File name: Re CANKO DMC IMPORT ENQUIRY.msg

Full analysis: https://app.any.run/tasks/ff31bb1b-c61c-49e6-baea-56b7d0337952
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: March 13, 2024, 12:17:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: spam, xworm
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 810F85E399D73558776854E1D54AD28D
SHA1: 2438231A042315FCBA963A11E9A39118956C674A
SHA256: C69B8BA6243B7DF5BBF6BBDC501ADB7FD0C9E1BCFA577EDD29A79FA2B1112521
SSDEEP: 768:iWS4eLgAsKmdK1307lBTVDpM6CuoDsKXohxK1V4Lg/23KkFy3BTut5ykbvOv:NUF+z7jFClD2CV4Lgct5nD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3748)
    • Create files in the Startup directory

      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3748)
    • XWORM has been detected (YARA)

      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3748)
    • Drops the executable file immediately after the start

      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3748)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3492)
  • SUSPICIOUS

    • Non-standard symbols in registry

      • OUTLOOK.EXE (PID: 1384)
    • Reads the Internet Settings

      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3492)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2360)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3216)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2296)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2912)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 900)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3052)
    • Executable content was dropped or overwritten

      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3492)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3748)
    • Process drops legitimate windows executable

      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3492)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3748)
      • WinRAR.exe (PID: 3456)
    • Reads security settings of Internet Explorer

      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3492)
      • WinRAR.exe (PID: 3456)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3216)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2360)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2296)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2912)
      • WinRAR.exe (PID: 2736)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 900)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3052)
    • Application launched itself

      • WinRAR.exe (PID: 2736)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3492)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3216)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2360)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2296)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2912)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 900)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3052)
    • Starts a Microsoft application from unusual location

      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3492)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3748)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3216)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2360)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 1864)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 1796)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2296)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3484)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2912)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 900)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3052)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 1792)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3032)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3872)
    • Connects to unusual port

      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3748)
  • INFO

    • Application launched itself

      • msedge.exe (PID: 2232)
    • Reads the machine GUID from the registry

      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3492)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3748)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3216)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2360)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 1864)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 1796)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2296)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3484)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2912)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 1792)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 900)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3052)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3032)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3872)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 2736)
      • msedge.exe (PID: 3272)
    • Checks supported languages

      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3492)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3748)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3216)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2360)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 1864)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2296)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3484)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 1796)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2912)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 1792)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 900)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3052)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3032)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3872)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3456)
    • Reads the computer name

      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3748)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3216)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2360)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 1864)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 1796)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2296)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3484)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2912)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 1792)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 900)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3052)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3492)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3032)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3872)
    • Create files in a temporary directory

      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3492)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2360)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3216)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2296)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2912)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3052)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 900)
    • Creates files or folders in the user directory

      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3748)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3492)
    • Manual execution by a user

      • CANKO DMC IMPORT ENQUIRY.exe (PID: 2912)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 900)
      • CANKO DMC IMPORT ENQUIRY.exe (PID: 3052)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3456)

XWorm

(PID) Process: (3748) CANKO DMC IMPORT ENQUIRY.exe
C2: zafar12.duckdns.org:4444
Keys:
AES: <123456789>
Options:
Splitter: <Xwormmm>
Sleep time: 3
USB drop name: USB.exe
Mutex: SCbxtPTfWRZJjjUi

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
Total processes: 93
Monitored processes: 44
Malicious processes: 6
Suspicious processes: 6

Behavior graph

start outlook.exe msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe no specs winrar.exe no specs winrar.exe canko dmc import enquiry.exe msedge.exe no specs msedge.exe no specs schtasks.exe no specs #XWORM canko dmc import enquiry.exe canko dmc import enquiry.exe no specs canko dmc import enquiry.exe no specs schtasks.exe no specs canko dmc import enquiry.exe no specs schtasks.exe no specs canko dmc import enquiry.exe no specs canko dmc import enquiry.exe no specs schtasks.exe no specs canko dmc import enquiry.exe no specs canko dmc import enquiry.exe no specs schtasks.exe no specs canko dmc import enquiry.exe no specs canko dmc import enquiry.exe no specs canko dmc import enquiry.exe no specs schtasks.exe no specs canko dmc import enquiry.exe no specs schtasks.exe no specs canko dmc import enquiry.exe no specs

