File name: 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock

Full analysis: https://app.any.run/tasks/87a4498b-00c0-40a1-9971-b8abd04fb0df
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: May 15, 2025, 10:41:34
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
virlock
ransomware
auto-reg
nsb
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 2 sections
MD5: 7EB980A62275733E40D155AF9CF0168E
SHA1: 53000EC131856C338ECFF7D09371E6DFFD44A786
SHA256: 465DF9633083C15AE35F795D5992565302A1AE66BF0FA683162400EBC1AED5D7
SSDEEP: 6144:Ogz5E+DIicjAN5TdOPhoEuyqeTyvWaqyNZke89xXb:OX+0iaq56bxTvaqyNZM3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • VIRLOCK mutex has been found

      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
      • SwoYcckM.exe (PID: 4988)
      • XWAQAQUE.exe (PID: 1188)
      • XWAQAQUE.exe (PID: 904)
      • SwoYcckM.exe (PID: 4452)
      • lettersapple.jpg.exe (PID: 6108)
      • useramong.jpg.exe (PID: 6264)
      • popapplied.jpg.exe (PID: 2908)
      • weddingcalls.jpg.exe (PID: 872)
    • Changes the autorun value in the registry

      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
      • XWAQAQUE.exe (PID: 1188)
      • SwoYcckM.exe (PID: 4988)
      • SwoYcckM.exe (PID: 4452)
      • XWAQAQUE.exe (PID: 904)
    • Executing a file with an untrusted certificate

      • setup.exe (PID: 6540)
      • setup.exe (PID: 5304)
      • setup.exe (PID: 920)
    • Modifies files in the Chrome extension folder

      • SwoYcckM.exe (PID: 4988)
    • NSB has been detected (SURICATA)

      • XWAQAQUE.exe (PID: 1188)
      • SwoYcckM.exe (PID: 4988)
      • XWAQAQUE.exe (PID: 904)
      • SwoYcckM.exe (PID: 4452)
    • Connects to the CnC server

      • XWAQAQUE.exe (PID: 1188)
      • SwoYcckM.exe (PID: 4988)
      • XWAQAQUE.exe (PID: 904)
      • SwoYcckM.exe (PID: 4452)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
      • SwoYcckM.exe (PID: 4988)
    • Process drops legitimate windows executable

      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
    • Starts CMD.EXE for commands execution

      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
    • Starts a Microsoft application from unusual location

      • setup.exe (PID: 6540)
      • setup.exe (PID: 5304)
      • setup.exe (PID: 920)
    • The executable file from the user directory is run by the CMD process

      • setup.exe (PID: 6540)
      • setup.exe (PID: 5304)
      • setup.exe (PID: 920)
    • Uses REG/REGEDIT.EXE to modify registry

      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
      • lettersapple.jpg.exe (PID: 6108)
      • popapplied.jpg.exe (PID: 2908)
      • useramong.jpg.exe (PID: 6264)
      • weddingcalls.jpg.exe (PID: 872)
    • Connects to unusual port

      • XWAQAQUE.exe (PID: 904)
      • SwoYcckM.exe (PID: 4988)
      • XWAQAQUE.exe (PID: 1188)
      • SwoYcckM.exe (PID: 4452)
  • INFO

    • Checks supported languages

      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
      • SwoYcckM.exe (PID: 4988)
      • XWAQAQUE.exe (PID: 1188)
      • setup.exe (PID: 920)
      • SwoYcckM.exe (PID: 4452)
      • XWAQAQUE.exe (PID: 904)
      • lettersapple.jpg.exe (PID: 6108)
      • useramong.jpg.exe (PID: 6264)
      • popapplied.jpg.exe (PID: 2908)
      • weddingcalls.jpg.exe (PID: 872)
    • Creates files in the program directory

      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
      • XWAQAQUE.exe (PID: 1188)
      • SwoYcckM.exe (PID: 4988)
    • Reads the computer name

      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
      • SwoYcckM.exe (PID: 4988)
      • XWAQAQUE.exe (PID: 1188)
      • setup.exe (PID: 920)
      • SwoYcckM.exe (PID: 4452)
      • XWAQAQUE.exe (PID: 904)
      • lettersapple.jpg.exe (PID: 6108)
      • useramong.jpg.exe (PID: 6264)
      • popapplied.jpg.exe (PID: 2908)
      • weddingcalls.jpg.exe (PID: 872)
    • Create files in a temporary directory

      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
    • Auto-launch of the file from Registry key

      • 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe (PID: 1228)
      • XWAQAQUE.exe (PID: 1188)
      • SwoYcckM.exe (PID: 4988)
      • XWAQAQUE.exe (PID: 904)
      • SwoYcckM.exe (PID: 4452)
    • Manual execution by a user

      • SwoYcckM.exe (PID: 4452)
      • XWAQAQUE.exe (PID: 904)
      • lettersapple.jpg.exe (PID: 6108)
      • useramong.jpg.exe (PID: 6264)
      • weddingcalls.jpg.exe (PID: 872)
      • popapplied.jpg.exe (PID: 2908)
    • Failed to create an executable file in Windows directory

