File name:

Urget Contract Action.eml

Full analysis: https://app.any.run/tasks/02f3db22-52df-4018-9f52-3763118f6d7e
Verdict: Malicious activity
Analysis date: March 11, 2025, 14:49:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
attachments
attc-exe
webdav
Indicators:
MIME: message/rfc822
File info: SMTP mail, ASCII text, with CRLF line terminators
MD5:

048C02E929690BCB0A537D08E71F6B50

SHA1:

E35F34239708F1D2AC63DC88366DCB3686D0D1EB

SHA256:

C5FE32E5DE97A1C0FF01C7BCBC99D7086A485B6DF9AC7CDB37E906F6E1D01DA3

SSDEEP:

12288:G35ETPjPNu1JoTIIu4Q3H3KNgrYq/6lm2pNRs/P7IunP9m4QSmWveSI:PPDkreIItQqev/Qmofs/TdnPvPpeB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Urgent Contract Action.pdf.exe (PID: 5624)
      • Urgent Contract Action.pdf.exe (PID: 7836)
      • Urgent Contract Action.pdf.exe (PID: 5796)
      • Urgent Contract Action.pdf.exe (PID: 6240)
      • Urgent Contract Action.pdf.exe (PID: 4868)
      • Urgent Contract Action.pdf.exe (PID: 3796)
      • Urgent Contract Action.pdf.exe (PID: 7872)
      • Urgent Contract Action.pdf.exe (PID: 4868)
      • Urgent Contract Action.pdf.exe (PID: 6028)
      • Urgent Contract Action.pdf.exe (PID: 3028)
      • Urgent Contract Action.pdf.exe (PID: 7100)
      • Urgent Contract Action.pdf.exe (PID: 7008)
      • Urgent Contract Action.pdf.exe (PID: 2780)
      • Urgent Contract Action.pdf.exe (PID: 3800)
      • Urgent Contract Action.pdf.exe (PID: 240)
      • Urgent Contract Action.pdf.exe (PID: 7872)
      • Urgent Contract Action.pdf.exe (PID: 3248)
      • Urgent Contract Action.pdf.exe (PID: 7000)
      • Urgent Contract Action.pdf.exe (PID: 5668)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 496)
      • cmd.exe (PID: 5048)

    • WebDav connection (SURICATA)

      • rundll32.exe (PID: 2664)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Urgent Contract Action.pdf.exe (PID: 7836)
      • Urgent Contract Action.pdf.exe (PID: 5796)
      • rundll32.exe (PID: 2664)
      • Urgent Contract Action.pdf.exe (PID: 3028)
      • Urgent Contract Action.pdf.exe (PID: 3796)
      • Urgent Contract Action.pdf.exe (PID: 4868)
      • Urgent Contract Action.pdf.exe (PID: 7008)
      • Urgent Contract Action.pdf.exe (PID: 2780)
      • Urgent Contract Action.pdf.exe (PID: 7872)
      • Urgent Contract Action.pdf.exe (PID: 3248)
      • Urgent Contract Action.pdf.exe (PID: 5668)

    • Reads security settings of Internet Explorer

      • ShellExperienceHost.exe (PID: 1116)

    • Starts CMD.EXE for commands execution

      • rundll32.exe (PID: 2664)

    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 456)

    • Starts application with an unusual extension

      • rundll32.exe (PID: 2664)

    • Potential Corporate Privacy Violation

      • rundll32.exe (PID: 2664)

    • Connects to the server without a host name

      • rundll32.exe (PID: 2664)
      • svchost.exe (PID: 8016)

    • Uses RUNDLL32.EXE to load library

      • svchost.exe (PID: 8016)

  • INFO

    • Email with attachments

      • OUTLOOK.EXE (PID: 7532)

    • Manual execution by a user

      • msedge.exe (PID: 960)
      • Urgent Contract Action.pdf.exe (PID: 3796)
      • Urgent Contract Action.pdf.exe (PID: 4868)
      • Urgent Contract Action.pdf.exe (PID: 7872)
      • Urgent Contract Action.pdf.exe (PID: 4868)
      • Urgent Contract Action.pdf.exe (PID: 7100)
      • Urgent Contract Action.pdf.exe (PID: 7008)
      • Urgent Contract Action.pdf.exe (PID: 2780)
      • Urgent Contract Action.pdf.exe (PID: 240)
      • Urgent Contract Action.pdf.exe (PID: 3800)
      • Urgent Contract Action.pdf.exe (PID: 7872)
      • Urgent Contract Action.pdf.exe (PID: 3248)
      • Urgent Contract Action.pdf.exe (PID: 5668)
      • Urgent Contract Action.pdf.exe (PID: 7000)

