File name: 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock
Full analysis: https://app.any.run/tasks/e7d88894-de09-4268-941d-290b18325794
Verdict: Malicious activity
Threats: Ransomware

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: April 27, 2025, 04:56:55
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: virlock, ransomware, auto-reg, nsb
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 2 sections
MD5: 873062319B32874EB8DA4E2F01F48EF3
SHA1: D6C30EA65FCFB20DE47854226D15D73CBD5B66E5
SHA256: 84AA9B51D2699C1AD9A15BC5F7153778F5FBB3C014DC771F02E1A667B2D2198D
SSDEEP: 12288:CD5KH+QX0c5XIo0/k5l3gvjNcFp8hHHfpBCxZRFk0:W5KH+QX0CXI9MzgjNcFp8hHHfpBCx7FD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • VIRLOCK mutex has been found

      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 7544)
      • SwoYcckM.exe (PID: 7564)
      • XWAQAQUE.exe (PID: 7580)
      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 7660)
      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 8048)
      • SwoYcckM.exe (PID: 6108)
      • XWAQAQUE.exe (PID: 7928)
    • Changes the autorun value in the registry

      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 7544)
      • SwoYcckM.exe (PID: 7564)
      • XWAQAQUE.exe (PID: 7580)
      • XWAQAQUE.exe (PID: 7928)
      • SwoYcckM.exe (PID: 6108)
    • NSB has been detected (SURICATA)

      • XWAQAQUE.exe (PID: 7580)
      • SwoYcckM.exe (PID: 7564)
      • SwoYcckM.exe (PID: 6108)
      • XWAQAQUE.exe (PID: 7928)
    • Connects to the CnC server

      • XWAQAQUE.exe (PID: 7580)
      • SwoYcckM.exe (PID: 7564)
      • SwoYcckM.exe (PID: 6108)
      • XWAQAQUE.exe (PID: 7928)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 7544)
      • SwoYcckM.exe (PID: 7564)
    • Uses REG/REGEDIT.EXE to modify the registry

      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 7544)
      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 7660)
      • batteryproblems.png.exe (PID: 8168)
      • existingtravel.png.exe (PID: 6256)
      • previouscompany.jpg.exe (PID: 3140)
      • prettywrote.png.exe (PID: 8164)
      • lessproviding.jpg.exe (PID: 6584)
      • poprobert.png.exe (PID: 7672)
      • tommedia.png.exe (PID: 8144)
    • Executing commands from a ".bat" file

      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 7544)
      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 7660)
    • Starts CMD.EXE for command execution

      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 7544)
      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 7660)
    • The process executes VB scripts

      • cmd.exe (PID: 7696)
    • Connects to unusual port

      • SwoYcckM.exe (PID: 7564)
      • SwoYcckM.exe (PID: 6108)
      • XWAQAQUE.exe (PID: 7928)
      • XWAQAQUE.exe (PID: 7580)
  • INFO

    • Checks supported languages

      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 7544)
      • SwoYcckM.exe (PID: 7564)
      • XWAQAQUE.exe (PID: 7580)
      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 7660)
      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 8048)
      • XWAQAQUE.exe (PID: 7928)
      • SwoYcckM.exe (PID: 6108)
    • Creates files in the program directory

      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 7544)
      • XWAQAQUE.exe (PID: 7580)
      • SwoYcckM.exe (PID: 7564)
    • Reads the computer name

      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 7544)
      • SwoYcckM.exe (PID: 7564)
      • XWAQAQUE.exe (PID: 7580)
      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 7660)
      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 8048)
      • SwoYcckM.exe (PID: 6108)
      • XWAQAQUE.exe (PID: 7928)
    • Auto-launch of the file from a Registry key

      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 7544)
      • SwoYcckM.exe (PID: 7564)
      • XWAQAQUE.exe (PID: 7580)
      • XWAQAQUE.exe (PID: 7928)
      • SwoYcckM.exe (PID: 6108)
    • Creates files in a temporary directory

      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 7544)
      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 7660)
      • 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe (PID: 8048)
    • Manual execution by a user

