File name:

2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock

Full analysis: https://app.any.run/tasks/87a4498b-00c0-40a1-9971-b8abd04fb0df
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: May 15, 2025, 10:41:34
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
virlock
ransomware
auto-reg
nsb
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 2 sections
MD5: 7EB980A62275733E40D155AF9CF0168E
SHA1: 53000EC131856C338ECFF7D09371E6DFFD44A786
SHA256: 465DF9633083C15AE35F795D5992565302A1AE66BF0FA683162400EBC1AED5D7
SSDEEP: 6144:Ogz5E+DIicjAN5TdOPhoEuyqeTyvWaqyNZke89xXb:OX+0iaq56bxTvaqyNZM3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
      • SwoYcckM.exe (PID: 4988)
      • XWAQAQUE.exe (PID: 1188)
      • SwoYcckM.exe (PID: 4452)
      • XWAQAQUE.exe (PID: 904)
    • VIRLOCK mutex has been found

      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
      • SwoYcckM.exe (PID: 4988)
      • XWAQAQUE.exe (PID: 1188)
      • SwoYcckM.exe (PID: 4452)
      • XWAQAQUE.exe (PID: 904)
      • popapplied.jpg.exe (PID: 2908)
      • lettersapple.jpg.exe (PID: 6108)
      • useramong.jpg.exe (PID: 6264)
      • weddingcalls.jpg.exe (PID: 872)
    • Executing a file with an untrusted certificate

      • setup.exe (PID: 6540)
      • setup.exe (PID: 5304)
      • setup.exe (PID: 920)
    • Modifies files in the Chrome extension folder

      • SwoYcckM.exe (PID: 4988)
    • NSB has been detected (SURICATA)

      • XWAQAQUE.exe (PID: 1188)
      • SwoYcckM.exe (PID: 4988)
      • XWAQAQUE.exe (PID: 904)
      • SwoYcckM.exe (PID: 4452)
    • Connects to the CnC server

      • XWAQAQUE.exe (PID: 1188)
      • SwoYcckM.exe (PID: 4988)
      • XWAQAQUE.exe (PID: 904)
      • SwoYcckM.exe (PID: 4452)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
      • SwoYcckM.exe (PID: 4988)
    • Starts CMD.EXE for commands execution

      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
    • Starts a Microsoft application from unusual location

      • setup.exe (PID: 6540)
      • setup.exe (PID: 5304)
      • setup.exe (PID: 920)
    • The executable file from the user directory is run by the CMD process

      • setup.exe (PID: 6540)
      • setup.exe (PID: 5304)
      • setup.exe (PID: 920)
    • Uses REG/REGEDIT.EXE to modify registry

      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
      • lettersapple.jpg.exe (PID: 6108)
      • useramong.jpg.exe (PID: 6264)
      • popapplied.jpg.exe (PID: 2908)
      • weddingcalls.jpg.exe (PID: 872)
    • Process drops legitimate windows executable

      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
    • Connects to unusual port

      • SwoYcckM.exe (PID: 4988)
      • XWAQAQUE.exe (PID: 1188)
      • SwoYcckM.exe (PID: 4452)
      • XWAQAQUE.exe (PID: 904)
  • INFO

    • Creates files in the program directory

      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
      • XWAQAQUE.exe (PID: 1188)
      • SwoYcckM.exe (PID: 4988)
    • Reads the computer name

      • SwoYcckM.exe (PID: 4988)
      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
      • XWAQAQUE.exe (PID: 1188)
      • setup.exe (PID: 920)
      • SwoYcckM.exe (PID: 4452)
      • XWAQAQUE.exe (PID: 904)
      • useramong.jpg.exe (PID: 6264)
      • weddingcalls.jpg.exe (PID: 872)
      • lettersapple.jpg.exe (PID: 6108)
      • popapplied.jpg.exe (PID: 2908)
    • Checks supported languages

      • SwoYcckM.exe (PID: 4988)
      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
      • XWAQAQUE.exe (PID: 1188)
      • SwoYcckM.exe (PID: 4452)
      • setup.exe (PID: 920)
      • XWAQAQUE.exe (PID: 904)
      • popapplied.jpg.exe (PID: 2908)
      • lettersapple.jpg.exe (PID: 6108)
      • useramong.jpg.exe (PID: 6264)
      • weddingcalls.jpg.exe (PID: 872)
    • Create files in a temporary directory

      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
    • Auto-launch of the file from Registry key

      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
      • SwoYcckM.exe (PID: 4988)
      • XWAQAQUE.exe (PID: 1188)
      • SwoYcckM.exe (PID: 4452)
      • XWAQAQUE.exe (PID: 904)
    • Manual execution by a user

      • SwoYcckM.exe (PID: 4452)
      • XWAQAQUE.exe (PID: 904)
      • lettersapple.jpg.exe (PID: 6108)
      • popapplied.jpg.exe (PID: 2908)
      • useramong.jpg.exe (PID: 6264)
      • weddingcalls.jpg.exe (PID: 872)
    • Creates files or folders in the user directory