    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 7448)
      • BackgroundTransferHost.exe (PID: 208)
      • BackgroundTransferHost.exe (PID: 7736)

    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 7736)

    • Checks proxy server information

      • BackgroundTransferHost.exe (PID: 7736)
      • slui.exe (PID: 6208)
      • rundll32.exe (PID: 2664)

    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 7736)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 960)
      • msedge.exe (PID: 4428)

    • Checks supported languages

      • 4E23.tmp (PID: 6724)
      • ShellExperienceHost.exe (PID: 1116)

    • The sample compiled with english language support

      • msedge.exe (PID: 960)
      • msedge.exe (PID: 4428)

    • Application launched itself

      • msedge.exe (PID: 960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 7) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
295
Monitored processes
125
Malicious processes
4
Suspicious processes
18

Behavior graph

Click at the process to see the details
start outlook.exe ai.exe no specs sppextcomobj.exe no specs slui.exe msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe backgroundtransferhost.exe no specs msedge.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs urgent contract action.pdf.exe no specs urgent contract action.pdf.exe conhost.exe no specs msedge.exe no specs rundll32.exe cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs schtasks.exe no specs conhost.exe no specs 4e23.tmp no specs conhost.exe no specs schtasks.exe no specs urgent contract action.pdf.exe no specs urgent contract action.pdf.exe conhost.exe no specs rundll32.exe no specs shellexperiencehost.exe no specs urgent contract action.pdf.exe no specs urgent contract action.pdf.exe conhost.exe no specs rundll32.exe no specs msedge.exe no specs rundll32.exe no specs urgent contract action.pdf.exe no specs urgent contract action.pdf.exe conhost.exe no specs rundll32.exe no specs msedge.exe no specs urgent contract action.pdf.exe no specs urgent contract action.pdf.exe conhost.exe no specs rundll32.exe no specs svchost.exe msedge.exe msedge.exe no specs urgent contract action.pdf.exe no specs urgent contract action.pdf.exe conhost.exe no specs rundll32.exe no specs urgent contract action.pdf.exe no specs urgent contract action.pdf.exe conhost.exe no specs rundll32.exe no specs msedge.exe no specs urgent contract action.pdf.exe no specs urgent contract action.pdf.exe conhost.exe no specs rundll32.exe no specs msedge.exe no specs urgent contract action.pdf.exe conhost.exe no specs rundll32.exe no specs urgent contract action.pdf.exe no specs urgent contract action.pdf.exe conhost.exe no specs rundll32.exe no specs msedge.exe no specs system

Process information

PID
CMD
Path
Indicators
Parent process
4System
[System Process]
User:
SYSTEM
Integrity Level:
SYSTEM
208"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1C:\Windows\System32\BackgroundTransferHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
236\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeUrgent Contract Action.pdf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
240"C:\Users\admin\Downloads\Urgent Contract Action.pdf.exe" C:\Users\admin\Downloads\Urgent Contract Action.pdf.exeexplorer.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 27.0 r0
Exit code:
3221226540
Version:
27,0,0,170
Modules
Images
c:\users\admin\downloads\urgent contract action.pdf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
456schtasks /Delete /F /TN rhaegalC:\Windows\SysWOW64\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
496/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\WINDOWS\system32\shutdown.exe /r /t 0 /f" /ST 15:10:00C:\Windows\SysWOW64\cmd.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
680"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=3476 --field-trial-handle=2372,i,10147810855887157067,7129869109266173936,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
896\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe4E23.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
900"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4312 --field-trial-handle=2372,i,10147810855887157067,7129869109266173936,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
920"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4324 --field-trial-handle=2372,i,10147810855887157067,7129869109266173936,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
26 262
Read events
25 615
Write events
551
Delete events
96

Modification events

(PID) Process:(7532) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:6
Value:
01941A000000001000B24E9A3E06000000000000000600000000000000
(PID) Process:(7532) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\7532
Operation:writeName:0
Value:
0B0E1030DE870D709F334F9D0A5D160E5DF25D230046AEE390B5CCD2E4ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511EC3AD2120B6F00750074006C006F006F006B002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(7532) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:delete valueName:BootCommand
Value:
(PID) Process:(7532) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:delete valueName:BootFailureCount
Value:
(PID) Process:(7532) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:delete keyName:(default)
Value:
(PID) Process:(7532) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:writeName:CantBootResolution
Value:
BootSuccess
(PID) Process:(7532) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:writeName:ProfileBeingOpened
Value:
Outlook
(PID) Process:(7532) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:writeName:SessionId
Value:
C3D8E96E-C1AF-4750-8D52-F4E28119C131
(PID) Process:(7532) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:writeName:BootDiagnosticsLogFile
Value:
C:\Users\admin\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16026_20146-20240718T1116060318-1644.etl
(PID) Process:(7532) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:delete valueName:ProfileBeingOpened
Value:
Executable files
61
Suspicious files
920
Text files
111
Unknown types
0

