File name:

folder-lock-10-0-5.exe

Full analysis: https://app.any.run/tasks/25b51b70-94ea-41b1-bf36-f702c8529eba
Verdict: Malicious activity
Analysis date: October 31, 2024, 17:06:56
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
themida
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 13 sections
MD5:

96F0693623D50A1FE5F7AF82C90E8207

SHA1:

778343F3C7504735198F0BA7DEC5D3E829CA0C2E

SHA256:

80D6D25422662584F619034197A15B783FABF2280F8106696E5A34B3D3657CB6

SSDEEP:

98304:GKjkS0nK3YIlOZkGFOma4+afl8l/A0um7hl+OvyY1Wck1uR/7FNsKYkBN9wx874U:UdEKcySGWn81OVfB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads the BIOS version

      • folder-lock-10-0-5.exe (PID: 2648)

    • Executable content was dropped or overwritten

      • folder-lock-10-0-5.exe (PID: 2648)
      • rundll32.exe (PID: 6552)
      • drvinst.exe (PID: 1236)

    • Drops a system driver (possible attempt to evade defenses)

      • folder-lock-10-0-5.exe (PID: 2648)
      • rundll32.exe (PID: 6552)
      • drvinst.exe (PID: 1236)

    • Hides command output

      • cmd.exe (PID: 2928)
      • cmd.exe (PID: 2724)

    • Starts CMD.EXE for commands execution

      • folder-lock-10-0-5.exe (PID: 2648)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 2928)
      • cmd.exe (PID: 2724)

    • Executes as Windows Service

      • WinFL10S.exe (PID: 2000)

    • Uses RUNDLL32.EXE to load library

      • folder-lock-10-0-5.exe (PID: 2648)

    • Executes application which crashes

      • folder-lock-10-0-5.exe (PID: 2648)

  • INFO

    • Reads the computer name

      • folder-lock-10-0-5.exe (PID: 2648)

    • Process checks whether UAC notifications are on

      • folder-lock-10-0-5.exe (PID: 2648)

    • Checks supported languages

      • folder-lock-10-0-5.exe (PID: 2648)

    • Reads the software policy settings

      • folder-lock-10-0-5.exe (PID: 2648)

    • Create files in a temporary directory

      • folder-lock-10-0-5.exe (PID: 2648)

    • Sends debugging messages

      • folder-lock-10-0-5.exe (PID: 2648)

    • Themida protector has been detected

      • folder-lock-10-0-5.exe (PID: 2648)

    • Application launched itself

      • msedge.exe (PID: 3832)
      • msedge.exe (PID: 7016)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 7860)

    • Manual execution by a user

      • msedge.exe (PID: 7016)
      • WINWORD.EXE (PID: 6696)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:10:24 05:33:13+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.38
CodeSize: 7492096
InitializedDataSize: 5685248
UninitializedDataSize: -
EntryPoint: 0x138e058
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.5.0
ProductVersionNumber: 10.0.5.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: NewSoftwares LLC
FileDescription: Folder Lock 10 Setup
FileVersion: 10.0.5
InternalName: Folder Lock
LegalCopyright: 2002-2024 © NewSoftwares LLC
LegalTrademarks: Folder Lock ® is a registered trademark
OriginalFileName: FolderLock10.exe
ProductName: Folder Lock
ProductVersion: 10.0.5
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
227
Monitored processes
81
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT folder-lock-10-0-5.exe cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs dokanctl.exe no specs winfl10s.exe no specs conhost.exe no specs winfl10s.exe no specs winfl10m.exe no specs conhost.exe no specs winfl10m.exe no specs conhost.exe no specs winfl10m.exe no specs conhost.exe no specs rundll32.exe drvinst.exe runonce.exe no specs grpconv.exe no specs folder lock 10.exe msedge.exe no specs msedge.exe no specs werfault.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winword.exe ai.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs folder-lock-10-0-5.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
824\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWinFL10M.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1236DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{13076324-4536-5449-aa08-49046f28ddf5}\WinFL10L.inf" "9" "4814e12b7" "00000000000001D4" "WinSta0\Default" "00000000000001E4" "208" "C:\WINDOWS\system32\drivers"C:\Windows\System32\drvinst.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
3758096943
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
2000C:\WINDOWS\SysWOW64\WinFL10S.exeC:\Windows\SysWOW64\WinFL10S.exeservices.exe
User:
SYSTEM
Company:
NewSoftwares LLC
Integrity Level:
SYSTEM
Description:
Service Application
Version:
10.0.0.0
Modules
Images
c:\windows\syswow64\winfl10s.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
2312"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2012 --field-trial-handle=2016,i,6365892924198004321,166745258046923556,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2364"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "0055CF33-DD8A-46EF-BC64-D5C2D87A7B70" "4E1DD661-D95A-4502-8889-34B8CD509EFF" "6696"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Exit code:
0
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2648"C:\Users\admin\AppData\Local\Temp\folder-lock-10-0-5.exe" C:\Users\admin\AppData\Local\Temp\folder-lock-10-0-5.exe
explorer.exe
User:
admin
Company:
NewSoftwares LLC
Integrity Level:
HIGH
Description:
Folder Lock 10 Setup
Exit code:
3221226505
Version:
10.0.5
Modules
Images
c:\users\admin\appdata\local\temp\folder-lock-10-0-5.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2724C:\WINDOWS\system32\cmd.exe /c sc delete dokan2 > nul 2>&1C:\Windows\System32\cmd.exefolder-lock-10-0-5.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
2928C:\WINDOWS\system32\cmd.exe /c sc stop dokan2 > nul 2>&1C:\Windows\System32\cmd.exefolder-lock-10-0-5.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
3524"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=4356 --field-trial-handle=2396,i,17694004355044336795,8905611119501978845,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3580\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
19 385
Read events
18 989
Write events
344
Delete events
52

