File name:

Virus.9X.WinNuke.exe

Full analysis: https://app.any.run/tasks/c6e08f94-de3e-43f5-9c97-2945b4bf8af6
Verdict: Malicious activity
Analysis date: February 13, 2024, 16:03:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

EB9324121994E5E41F1738B5AF8944B1

SHA1:

AA63C521B64602FA9C3A73DADD412FDAF181B690

SHA256:

2F1F93EDE80502D153E301BAF9B7F68E7C7A9344CFA90CFAE396AAC17E81CE5A

SSDEEP:

384:4cr14oKDP9KDviKDeTngwz9zmDAQE4KDJKDv5KDPP4vWeh:92FgwBzMAbb3k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Virus.9X.WinNuke.exe (PID: 1384)
      • csc.exe (PID: 3092)
      • csc.exe (PID: 3960)
      • csc.exe (PID: 2408)
      • csc.exe (PID: 1784)
      • csc.exe (PID: 2172)

    • Starts Visual C# compiler

      • sdiagnhost.exe (PID: 120)
      • sdiagnhost.exe (PID: 712)

  • SUSPICIOUS

    • Probably uses Microsoft diagnostics tool to execute malicious payload

      • pcwrun.exe (PID: 3460)

    • Process drops legitimate windows executable

      • msdt.exe (PID: 2332)

    • Reads settings of System Certificates

      • msdt.exe (PID: 2332)

    • Reads the Internet Settings

      • sdiagnhost.exe (PID: 120)
      • msdt.exe (PID: 2332)
      • sdiagnhost.exe (PID: 712)

    • Uses .NET C# to load dll

      • sdiagnhost.exe (PID: 120)
      • sdiagnhost.exe (PID: 712)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 3092)
      • csc.exe (PID: 3960)
      • csc.exe (PID: 2408)
      • csc.exe (PID: 1784)
      • csc.exe (PID: 2172)

    • Uses RUNDLL32.EXE to load library

      • msdt.exe (PID: 2332)

    • The process executes via Task Scheduler

      • Virus.9X.WinNuke.exe (PID: 1824)
      • Virus.9X.WinNuke.exe (PID: 980)
      • Virus.9X.WinNuke.exe (PID: 3400)
      • Virus.9X.WinNuke.exe (PID: 2148)
      • Virus.9X.WinNuke.exe (PID: 2644)
      • Virus.9X.WinNuke.exe (PID: 2900)
      • Virus.9X.WinNuke.exe (PID: 1340)
      • Virus.9X.WinNuke.exe (PID: 1864)
      • Virus.9X.WinNuke.exe (PID: 880)
      • Virus.9X.WinNuke.exe (PID: 1772)

  • INFO

    • Manual execution by a user

      • explorer.exe (PID: 2160)
      • pcwrun.exe (PID: 3460)
      • Virus.9X.WinNuke.exe (PID: 2308)

    • Create files in a temporary directory

      • msdt.exe (PID: 2332)
      • pcwrun.exe (PID: 3460)
      • sdiagnhost.exe (PID: 120)
      • csc.exe (PID: 3092)
      • cvtres.exe (PID: 2572)
      • csc.exe (PID: 3960)
      • cvtres.exe (PID: 3940)
      • csc.exe (PID: 2408)
      • cvtres.exe (PID: 2896)
      • sdiagnhost.exe (PID: 712)
      • csc.exe (PID: 1784)
      • cvtres.exe (PID: 1728)
      • csc.exe (PID: 2172)
      • cvtres.exe (PID: 1232)

    • Reads security settings of Internet Explorer

      • msdt.exe (PID: 2332)
      • sdiagnhost.exe (PID: 120)
      • sdiagnhost.exe (PID: 712)

    • Reads the software policy settings

      • msdt.exe (PID: 2332)

    • Drops the executable file immediately after the start

      • msdt.exe (PID: 2332)

    • Checks supported languages

      • csc.exe (PID: 3092)
      • cvtres.exe (PID: 2572)
      • csc.exe (PID: 3960)
      • cvtres.exe (PID: 3940)
      • csc.exe (PID: 2408)
      • cvtres.exe (PID: 2896)
      • csc.exe (PID: 1784)
      • cvtres.exe (PID: 1728)
      • csc.exe (PID: 2172)
      • cvtres.exe (PID: 1232)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 3092)
      • cvtres.exe (PID: 2572)
      • csc.exe (PID: 3960)
      • cvtres.exe (PID: 3940)
      • csc.exe (PID: 2408)
      • cvtres.exe (PID: 2896)
      • csc.exe (PID: 1784)
      • csc.exe (PID: 2172)
      • cvtres.exe (PID: 1728)
      • cvtres.exe (PID: 1232)

