File name:

Win8.Horror.Destructive 1.0.exe

Full analysis: https://app.any.run/tasks/6cbf297f-e1ed-467d-b6ba-795ed09b4499
Verdict: Malicious activity
Analysis date: January 18, 2024, 22:50:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

846D847D9B1247C57824D5D2601A7FAF

SHA1:

2119DCCEE1E98AF31FD193CF38BBFD8614F183BB

SHA256:

BA8FA2C240EDFC35C3078FCF31B87C0E1AF4404DFC1F52E0D5640EDB061355FC

SSDEEP:

393216:aoFns8VCLkTHRE2DHTwOQVAQZTN79BLaSaumPNC:a474IS2g/VTZPBuRPNC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Win8.Horror.Destructive 1.0.exe (PID: 2084)
      • Win8.Horror.Destructive 1.0.exe (PID: 1624)

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 980)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Win8.Horror.Destructive 1.0.exe (PID: 2084)
      • Win8.Horror.Destructive 1.0.exe (PID: 1624)

    • Reads the Internet Settings

      • Win8.Horror.Destructive 1.0.exe (PID: 2084)
      • Win8.Horror.Destructive 1.0.exe (PID: 1624)
      • wscript.exe (PID: 1832)
      • wscript.exe (PID: 980)
      • cmd.exe (PID: 1784)

    • The process executes VB scripts

      • Win8.Horror.Destructive 1.0.exe (PID: 2084)
      • Win8.Horror.Destructive 1.0.exe (PID: 1624)
      • cmd.exe (PID: 1784)

    • The executable file from the user directory is run by the CMD process

      • TrashMBR.exe (PID: 1636)
      • HorrorGui.exe (PID: 2260)

    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 1784)

    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 1784)

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 1832)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 1832)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 1832)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1784)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 1784)
      • HorrorGui.exe (PID: 2260)

  • INFO

    • Checks supported languages

      • Win8.Horror.Destructive 1.0.exe (PID: 2084)
      • Win8.Horror.Destructive 1.0.exe (PID: 1624)
      • TrashMBR.exe (PID: 1636)
      • HorrorGui.exe (PID: 2260)

    • Reads the computer name

      • Win8.Horror.Destructive 1.0.exe (PID: 2084)
      • Win8.Horror.Destructive 1.0.exe (PID: 1624)

    • Manual execution by a user

      • Win8.Horror.Destructive 1.0.exe (PID: 1624)

    • Create files in a temporary directory

      • Win8.Horror.Destructive 1.0.exe (PID: 2084)
      • Win8.Horror.Destructive 1.0.exe (PID: 1624)

    • Checks proxy server information

      • wscript.exe (PID: 980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35)
.exe | Win64 Executable (generic) (30.9)
.scr | Windows screen saver (14.6)
.dll | Win32 Dynamic Link Library (generic) (7.3)
.exe | Win32 Executable (generic) (5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:02:01 21:46:09+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 66048
InitializedDataSize: 12926464
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.6.6.6
ProductVersionNumber: 6.6.6.6
FileFlagsMask: 0x003f
FileFlags: Debug, Pre-release, Private build
FileOS: Windows 16-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileVersion: 6.6.6.6
ProductVersion: 6.6.6.6
ProductName: Win8.Horror.Destructive
InternalName: Malware
FileDescription: Windows 8 Horror Edition
CompanyName: HorrorTrojans
LegalCopyright: 2012-2021
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
67
Monitored processes
24
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start win8.horror.destructive 1.0.exe wscript.exe no specs win8.horror.destructive 1.0.exe wscript.exe no specs cmd.exe no specs reg.exe no specs bcdedit.exe no specs trashmbr.exe no specs taskkill.exe no specs takeown.exe no specs icacls.exe no specs icacls.exe no specs taskkill.exe no specs takeown.exe no specs icacls.exe no specs icacls.exe no specs taskkill.exe no specs takeown.exe no specs icacls.exe no specs icacls.exe no specs wscript.exe no specs horrorgui.exe no specs taskkill.exe no specs win8.horror.destructive 1.0.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
188takeown /f C:\Windows\system32\taskmgr.exeC:\Windows\System32\takeown.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Takes ownership of a file
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\takeown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
452icacls C:\Windows\system32\logonui.exe /grant "everyone":FC:\Windows\System32\icacls.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
796icacls C:\Windows\system32\taskmgr.exe /grant admin:FC:\Windows\System32\icacls.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
980"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\2FB6.tmp\music.vbs" C:\Windows\System32\wscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1380"C:\Windows\system32\wscript.exe" C:\Users\admin\AppData\Local\Temp\B.tmp\C.tmp\D.vbs //Nologo C:\Windows\System32\wscript.exeWin8.Horror.Destructive 1.0.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1384taskkill /f /im explorer.exeC:\Windows\System32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
1544bcdedit /delete {current}C:\Windows\System32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1624"C:\Users\admin\Desktop\Win8.Horror.Destructive 1.0.exe" C:\Users\admin\Desktop\Win8.Horror.Destructive 1.0.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\win8.horror.destructive 1.0.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
1636TrashMBR.exe C:\Users\admin\AppData\Local\Temp\2FB6.tmp\TrashMBR.execmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\2fb6.tmp\trashmbr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
1740reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
3 442
Read events
3 370
Write events
42
Delete events
30

