Malware analysis WMSPLUSDB2_2025-02-25_15_45_32.424.zip Malicious activity

Add for printing

File name:	WMSPLUSDB2_2025-02-25_15_45_32.424.zip
Full analysis:	https://app.any.run/tasks/a3b44d51-ef4d-48c5-9e75-b5d727a851f1
Verdict:	Malicious activity
Threats:	Lynx is a double extortion ransomware: attackers encrypt important and sensitive data and demand a ransom for decryption simultaneously threatening to publish or sell the data. Active since mid-2024. Among techniques are terminating processes and services, privilege escalation, deleting shadow copies. Distribution by phishing, malvertising, exploiting vulnerabilities. Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	February 25, 2025, 15:53:07
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	lynx ransomware
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v4.5 to extract, compression method=deflate
MD5:	F1B14D8C5ABC51B9F46FFBD018BEF76E
SHA1:	5273FB89C74BBE1D107D62484A327A772CC4096B
SHA256:	384EC4FDC26248FBDFFB078471501DC182D506A5563DBA92B9ECE2A64B5F958E
SSDEEP:	1536:Nx3oo9KBlyxQY2vaio6XgYWNLEtQYYob3QNPnzwBgIYs+lWR+L/:33oo0BlyxQTvHH1QAugTCk1+cR+b

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- LYNX has been detected
  - svhost.exe (PID: 5204)
  - svhost.exe (PID: 4620)
- RANSOMWARE has been detected
  - svhost.exe (PID: 4620)
- Renames files like ransomware
  - svhost.exe (PID: 4620)
- Unusual execution from MS Office
  - ONENOTE.EXE (PID: 1272)
SUSPICIOUS
- The process creates files with name similar to system file names
  - WinRAR.exe (PID: 4200)
- The process executes via Task Scheduler
  - powershell.exe (PID: 5640)
- Creates file in the systems drive root
  - svhost.exe (PID: 5204)
  - svhost.exe (PID: 4620)
- Executes as Windows Service
  - FXSSVC.exe (PID: 1748)
INFO
- Reads the computer name
  - TextInputHost.exe (PID: 3332)
- Checks current location (POWERSHELL)
  - powershell.exe (PID: 5640)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 4200)
- Reads security settings of Internet Explorer
  - BackgroundTransferHost.exe (PID: 6028)
  - BackgroundTransferHost.exe (PID: 456)
  - BackgroundTransferHost.exe (PID: 3868)
  - BackgroundTransferHost.exe (PID: 1568)
- Reads the software policy settings
  - BackgroundTransferHost.exe (PID: 1568)
- Checks proxy server information
  - BackgroundTransferHost.exe (PID: 1568)
- Creates files or folders in the user directory
  - BackgroundTransferHost.exe (PID: 1568)
- Checks supported languages
  - TextInputHost.exe (PID: 3332)
- Uses string replace method (POWERSHELL)
  - powershell.exe (PID: 5640)
- Gets data length (POWERSHELL)
  - powershell.exe (PID: 5640)
- Creates files in the program directory
  - svhost.exe (PID: 5204)
  - svhost.exe (PID: 4620)
- Create files in a temporary directory
  - svhost.exe (PID: 4620)
  - OfficeC2RClient.exe (PID: 456)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	0x0801
ZipCompression:	Deflated
ZipModifyDate:	1980:00:00 00:00:00
ZipCRC:	0x565025a6
ZipCompressedSize:	91963
ZipUncompressedSize:	168960
ZipFileName:	Device/HarddiskVolume3/svhost/svhost.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

163

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

456

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\BackgroundTransferHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Download/Upload Host

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll

456

OfficeC2RClient.exe /error PID=1272 ProcessName="Microsoft OneNote" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x800c0006 ShowUI=1

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

ONENOTE.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Office Click-to-Run Client

Exit code:

Version:

16.0.16026.20140

Modules

Images
c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll

1096

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

1272

"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent

C:\Windows\System32\slui.exe

SppExtComObj.Exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

1272

/insertdoc "C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\{A548EE31-0F98-41DA-B22B-93D31A94AF61}.xps" 133849725820710000

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

—

printfilterpipelinesvc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft OneNote

Exit code:

3221225794

Version:

16.0.16026.20146

Modules

Images
c:\program files\microsoft office\root\office16\onenote.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\combase.dll

1568

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\BackgroundTransferHost.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Download/Upload Host

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll

1748

C:\WINDOWS\system32\fxssvc.exe

C:\Windows\System32\FXSSVC.exe

—

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Fax Service

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\fxssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shlwapi.dll

2600

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

3332

"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Version:

123.26505.0.0

Modules

Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

3868

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\BackgroundTransferHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Download/Upload Host

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll

Add for printing

Total events

20 197

Read events

20 111

Write events

Delete events

Modification events


(PID) Process:	(4200) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(4200) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(4200) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(4200) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\WMSPLUSDB2_2025-02-25_15_45_32.424.zip
(PID) Process:	(4200) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4200) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4200) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4200) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3868) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(3868) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:

Add for printing

Executable files

Suspicious files

1 173

Text files

377

Unknown types

Dropped files

PID	Process	Filename		Type
1568	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\3e704edf-53c9-497e-a813-fa3d6aedfc87.down_data		—
		MD5:—	SHA256:—
1568	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D		binary
		MD5:8DDD7C6D4A3AB775235E44297C251885	SHA256:9AB98597EE66662FE13E1D1ABDFA73756608C345060DA9D7842C851EDE3D7992
1568	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\03647b5b-db97-4f5f-afb6-235e674b3391.d34cc7de-d825-4e62-accc-ae6eea3f552c.down_meta		binary
		MD5:C0C23B0D09A7D11F1F474E7E5A76F6D7	SHA256:27F885800E8B2ACFE950FCC103F0F7AEFA0BD3AF69032109D8BD999B25C3A783
1568	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\3e704edf-53c9-497e-a813-fa3d6aedfc87.d34cc7de-d825-4e62-accc-ae6eea3f552c.down_meta		binary
		MD5:C0C23B0D09A7D11F1F474E7E5A76F6D7	SHA256:27F885800E8B2ACFE950FCC103F0F7AEFA0BD3AF69032109D8BD999B25C3A783
1568	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\03647b5b-db97-4f5f-afb6-235e674b3391.up_meta_secure		binary
		MD5:8DCA234727943FB48A6D9F7A1D8B610A	SHA256:68EBEF95BEE23C1A4F57D38D030C3EF434E920EEFF3526C466FCFC2C0BF0EF3A
5640	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N5GAF0IIVTO8357TYUP9.temp		binary
		MD5:9EE31A9DC3ADED2FE291AA5F745FF91F	SHA256:F507DB79FF0CD8D7265205E946B887BB1DE47A492EF57DEDC3D25F0058E83FF9
5640	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kmyp5q3w.enj.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4200	WinRAR.exe	C:\Users\admin\Desktop\WMSPLUSDB2_2025-02-25_15_45_32.424\Device\HarddiskVolume3\svhost\svhost.exe		executable
		MD5:74912F6FD40FB0E979824EA56C08E867	SHA256:7C263FB11953E2A8C2F697522FF83491D73E28A1D5BEC030B529A0B3C7C2A69D
4200	WinRAR.exe	C:\Users\admin\Desktop\WMSPLUSDB2_2025-02-25_15_45_32.424\manifest.json		text
		MD5:106CB16998EFBCBBBADABA0C2DF80564	SHA256:8D2AE39DA4E05426F0505F3CAA042382DD93941F68BAD5CB6EC9EA5576931D32
5640	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF13dff3.TMP		binary
		MD5:D040F64E9E7A2BB91ABCA5613424598E	SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1568	BackgroundTransferHost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
5556	SIHClient.exe	GET	200	23.37.13.218:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
5556	SIHClient.exe	GET	200	23.37.13.218:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
2924	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
2924	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6544	svchost.exe	20.190.160.130:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	40.113.110.67:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3096	backgroundTaskHost.exe	104.126.37.123:443	www.bing.com	Akamai International B.V.	DE	whitelisted
6876	backgroundTaskHost.exe	20.223.35.26:443	fd.api.iris.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	23.35.238.131:443	go.microsoft.com	AKAMAI-AS	DE	whitelisted
5056	svchost.exe	23.35.238.131:443	go.microsoft.com	AKAMAI-AS	DE	whitelisted
5496	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6208	backgroundTaskHost.exe	20.199.58.43:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.184.238	whitelisted
settings-win.data.microsoft.com	4.231.128.59	whitelisted
login.live.com	20.190.160.130 20.190.160.132 40.126.32.68 20.190.160.65 20.190.160.14 20.190.160.3 20.190.160.5 40.126.32.134 20.190.160.17 20.190.160.4 40.126.32.140	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
www.bing.com	104.126.37.123 104.126.37.128 104.126.37.171 104.126.37.185 104.126.37.178 104.126.37.186 104.126.37.177 104.126.37.129 104.126.37.179 104.126.37.146 104.126.37.154 104.126.37.145 104.126.37.162 104.126.37.155 104.126.37.153 104.126.37.147	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted
go.microsoft.com	23.35.238.131	whitelisted
arc.msn.com	20.199.58.43	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
slscr.update.microsoft.com	20.109.210.53	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

WMSPLUSDB2_2025-02-25_15_45_32.424.zip

F1B14D8C5ABC51B9F46FFBD018BEF76E

5273FB89C74BBE1D107D62484A327A772CC4096B

384EC4FDC26248FBDFFB078471501DC182D506A5563DBA92B9ECE2A64B5F958E

1536:Nx3oo9KBlyxQY2vaio6XgYWNLEtQYYob3QNPnzwBgIYs+lWR+L/:33oo0BlyxQTvHH1QAugTCk1+cR+b

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LYNX has been detected

RANSOMWARE has been detected

Renames files like ransomware

Unusual execution from MS Office

SUSPICIOUS

The process creates files with name similar to system file names

The process executes via Task Scheduler

Creates file in the systems drive root

Executes as Windows Service

INFO

Reads the computer name

Checks current location (POWERSHELL)

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the software policy settings

Checks proxy server information

Creates files or folders in the user directory

Checks supported languages

Uses string replace method (POWERSHELL)

Gets data length (POWERSHELL)

Creates files in the program directory

Create files in a temporary directory

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings