File name:

GoodbyeDPI0.2.3rc3-Launcher9.1.zip

Full analysis: https://app.any.run/tasks/89aaea65-9326-4e38-8a36-288e11252b61
Verdict: Malicious activity
Analysis date: October 16, 2024, 07:05:56
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-scr
arch-doc
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

F08666F948AD6882C7FB3FC2F70A3CAA

SHA1:

F0966A3DAA4434123774EC062A0976246AC6B1F2

SHA256:

5D270C0AEA0A7D9ECE474F92CCF23CBB8CAB6B1B88209A3CC72B65BFABBE83D5

SSDEEP:

98304:3gL+Yw/vLkBqrMjeQK2LIWMjSdY67Dh24zbn4H+xrDVkXHsTCkBxMhatGSjcSDJX:8JLRGOm+P2o3M0qeQa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • OpenWith.exe (PID: 6284)
  • SUSPICIOUS

    • Application launched itself

      • cmd.exe (PID: 4088)
    • Starts application with an unusual extension

      • cmd.exe (PID: 5580)
      • cmd.exe (PID: 4088)
      • cmd.exe (PID: 4340)
    • The process executes VB scripts

      • cmd.exe (PID: 4340)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 4088)
  • INFO

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 6284)
    • Manual execution by a user

      • cmd.exe (PID: 5580)
      • goodbyedpi.exe (PID: 6408)
      • cmd.exe (PID: 4088)
      • goodbyedpi.exe (PID: 3532)
      • Launcher for GoodbyeDPI.exe (PID: 6596)
      • goodbyedpi.exe (PID: 4808)
      • wscript.exe (PID: 700)
      • goodbyedpi.exe (PID: 7116)
      • Launcher for GoodbyeDPI.exe (PID: 5596)
      • cmd.exe (PID: 4340)
    • Checks supported languages

      • chcp.com (PID: 700)
      • chcp.com (PID: 6768)
    • Changes the display of characters in the console

      • cmd.exe (PID: 5580)
      • cmd.exe (PID: 4088)
      • cmd.exe (PID: 4340)
    • Checks operating system version

      • cmd.exe (PID: 4088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zan | BlueEyes Animation (41.5)
.xpi | Mozilla Firefox browser extension (24.6)
.zip | ZIP compressed archive (12.3)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:10:16 10:04:14
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: GoodbyeDPI 0.2.3rc3 - Launcher 9.1/
No data.
All screenshots are available in the full report
Total processes
152
Monitored processes
22
Malicious processes
0
Suspicious processes
1

Behavior graph

Processes in the graph, in order (the page marks processes that triggered no signature with "no specs"):

openwith.exe (no specs)
cmd.exe (no specs)
conhost.exe (no specs)
chcp.com (no specs)
cmd.exe (no specs)
conhost.exe (no specs)
chcp.com (no specs)
cmd.exe (no specs)
fsutil.exe (no specs)
goodbyedpi.exe (no specs)
goodbyedpi.exe
conhost.exe (no specs)
goodbyedpi.exe (no specs)
goodbyedpi.exe
conhost.exe (no specs)
cmd.exe (no specs)
conhost.exe (no specs)
chcp.com (no specs)
wscript.exe (no specs)
launcher for goodbyedpi.exe (no specs)
launcher for goodbyedpi.exe
wscript.exe (no specs)

Process information

PID: 512
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 700
CMD: chcp 1251
Path: C:\Windows\System32\chcp.com
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 700
CMD: "C:\WINDOWS\System32\WScript.exe" C:\Users\admin\Desktop\elevator.vbs
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1784
CMD: wscript elevator.vbs cmd /c "C:\Users\admin\Desktop\Config.cmd"
Path: C:\Windows\System32\wscript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
1
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1804
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: goodbyedpi.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2272
CMD: fsutil dirty query C:
Path: C:\Windows\System32\fsutil.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
fsutil.exe
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\fsutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
PID: 2312
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: goodbyedpi.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2888
CMD: C:\WINDOWS\system32\cmd.exe /c ver
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 3532
CMD: "C:\Users\admin\Desktop\goodbyedpi.exe"
Path: C:\Users\admin\Desktop\goodbyedpi.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\goodbyedpi.exe
c:\windows\system32\ntdll.dll
PID: 4088
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\GoodCheck.cmd" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
Total events
1 408
Read events
1 339
Write events
69
Delete events
0

Modification events

(PID) Process: (5596) Launcher for GoodbyeDPI.exe
Key: HKEY_CURRENT_USER\SOFTWARE\GoodbyeDPILauncher
Operation: write
Name: Autostart
Value: 0

(PID) Process: (5596) Launcher for GoodbyeDPI.exe
Key: HKEY_CURRENT_USER\SOFTWARE\GoodbyeDPILauncher
Operation: write
Name: Traybar
Value: 0

(PID) Process: (5596) Launcher for GoodbyeDPI.exe
Key: HKEY_CURRENT_USER\SOFTWARE\GoodbyeDPILauncher
Operation: write
Name: Lang
Value: 0