      • SwoYcckM.exe (PID: 4988)
    • Failed to create an executable file in Windows directory

      • SwoYcckM.exe (PID: 4988)
    • Process checks computer location settings

      • SwoYcckM.exe (PID: 4988)
    • Checks proxy server information

      • slui.exe (PID: 2772)
    • Reads the software policy settings

      • slui.exe (PID: 2772)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1970:01:01 00:02:03+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 5.12
CodeSize: 441856
InitializedDataSize: 4608
UninitializedDataSize: -
EntryPoint: 0x65b6e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 170
Monitored processes: 45
Malicious processes: 13
Suspicious processes: 0

Behavior graph

Processes in the graph, in order (labels as shown in the report):

  • start
  • #VIRLOCK 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe
  • #VIRLOCK swoycckm.exe
  • #VIRLOCK xwaqaque.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • setup.exe (no specs)
  • reg.exe (no specs) ×3
  • conhost.exe (no specs) ×3
  • setup.exe (no specs)
  • setup.exe
  • #VIRLOCK swoycckm.exe
  • #VIRLOCK xwaqaque.exe
  • slui.exe
  • #VIRLOCK lettersapple.jpg.exe (no specs)
  • reg.exe (no specs) ×2
  • conhost.exe (no specs)
  • reg.exe (no specs)
  • conhost.exe (no specs) ×2
  • #VIRLOCK popapplied.jpg.exe (no specs)
  • reg.exe (no specs) ×3
  • conhost.exe (no specs) ×3
  • #VIRLOCK useramong.jpg.exe (no specs)
  • reg.exe (no specs) ×3
  • conhost.exe (no specs) ×3
  • #VIRLOCK weddingcalls.jpg.exe (no specs)
  • reg.exe (no specs) ×3
  • conhost.exe (no specs) ×3

Process information

PID
CMD
Path
Indicators
Parent process
PID: 720
CMD: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Path: C:\Windows\SysWOW64\reg.exe
Parent process: popapplied.jpg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 872
CMD: "C:\Users\admin\Downloads\weddingcalls.jpg.exe"
Path: C:\Users\admin\Downloads\weddingcalls.jpg.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\downloads\weddingcalls.jpg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\mpr.dll
PID: 904
CMD: C:\ProgramData\usAgAgoI\XWAQAQUE.exe
Path: C:\ProgramData\usAgAgoI\XWAQAQUE.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\programdata\usagagoi\xwaqaque.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\user32.dll
PID: 920
CMD: "C:\Users\admin\AppData\Local\Temp\setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\setup.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Setup Bootstrapper
Version:
16.0.4266.1001
Modules
Images
c:\users\admin\appdata\local\temp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 1072
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1188
CMD: "C:\ProgramData\usAgAgoI\XWAQAQUE.exe"
Path: C:\ProgramData\usAgAgoI\XWAQAQUE.exe
Parent process: 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\programdata\usagagoi\xwaqaque.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\mpr.dll
PID: 1228
CMD: "C:\Users\admin\Desktop\2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe"
Path: C:\Users\admin\Desktop\2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\mpr.dll
PID: 1348
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1600
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1616
CMD: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Path: C:\Windows\SysWOW64\reg.exe
Parent process: weddingcalls.jpg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 6 534
Read events: 6 528
Write events: 6
Delete events: 0

Modification events

(PID) Process: (4988) SwoYcckM.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: SwoYcckM.exe
Value: C:\Users\admin\lEMYkwoU\SwoYcckM.exe

(PID) Process: (1188) XWAQAQUE.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: XWAQAQUE.exe
Value: C:\ProgramData\usAgAgoI\XWAQAQUE.exe

(PID) Process: (1228) 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: SwoYcckM.exe
Value: C:\Users\admin\lEMYkwoU\SwoYcckM.exe

(PID) Process: (1228) 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: XWAQAQUE.exe
Value: C:\ProgramData\usAgAgoI\XWAQAQUE.exe

(PID) Process: (904) XWAQAQUE.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: XWAQAQUE.exe
Value: C:\ProgramData\usAgAgoI\XWAQAQUE.exe

(PID) Process: (4452) SwoYcckM.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: SwoYcckM.exe
Value: C:\Users\admin\lEMYkwoU\SwoYcckM.exe
Executable files: 482
Suspicious files: 0
Text files: 130
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 1228
Process: 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe
Filename: C:\Users\admin\AppData\Local\Temp\setup.exe
Type: executable
MD5: 6F581A41167D2D484FCBA20E6FC3C39A
SHA256: 3EB8D53778EAB9FB13B4C97AEAB56E4BAD2A6EA3748D342F22EAF4D7AA3185A7

PID: 4988
Process: SwoYcckM.exe
Filename: C:\Users\admin\lEMYkwoU\SwoYcckM.inf
Type: text
MD5: 6FFF2DD0725E597B23AE39E41BE0A293
SHA256: ED95EF2981C0266CAE119EC9833CAA1FAC4338D926A6900A876F4EAEC4FA3971

