File name:

2025-04-06_d4cc2d4aed471a4096f7f3d45dcebe06_virlock

Full analysis: https://app.any.run/tasks/5f2db2e5-07fc-4a6e-b44d-b910eb51bd24
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: April 06, 2025, 22:33:28
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
virlock
ransomware
stealer
nsb
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 2 sections
MD5:

D4CC2D4AED471A4096F7F3D45DCEBE06

SHA1:

EFC428452637112E34597B3DDDA9E58252FB955B

SHA256:

B9F147E84716E53EB509D314E14ADA540EB22DD97C1F6DA0EFF73E951F316576

SSDEEP:

3072:Sim8+JsQsMS8nH4Vvg4GCWHqtJ3GOaO8fnQ5RzSi3YreJAKTSBFJbpuPSO/ewdMT:9f+Jsv38nHKWOgWRzSiEyAkSFDrf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • VIRLOCK mutex has been found

      • SwoYcckM.exe (PID: 7372)
      • 2025-04-06_d4cc2d4aed471a4096f7f3d45dcebe06_virlock.exe (PID: 7348)
      • XWAQAQUE.exe (PID: 7388)
      • economyfantasy.jpg.exe (PID: 6132)
      • replieszealand.jpg.exe (PID: 5352)
      • programshowever.png.exe (PID: 7872)
    • Changes the autorun value in the registry

      • SwoYcckM.exe (PID: 7372)
      • 2025-04-06_d4cc2d4aed471a4096f7f3d45dcebe06_virlock.exe (PID: 7348)
      • XWAQAQUE.exe (PID: 7388)
    • Modifies files in the Chrome extension folder

      • XWAQAQUE.exe (PID: 7388)
    • Actions looks like stealing of personal data

      • XWAQAQUE.exe (PID: 7388)
    • Connects to the CnC server

      • XWAQAQUE.exe (PID: 7388)
      • SwoYcckM.exe (PID: 7372)
    • NSB has been detected (SURICATA)

      • XWAQAQUE.exe (PID: 7388)
      • SwoYcckM.exe (PID: 7372)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-04-06_d4cc2d4aed471a4096f7f3d45dcebe06_virlock.exe (PID: 7348)
      • XWAQAQUE.exe (PID: 7388)
    • Uses REG/REGEDIT.EXE to modify registry

      • 2025-04-06_d4cc2d4aed471a4096f7f3d45dcebe06_virlock.exe (PID: 7348)
      • economyfantasy.jpg.exe (PID: 6132)
      • replieszealand.jpg.exe (PID: 5352)
      • programshowever.png.exe (PID: 7872)
    • The executable file from the user directory is run by the CMD process

      • 7z.exe (PID: 7468)
    • Drops 7-zip archiver for unpacking

      • 2025-04-06_d4cc2d4aed471a4096f7f3d45dcebe06_virlock.exe (PID: 7348)
    • Starts CMD.EXE for commands execution

      • 2025-04-06_d4cc2d4aed471a4096f7f3d45dcebe06_virlock.exe (PID: 7348)
    • Connects to unusual port

      • XWAQAQUE.exe (PID: 7388)
      • SwoYcckM.exe (PID: 7372)
    • The process checks if it is being run in the virtual environment

      • XWAQAQUE.exe (PID: 7388)
  • INFO

    • Checks supported languages

      • 2025-04-06_d4cc2d4aed471a4096f7f3d45dcebe06_virlock.exe (PID: 7348)
      • XWAQAQUE.exe (PID: 7388)
      • 7z.exe (PID: 7468)
      • SwoYcckM.exe (PID: 7372)
      • economyfantasy.jpg.exe (PID: 6132)
      • replieszealand.jpg.exe (PID: 5352)
      • programshowever.png.exe (PID: 7872)
    • Creates files in the program directory

      • 2025-04-06_d4cc2d4aed471a4096f7f3d45dcebe06_virlock.exe (PID: 7348)
      • XWAQAQUE.exe (PID: 7388)
    • Create files in a temporary directory

      • 2025-04-06_d4cc2d4aed471a4096f7f3d45dcebe06_virlock.exe (PID: 7348)
    • Reads the computer name

      • 7z.exe (PID: 7468)
      • XWAQAQUE.exe (PID: 7388)
      • SwoYcckM.exe (PID: 7372)
    • Creates files or folders in the user directory

      • XWAQAQUE.exe (PID: 7388)
    • Process checks computer location settings

      • XWAQAQUE.exe (PID: 7388)
    • Failed to create an executable file in Windows directory