(PID) Process: (5596) Launcher for GoodbyeDPI.exe
Key: HKEY_CURRENT_USER\SOFTWARE\GoodbyeDPILauncher
Operation: write
Name: Trayanim
Value: 0

(PID) Process: (5596) Launcher for GoodbyeDPI.exe
Key: HKEY_CURRENT_USER\SOFTWARE\GoodbyeDPILauncher
Operation: write
Name: Trayclose
Value: 0

(PID) Process: (5596) Launcher for GoodbyeDPI.exe
Key: HKEY_CURRENT_USER\SOFTWARE\GoodbyeDPILauncher
Operation: write
Name: Autounblock
Value: 0

(PID) Process: (5596) Launcher for GoodbyeDPI.exe
Key: HKEY_CURRENT_USER\SOFTWARE\GoodbyeDPILauncher
Operation: write
Name: BOSSkey
Value: 0

(PID) Process: (5596) Launcher for GoodbyeDPI.exe
Key: HKEY_CURRENT_USER\SOFTWARE\GoodbyeDPILauncher
Operation: write
Name: RNDbar
Value: 1

(PID) Process: (5596) Launcher for GoodbyeDPI.exe
Key: HKEY_CURRENT_USER\SOFTWARE\GoodbyeDPILauncher
Operation: write
Name: BLupdt
Value: 0

(PID) Process: (5596) Launcher for GoodbyeDPI.exe
Key: HKEY_CURRENT_USER\SOFTWARE\GoodbyeDPILauncher
Operation: write
Name: UPDhide
Value: 0
Executable files
0
Suspicious files
1
Text files
1
Unknown types
0

Dropped files

PID: 4088
Process: cmd.exe
Filename: C:\Users\admin\Desktop\Logs\Log_GoodCheck_Wed_10-16-2024_07-06-15.txt
Type: text
MD5: 47E02A8FB34A209692F96FD10559D904
SHA256: 767DE545E7B4CD9F979376548E4EBB8192C30A919A6E4AFBD8CA24556F62F958

PID: 5596
Process: Launcher for GoodbyeDPI.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFB9E9DABC7375CC8F.TMP
Type: binary
MD5: B9346490A1EA2C4A54EA8DF1259FA309
SHA256: D0934CFED2FDFAB62080947C10C6B8F7B9442D527BECE2261911EC14FF62FC48
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
21
DNS requests
7
Threats
0

HTTP requests

PID: 3524
Process: RUXIMICS.exe
Method: GET
HTTP Code: 200
IP: 23.48.23.143:80
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
CN: unknown
Reputation: whitelisted

PID: 6944
Process: svchost.exe
Method: GET
HTTP Code: 200
IP: 23.48.23.143:80
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
CN: unknown
Reputation: whitelisted

PID: 3524
Process: RUXIMICS.exe
Method: GET
HTTP Code: 200
IP: 184.30.21.171:80
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
CN: unknown
Reputation: whitelisted

PID: 5488
Process: MoUsoCoreWorker.exe
Method: GET
HTTP Code: 200
IP: 23.48.23.143:80
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
CN: unknown
Reputation: whitelisted

PID: 6944
Process: svchost.exe
Method: GET
HTTP Code: 200
IP: 184.30.21.171:80
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
CN: unknown
Reputation: whitelisted

PID: 5488
Process: MoUsoCoreWorker.exe
Method: GET
HTTP Code: 200
IP: 184.30.21.171:80
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
CN: unknown
Reputation: whitelisted

Connections

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 6944
Process: svchost.exe
IP: 4.231.128.59:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID: 3524
Process: RUXIMICS.exe
IP: 4.231.128.59:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID: 5488
Process: MoUsoCoreWorker.exe
IP: 4.231.128.59:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 3524
Process: RUXIMICS.exe
IP: 23.48.23.143:80
Domain: crl.microsoft.com
ASN: Akamai International B.V.
CN: DE
Reputation: whitelisted

PID: 6944
Process: svchost.exe
IP: 23.48.23.143:80
Domain: crl.microsoft.com
ASN: Akamai International B.V.
CN: DE
Reputation: whitelisted

PID: 5488
Process: MoUsoCoreWorker.exe
IP: 23.48.23.143:80
Domain: crl.microsoft.com
ASN: Akamai International B.V.
CN: DE
Reputation: whitelisted

PID: 3524
Process: RUXIMICS.exe
IP: 184.30.21.171:80
Domain: www.microsoft.com
ASN: AKAMAI-AS
CN: DE
Reputation: whitelisted

PID: 6944
Process: svchost.exe
IP: 184.30.21.171:80
Domain: www.microsoft.com
ASN: AKAMAI-AS
CN: DE
Reputation: whitelisted

DNS requests

settings-win.data.microsoft.com: 4.231.128.59 (whitelisted)
google.com: 142.250.185.238 (whitelisted)
crl.microsoft.com: 23.48.23.143, 23.48.23.156 (whitelisted)
www.microsoft.com: 184.30.21.171 (whitelisted)
self.events.data.microsoft.com: 13.69.116.109 (whitelisted)

Threats

No threats detected
No debug info