      • SwoYcckM.exe (PID: 4988)
    • Creates files or folders in the user directory

      • SwoYcckM.exe (PID: 4988)
    • Process checks computer location settings

      • SwoYcckM.exe (PID: 4988)
    • Reads the software policy settings

      • slui.exe (PID: 2772)
    • Checks proxy server information

      • slui.exe (PID: 2772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1970:01:01 00:02:03+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 5.12
CodeSize: 441856
InitializedDataSize: 4608
UninitializedDataSize: -
EntryPoint: 0x65b6e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 170
Monitored processes: 45
Malicious processes: 13
Suspicious processes: 0

Behavior graph

  • start
  • #VIRLOCK 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe
  • #VIRLOCK swoycckm.exe
  • #VIRLOCK xwaqaque.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • setup.exe (no specs)
  • reg.exe (no specs)
  • reg.exe (no specs)
  • reg.exe (no specs)
  • conhost.exe (no specs)
  • conhost.exe (no specs)
  • conhost.exe (no specs)
  • setup.exe (no specs)
  • setup.exe
  • #VIRLOCK swoycckm.exe
  • #VIRLOCK xwaqaque.exe
  • slui.exe
  • #VIRLOCK lettersapple.jpg.exe (no specs)
  • reg.exe (no specs)
  • reg.exe (no specs)
  • conhost.exe (no specs)
  • reg.exe (no specs)
  • conhost.exe (no specs)
  • conhost.exe (no specs)
  • #VIRLOCK popapplied.jpg.exe (no specs)
  • reg.exe (no specs)
  • reg.exe (no specs)
  • reg.exe (no specs)
  • conhost.exe (no specs)
  • conhost.exe (no specs)
  • conhost.exe (no specs)
  • #VIRLOCK useramong.jpg.exe (no specs)
  • reg.exe (no specs)
  • reg.exe (no specs)
  • reg.exe (no specs)
  • conhost.exe (no specs)
  • conhost.exe (no specs)
  • conhost.exe (no specs)
  • #VIRLOCK weddingcalls.jpg.exe (no specs)
  • reg.exe (no specs)
  • reg.exe (no specs)
  • reg.exe (no specs)
  • conhost.exe (no specs)
  • conhost.exe (no specs)
  • conhost.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
720 | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | C:\Windows\SysWOW64\reg.exe | – | popapplied.jpg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
872 | "C:\Users\admin\Downloads\weddingcalls.jpg.exe" | C:\Users\admin\Downloads\weddingcalls.jpg.exe | – | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\downloads\weddingcalls.jpg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\mpr.dll
904 | C:\ProgramData\usAgAgoI\XWAQAQUE.exe | C:\ProgramData\usAgAgoI\XWAQAQUE.exe | – | explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\programdata\usagagoi\xwaqaque.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\user32.dll
920 | "C:\Users\admin\AppData\Local\Temp\setup.exe" | C:\Users\admin\AppData\Local\Temp\setup.exe | – | cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Setup Bootstrapper
Version: 16.0.4266.1001
Modules
Images
c:\users\admin\appdata\local\temp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
1072 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | – | reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1188 | "C:\ProgramData\usAgAgoI\XWAQAQUE.exe" | C:\ProgramData\usAgAgoI\XWAQAQUE.exe | – | 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\programdata\usagagoi\xwaqaque.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\mpr.dll
1228 | "C:\Users\admin\Desktop\2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe" | C:\Users\admin\Desktop\2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe | – | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\mpr.dll
1348 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | – | reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1600 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | – | reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1616 | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | C:\Windows\SysWOW64\reg.exe | – | weddingcalls.jpg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 6 534
Read events: 6 528
Write events: 6
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(4988) SwoYcckM.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | SwoYcckM.exe | C:\Users\admin\lEMYkwoU\SwoYcckM.exe
(1188) XWAQAQUE.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | write | XWAQAQUE.exe | C:\ProgramData\usAgAgoI\XWAQAQUE.exe
(1228) 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | SwoYcckM.exe | C:\Users\admin\lEMYkwoU\SwoYcckM.exe
(1228) 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | write | XWAQAQUE.exe | C:\ProgramData\usAgAgoI\XWAQAQUE.exe
(904) XWAQAQUE.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | write | XWAQAQUE.exe | C:\ProgramData\usAgAgoI\XWAQAQUE.exe
(4452) SwoYcckM.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | SwoYcckM.exe | C:\Users\admin\lEMYkwoU\SwoYcckM.exe
Executable files: 482
Suspicious files: 0
Text files: 130
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4988 | SwoYcckM.exe | C:\Users\admin\lEMYkwoU\SwoYcckM.inf | text
MD5: 6FFF2DD0725E597B23AE39E41BE0A293
SHA256: ED95EF2981C0266CAE119EC9833CAA1FAC4338D926A6900A876F4EAEC4FA3971
1228 | 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe | C:\Users\admin\lEMYkwoU\SwoYcckM.exe | executable
MD5: 7AD79BED914D2E505ABC811970E5598C
SHA256: B247DED6263CA7E3B487123F86760E24811FFF9503CDCA6972B1B51C5936F55C
4988 | SwoYcckM.exe | C:\Users\admin\AppData\Local\VirtualStore\RCXFFC.tmp | executable
MD5: 4E5A1B20A0BBEA79CE9B5B2E8F1CB39F
SHA256: BA752C8EF5B4FF48B7A3B284459B33F9546EF12EFF3DE30787813F4593804022
1188 | XWAQAQUE.exe | C:\ProgramData\usAgAgoI\XWAQAQUE.inf | text
MD5: 6FFF2DD0725E597B23AE39E41BE0A293
SHA256: ED95EF2981C0266CAE119EC9833CAA1FAC4338D926A6900A876F4EAEC4FA3971
1228 | 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe | C:\Users\admin\AppData\Local\Temp\accUswwM.bat | text
MD5: 979DDD3B4E1E252B1368834DEBBC1FC7
SHA256: 4540E1320E23FE7004FD581A621588392070EDBE26E3F15F5F65603B04D6ABC4
1228 | 2025-05-15_7eb980a62275733e40d155af9cf0168e_elex_virlock.exe | C:\ProgramData\usAgAgoI\XWAQAQUE.exe | executable
MD5: AC551077660FAEDAD96376DF626F5694
SHA256: FEB83DEA793CAD9E1CF8DDC290A2222ECF997CF21B30AC343BF650D82ED480A3
4988 | SwoYcckM.exe | C:\Users\admin\Desktop\nUka.ico | image
MD5: B2A9E20F351B70B21469E4A4BA1D3506
SHA256: 0F015363E17B4320AA73BB7DB01A87773BB171120EF59CB9EBDC13C857DF1692
4988 | SwoYcckM.exe | C:\Users\admin\Desktop\csws.ico | image
MD5: 8C44504BC8ECFA4C2D02F7668870EA6F
SHA256: C327C0485909F634C456CEA42F7DB6353FA4942EFE43A2C336D3932784C927ED
4988 | SwoYcckM.exe | C:\Users\admin\AppData\Local\VirtualStore\RCX105A.tmp | executable
MD5: 436A4C41BF8EB2E897CD69DCEB4260BF
SHA256: 7F1342D5A5FDDFC3BB7C0F48A68875CD277B23BD5E113F35D66E5EACC82DCC29
4988 | SwoYcckM.exe | C:\Users\admin\Desktop\Kswu.exe | executable
MD5: 034070704560F9D7F129B8EBCEF98F8F
SHA256: F58111D1323D88A3ABF3B47C806C5D8D4880B45BAC1B5F44E500F1B666147292
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 13
TCP/UDP connections: 66
DNS requests: 16
Threats: 17