Modification events

(PID) Process:(2648) folder-lock-10-0-5.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries
Operation:delete valueName:en-us
Value:
(PID) Process:(2648) folder-lock-10-0-5.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries
Operation:delete valueName:en
Value:
(PID) Process:(2648) folder-lock-10-0-5.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries
Operation:delete valueName:_Global_
Value:
(PID) Process:(2648) folder-lock-10-0-5.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\NewSoftware's\Folder Lock 10
Operation:writeName:SetupPath
Value:
C:\Users\admin\AppData\Local\Temp\folder-lock-10-0-5.exe
(PID) Process:(2648) folder-lock-10-0-5.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Hardware_ID
Operation:writeName:UniqueDeviceID
Value:
10622206300615502071
(PID) Process:(2648) folder-lock-10-0-5.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Hardware_ID
Operation:writeName:Device Name
Value:
DESKTOP-JGLLJLD
(PID) Process:(2648) folder-lock-10-0-5.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Folder Lock 10
Operation:writeName:NoModify
Value:
1
(PID) Process:(2648) folder-lock-10-0-5.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Folder Lock 10
Operation:writeName:NoRepair
Value:
1
(PID) Process:(2648) folder-lock-10-0-5.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Folder Lock 10
Operation:writeName:UninstallString
Value:
"C:\ProgramData\winfl_sys\Uninstall.exe" -u
(PID) Process:(2648) folder-lock-10-0-5.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Folder Lock 10
Operation:writeName:displayIcon
Value:
C:\Program Files\NewSoftware's\Folder Lock 10\FolderLock10.ico
Executable files
35
Suspicious files
423
Text files
105
Unknown types
2

Dropped files

PID
Process
Filename
Type
2648folder-lock-10-0-5.exeC:\Program Files\NewSoftware's\Folder Lock 10 Temp\WinFL10T.exeexecutable
MD5:A1DD062F794EB12D48C5C717196B41C8
SHA256:5E2FDAE8161EF4DAD4AEA5CFC92E9D029AE25F705A769E59B23D9D252142AA76
2648folder-lock-10-0-5.exeC:\Users\admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exctext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
2648folder-lock-10-0-5.exeC:\Users\admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dictext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
2648folder-lock-10-0-5.exeC:\Users\admin\AppData\Local\Temp\WinFL10S.jsonbinary
MD5:DFBBEDB6F4EA71B7139BC1276CC7D7EC
SHA256:5447B1D7F4EE5DD64C06C12FB4A0D259347629C1BABF6ACD5C895A3FB824673B
2648folder-lock-10-0-5.exeC:\Users\admin\AppData\Roaming\Microsoft\Spelling\en-US\default.acltext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
2648folder-lock-10-0-5.exeC:\Program Files\NewSoftware's\Folder Lock 10 Temp\WinFL10S.exeexecutable
MD5:25E103583DD9025A153DCF351D3F45B7
SHA256:AA75F6B1F9F2733BBB35600962ED105B805EF8BDCAFFBDDE00BBB2A3F01B7984
2648folder-lock-10-0-5.exeC:\Program Files\NewSoftware's\Folder Lock 10 Temp\flkb.icoimage
MD5:21143670D95A5AEED5FD42AC26CA4DBF
SHA256:36F79A6F5087B4EDE00C5B4A4CC134F1545AF0A8BC952D2ABCF755ABE74F03C0
2648folder-lock-10-0-5.exeC:\Program Files\NewSoftware's\Folder Lock 10 Temp\flwa.icoimage
MD5:A916B557B64D0CE466099FB7AEA4FB93
SHA256:8FF85E75C0DFEB8C4A347ECF55DA5DCE7167BE25E2D1DDA6E4D2BE8DF1EFD450
2648folder-lock-10-0-5.exeC:\Program Files\NewSoftware's\Folder Lock 10 Temp\flka.icoimage
MD5:BDCA45D50B08BB871C0AC7A9D569DEE8
SHA256:174F1D86771FD2EF4AB412638025563B8136EDBB0561D16EBBA830D142AC421B
2648folder-lock-10-0-5.exeC:\Program Files\NewSoftware's\Folder Lock 10 Temp\dokanctl.exeexecutable
MD5:B51ABE77EE11A6BF7B030FD7B2FE886A
SHA256:A4850A97A54C6B9E867213BB89101F5FEC406064E7E8049BFEF34E10D1570880
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
47
TCP/UDP connections
147
DNS requests
142
Threats
16