    • Creates files or folders in the user directory

      • msdt.exe (PID: 2332)
      • sdiagnhost.exe (PID: 120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 5 (83)
.exe | Win64 Executable (generic) (10.4)
.dll | Win32 Dynamic Link Library (generic) (2.4)
.exe | Win32 Executable (generic) (1.7)
.exe | Win16/32 Executable Delphi generic (0.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1999:04:08 11:12:43+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 4.2
CodeSize: 17920
InitializedDataSize: 18432
UninitializedDataSize: -
EntryPoint: 0x1138
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Ksc-Wimol Internet Branch
ProductName: WinNuke 98 Attacking
FileVersion: 1
ProductVersion: 1
InternalName: WinNuke98
OriginalFileName: WinNuke98.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
81
Monitored processes
32
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start virus.9x.winnuke.exe no specs explorer.exe no specs pcwrun.exe no specs msdt.exe no specs sdiagnhost.exe no specs csc.exe cvtres.exe no specs csc.exe cvtres.exe no specs csc.exe cvtres.exe no specs rundll32.exe no specs virus.9x.winnuke.exe no specs virus.9x.winnuke.exe rundll32.exe no specs virus.9x.winnuke.exe no specs virus.9x.winnuke.exe rundll32.exe no specs virus.9x.winnuke.exe no specs rundll32.exe no specs virus.9x.winnuke.exe virus.9x.winnuke.exe no specs virus.9x.winnuke.exe rundll32.exe no specs virus.9x.winnuke.exe no specs virus.9x.winnuke.exe sdiagnhost.exe no specs csc.exe cvtres.exe no specs csc.exe cvtres.exe no specs virus.9x.winnuke.exe

Process information

PID
CMD
Path
Indicators
Parent process
120C:\Windows\System32\sdiagnhost.exe -EmbeddingC:\Windows\System32\sdiagnhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Scripted Diagnostics Native Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sdiagnhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
712C:\Windows\System32\sdiagnhost.exe -EmbeddingC:\Windows\System32\sdiagnhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Scripted Diagnostics Native Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sdiagnhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
880C:\Users\admin\AppData\Local\Temp\Virus.9X.WinNuke.exe C:\Users\admin\AppData\Local\Temp\Virus.9X.WinNuke.exe
taskeng.exe
User:
admin
Company:
Ksc-Wimol Internet Branch
Integrity Level:
HIGH
Exit code:
3221225781
Version:
1.00
Modules
Images
c:\users\admin\appdata\local\temp\virus.9x.winnuke.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
980C:\Users\admin\AppData\Local\Temp\Virus.9X.WinNuke.exe C:\Users\admin\AppData\Local\Temp\Virus.9X.WinNuke.exetaskeng.exe
User:
admin
Company:
Ksc-Wimol Internet Branch
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\users\admin\appdata\local\temp\virus.9x.winnuke.exe
c:\windows\system32\ntdll.dll
1232C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES93DF.tmp" "c:\Users\admin\AppData\Local\Temp\CSC93CF.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.5003 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
1340C:\Users\admin\AppData\Local\Temp\Virus.9X.WinNuke.exe C:\Users\admin\AppData\Local\Temp\Virus.9X.WinNuke.exe
taskeng.exe
User:
admin
Company:
Ksc-Wimol Internet Branch
Integrity Level:
HIGH
Exit code:
3221225781
Version:
1.00
Modules
Images
c:\users\admin\appdata\local\temp\virus.9x.winnuke.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
1384"C:\Users\admin\AppData\Local\Temp\Virus.9X.WinNuke.exe" C:\Users\admin\AppData\Local\Temp\Virus.9X.WinNuke.exeexplorer.exe
User:
admin
Company:
Ksc-Wimol Internet Branch
Integrity Level:
MEDIUM
Exit code:
3221225781
Version:
1.00
Modules
Images
c:\users\admin\appdata\local\temp\virus.9x.winnuke.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
1576"C:\Windows\System32\rundll32.exe" C:\Windows\system32\pcwutl.dll,CreateAndRunTask -path "C:\Users\admin\AppData\Local\Temp\Virus.9X.WinNuke.exe"C:\Windows\System32\rundll32.exemsdt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
1728C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES9372.tmp" "c:\Users\admin\AppData\Local\Temp\CSC9371.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.5003 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
1772C:\Users\admin\AppData\Local\Temp\Virus.9X.WinNuke.exe C:\Users\admin\AppData\Local\Temp\Virus.9X.WinNuke.exetaskeng.exe
User:
admin
Company:
Ksc-Wimol Internet Branch
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\users\admin\appdata\local\temp\virus.9x.winnuke.exe
c:\windows\system32\ntdll.dll
Total events
10 231
Read events
10 174
Write events
57
Delete events
0

