download:

/details/winxp.horror.destructive

Full analysis: https://app.any.run/tasks/230d05bc-d215-47a0-a9f2-3ba2ffb6f711
Verdict: Malicious activity
Analysis date: May 09, 2024, 16:02:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/html
File info: HTML document, Unicode text, UTF-8 text, with very long lines (3252)
MD5:

2C8C5C872D9F28BAF481833E58721AF3

SHA1:

CD10AA956CC07FF8536490673F902E5C3008D089

SHA256:

F4656B0B3A633E9343BE673629B2366A91A168EE5C58CB507139BE52B6B3D832

SSDEEP:

1536:8HeW6aVNSad8mkVuzK4DCeqR4DOllzPODm30vD932ns4DNaP+OLwwemtfQDRdV6D:8HebdmBKtxllrvDPa9Lwe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Manual execution by a user

      • wmpnscfg.exe (PID: 1292)

    • Application launched itself

      • iexplore.exe (PID: 3980)

    • Reads the computer name

      • wmpnscfg.exe (PID: 1292)

    • Checks supported languages

      • wmpnscfg.exe (PID: 1292)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.htm/html | HyperText Markup Language with DOCTYPE (80.6)
.html | HyperText Markup Language (19.3)

EXIF

HTML

Title: Windows XP Horror Edition (Destructive & Peaceful) WobbyChip : Free Download, Borrow, and Streaming : Internet Archive
Viewport: width=device-width, initial-scale=1.0
GoogleSiteVerification: bpjKvUvsX0lxfmjg19TLblckWkDpnptZEYsBntApxUk
Description: The Peaceful Version won't destroy your computer.But the Destructive Version Will.
Monetization: $ilp.uphold.com/D7BwPKMQzBiD
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1292"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3980"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\winxp.horror.destructive.htmlC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
4040"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3980 CREDAT:144385 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
13 253
Read events
13 070
Write events
122
Delete events
61

Modification events

(PID) Process:(3980) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(3980) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
(PID) Process:(3980) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
31105578
(PID) Process:(3980) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(3980) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
31105578
(PID) Process:(3980) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3980) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3980) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3980) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3980) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
0
Suspicious files
18
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
3980iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{9F996389-0E1D-11EF-9E36-12A9866C77DE}.datbinary
MD5:A1DC341E31EAC2C2A466E366E4E2C2EA
SHA256:CFF07FA56394DBEB5BA6C3E05BB4276D76427D6C0B8E707D75914176DCD873E9
4040iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A8E0227FFABCACA986369EFE89AED7AD_4591C3474D361E5F4B44A32E0DFAF2CEder
MD5:9633AB6B6A254C0D191B084C4AE0AC98
SHA256:668CB0ABCD4FF4A2D1D0D5B917E7F97506F0B362AACC61A90ECC7028F2E2A398
4040iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771der
MD5:76CE9255B7B483DE3A3D3D26161EE9EC
SHA256:69267554BC2580E2CA56937D03403264620EAD7CB4251EDF9F4C82BFAB826486
4040iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A8E0227FFABCACA986369EFE89AED7AD_4591C3474D361E5F4B44A32E0DFAF2CEbinary
MD5:95F908CA997C3CCB99A15557D4CD06D8
SHA256:FED4F3AC6AFDAAC8C3B2DF7BCCFDFE338687E1E04F4EFECA2A5C4DD36C33F383
3980iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{9F99638B-0E1D-11EF-9E36-12A9866C77DE}.datbinary
MD5:DB22C8729F7A47000A5B497510446668
SHA256:5CA2226185DAD32BA350A271D9C3A94D37B172EBE53F3C38C491EB4E3D223CA9
4040iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2Dbinary
MD5:2E69AB29929E637801A9BF12744D0827
SHA256:53EB8726CF08F1A16B157B9E2DC95E01A628703D91B480D302E08269B7BAAE35
4040iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\polyfill.min[1].jsbinary
MD5:48B45F07EDB2FD87D64FA8F6230C4FDC
SHA256:4D512E8BEC11531E9B0D1C23C395E6F596CFF69AED6DB904B59857B9BD1B7008
3980iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118Ader
MD5:7538BD861A4ECDA56F31B86345272E18
SHA256:23ADCEA01982D94CAFF7BC5B4FF3097C150EFF131CDFC5752C57D1D384BB59A0
3980iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[1].icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3980iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118Abinary
MD5:0D600E65B0EF8F23FDED579D3E41CD5A
SHA256:DE9F4AD97FEC32F5AA5C796F7D5F64D1BD5177976725C09B3C4C0A5AEC34D1AC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
12
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4040
iexplore.exe
GET
304
95.101.74.222:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?098b2ca3f74ef2d4
unknown
4040
iexplore.exe
GET
304
95.101.74.219:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d1fc3241a5fb83c4
unknown
4040
iexplore.exe
GET
200
192.124.249.23:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
unknown
3980
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D
unknown
4040
iexplore.exe
GET
200
192.124.249.23:80
http://ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCBK8svF0vc0%2F
unknown
4040
iexplore.exe
GET
200
192.124.249.23:80
http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
unknown
4
System
192.168.100.255:138
unknown
224.0.0.252:5355
unknown
4
System
207.241.224.2:445
archive.org
INTERNET-ARCHIVE
US
unknown
4040
iexplore.exe
207.241.239.241:443
polyfill.archive.org
INTERNET-ARCHIVE
US
unknown
4040
iexplore.exe
95.101.74.222:80
ctldl.windowsupdate.com
Akamai International B.V.
NL
unknown
4040
iexplore.exe
95.101.74.219:80
ctldl.windowsupdate.com
Akamai International B.V.
NL
unknown
4040
iexplore.exe
192.124.249.23:80
ocsp.godaddy.com
SUCURI-SEC
US
unknown
3980
iexplore.exe
95.101.74.52:443
www.bing.com
Akamai International B.V.
NL
unknown
3980
iexplore.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
unknown

DNS requests

Domain
IP
Reputation
archive.org
  • 207.241.224.2
unknown
polyfill.archive.org
  • 207.241.239.241
unknown
ctldl.windowsupdate.com
  • 95.101.74.222
  • 95.101.74.219
unknown
ocsp.godaddy.com
  • 192.124.249.23
  • 192.124.249.24
  • 192.124.249.22
  • 192.124.249.41
  • 192.124.249.36
unknown
api.bing.com
  • 13.107.5.80
unknown
www.bing.com
  • 95.101.74.52
  • 95.101.74.53
  • 95.101.74.57
  • 95.101.74.56
  • 95.101.74.55
  • 95.101.74.48
  • 95.101.74.51
  • 95.101.74.46
  • 95.101.74.50
unknown
ocsp.digicert.com
  • 192.229.221.95
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
/details/winxp.horror.destructive