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
2104 | svchost.exe | GET | 200 | 2.16.164.113:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4988 | SwoYcckM.exe | GET | 301 | 142.250.185.174:80 | http://google.com/ | unknown | whitelisted
904 | XWAQAQUE.exe | GET | 301 | 142.250.185.174:80 | http://google.com/ | unknown | whitelisted
4452 | SwoYcckM.exe | GET | 301 | 142.250.185.174:80 | http://google.com/ | unknown | whitelisted
1188 | XWAQAQUE.exe | GET | 301 | 142.250.185.174:80 | http://google.com/ | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5756 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
5756 | SIHClient.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
5756 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5756 | SIHClient.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | – | – | – | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
– | – | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | – | – | – | whitelisted
4988 | SwoYcckM.exe | 200.87.164.69:9999 | – | Entel S.A. - EntelNet | BO | unknown
1188 | XWAQAQUE.exe | 200.87.164.69:9999 | – | Entel S.A. - EntelNet | BO | unknown
1188 | XWAQAQUE.exe | 142.250.185.174:80 | google.com | GOOGLE | US | whitelisted
4988 | SwoYcckM.exe | 142.250.185.174:80 | google.com | GOOGLE | US | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2104 | svchost.exe | 2.16.164.113:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.174
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
crl.microsoft.com
  • 2.16.164.113
  • 2.16.164.33
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 2.23.246.101
whitelisted
login.live.com
  • 40.126.32.136
  • 20.190.160.66
  • 20.190.160.5
  • 40.126.32.72
  • 40.126.32.68
  • 20.190.160.22
  • 40.126.32.138
  • 20.190.160.131
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted

Threats

PID | Process | Class | Message
4988 | SwoYcckM.exe | A Network Trojan was detected | ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
1188 | XWAQAQUE.exe | A Network Trojan was detected | ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
1188 | XWAQAQUE.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com)
4452 | SwoYcckM.exe | A Network Trojan was detected | ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
904 | XWAQAQUE.exe | A Network Trojan was detected | ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
1188 | XWAQAQUE.exe | A Network Trojan was detected | RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
4988 | SwoYcckM.exe | A Network Trojan was detected | RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
904 | XWAQAQUE.exe | A Network Trojan was detected | RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
4452 | SwoYcckM.exe | A Network Trojan was detected | RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
4988 | SwoYcckM.exe | A Network Trojan was detected | RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
No debug info