Dropped files

PID
Process
Filename
Type
7532OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook1.pst
MD5:
SHA256:
7532OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbresbinary
MD5:9A83641666E0BC9E44CB5F581188B275
SHA256:FFB5F81DB5C7F93637973252E322D8257AADFD480B95701FF1BCDB827AE20102
7532OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmbinary
MD5:CA44A55CD12F4597D8626304DC2A3827
SHA256:5E8D07094B53CD60834FB553689B6DA19C970B0FEA85DAB99DA1DBCABF1681FA
7532OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbresbinary
MD5:3853AB4330CC08D926A274FE4DB1BB6B
SHA256:1C6219F5332EF5EDBDA6C136A98FC158B0B1831638632F5933660AF30C301EB1
960msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF10dc19.TMP
MD5:
SHA256:
960msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
960msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF10dc29.TMP
MD5:
SHA256:
960msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF10dc29.TMP
MD5:
SHA256:
960msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
960msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF10dc0a.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
79
TCP/UDP connections
309
DNS requests
222
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7532
OUTLOOK.EXE
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
US
binary
471 b
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
binary
471 b
whitelisted
7532
OUTLOOK.EXE
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
US
binary
471 b
whitelisted
7772
backgroundTaskHost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
US
binary
471 b
whitelisted
7736
BackgroundTransferHost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
US
binary
312 b
whitelisted
7184
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
QA
binary
419 b
whitelisted
7184
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
QA
binary
408 b
whitelisted
5328
svchost.exe
HEAD
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1741806581&P2=404&P3=2&P4=aYzYuNkS2aCf15L9ukLiDvRuY9fgfTq1kPY%2baw3S2%2flG5Yc0TTGZNE0vVq8A1%2brmnivUK3Aqdd74p4SBRDn3ow%3d%3d
US
whitelisted
5328
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1741806581&P2=404&P3=2&P4=aYzYuNkS2aCf15L9ukLiDvRuY9fgfTq1kPY%2baw3S2%2flG5Yc0TTGZNE0vVq8A1%2brmnivUK3Aqdd74p4SBRDn3ow%3d%3d
US
binary
182 b
whitelisted
5328
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1741806581&P2=404&P3=2&P4=aYzYuNkS2aCf15L9ukLiDvRuY9fgfTq1kPY%2baw3S2%2flG5Yc0TTGZNE0vVq8A1%2brmnivUK3Aqdd74p4SBRDn3ow%3d%3d
US
binary
1.09 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
7532
OUTLOOK.EXE
52.123.243.86:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
DE
whitelisted
3216
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
40.126.31.69:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
7532
OUTLOOK.EXE
52.109.89.19:443
roaming.officeapps.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7532
OUTLOOK.EXE
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
ecs.office.com
  • 52.123.243.86
  • 52.123.243.201
  • 52.123.243.79
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.73
  • 40.126.31.73
  • 40.126.31.2
  • 20.190.159.68
  • 20.190.159.23
  • 20.190.159.2
  • 40.126.31.67
  • 40.126.31.3
  • 40.126.31.130
  • 40.126.31.1
  • 20.190.159.4
  • 40.126.31.129
  • 40.126.31.131
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
roaming.officeapps.live.com
  • 52.109.89.19
whitelisted
omex.cdn.office.net
  • 23.50.131.87
  • 23.50.131.86
whitelisted
messaging.lifecycle.office.com
  • 52.111.240.11
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted

Threats

PID
Process
Class
Message
2664
rundll32.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] WebDav activity has been detected
2664
rundll32.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] WebDav activity has been detected
2664
rundll32.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] WebDav activity has been detected
2664
rundll32.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] WebDav activity has been detected
2664
rundll32.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] WebDav activity has been detected
2664
rundll32.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] WebDav activity has been detected
2664
rundll32.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] WebDav activity has been detected
2664
rundll32.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] WebDav activity has been detected
2664
rundll32.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] WebDav activity has been detected
2664
rundll32.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] WebDav activity has been detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Urget Contract Action.eml