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
3788
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4812
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
2312
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2312
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7528
svchost.exe
HEAD
200
23.48.23.167:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8699fac5-cf38-4f97-a2f8-fb1e47f5e54e?P1=1730975581&P2=404&P3=2&P4=f3yhTGg9rew1gMazBb1w8v3hv3u2TE7Go0%2b%2fpi9FOwUBWeBNSf%2bBKED1bf9qaduqXdSfu%2fjj13K4tEbGS5bZ9A%3d%3d
unknown
whitelisted
6696
WINWORD.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
6696
WINWORD.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6944
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
92.123.104.46:443
www.bing.com
Akamai International B.V.
DE
whitelisted
1252
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5488
MoUsoCoreWorker.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5488
MoUsoCoreWorker.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4020
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
  • 40.127.240.158
whitelisted
www.bing.com
  • 92.123.104.46
  • 92.123.104.53
  • 92.123.104.58
  • 92.123.104.40
  • 92.123.104.66
  • 92.123.104.59
  • 92.123.104.64
  • 92.123.104.49
  • 92.123.104.44
  • 2.23.209.133
  • 2.23.209.185
  • 2.23.209.179
  • 2.23.209.130
  • 2.23.209.177
  • 2.23.209.182
  • 2.23.209.135
  • 2.23.209.189
  • 2.23.209.140
  • 92.123.104.7
  • 92.123.104.61
  • 92.123.104.47
  • 92.123.104.4
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
  • 23.48.23.166
  • 23.48.23.147
  • 23.48.23.176
  • 2.16.164.49
  • 2.16.164.9
whitelisted
www.microsoft.com
  • 23.52.120.96
  • 23.32.185.131
whitelisted
google.com
  • 142.250.186.174
whitelisted
www.newsoftwares.net
  • 69.16.221.160
malicious
login.live.com
  • 20.190.159.75
  • 40.126.31.67
  • 20.190.159.0
  • 40.126.31.73
  • 20.190.159.4
  • 20.190.159.23
  • 40.126.31.69
  • 40.126.31.71
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
th.bing.com
  • 92.123.104.32
  • 92.123.104.18
  • 92.123.104.29
  • 92.123.104.30
  • 92.123.104.33
  • 92.123.104.24
  • 92.123.104.21
  • 92.123.104.31
  • 92.123.104.26
whitelisted
go.microsoft.com
  • 23.52.121.103
whitelisted

Threats

PID
Process
Class
Message
4076
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
4076
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
4076
msedge.exe
Potentially Bad Traffic
ET DNS Query for .to TLD
4076
msedge.exe
Potentially Bad Traffic
ET DNS Query for .to TLD
4076
msedge.exe
Potentially Bad Traffic
ET DNS Query for .to TLD
4076
msedge.exe
Potentially Bad Traffic
ET DNS Query for .to TLD
4076
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
4076
msedge.exe
Potentially Bad Traffic
ET DNS Query for .to TLD
4076
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
4076
msedge.exe
Potentially Bad Traffic
ET DNS Query for .to TLD
Process
Message
folder-lock-10-0-5.exe
<ul> element is not allowed at ((969))
folder-lock-10-0-5.exe
<ul> element is not allowed at ((1420))
folder-lock-10-0-5.exe
<ul> element is not allowed at ((1495))
folder-lock-10-0-5.exe
<ul> element is not allowed at ((1431))
folder-lock-10-0-5.exe
<ul> element is not allowed at ((1333))
folder-lock-10-0-5.exe
<ul> element is not allowed at ((1446))
folder-lock-10-0-5.exe
<ul> element is not allowed at ((1467))
folder-lock-10-0-5.exe
<ul> element is not allowed at ((1516))
folder-lock-10-0-5.exe
<ul> element is not allowed at ((1535))
folder-lock-10-0-5.exe
<ul> element is not allowed at ((1560))
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
folder-lock-10-0-5.exe