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 796
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1324 --field-trial-handle=1344,i,15728392432636236941,9648075290390777763,131072 /prefetch:2
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 844
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3336 --field-trial-handle=1344,i,15728392432636236941,9648075290390777763,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 864
CMD: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NzUFPjhHTe" /XML "C:\Users\admin\AppData\Local\Temp\tmpD0F8.tmp"
Path: C:\Windows\System32\schtasks.exe
Parent process: CANKO DMC IMPORT ENQUIRY.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 900
CMD: "C:\Users\admin\Desktop\CANKO DMC IMPORT ENQUIRY.exe"
Path: C:\Users\admin\Desktop\CANKO DMC IMPORT ENQUIRY.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internal Bluetooth
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\canko dmc import enquiry.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1112
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2208 --field-trial-handle=1344,i,15728392432636236941,9648075290390777763,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1264
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\x9dgrz.gz"
Path: C:\program files\WinRAR\WinRAR.exe
Parent process: msedge.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1384
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Re CANKO DMC IMPORT ENQUIRY.msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Exit code: 0
Version: 14.0.6025.1000
Modules (images):
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1608
CMD: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NzUFPjhHTe" /XML "C:\Users\admin\AppData\Local\Temp\tmp3951.tmp"
Path: C:\Windows\System32\schtasks.exe
Parent process: CANKO DMC IMPORT ENQUIRY.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 1740
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1344,i,15728392432636236941,9648075290390777763,131072 /prefetch:3
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1784
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3528 --field-trial-handle=1344,i,15728392432636236941,9648075290390777763,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 38 381
Read events: 37 657
Write events: 681
Delete events: 43

Modification events

All entries below: (PID) Process: (1384) OUTLOOK.EXE; Operation: write; Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

Name: 1033, Value: Off
Name: 1041, Value: Off
Name: 1046, Value: Off
Name: 1036, Value: Off
Name: 1031, Value: Off
Name: 1040, Value: Off
Name: 1049, Value: Off
Name: 3082, Value: Off
Name: 1042, Value: Off
Name: 1055, Value: Off
Executable files: 7
Suspicious files: 19
Text files: 68
Unknown types: 35

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1384 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRF8A8.tmp.cvr | - | - | -
1384 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | - | - | -
2232 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF182e4e.TMP | - | - | -
2232 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old | - | - | -
2232 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF182e6e.TMP | - | - | -
2232 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old | - | - | -
2232 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF182e9c.TMP | - | - | -
2232 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old | - | - | -
2232 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat | binary | DF0BCCD68449F07F531D76F53C718178 | 12025F4DA9E53A8B91892D4F6E6A9B89513F3488BFE9F1EEEC3C05F7EF96BDD8
1384 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A94A62FA.dat | image | 44A9EC149DA9E3E0A07E0A68E4BE757F | D7338BE8693FAF91BB2F8C5EFD209CE2FCE4EB8544B32B5E6068E897CD4C5636
HTTP(S) requests: 0
TCP/UDP connections: 76
DNS requests: 24
Threats: 12

HTTP requests

No HTTP requests

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
1384 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1740 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
2232 | msedge.exe | 239.255.255.250:1900 | - | - | - | unknown
1740 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1740 | msedge.exe | 108.181.20.35:443 | files.catbox.moe | TELUS Communications | CA | unknown
1740 | msedge.exe | 2.19.96.8:443 | www.bing.com | Akamai International B.V. | DE | unknown

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
files.catbox.moe
  • 108.181.20.35
malicious
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
www.bing.com
whitelisted
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com
  • 152.199.21.175
whitelisted
zafar12.duckdns.org
  • 194.147.140.134
malicious
self.events.data.microsoft.com
  • 52.168.117.171
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID | Process | Class | Message
1740 | msedge.exe | Potentially Bad Traffic | ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
1740 | msedge.exe | Potentially Bad Traffic | ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
1080 | svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
1080 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1080 | svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
1080 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1080 | svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
1080 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1080 | svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
1080 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info