 0x98ab0491
ZipCompressedSize: 31768
ZipUncompressedSize: 50688
ZipFileName: scp_visual.exe
All screenshots are available in the full report
Total processes: 153
Monitored processes: 20
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes in the graph, in order of appearance ("no specs" is the report's own marker):
start
winrar.exe
rundll32.exe (no specs)
scp_visual.exe (no specs)
scp_visual.exe
cmd.exe (no specs)
conhost.exe (no specs)
vssadmin.exe (no specs)
vssvc.exe (no specs)
wbadmin.exe
wbengine.exe (no specs)
vdsldr.exe (no specs)
vds.exe (no specs)
wmic.exe (no specs)
officeclicktorun.exe
notepad.exe (no specs)
svchost.exe
cmd.exe (no specs)
conhost.exe (no specs)
ping.exe (no specs)
fsutil.exe (no specs)

Process information

Each record lists PID, command line, image path and parent process, followed by the process details and the loaded modules.
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2324
CMD: C:\WINDOWS\system32\cmd.exe /c ping 1.1.1.1 -n 5 & fsutil file setZeroData offset=0 length=131072 "C:\Users\admin\Downloads\scp_visual.exe" & del /q /f "C:\Users\admin\Downloads\scp_visual.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: scp_visual.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2380
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\+README-WARNING+.txt
Path: C:\Windows\SysWOW64\notepad.exe
Parent process: scp_visual.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Notepad
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
PID: 2744
CMD: fsutil file setZeroData offset=0 length=131072 "C:\Users\admin\Downloads\scp_visual.exe"
Path: C:\Windows\SysWOW64\fsutil.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
fsutil.exe
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\fsutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3744
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4264
CMD: "C:\Users\admin\Downloads\scp_visual.exe"
Path: C:\Users\admin\Downloads\scp_visual.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\downloads\scp_visual.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 4384
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4592
CMD: "C:\WINDOWS\system32\cmd.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: scp_visual.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
PID: 4724
CMD: wmic shadowcopy delete
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 5576
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
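The command lines recorded in the process table above (the cmd.exe /c ping ... & fsutil file setZeroData ... & del ... self-deletion chain, wmic shadowcopy delete, and notepad.exe opening +README-WARNING+.txt) are the behaviours a detection engineer would alert on. The Python below is an added example written for this page; it is not code from the ANY.RUN report or from the sample. It replays the command lines copied from the report, plus one constructed vssadmin line (the report shows vssadmin.exe in the behaviour graph but gives no arguments for it), through a small rule set. The rule names, the "self-wipe" heuristic and the ATT&CK mapping in the comments are the author's assumptions, not ANY.RUN signatures.

```python
"""Detect the defence-evasion and self-deletion chain seen in the process table.

Added example; not code from the ANY.RUN report or from the sample. The process
records are copied from the report's process information table. The rule
patterns and the "self-wipe" heuristic are the author's assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: str  # image name of the parent process, as the report lists it


# Records copied from the report (PID, image path, command line, parent).
REPORT_PROCS = [
    Proc(2324, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\WINDOWS\system32\cmd.exe /c ping 1.1.1.1 -n 5 & fsutil file setZeroData offset=0 '
         r'length=131072 "C:\Users\admin\Downloads\scp_visual.exe" & del /q /f '
         r'"C:\Users\admin\Downloads\scp_visual.exe"', "scp_visual.exe"),
    Proc(2380, r"C:\Windows\SysWOW64\notepad.exe",
         r'"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\+README-WARNING+.txt',
         "scp_visual.exe"),
    Proc(2744, r"C:\Windows\SysWOW64\fsutil.exe",
         r'fsutil file setZeroData offset=0 length=131072 "C:\Users\admin\Downloads\scp_visual.exe"',
         "cmd.exe"),
    Proc(4592, r"C:\Windows\System32\cmd.exe", r'"C:\WINDOWS\system32\cmd.exe"', "scp_visual.exe"),
    Proc(4724, r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete", "cmd.exe"),
    Proc(5576, r"C:\Windows\System32\rundll32.exe",
         r"C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll "
         r"{9aa46009-3ce0-458a-a354-715610a075e6} -Embedding", "svchost.exe"),
]

# Constructed record (not from the report): vssadmin.exe appears in the behaviour
# graph without arguments, so this command line is assumed for illustration.
CONSTRUCTED_PROCS = [
    Proc(9999, r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet", "cmd.exe"),
]

# Inhibit-system-recovery command lines (ATT&CK T1490). The first is the one the
# report recorded; the others are the well-known variants.
RECOVERY_RULES = [
    ("wmic shadowcopy delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin resize shadowstorage", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wbadmin delete catalog", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("bcdedit recoveryenabled no", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]
NOTE_NAME = re.compile(r"readme|warning|decrypt|how[_ -]?to|restore|recover", re.I)
ARG = re.compile(r'"([^"]*)"|(\S+)')  # one quoted or bare command-line argument


def split_chain(cmdline: str) -> list:
    """Split a cmd.exe command chain on &, &&, | and || that sit outside double quotes."""
    parts, buf, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        if ch in "&|" and not in_quotes:
            if "".join(buf).strip():
                parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        parts.append("".join(buf).strip())
    return parts


def last_arg(segment: str) -> str:
    """Last argument of a segment, unquoted and case-folded (the file path for fsutil/del)."""
    args = ARG.findall(segment)
    if not args:
        return ""
    quoted, bare = args[-1]
    return (quoted or bare).lower()


def detect(procs) -> list:
    """Return findings as dicts with pid, kind and detail."""
    findings = []
    for p in procs:
        for name, rx in RECOVERY_RULES:
            if rx.search(p.cmdline):
                findings.append({"pid": p.pid, "kind": "inhibit_recovery", "detail": name})

        segments = split_chain(p.cmdline)
        zeroed = {last_arg(s) for s in segments if re.search(r"\bfsutil\b.*\bsetzerodata\b", s, re.I)}
        deleted = {last_arg(s) for s in segments if re.match(r"(del|erase)\b", s, re.I)}
        delayed = any(re.search(r"\bping(\.exe)?\b.*\s-n\s+\d+", s, re.I) for s in segments)
        for path in zeroed & deleted:
            # Zero-filling the head of the file before deleting it defeats simple undelete
            # recovery; when the target is the parent's own image this is self-deletion.
            kind = "self_wipe" if path.rsplit("\\", 1)[-1] == p.parent.lower() else "wipe_and_delete"
            findings.append({"pid": p.pid, "kind": kind, "detail": path, "delayed": delayed})
        for path in zeroed - deleted:
            if path.endswith(".exe"):  # a lone fsutil setZeroData on an executable is still worth a look
                findings.append({"pid": p.pid, "kind": "zero_fill_executable", "detail": path})

        target = last_arg(p.cmdline)
        if p.image.lower().endswith("notepad.exe") and target.endswith(".txt") \
                and NOTE_NAME.search(target.rsplit("\\", 1)[-1]):
            findings.append({"pid": p.pid, "kind": "ransom_note", "detail": target})
    return findings


if __name__ == "__main__":
    for finding in detect(REPORT_PROCS + CONSTRUCTED_PROCS):
        print(finding)
```

The chain is matched as a whole rather than per child process: fsutil.exe (PID 2744) on its own only earns the weaker zero_fill_executable finding, while the parent cmd.exe (PID 2324), whose command line carries both the setZeroData and the del on the same path, is what gets the self_wipe verdict, with the ping delay recorded alongside it.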
Total events: 5 208
Read events: 5 178
Write events: 17
Delete events: 13

Modification events

Columns: (PID) Process | Key | Operation | Name | Value
(6476) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\preferences.zip
(6476) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\chromium_ext.zip
(6476) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\omni_23_10_2024_.zip
(6476) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\scp_visual.exe.zip
(6476) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | name | 120
(6476) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | size | 80
(6476) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | type | 120
(6476) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | mtime | 100
(6476) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | delete value | 15 | (none)
(6476) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | delete value | 14 | (none)
Executable files: 1
Suspicious files: 304
Text files: 72
Unknown types: 6

Dropped files

Columns: PID | Process | Filename | Type (hashes on the following line)
6176 | scp_visual.exe | C:\found.000\dir0000.chk\UpdateSessionOrchestration.037.etl.[C8E7DCE6].[studiocp25@hotmail.com].scp | binary
  MD5: 50FFF4F35970915EA7190E873AAEABBE  SHA256: C379DFF4B9670FDA2FD480E237A5A161C6E46B244366D708CBC434E5E903CEB3
6176 | scp_visual.exe | C:\$WinREAgent\Backup\location.txt.[C8E7DCE6].[studiocp25@hotmail.com].scp | binary
  MD5: 35CB149CC8BA3EE36E200325E218D129  SHA256: 9C56D371A18A7248BECA56D6EBA7DE148338556BBF0A754CEE8E3C50DB074321
6176 | scp_visual.exe | C:\Users\admin\Downloads\thankssign.jpg.[C8E7DCE6].[studiocp25@hotmail.com].scp | mp3
  MD5: 34C6CF9CCAF1BDF8913BD0E80DDBE472  SHA256: 5BF74C90BAF019409A8774EA3ECB047C24C54D0C5611188407BA12CB3AAD3C43
6176 | scp_visual.exe | C:\$WinREAgent\Rollback.xml.[C8E7DCE6].[studiocp25@hotmail.com].scp | binary
  MD5: 9135B96F32ED2DC29C61E81890C35096  SHA256: C55FF36AA9CD7AC66A279A415A6765CC9ECA35AFBE33F02712936C0E9293E4CA
6176 | scp_visual.exe | C:\found.000\dir0000.chk\UpdateSessionOrchestration.016.etl.[C8E7DCE6].[studiocp25@hotmail.com].scp | gpg
  MD5: D532F0FC4A797BC5380EC0AEE6ABB311  SHA256: 161D8B845E421AF7A231EEE328F45FFF0C45AC74D94231D0942217C5F77A31FB
6176 | scp_visual.exe | C:\found.000\dir0000.chk\UpdateSessionOrchestration.049.etl.[C8E7DCE6].[studiocp25@hotmail.com].scp | binary
  MD5: 3360F93F4442E4D9616DBDDAFEEE96D6  SHA256: E35495ECCC7F9B3F42947CD9A397C42EF26E0D1EA0941475A7F31CD8D1DD2133
6476 | WinRAR.exe | C:\Users\admin\Downloads\scp_visual.exe | executable
  MD5: 605F80F837E82C891C7FE7BBEA34F5C8  SHA256: 1B242153C890019BC4AC43FD4FA3D685BC8E634B98F64587736D7E3B00BAD1DE
6176 | scp_visual.exe | C:\found.000\dir0000.chk\UpdateSessionOrchestration.055.etl.[C8E7DCE6].[studiocp25@hotmail.com].scp | binary
  MD5: 733E9634D85718BDEEACEFA41498056E  SHA256: 188F746CA842B73DC66575DA9943D13FD864E3B577DFA3BF430BF2F87911278E
6176 | scp_visual.exe | C:\found.000\dir0000.chk\UpdateSessionOrchestration.048.etl.[C8E7DCE6].[studiocp25@hotmail.com].scp | binary
  MD5: A84A8A969C024225B39FCB9A804263AA  SHA256: 3D864E209A65F623A2092CBD000165B06CC16CF46102D3A4B388AAC6BA5A0744
6176 | scp_visual.exe | C:\found.000\dir0000.chk\UpdateSessionOrchestration.058.etl.[C8E7DCE6].[studiocp25@hotmail.com].scp | binary
  MD5: 16E3E67603C13ABA19E07179077FA4C8  SHA256: FDEC255380FC8427419F7FA7FA3934DB6919309A3761441F46A8DCD1A76ED788
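Every encrypted file in the table above is renamed to the original name followed by .[C8E7DCE6].[studiocp25@hotmail.com].scp, so the victim id, the contact address and the new extension can be pulled straight out of the dropped-file list. The Python below is an added example, not part of the ANY.RUN report or of the sample: it parses the paths copied from the table, aggregates the indicators, flags the mass-rename cluster that underlies the "Renames files like ransomware" behaviour, and builds a hunting regex for the same marker on other hosts. The naming-scheme regex is the author's reading of these names, and the cluster threshold of three files is an assumed tuning value.

```python
"""Parse the encrypted-file names from the "Dropped files" table.

Added example; not code from the ANY.RUN report or from the sample. The paths
are copied from the report. The naming-scheme regex is the author's reading of
those names; the cluster threshold is an assumed tuning value.
"""
import re
from collections import Counter
from typing import Optional

# Paths copied from the report's "Dropped files" table. The last one is the
# extracted payload itself, which the sample leaves unencrypted.
DROPPED = [
    r"C:\found.000\dir0000.chk\UpdateSessionOrchestration.037.etl.[C8E7DCE6].[studiocp25@hotmail.com].scp",
    r"C:\$WinREAgent\Backup\location.txt.[C8E7DCE6].[studiocp25@hotmail.com].scp",
    r"C:\Users\admin\Downloads\thankssign.jpg.[C8E7DCE6].[studiocp25@hotmail.com].scp",
    r"C:\$WinREAgent\Rollback.xml.[C8E7DCE6].[studiocp25@hotmail.com].scp",
    r"C:\found.000\dir0000.chk\UpdateSessionOrchestration.016.etl.[C8E7DCE6].[studiocp25@hotmail.com].scp",
    r"C:\found.000\dir0000.chk\UpdateSessionOrchestration.049.etl.[C8E7DCE6].[studiocp25@hotmail.com].scp",
    r"C:\found.000\dir0000.chk\UpdateSessionOrchestration.055.etl.[C8E7DCE6].[studiocp25@hotmail.com].scp",
    r"C:\found.000\dir0000.chk\UpdateSessionOrchestration.048.etl.[C8E7DCE6].[studiocp25@hotmail.com].scp",
    r"C:\found.000\dir0000.chk\UpdateSessionOrchestration.058.etl.[C8E7DCE6].[studiocp25@hotmail.com].scp",
    r"C:\Users\admin\Downloads\scp_visual.exe",
]

# <original name>.[<8 hex digits>].[<e-mail>].<ext>  (author's reading of the names above)
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)"                       # original file name, extension included
    r"\.\[(?P<victim_id>[0-9A-Fa-f]{8})\]"      # 8-hex-digit victim/campaign id
    r"\.\[(?P<contact>[^\]\s]+@[^\]\s]+)\]"     # attacker contact e-mail
    r"\.(?P<ext>[A-Za-z0-9]{1,8})$"             # appended extension (.scp in this run)
)


def parse_encrypted_name(path: str) -> Optional[dict]:
    """Return the name's components, or None if the name does not follow the scheme."""
    name = path.rsplit("\\", 1)[-1]
    m = ENCRYPTED_NAME.match(name)
    if m is None:
        return None
    parts = m.groupdict()
    parts["directory"] = path[: len(path) - len(name)].rstrip("\\")
    parts["original_ext"] = parts["original"].rsplit(".", 1)[-1].lower() if "." in parts["original"] else ""
    return parts


def summarize(paths, min_cluster: int = 3) -> dict:
    """Aggregate IOCs and flag a mass rename: many files sharing one id/contact/extension triple."""
    parsed = [p for p in map(parse_encrypted_name, paths) if p is not None]
    clusters = Counter((p["victim_id"], p["contact"], p["ext"]) for p in parsed)
    return {
        "encrypted": len(parsed),
        "untouched": [x for x in paths if parse_encrypted_name(x) is None],
        "victim_ids": sorted({p["victim_id"] for p in parsed}),
        "contacts": sorted({p["contact"] for p in parsed}),
        "original_exts": Counter(p["original_ext"] for p in parsed),
        "mass_rename": {k: n for k, n in clusters.items() if n >= min_cluster},
    }


def hunt_regex(victim_id: str, contact: str, ext: str):
    """Compiled pattern for the exact marker of this run, for file-name hunting in an EDR or SIEM."""
    marker = r"\.\[" + re.escape(victim_id) + r"\]\.\[" + re.escape(contact) + r"\]\." + re.escape(ext) + "$"
    return re.compile(marker, re.I)


if __name__ == "__main__":
    summary = summarize(DROPPED)
    for key, value in summary.items():
        print(f"{key}: {value}")
    for vid, contact, ext in summary["mass_rename"]:
        print("hunt:", hunt_regex(vid, contact, ext).pattern)
```

The ransom note +README-WARNING+.txt does not match the scheme, so it correctly lands in the untouched list; in a live rename-event feed the same parser applied to the new name, with the cluster counter windowed by time, is the shape of a basic mass-encryption detector.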
HTTP(S) requests: 11
TCP/UDP connections: 36
DNS requests: 22
Threats: 3

HTTP requests

Columns: PID | Process | Method | HTTP code | IP | URL | CN | Reputation (PID and Process are blank where the report lists none; the Type and Size columns are empty in the report)
- | - | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4536 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4536 | svchost.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
6704 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6288 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6288 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6176 | scp_visual.exe | GET | 200 | 142.250.181.227:80 | http://c.pki.goog/r/gsr1.crl | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (blank fields are blank in the report)
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4536 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4536 | svchost.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 2.16.204.149:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
google.com
  • 216.58.206.78
whitelisted
www.bing.com
  • 2.16.204.149
  • 2.16.204.150
  • 2.16.204.160
  • 2.16.204.158
  • 2.16.204.157
  • 2.16.204.148
  • 2.16.204.152
  • 2.16.204.132
  • 2.16.204.147
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.64
  • 20.190.159.71
  • 40.126.31.71
  • 20.190.159.0
  • 40.126.31.73
  • 20.190.159.4
  • 20.190.159.2
  • 40.126.31.67
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
arc.msn.com
  • 20.103.156.88
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted

Threats

Columns: PID | Process | Class | Message
2192 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
6176 | scp_visual.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
1 ETPRO signature is available in the full report

Debugging messages

Columns: Process | Message
wbadmin.exe | Invalid parameter passed to C runtime function.