      • XWAQAQUE.exe (PID: 7388)
    • Manual execution by a user

      • economyfantasy.jpg.exe (PID: 6132)
      • programshowever.png.exe (PID: 7872)
      • replieszealand.jpg.exe (PID: 5352)
    • Checks proxy server information

      • slui.exe (PID: 7552)
    • Reads the software policy settings

      • slui.exe (PID: 7552)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1970:01:01 00:02:03+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 5.12
CodeSize: 163840
InitializedDataSize: 4608
UninitializedDataSize: -
EntryPoint: 0x2465a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes
165
Monitored processes
34
Malicious processes
6
Suspicious processes
0

Behavior graph

start, #VIRLOCK 2025-04-06_d4cc2d4aed471a4096f7f3d45dcebe06_virlock.exe, #VIRLOCK swoycckm.exe, #VIRLOCK xwaqaque.exe, cmd.exe (no specs), conhost.exe (no specs), reg.exe (no specs), 7z.exe (no specs), reg.exe (no specs), conhost.exe (no specs), reg.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), slui.exe, #VIRLOCK economyfantasy.jpg.exe (no specs), reg.exe (no specs), reg.exe (no specs), reg.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), #VIRLOCK replieszealand.jpg.exe (no specs), #VIRLOCK programshowever.png.exe (no specs), reg.exe (no specs), reg.exe (no specs), conhost.exe (no specs), reg.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), reg.exe (no specs), reg.exe (no specs), conhost.exe (no specs), reg.exe (no specs), conhost.exe (no specs), conhost.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 208
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 3008
CMD: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Path: C:\Windows\SysWOW64\reg.exe
Parent process: programshowever.png.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 4300
CMD: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Path: C:\Windows\SysWOW64\reg.exe
Parent process: replieszealand.jpg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 4464
CMD: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Path: C:\Windows\SysWOW64\reg.exe
Parent process: programshowever.png.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 5352
CMD: "C:\Users\admin\Downloads\replieszealand.jpg.exe"
Path: C:\Users\admin\Downloads\replieszealand.jpg.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
PID: 5964
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 6032
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 6080
CMD: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Path: C:\Windows\SysWOW64\reg.exe
Parent process: programshowever.png.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 6132
CMD: "C:\Users\admin\Downloads\economyfantasy.jpg.exe"
Path: C:\Users\admin\Downloads\economyfantasy.jpg.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
PID: 6632
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
5 520
Read events
5 516
Write events
4
Delete events
0

Modification events

(PID) Process: (7348) 2025-04-06_d4cc2d4aed471a4096f7f3d45dcebe06_virlock.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: SwoYcckM.exe
Value: C:\Users\admin\lEMYkwoU\SwoYcckM.exe

(PID) Process: (7348) 2025-04-06_d4cc2d4aed471a4096f7f3d45dcebe06_virlock.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: XWAQAQUE.exe
Value: C:\ProgramData\usAgAgoI\XWAQAQUE.exe

(PID) Process: (7372) SwoYcckM.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: SwoYcckM.exe
Value: C:\Users\admin\lEMYkwoU\SwoYcckM.exe

(PID) Process: (7388) XWAQAQUE.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: XWAQAQUE.exe
Value: C:\ProgramData\usAgAgoI\XWAQAQUE.exe