Modification events

(PID) Process:(2084) Win8.Horror.Destructive 1.0.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2084) Win8.Horror.Destructive 1.0.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2084) Win8.Horror.Destructive 1.0.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2084) Win8.Horror.Destructive 1.0.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1624) Win8.Horror.Destructive 1.0.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1624) Win8.Horror.Destructive 1.0.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1624) Win8.Horror.Destructive 1.0.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1624) Win8.Horror.Destructive 1.0.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1832) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1832) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
4
Suspicious files
2
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
2084Win8.Horror.Destructive 1.0.exeC:\Users\admin\AppData\Local\Temp\B.tmp\clingclang.wav
MD5:
SHA256:
1624Win8.Horror.Destructive 1.0.exeC:\Users\admin\AppData\Local\Temp\2FB6.tmp\clingclang.wav
MD5:
SHA256:
1636TrashMBR.exe\Device\Harddisk0\DR0
MD5:
SHA256:
1624Win8.Horror.Destructive 1.0.exeC:\Users\admin\AppData\Local\Temp\2FB6.tmp\music.vbstext
MD5:8B703F9C48EB3724348AF746E7610061
SHA256:E8CD555C43973E3B2E6FA0E80D602ABC3D7C43A17BC51A6D0BA08E20EA3FEADD
1624Win8.Horror.Destructive 1.0.exeC:\Users\admin\AppData\Local\Temp\2FB6.tmp\TrashMBR.exeexecutable
MD5:87F09F4A202BF9C0ADCF6FED942AA703
SHA256:ACF8ABE9BD2F61840A247B4796EBEDAD20F69A85DBDF8A4100F5D7D306B064B1
1624Win8.Horror.Destructive 1.0.exeC:\Users\admin\AppData\Local\Temp\2FB6.tmp\Horror8.battext
MD5:36FCF85EC52716F5FD8EA625A11C13C6
SHA256:3ABA2D676284209730FF20B28A8415A3C41C88F402301B14437040BF2BAEBE0C
2084Win8.Horror.Destructive 1.0.exeC:\Users\admin\AppData\Local\Temp\B.tmp\HorrorGui.exeexecutable
MD5:B2653AA06A2253E8155EB81535B20E6A
SHA256:B4E106E22C4D3E51C87D3D5853298210572AB2834F5E2A0BEAF1DF7D96C57D29
2084Win8.Horror.Destructive 1.0.exeC:\Users\admin\AppData\Local\Temp\B.tmp\C.tmp\D.vbsbinary
MD5:3BAFC447CF86B66198F84690CB592ADB
SHA256:B96A442ADC718E9E0981B1C3BEA2C8172F6C5B2C8C1FECDA5C311C95728BAFFF
2084Win8.Horror.Destructive 1.0.exeC:\Users\admin\AppData\Local\Temp\B.tmp\TrashMBR.exeexecutable
MD5:87F09F4A202BF9C0ADCF6FED942AA703
SHA256:ACF8ABE9BD2F61840A247B4796EBEDAD20F69A85DBDF8A4100F5D7D306B064B1
2084Win8.Horror.Destructive 1.0.exeC:\Users\admin\AppData\Local\Temp\B.tmp\music.vbstext
MD5:8B703F9C48EB3724348AF746E7610061
SHA256:E8CD555C43973E3B2E6FA0E80D602ABC3D7C43A17BC51A6D0BA08E20EA3FEADD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Win8.Horror.Destructive 1.0.exe