      • XWAQAQUE.exe (PID: 7928)
      • SwoYcckM.exe (PID: 6108)
      • existingtravel.png.exe (PID: 6256)
      • previouscompany.jpg.exe (PID: 3140)
      • prettywrote.png.exe (PID: 8164)
      • batteryproblems.png.exe (PID: 8168)
      • poprobert.png.exe (PID: 7672)
      • tommedia.png.exe (PID: 8144)
      • lessproviding.jpg.exe (PID: 6584)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1970:01:01 00:02:03+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 5.12
CodeSize: 316416
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x4bc0c
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 2 417
Monitored processes: 76
Malicious processes: 10
Suspicious processes: 2

Behavior graph

start #VIRLOCK 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe #VIRLOCK swoycckm.exe #VIRLOCK xwaqaque.exe cmd.exe no specs conhost.exe no specs reg.exe no specs #VIRLOCK 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs cscript.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs reg.exe no specs #VIRLOCK 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs cmd.exe no specs #VIRLOCK xwaqaque.exe #VIRLOCK swoycckm.exe slui.exe existingtravel.png.exe no specs reg.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs conhost.exe no specs previouscompany.jpg.exe no specs prettywrote.png.exe no specs reg.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs conhost.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs lessproviding.jpg.exe no specs reg.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs conhost.exe no specs poprobert.png.exe no specs batteryproblems.png.exe no specs reg.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs conhost.exe no specs tommedia.png.exe no specs reg.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs

Process information

Fields: PID, CMD, Path, Indicators, Parent process
PID: 744
CMD: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Path: C:\Windows\SysWOW64\reg.exe
Parent process: prettywrote.png.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\reg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll
PID: 968
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll
PID: 1180
CMD: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Path: C:\Windows\SysWOW64\reg.exe
Parent process: poprobert.png.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\reg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll
PID: 1328
CMD: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Path: C:\Windows\SysWOW64\reg.exe
Parent process: batteryproblems.png.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\reg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll
PID: 1912
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll
PID: 2192
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll
PID: 2384
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll
PID: 2908
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll
PID: 3140
CMD: "C:\Users\admin\Downloads\previouscompany.jpg.exe"
Path: C:\Users\admin\Downloads\previouscompany.jpg.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\users\admin\downloads\previouscompany.jpg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\mpr.dll
PID: 3176
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll
Total events: 7 435
Read events: 7 429
Write events: 6
Delete events: 0

Modification events

(PID) Process: (7564) SwoYcckM.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: SwoYcckM.exe
Value: C:\Users\admin\lEMYkwoU\SwoYcckM.exe

(PID) Process: (7544) 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: SwoYcckM.exe
Value: C:\Users\admin\lEMYkwoU\SwoYcckM.exe

(PID) Process: (7544) 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: XWAQAQUE.exe
Value: C:\ProgramData\usAgAgoI\XWAQAQUE.exe

(PID) Process: (7580) XWAQAQUE.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: XWAQAQUE.exe
Value: C:\ProgramData\usAgAgoI\XWAQAQUE.exe

(PID) Process: (7928) XWAQAQUE.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: XWAQAQUE.exe
Value: C:\ProgramData\usAgAgoI\XWAQAQUE.exe

(PID) Process: (6108) SwoYcckM.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: SwoYcckM.exe
Value: C:\Users\admin\lEMYkwoU\SwoYcckM.exe
Executable files: 479
Suspicious files: 0
Text files: 136
Unknown types: 0