PID: 1188
Process: XWAQAQUE.exe
Filename: C:\ProgramData\usAgAgoI\XWAQAQUE.inf
Type: text
MD5: 6FFF2DD0725E597B23AE39E41BE0A293
SHA256: ED95EF2981C0266CAE119EC9833CAA1FAC4338D926A6900A876F4EAEC4FA3971

PID: 4988
Process: SwoYcckM.exe
Filename: C:\Users\admin\Desktop\csws.ico
Type: image
MD5: 8C44504BC8ECFA4C2D02F7668870EA6F
SHA256: C327C0485909F634C456CEA42F7DB6353FA4942EFE43A2C336D3932784C927ED

PID: 4988
Process: SwoYcckM.exe
Filename: C:\Users\admin\Desktop\xowu.ico
Type: image
MD5: B2A9E20F351B70B21469E4A4BA1D3506
SHA256: 0F015363E17B4320AA73BB7DB01A87773BB171120EF59CB9EBDC13C857DF1692

PID: 4988
Process: SwoYcckM.exe
Filename: C:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exe
Type: executable
MD5: 6586C1CCFD3FD8A655E407298105872E
SHA256: 0EDB68D1324B5A33BF7A0805287CF8E517FC824D487CF2E25B349F3C78B381CA

PID: 4988
Process: SwoYcckM.exe
Filename: C:\Users\admin\Desktop\Kswu.exe
Type: executable
MD5: 034070704560F9D7F129B8EBCEF98F8F
SHA256: F58111D1323D88A3ABF3B47C806C5D8D4880B45BAC1B5F44E500F1B666147292

PID: 4988
Process: SwoYcckM.exe
Filename: C:\Users\admin\AppData\Local\VirtualStore\RCXE74.tmp
Type: executable
MD5: 6586C1CCFD3FD8A655E407298105872E
SHA256: 0EDB68D1324B5A33BF7A0805287CF8E517FC824D487CF2E25B349F3C78B381CA

PID: 4988
Process: SwoYcckM.exe
Filename: C:\Users\admin\Desktop\XUkc.exe
Type: executable
MD5: DAB1D86185F86652F592035B9C5D479B
SHA256: 2EFC9A2354790C80C6631DB3BBDE24E75607F16594121DEF5335BBC52C872FE0

PID: 1228
Process: 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe
Filename: C:\Users\admin\AppData\Local\Temp\accUswwM.bat
Type: text
MD5: 979DDD3B4E1E252B1368834DEBBC1FC7
SHA256: 4540E1320E23FE7004FD581A621588392070EDBE26E3F15F5F65603B04D6ABC4
HTTP(S) requests: 13
TCP/UDP connections: 66
DNS requests: 16
Threats: 17

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4988
SwoYcckM.exe
GET
301
142.250.185.174:80
http://google.com/
unknown
whitelisted
1188
XWAQAQUE.exe
GET
301
142.250.185.174:80
http://google.com/
unknown
whitelisted
2104
svchost.exe
GET
200
2.16.164.113:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4452
SwoYcckM.exe
GET
301
142.250.185.174:80
http://google.com/
unknown
whitelisted
904
XWAQAQUE.exe
GET
301
142.250.185.174:80
http://google.com/
unknown
whitelisted
5756
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5756
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5756
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
5756
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4988
SwoYcckM.exe
200.87.164.69:9999
Entel S.A. - EntelNet
BO
unknown
1188
XWAQAQUE.exe
200.87.164.69:9999
Entel S.A. - EntelNet
BO
unknown
1188
XWAQAQUE.exe
142.250.185.174:80
google.com
GOOGLE
US
whitelisted
4988
SwoYcckM.exe
142.250.185.174:80
google.com
GOOGLE
US
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
2.16.164.113:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.174
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
crl.microsoft.com
  • 2.16.164.113
  • 2.16.164.33
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 2.23.246.101
whitelisted
login.live.com
  • 40.126.32.136
  • 20.190.160.66
  • 20.190.160.5
  • 40.126.32.72
  • 40.126.32.68
  • 20.190.160.22
  • 40.126.32.138
  • 20.190.160.131
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted

Threats

PID
Process
Class
Message
4988
SwoYcckM.exe
A Network Trojan was detected
ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
1188
XWAQAQUE.exe
A Network Trojan was detected
ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
1188
XWAQAQUE.exe
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com)
4452
SwoYcckM.exe
A Network Trojan was detected
ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
904
XWAQAQUE.exe
A Network Trojan was detected
ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
1188
XWAQAQUE.exe
A Network Trojan was detected
RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
4988
SwoYcckM.exe
A Network Trojan was detected
RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
904
XWAQAQUE.exe
A Network Trojan was detected
RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
4452
SwoYcckM.exe
A Network Trojan was detected
RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
4988
SwoYcckM.exe
A Network Trojan was detected
RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
No debug info