Executable files
476
Suspicious files
0
Text files
126
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7388
Process: XWAQAQUE.exe
Filename: C:\Users\admin\Desktop\uQEE.exe
Type: executable
MD5:B132C5EEEC27566090E2E93A1DF648AC
SHA256:9B23D660B4E5DCB08DCC152F6525EEEACDD0D2731DF6E8C1F06A974E0387E967
PID: 7348
Process: 2025-04-06_d4cc2d4aed471a4096f7f3d45dcebe06_virlock.exe
Filename: C:\ProgramData\usAgAgoI\XWAQAQUE.exe
Type: executable
MD5:280FE39AF7DA5AC0A5D8980850A1890F
SHA256:045ABE35EF8178F0E330C0035EDA8B3CBDB18BC6241FD67240B090798FA574A4
PID: 7388
Process: XWAQAQUE.exe
Filename: C:\Users\admin\Desktop\IEYC.exe
Type: executable
MD5:7D84C7700E8EB1C326DB360268B7A1BF
SHA256:019278B39CFA785C4955406B54A2BD9975B9B5F371F23A3209F8E5836BD7F6F0
PID: 7388
Process: XWAQAQUE.exe
Filename: C:\Users\admin\Desktop\OQEE.ico
Type: image
MD5:8C44504BC8ECFA4C2D02F7668870EA6F
SHA256:C327C0485909F634C456CEA42F7DB6353FA4942EFE43A2C336D3932784C927ED
PID: 7388
Process: XWAQAQUE.exe
Filename: C:\Users\admin\Desktop\pMQg.exe
Type: executable
MD5:7F5A9036C5A029547857586C2D0CF9C6
SHA256:F7D7FCD99633D448835CB63B06D1294D468E1A07B423BDD3D6C1285C7FDC2B28
PID: 7388
Process: XWAQAQUE.exe
Filename: C:\Users\admin\AppData\Local\VirtualStore\RCX1700.tmp
Type: executable
MD5:35E24197F936AF442011BD514BF40BEE
SHA256:9B3526C0927FBB1E9F9531ECAF6D83E4D4670856C7D532279772CCE2C447ECC0
PID: 7388
Process: XWAQAQUE.exe
Filename: C:\Users\admin\Desktop\VEUu.ico
Type: image
MD5:B2A9E20F351B70B21469E4A4BA1D3506
SHA256:0F015363E17B4320AA73BB7DB01A87773BB171120EF59CB9EBDC13C857DF1692
PID: 7388
Process: XWAQAQUE.exe
Filename: C:\Users\admin\Desktop\UIQm.ico
Type: image
MD5:B2A9E20F351B70B21469E4A4BA1D3506
SHA256:0F015363E17B4320AA73BB7DB01A87773BB171120EF59CB9EBDC13C857DF1692
PID: 7388
Process: XWAQAQUE.exe
Filename: C:\Users\admin\AppData\Local\VirtualStore\RCX1C90.tmp
Type: executable
MD5:15C973A4C1E775E94F04565B6CA80939
SHA256:FD3FC1CD06196B14FC67840A78EDD8ECE06C5EFADEFCE1E6C1639F953716FBB1
PID: 7348
Process: 2025-04-06_d4cc2d4aed471a4096f7f3d45dcebe06_virlock.exe
Filename: C:\Users\admin\AppData\Local\Temp\7z.exe
Type: executable
MD5:B0879906C12211847BD47D82AF78CBD0
SHA256:C8CFFFF93071BFA75A90A029518F67B2D3F454C7E367383681738EB43C11DFB1
HTTP(S) requests
37
TCP/UDP connections
57
DNS requests
18
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7388
XWAQAQUE.exe
GET
301
142.250.186.46:80
http://google.com/
unknown
whitelisted
4784
RUXIMICS.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7372
SwoYcckM.exe
GET
301
142.250.186.46:80
http://google.com/
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
8160
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
8160
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
8160
SIHClient.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
8160
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
GET
304
4.245.163.56:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4784
RUXIMICS.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7388
XWAQAQUE.exe
200.87.164.69:9999
Entel S.A. - EntelNet
BO
unknown
3216
svchost.exe
20.7.1.246:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7388
XWAQAQUE.exe
142.250.186.46:80
google.com
GOOGLE
US
whitelisted
7372
SwoYcckM.exe
142.250.186.46:80
google.com
GOOGLE
US
whitelisted
2104
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.46
whitelisted
client.wns.windows.com
  • 20.7.1.246
  • 20.10.31.115
  • 20.198.162.78
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
  • 20.73.194.208
whitelisted
login.live.com
  • 40.126.32.140
  • 20.190.160.3
  • 20.190.160.22
  • 40.126.32.136
  • 40.126.32.138
  • 40.126.32.72
  • 40.126.32.68
  • 40.126.32.76
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.29
whitelisted

Threats

PID
Process
Class
Message
7388
XWAQAQUE.exe
A Network Trojan was detected
ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
7372
SwoYcckM.exe
A Network Trojan was detected
ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
7372
SwoYcckM.exe
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com)
7388
XWAQAQUE.exe
A Network Trojan was detected
RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
7388
XWAQAQUE.exe
A Network Trojan was detected
RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
7388
XWAQAQUE.exe
A Network Trojan was detected
RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
7372
SwoYcckM.exe
A Network Trojan was detected
RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
7388
XWAQAQUE.exe
A Network Trojan was detected
RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
7372
SwoYcckM.exe
A Network Trojan was detected
RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
No debug info