Dropped files

PID | Process | Filename | Type

7564 | SwoYcckM.exe | C:\Users\admin\lEMYkwoU\SwoYcckM.inf | text
  MD5: 2370D612B6741D0E425BDF2155E67575
  SHA256: 81042FD90BDB20C71C3805748DE8C0F43FF2E822F60D8ACCCA8CEFAE0C4C10AB
7544 | 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe | C:\ProgramData\usAgAgoI\XWAQAQUE.exe | executable
  MD5: 396CF68FC8B3606F4733A47381050749
  SHA256: 1AE754FF4E09E2CBEF70B7210300340002C48071E90775C6ABC7FF3C8E354D35
7696 | cmd.exe | C:\Users\admin\AppData\Local\Temp\file.vbs | text
  MD5: 4AFB5C4527091738FAF9CD4ADDF9D34E
  SHA256: 59D889A2BF392F4B117340832B4C73425A7FB1DE6C2F83A1AAA779D477C7C6CC
7544 | 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe | C:\Users\admin\Desktop\2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock | image
  MD5: 9ADAF3A844CE0CE36BFED07FA2D7EF66
  SHA256: D3E8D47E8C1622EC10ADEF672CA7A8992748C4F0A4E75F877462E7E661069698
7580 | XWAQAQUE.exe | C:\ProgramData\usAgAgoI\XWAQAQUE.inf | text
  MD5: 2370D612B6741D0E425BDF2155E67575
  SHA256: 81042FD90BDB20C71C3805748DE8C0F43FF2E822F60D8ACCCA8CEFAE0C4C10AB
7660 | 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe | C:\Users\admin\AppData\Local\Temp\akkwEcoE.bat | text
  MD5: CC0228D2705310E4169A0F385245C40C
  SHA256: FF583798AD99DC02FB1D6BD3609CBBE0155D2EB6A75047923282516B6B40E943
7544 | 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe | C:\Users\admin\AppData\Local\Temp\GkwoEcoE.bat | text
  MD5: BAE1095F340720D965898063FEDE1273
  SHA256: EE5E0A414167C2ACA961A616274767C4295659517A814D1428248BD53C6E829A
7544 | 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe | C:\Users\admin\lEMYkwoU\SwoYcckM.exe | executable
  MD5: 05D5A3F2654397AC747C9E5F58EA3E41
  SHA256: 679D2B3AD93699FE9B580004B5A706294BD6A17C488087524BD2845AA53894E5
8048 | 2025-04-27_873062319b32874eb8da4e2f01f48ef3_elex_virlock.exe | C:\Users\admin\AppData\Local\Temp\ZiEEUcoE.bat | text
  MD5: BAE1095F340720D965898063FEDE1273
  SHA256: EE5E0A414167C2ACA961A616274767C4295659517A814D1428248BD53C6E829A
7564 | SwoYcckM.exe | C:\Users\admin\Desktop\aAcU.ico | image
  MD5: 8C44504BC8ECFA4C2D02F7668870EA6F
  SHA256: C327C0485909F634C456CEA42F7DB6353FA4942EFE43A2C336D3932784C927ED
HTTP(S) requests: 9
TCP/UDP connections: 38
DNS requests: 9
Threats: 17

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7564 | SwoYcckM.exe | GET | 301 | 142.250.185.238:80 | http://google.com/ | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 92.122.244.32:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4628 | RUXIMICS.exe | GET | 200 | 92.122.244.32:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
7580 | XWAQAQUE.exe | GET | 301 | 142.250.185.238:80 | http://google.com/ | unknown | - | - | whitelisted
7928 | XWAQAQUE.exe | GET | 301 | 142.250.185.238:80 | http://google.com/ | unknown | - | - | whitelisted
6108 | SwoYcckM.exe | GET | 301 | 142.250.185.238:80 | http://google.com/ | unknown | - | - | whitelisted
- | - | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4628 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7564 | SwoYcckM.exe | 200.87.164.69:9999 | - | Entel S.A. - EntelNet | BO | unknown
2104 | svchost.exe | 92.122.244.32:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
7580 | XWAQAQUE.exe | 200.87.164.69:9999 | - | Entel S.A. - EntelNet | BO | unknown
7564 | SwoYcckM.exe | 142.250.185.238:80 | google.com | GOOGLE | US | whitelisted
7580 | XWAQAQUE.exe | 142.250.185.238:80 | google.com | GOOGLE | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.124.78.146, 51.104.136.2 | whitelisted
google.com | 142.250.185.238 | malicious
crl.microsoft.com | 92.122.244.32, 92.122.244.42 | whitelisted
www.microsoft.com | 2.23.181.156 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

PID | Process | Class | Message
7564 | SwoYcckM.exe | A Network Trojan was detected | ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
7580 | XWAQAQUE.exe | A Network Trojan was detected | ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
7580 | XWAQAQUE.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com)
7928 | XWAQAQUE.exe | A Network Trojan was detected | ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
7928 | XWAQAQUE.exe | A Network Trojan was detected | ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
7580 | XWAQAQUE.exe | A Network Trojan was detected | RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
7564 | SwoYcckM.exe | A Network Trojan was detected | RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
6108 | SwoYcckM.exe | A Network Trojan was detected | RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
7928 | XWAQAQUE.exe | A Network Trojan was detected | RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
7580 | XWAQAQUE.exe | A Network Trojan was detected | RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
No debug info