Modification events

(PID) Process:(2332) msdt.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(120) sdiagnhost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(120) sdiagnhost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(120) sdiagnhost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(120) sdiagnhost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(120) sdiagnhost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Operation:writeName:C:\Users\admin\AppData\Local\Temp\Virus.9X.WinNuke.exe
Value:
# WINXPSP2
(PID) Process:(2332) msdt.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2332) msdt.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2332) msdt.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2332) msdt.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
9
Suspicious files
17
Text files
43
Unknown types
10

Dropped files

PID
Process
Filename
Type
2332msdt.exeC:\Users\admin\AppData\Local\Temp\SDIAG_2ebb98b0-002f-4153-8b06-854a2285cd42\en-US\DiagPackage.dll.muiexecutable
MD5:C31BD28AB34E75BC65A5458AC8D37539
SHA256:5FB9E280013D58043C5689478F9DCFAD3212F4681534627EB33998DDD6F63308
2332msdt.exeC:\Users\admin\AppData\Local\Temp\SDIAG_2ebb98b0-002f-4153-8b06-854a2285cd42\en-US\CL_LocalizationData.psd1text
MD5:863DC7FD9D5E14BB639EAAF596D64416
SHA256:97EB6F256A278FF10B200FA6E248B7A89BA956D9F533D138302C7F3721A95D8E
2332msdt.exeC:\Users\admin\AppData\Local\Temp\SDIAG_2ebb98b0-002f-4153-8b06-854a2285cd42\VF_ProgramCompatibilityWizard.ps1text
MD5:C219205ABF50BB950B93D0824D483780
SHA256:5284D805B918F161565150EC64B787E4EA681DE69B1AD832F316F94DB6DBCB75
120sdiagnhost.exeC:\Users\admin\AppData\Local\Temp\zlahgo-g.cmdlinetext
MD5:F1EA44BA117798051715F0CCA7689186
SHA256:E873796A7EE66265E6DA549D5877E04EAAD927DAEE6B8A5E574240414015BD57
3460pcwrun.exeC:\Users\admin\AppData\Local\Temp\PCW5CF0.xmlxml
MD5:80681B26E76818EC8BB3F99F3C1B1D97
SHA256:B32857E34DD8099890EC37E3D642C8738D942DEBA5FB85C0EDCB09FADCB7F0C2
2332msdt.exeC:\Users\admin\AppData\Local\Temp\SDIAG_2ebb98b0-002f-4153-8b06-854a2285cd42\RS_ProgramCompatibilityWizard.ps1text
MD5:367FE5F4C6DB87E1600F46687E5AAC54
SHA256:177625AC9B07BBFFCBBB47101C2D1121F47B03B42226861BFD7974B9CEBC0C98
120sdiagnhost.exeC:\Users\admin\AppData\Local\Temp\8qtckfk8.cmdlinetext
MD5:FDA956BE896DBA9913AD26926BC16DC2
SHA256:7D97630C8F021E85E0C862A646C7F2AC175A3CDEF1BA3DEA43ABE2F09972C6A6
2332msdt.exeC:\Users\admin\AppData\Local\Temp\SDIAG_2ebb98b0-002f-4153-8b06-854a2285cd42\TS_ProgramCompatibilityWizard.ps1text
MD5:46E22C2582B54BE56D80D7A79FEC9BB5
SHA256:459AF2960B08E848573D45A7350223657ADB2115F24A3C37E69FFE61DEA647F9
2332msdt.exeC:\Users\admin\AppData\Local\Temp\SDIAG_2ebb98b0-002f-4153-8b06-854a2285cd42\DiagPackage.diagpkghtml
MD5:18A906A43C1C3E27064DB30C81505234
SHA256:041430D1F0AE14300C46BDCD917C882F4850DA3D6010E3FBF692023655BC406E
2332msdt.exeC:\Users\admin\AppData\Local\Temp\SDIAG_2ebb98b0-002f-4153-8b06-854a2285cd42\result\results.xslxml
MD5:310E1DA2344BA6CA96666FB639840EA9
SHA256:67401342192BABC27E62D4C1E0940409CC3F2BD28F77399E71D245EAE8D3F63C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
Process
Message
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Virus.9X.WinNuke.exe