File name: godwin.exe
Full analysis: https://app.any.run/tasks/4dd2ad35-3b0b-40bc-a0f2-18c610865215
Verdict: Malicious activity
Analysis date: December 09, 2023, 05:47:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: FFBA4F757FFCD3482B3F805BE48EC648
SHA1: 81E1B8C43291A3C0E223656A8522CFB57247E45E
SHA256: 011772096DA82FD28889B4D5BD5F2A3302CD941EC1BE761A734692215D33DCB4
SSDEEP: 6144:rgY4VjjZVVVwFjZUINVVVd4b1zsleyMU+pWDezwy7cPMl9lHRasmjUzfA:rJ4VjjZVVV4jTVVVdOutapkLyDmjN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • cmd.exe (PID: 4012)
    • Creates a writable file in the system directory

      • cmd.exe (PID: 4012)
      • notepad.exe (PID: 3148)
      • printfilterpipelinesvc.exe (PID: 2864)
    • Starts NET.EXE to view/add/change user profiles

      • cmd.exe (PID: 4012)
      • net.exe (PID: 3992)
      • net.exe (PID: 2744)
    • Starts NET.EXE to view/change users localgroup

      • cmd.exe (PID: 4012)
      • net.exe (PID: 1416)
  • SUSPICIOUS

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 2920)
      • cmd.exe (PID: 2072)
      • cmd.exe (PID: 4012)
    • Reads the Internet Settings

      • godwin.exe (PID: 1996)
      • godwin.exe (PID: 2520)
      • White0ut.exe (PID: 2808)
      • cmd.exe (PID: 4012)
      • mshta.exe (PID: 3736)
    • Starts CMD.EXE for commands execution

      • godwin.exe (PID: 1996)
      • godwin.exe (PID: 2520)
      • White0ut.exe (PID: 2808)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2920)
      • cmd.exe (PID: 2072)
      • cmd.exe (PID: 4012)
    • Executing commands from a ".bat" file

      • godwin.exe (PID: 1996)
      • godwin.exe (PID: 2520)
      • White0ut.exe (PID: 2808)
    • The process executes VB scripts

      • cmd.exe (PID: 4012)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 4012)
  • INFO

    • Checks supported languages

      • godwin.exe (PID: 1996)
      • mode.com (PID: 2620)
      • godwin.exe (PID: 2520)
      • mode.com (PID: 4088)
      • White0ut.exe (PID: 2808)
      • ONENOTE.EXE (PID: 3156)
    • Reads the computer name

      • godwin.exe (PID: 1996)
      • godwin.exe (PID: 2520)
      • White0ut.exe (PID: 2808)
      • ONENOTE.EXE (PID: 3156)
    • Create files in a temporary directory

      • godwin.exe (PID: 1996)
      • godwin.exe (PID: 2520)
      • White0ut.exe (PID: 2808)
      • notepad.exe (PID: 3148)
      • ONENOTE.EXE (PID: 3156)
    • Manual execution by a user

      • godwin.exe (PID: 2520)
      • White0ut.exe (PID: 2808)
    • Creates files in the program directory

      • cmd.exe (PID: 4012)
    • Creates files or folders in the user directory

      • printfilterpipelinesvc.exe (PID: 2864)
    • Reads Environment values

      • ONENOTE.EXE (PID: 3156)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 3736)
    • Reads the time zone

      • net1.exe (PID: 924)
    • Reads Microsoft Office registry keys

      • ONENOTE.EXE (PID: 3156)
    • Reads the machine GUID from the registry

      • ONENOTE.EXE (PID: 3156)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35)
.exe | Win64 Executable (generic) (30.9)
.scr | Windows screen saver (14.6)
.dll | Win32 Dynamic Link Library (generic) (7.3)
.exe | Win32 Executable (generic) (5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:07:30 18:14:56+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 28160
InitializedDataSize: 203776
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 183
Monitored processes: 133
Malicious processes: 2
Suspicious processes: 2

Behavior graph

Processes in the graph, in start order (the "no specs" tags of the interactive rendering are dropped; long runs of identical commands are collapsed):

godwin.exe, cmd.exe, mode.com, attrib.exe, reg.exe, reg.exe,
godwin.exe (second run), cmd.exe, mode.com, attrib.exe, reg.exe, reg.exe,
white0ut.exe, cmd.exe, attrib.exe (x2), wscript.exe, reg.exe (x3), attrib.exe (x2), taskkill.exe (x2), attrib.exe (x4),
tskill.exe (a long run of repeated calls), attrib.exe (a long run of repeated calls),
xcopy.exe, net1.exe, net.exe, net.exe, net1.exe, net.exe, net1.exe, notepad.exe, printfilterpipelinesvc.exe, attrib.exe, wscript.exe, onenote.exe, tskill.exe, attrib.exe, mshta.exe

Process information

The report page shows the following ten processes; the complete list is in the full report. All ten were started by cmd.exe (the interpreter of the dropped batch script) as user admin at HIGH integrity, and all are Microsoft Corporation system utilities, so at the process level the chain looks like routine administration and has to be judged on command lines and sequence.

PID 280: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\White0ut.vbs"
  Path: C:\Windows\System32\wscript.exe; parent: cmd.exe; user: admin; integrity level: HIGH
  Description: Microsoft ® Windows Based Script Host; version 5.8.7600.16385; exit code 0
  Modules: c:\windows\system32\wscript.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID 292: tskill /A ESAFE
  Path: C:\Windows\System32\tskill.exe; parent: cmd.exe; user: admin; integrity level: HIGH
  Description: Remote Desktop Services End Process Utility; version 6.1.7600.16385 (win7_rtm.090713-1255); exit code 1
  Modules: c:\windows\system32\tskill.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\winsta.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll

PID 304: tskill /A ewid*
  Path: C:\Windows\System32\tskill.exe; parent: cmd.exe; user: admin; integrity level: HIGH
  Description: Remote Desktop Services End Process Utility; version 6.1.7600.16385 (win7_rtm.090713-1255); exit code 1
  Modules: same as PID 292

PID 664: Attrib White0ut.vbs +H +R
  Path: C:\Windows\System32\attrib.exe; parent: cmd.exe; user: admin; integrity level: HIGH
  Description: Attribute Utility; version 6.1.7600.16385 (win7_rtm.090713-1255); exit code 0
  Modules: c:\windows\system32\attrib.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ulib.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll

PID 668: tskill /A mghtml
  Path: C:\Windows\System32\tskill.exe; parent: cmd.exe; user: admin; integrity level: HIGH
  Description: Remote Desktop Services End Process Utility; version 6.1.7600.16385 (win7_rtm.090713-1255); exit code 1
  Modules: same as PID 292

PID 732: tskill /A msmp*
  Path: C:\Windows\System32\tskill.exe; parent: cmd.exe; user: admin; integrity level: HIGH
  Description: Remote Desktop Services End Process Utility; version 6.1.7600.16385 (win7_rtm.090713-1255); exit code 1
  Modules: same as PID 292

PID 752: Attrib "C:\Users\AnonLoad\AppData\Roaming\Check Point Software Technologies LTD" -r -s -h
  Path: C:\Windows\System32\attrib.exe; parent: cmd.exe; user: admin; integrity level: HIGH
  Description: Attribute Utility; version 6.1.7600.16385 (win7_rtm.090713-1255); exit code 0
  Modules: same as PID 664

PID 824: tskill /A outpost
  Path: C:\Windows\System32\tskill.exe; parent: cmd.exe; user: admin; integrity level: HIGH
  Description: Remote Desktop Services End Process Utility; version 6.1.7600.16385 (win7_rtm.090713-1255); exit code 1
  Modules: same as PID 292

PID 844: tskill /A cpd*
  Path: C:\Windows\System32\tskill.exe; parent: cmd.exe; user: admin; integrity level: HIGH
  Description: Remote Desktop Services End Process Utility; version 6.1.7600.16385 (win7_rtm.090713-1255); exit code 1
  Modules: same as PID 292

PID 916: Attrib C:\Windows\White0ut.exe +H +R
  Path: C:\Windows\System32\attrib.exe; parent: cmd.exe; user: admin; integrity level: HIGH
  Description: Attribute Utility; version 6.1.7600.16385 (win7_rtm.090713-1255); exit code 0
  Modules: same as PID 664

Notes on the command lines:
- The six tskill /A calls target ESAFE, ewid*, mghtml, msmp*, outpost and cpd*, process names associated with security products (msmp* covers MsMpEng.exe, the Windows Defender engine); /A ends matching processes in all sessions. Every call exited with code 1, consistent with no matching process running on the analysis VM. The behaviour graph shows a much longer run of such calls than the ten entries listed here.
- attrib +H +R on White0ut.vbs and on C:\Windows\White0ut.exe marks the dropped script and executable hidden and read-only, so they do not appear in a default Explorer view and resist casual deletion.
- attrib -r -s -h strips protection from a Check Point Software Technologies profile directory under C:\Users\AnonLoad, a hard-coded profile name that is not the analysis VM's user (admin); the script carries paths from an environment other than the one it ran in.
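The process table above is a list of signed Windows utilities; what makes it malicious is the command lines and their sequence. The following is an added example (not part of the ANY.RUN report) of detection rules over process-creation events that express those patterns: a burst of tskill/taskkill calls from one parent, kill targets that match security-product process names, attrib hiding a freshly dropped executable or script, attrib unprotecting a path under a user profile other than the one the process runs as, and a script host launched on a .vbs from a user directory. SAMPLE_EVENTS is constructed from the ten processes listed above; the parent PID 4012 is an assumption taken from the cmd.exe that the indicators attribute these actions to, the last two events are constructed benign controls, and the record layout is our own, loosely modelled on a Sysmon process-creation event rather than any format the report uses.

```python
"""Command-line detection for the LOLBin chain in the process table above.

Added example, not part of the ANY.RUN report. SAMPLE_EVENTS is constructed
from the ten processes the report page lists; parent PID 4012 is an assumption
(the cmd.exe the indicators attribute these actions to) and the last two
events are constructed benign controls.
"""
import fnmatch
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional


class ProcEvent(NamedTuple):
    pid: int
    image: str        # executable basename, as logged
    cmdline: str
    parent_pid: int
    user: str         # account the process ran as


# Kill targets taken verbatim from the report's tskill calls: process names associated
# with security products (msmp* matches MsMpEng.exe, the Windows Defender engine).
AV_KILL_TARGETS = ("esafe", "ewid*", "mghtml", "msmp*", "outpost", "cpd*")
PAYLOAD_EXTENSIONS = (".exe", ".vbs", ".bat", ".cmd", ".js", ".scr")
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
KILL_SWEEP_THRESHOLD = 5   # kills launched by one parent before we call it a sweep

SAMPLE_EVENTS = [
    ProcEvent(280, "wscript.exe", r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\White0ut.vbs"', 4012, "admin"),
    ProcEvent(292, "tskill.exe", "tskill /A ESAFE", 4012, "admin"),
    ProcEvent(304, "tskill.exe", "tskill /A ewid*", 4012, "admin"),
    ProcEvent(664, "attrib.exe", "Attrib White0ut.vbs +H +R", 4012, "admin"),
    ProcEvent(668, "tskill.exe", "tskill /A mghtml", 4012, "admin"),
    ProcEvent(732, "tskill.exe", "tskill /A msmp*", 4012, "admin"),
    ProcEvent(752, "attrib.exe", r'Attrib "C:\Users\AnonLoad\AppData\Roaming\Check Point Software Technologies LTD" -r -s -h', 4012, "admin"),
    ProcEvent(824, "tskill.exe", "tskill /A outpost", 4012, "admin"),
    ProcEvent(844, "tskill.exe", "tskill /A cpd*", 4012, "admin"),
    ProcEvent(916, "attrib.exe", r"Attrib C:\Windows\White0ut.exe +H +R", 4012, "admin"),
    # Constructed benign controls: a user marking a document read-only, and a single taskkill.
    ProcEvent(5000, "attrib.exe", r"attrib +R C:\Users\admin\Documents\notes.txt", 1234, "admin"),
    ProcEvent(5001, "taskkill.exe", "taskkill /F /IM notepad.exe", 1234, "admin"),
]


def tokens(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def kill_target(ev: ProcEvent) -> Optional[str]:
    """Process name or wildcard a tskill/taskkill event tries to end, lower-cased."""
    img = ev.image.lower()
    args = tokens(ev.cmdline)[1:]
    if img == "tskill.exe":                       # tskill [/A] <name|pid>
        names = [a for a in args if not a.startswith("/")]
        return names[0].lower() if names else None
    if img == "taskkill.exe":                     # taskkill ... /IM <name>
        for i, a in enumerate(args[:-1]):
            if a.upper() == "/IM":
                return args[i + 1].lower()
    return None


def targets_security_product(target: str) -> bool:
    return any(fnmatch.fnmatchcase(target, pat) for pat in AV_KILL_TARGETS)


def analyze(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map PID -> names of the rules that fired. The sweep rule fires on the parent PID."""
    hits: Dict[int, List[str]] = defaultdict(list)
    kills_per_parent: Counter = Counter()
    for ev in events:
        img = ev.image.lower()
        args = tokens(ev.cmdline)[1:]
        target = kill_target(ev)
        if target is not None:
            kills_per_parent[ev.parent_pid] += 1
            if targets_security_product(target):
                hits[ev.pid].append("av_kill")
        if img == "attrib.exe":
            flags = {a.lower() for a in args if a[:1] in ("+", "-")}
            paths = [a for a in args if a[:1] not in ("+", "-")]
            # Hiding a freshly written executable or script is the report's "+H +R" pattern.
            if "+h" in flags and any(p.lower().endswith(PAYLOAD_EXTENSIONS) for p in paths):
                hits[ev.pid].append("hide_payload")
            # Stripping protection under someone else's profile (C:\Users\AnonLoad while
            # running as admin) points at a hard-coded path from the author's environment.
            for p in paths:
                m = re.match(r"(?i)[a-z]:\\users\\([^\\]+)\\", p)
                if m and m.group(1).lower() != ev.user.lower() and flags & {"-h", "-s", "-r"}:
                    hits[ev.pid].append("foreign_profile_unprotect")
        if img in ("wscript.exe", "cscript.exe"):
            if any(a.lower().endswith(SCRIPT_EXTENSIONS)
                   and re.search(r"(?i)\\(desktop|downloads|appdata|temp)\\", a) for a in args):
                hits[ev.pid].append("script_host_user_dir")
    for parent, n in kills_per_parent.items():
        if n >= KILL_SWEEP_THRESHOLD:
            hits[parent].append("kill_sweep")
    return dict(hits)


if __name__ == "__main__":
    for pid, rules in sorted(analyze(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(rules))
```

Run on the constructed events, the six tskill calls each fire av_kill and their shared parent 4012 fires kill_sweep, the two +H +R calls fire hide_payload, the AnonLoad call fires foreign_profile_unprotect, and wscript.exe on the Desktop .vbs fires script_host_user_dir; the two control events fire nothing. The sweep rule counts kills per parent rather than per process because the individual tskill calls are indistinguishable from a help-desk script; it is the volume from one parent that is abnormal.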
Total events: 4,674
Read events: 4,590
Write events: 84
Delete events: 0

Modification events

The page shows the first ten registry writes (all under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap); the rest are in the full report.

PID 1996 godwin.exe: write ProxyBypass = 1
PID 1996 godwin.exe: write IntranetName = 1
PID 1996 godwin.exe: write UNCAsIntranet = 1
PID 1996 godwin.exe: write AutoDetect = 0
PID 2520 godwin.exe: write ProxyBypass = 1
PID 2520 godwin.exe: write IntranetName = 1
PID 2520 godwin.exe: write UNCAsIntranet = 1
PID 2520 godwin.exe: write AutoDetect = 0
PID 2808 White0ut.exe: write ProxyBypass = 1
PID 2808 White0ut.exe: write IntranetName = 1

These ZoneMap values are the Internet Explorer / WinINet intranet-zone mapping settings. The same four keys, written by every instance of the sample as it starts, are typical of a process initialising WinINet rather than of a deliberate proxy or zone change; on their own they are weak evidence, and the registry changes that matter for this sample are the ones made through reg.exe (see "Uses REG/REGEDIT.EXE to modify registry"), which the page does not itemise.
Executable files: 16
Suspicious files: 2
Text files: 14
Unknown types: 0

Dropped files

PID 2808 White0ut.exe: C:\Users\admin\AppData\Local\Temp\361E.tmp\White0ut.bat (type: text)
  MD5: F632C6E188930BFB10825B57DDEE294D
  SHA256: A8DB2F83691E9311B17EFAEACE4F5CF9525728D7D6B985C67463FE8F1B9FB142
PID 1996 godwin.exe: C:\Users\admin\AppData\Local\Temp\FBE8.tmp\godwin.bat (type: html)
  MD5: CF46FA79CEC2E4C6B9474DE386C1AAFA
  SHA256: F469EEB8ABD2200AACDB7A81B0659DD93FEB670792C27BC93A26D431FF37023E
PID 2520 godwin.exe: C:\Users\admin\AppData\Local\Temp\4303.tmp\godwin.bat (type: html)
  MD5: CF46FA79CEC2E4C6B9474DE386C1AAFA
  SHA256: F469EEB8ABD2200AACDB7A81B0659DD93FEB670792C27BC93A26D431FF37023E
PID 4012 cmd.exe: C:\Error.vbs (type: text)
  MD5: B2BA6753110A1E9986C60FA34B878C9C
  SHA256: 98BEAA169B35775EE0531B96159ADE7FF9EF9626448A110DF0926EF87FFE2063
PID 4012 cmd.exe: C:\Windows\System32\drivers\etc\hosts (type: text)
  MD5: 412DE842DB54EC98CB38C5C8441360C4
  SHA256: 309B045D83C3506B33911106A2A8B5949C51782DE711BD79F20A375A962E8948
PID 2920 cmd.exe: C:\godwin\Error.vbs (type: text)
  MD5: B2BA6753110A1E9986C60FA34B878C9C
  SHA256: 98BEAA169B35775EE0531B96159ADE7FF9EF9626448A110DF0926EF87FFE2063
PID 4012 cmd.exe: C:\Users\admin\AppData\Local\Temp\White0ut.exe (type: executable)
  MD5: 2686DA8406740D51A4A72BAB8D65FE7B
  SHA256: 3A626D8213CAB1DC8E4AAE38BD35EC7CCFD7532FDB7A99E0E696722770FC23E1
PID 4012 cmd.exe: C:\Program Files\White0ut.exe (type: executable)
  MD5: 2686DA8406740D51A4A72BAB8D65FE7B
  SHA256: 3A626D8213CAB1DC8E4AAE38BD35EC7CCFD7532FDB7A99E0E696722770FC23E1
PID 4012 cmd.exe: C:\Users\admin\Music\White0ut.exe (type: executable)
  MD5: 2686DA8406740D51A4A72BAB8D65FE7B
  SHA256: 3A626D8213CAB1DC8E4AAE38BD35EC7CCFD7532FDB7A99E0E696722770FC23E1
PID 4012 cmd.exe: C:\Users\admin\AppData\White0ut.exe (type: executable)
  MD5: 2686DA8406740D51A4A72BAB8D65FE7B
  SHA256: 3A626D8213CAB1DC8E4AAE38BD35EC7CCFD7532FDB7A99E0E696722770FC23E1

Notes on the dropped files:
- Both runs of godwin.exe (PIDs 1996 and 2520) write an identical godwin.bat into a fresh %TEMP%\<hex>.tmp\ directory and execute it (see "Executing commands from a .bat file"); the executable is a wrapper around a batch script, and White0ut.exe (PID 2808) does the same with White0ut.bat. The "html" type for godwin.bat is the sandbox's file-type guess, not a different file.
- cmd.exe (PID 4012) writes the same White0ut.exe (MD5 2686DA8406740D51A4A72BAB8D65FE7B) to four locations: the user's Temp directory, C:\Program Files, C:\Users\admin\Music and C:\Users\admin\AppData. One hash at several unrelated paths is the pattern to hunt for on a suspect host: hash the volume and group by digest, rather than checking the four paths the sandbox happened to see.
- cmd.exe (PID 4012) also writes C:\Windows\System32\drivers\etc\hosts and C:\Error.vbs. The hosts hash is of the file after the write; the page does not show what was added, so any name-resolution tampering has to be confirmed from the full report or from the file itself.
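The list above gives the hashes of the dropped files and shows the same White0ut.exe written to four locations. The following is an added example (not part of the ANY.RUN report) of a hash-based sweep that uses those values: it hashes every file under the given roots, matches SHA-256 against the report's dropped-file hashes, groups hits by digest so a payload copied to several places is reported once with all its paths, and records the hidden/system/read-only attributes (populated only on Windows, where os.stat exposes st_file_attributes). build_sample_tree() is a constructed stand-in for an infected volume: it writes a placeholder file, not the real sample, to the same relative paths the report shows, and the placeholder's digest is added to the IOC set only so that the demo has something to match.

```python
"""Hash-based sweep for the dropped files listed above.

Added example, not part of the ANY.RUN report. REPORT_IOCS holds SHA-256
values copied from the dropped-files list; the sample tree is constructed
and its placeholder payload is not the real White0ut.exe.
"""
import hashlib
import stat
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# SHA-256 values copied from the report; the label is the file name the report gives.
REPORT_IOCS: Dict[str, str] = {
    "3A626D8213CAB1DC8E4AAE38BD35EC7CCFD7532FDB7A99E0E696722770FC23E1": "White0ut.exe",
    "A8DB2F83691E9311B17EFAEACE4F5CF9525728D7D6B985C67463FE8F1B9FB142": "White0ut.bat",
    "F469EEB8ABD2200AACDB7A81B0659DD93FEB670792C27BC93A26D431FF37023E": "godwin.bat",
    "98BEAA169B35775EE0531B96159ADE7FF9EF9626448A110DF0926EF87FFE2063": "Error.vbs",
}

# Where the report shows cmd.exe (PID 4012) writing White0ut.exe, relative to the drive root.
REPORTED_DROP_PATHS = (
    "Users/admin/AppData/Local/Temp/White0ut.exe",
    "Program Files/White0ut.exe",
    "Users/admin/Music/White0ut.exe",
    "Users/admin/AppData/White0ut.exe",
)


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256; upper-case hex to match the report's notation."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def win_attributes(path: Path) -> List[str]:
    """hidden/system/readonly flags from st_file_attributes; empty on non-Windows hosts."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    found = []
    for bit, name in ((stat.FILE_ATTRIBUTE_HIDDEN, "hidden"),
                      (stat.FILE_ATTRIBUTE_SYSTEM, "system"),
                      (stat.FILE_ATTRIBUTE_READONLY, "readonly")):
        if attrs & bit:
            found.append(name)
    return found


def sweep(roots: Iterable[str], iocs: Dict[str, str]) -> Dict[str, dict]:
    """Return {sha256: {"label", "paths", "attributes"}} for every file whose digest is in iocs."""
    findings: Dict[str, dict] = {}
    for root in roots:
        for p in Path(root).rglob("*"):
            if not p.is_file():
                continue
            try:
                digest = sha256_file(p)
            except OSError:        # locked or unreadable file: skip it, do not abort the sweep
                continue
            if digest in iocs:
                entry = findings.setdefault(digest, {"label": iocs[digest], "paths": [], "attributes": {}})
                entry["paths"].append(str(p))
                entry["attributes"][str(p)] = win_attributes(p)
    return findings


def build_sample_tree(base: str) -> str:
    """Constructed stand-in volume; returns the digest of the placeholder payload."""
    payload = b"placeholder standing in for White0ut.exe (constructed, not the sample)\n"
    for rel in REPORTED_DROP_PATHS:
        dst = Path(base, rel)
        dst.parent.mkdir(parents=True, exist_ok=True)
        dst.write_bytes(payload)
    control = Path(base, "Users/admin/Documents/notes.txt")      # benign file that must not match
    control.parent.mkdir(parents=True, exist_ok=True)
    control.write_text("benign control file\n")
    return hashlib.sha256(payload).hexdigest().upper()


def demo() -> Dict[str, List[str]]:
    """Sweep the stand-in tree; returns {label: sorted paths relative to the tree root}."""
    with tempfile.TemporaryDirectory() as tmp:
        stand_in = build_sample_tree(tmp)
        iocs = dict(REPORT_IOCS)
        iocs[stand_in] = "White0ut.exe (constructed stand-in)"   # demo-only entry
        findings = sweep([tmp], iocs)
        return {f["label"]: sorted(Path(p).relative_to(tmp).as_posix() for p in f["paths"])
                for f in findings.values()}


if __name__ == "__main__":
    for label, paths in demo().items():
        print(f"{label}: {len(paths)} copies")
        for p in paths:
            print("   ", p)
```

On a real host, point sweep() at the drive roots with REPORT_IOCS as given; the demo adds the placeholder's digest only because its contents are not the real sample, so none of the report's hashes can match it. Grouping by digest is what surfaces the four-copy pattern: a per-path check would report four unrelated alerts, or miss a fifth copy the sandbox never saw.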
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      Destination            Domain / ASN / CN   Reputation
-     -            224.0.0.252:5355       -                   unknown
4     System       192.168.100.255:137    -                   whitelisted
4     System       192.168.100.255:138    -                   whitelisted
2588  svchost.exe  239.255.255.250:1900   -                   whitelisted
1080  svchost.exe  224.0.0.252:5355       -                   unknown

All five connections are local multicast or broadcast discovery traffic from Windows itself (LLMNR on UDP 5355, NetBIOS name and datagram service on 137/138, SSDP on 1900) originating from the System process and svchost.exe, not from the sample. The sample made no HTTP and no DNS requests during the run, so the report shows no command-and-control or download activity; the behaviour is driven entirely by the embedded batch script.

DNS requests

No data

Threats

No threats detected
No debug info