Malware Analysis Report

2024-10-16 05:00

Sample ID 240727-w53e7ssgrn
Target goodbyedpi-0.2.2.zip
SHA256 00a2f8b99cd817f8c7fc4c449033015f039d18af213de78cb66bf202277c0628
Tags
discovery dropper
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

00a2f8b99cd817f8c7fc4c449033015f039d18af213de78cb66bf202277c0628

Threat Level: Likely malicious

The file goodbyedpi-0.2.2.zip was found to be: Likely malicious.

Malicious Activity Summary

discovery dropper

Download via BitsAdmin

Drops file in System32 directory

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-27 18:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-27 18:31

Reported

2024-07-27 18:45

Platform

win10v2004-20240709-en

Max time kernel

426s

Max time network

445s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\1_russia_blacklist_dnsredir.cmd"

Signatures

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4828 wrote to memory of 4292 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86_64\goodbyedpi.exe
PID 4828 wrote to memory of 4292 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86_64\goodbyedpi.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\1_russia_blacklist_dnsredir.cmd"

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86_64\goodbyedpi.exe

goodbyedpi.exe -5 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist ..\russia-blacklist.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

memory/4292-0-0x00007FF6EE230000-0x00007FF6EE24B000-memory.dmp

memory/4292-1-0x0000000062800000-0x000000006280D000-memory.dmp

memory/4292-4-0x00007FF6EE230000-0x00007FF6EE24B000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-27 18:31

Reported

2024-07-27 18:46

Platform

win10v2004-20240709-en

Max time kernel

432s

Max time network

437s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\2_any_country_dnsredir.cmd"

Signatures

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3100 wrote to memory of 3300 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86_64\goodbyedpi.exe
PID 3100 wrote to memory of 3300 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86_64\goodbyedpi.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\2_any_country_dnsredir.cmd"

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86_64\goodbyedpi.exe

goodbyedpi.exe -5 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

memory/3300-0-0x00007FF7F33E0000-0x00007FF7F33FB000-memory.dmp

memory/3300-1-0x0000000062800000-0x000000006280D000-memory.dmp

memory/3300-2-0x00007FF7F33E0000-0x00007FF7F33FB000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-27 18:31

Reported

2024-07-27 18:51

Platform

win10v2004-20240709-en

Max time kernel

411s

Max time network

444s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86\WinDivert64.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86\WinDivert64.sys

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86\WinDivert64.sys

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86\WinDivert64.sys

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

memory/3868-0-0x0000000000010000-0x000000000001E000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-07-27 18:31

Reported

2024-07-27 18:54

Platform

win10v2004-20240709-en

Max time kernel

423s

Max time network

434s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86_64\WinDivert.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86_64\WinDivert.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
IE 52.111.236.21:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-27 18:31

Reported

2024-07-27 18:35

Platform

win10v2004-20240709-en

Max time kernel

200s

Max time network

206s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\0_russia_update_blacklist_file.cmd"

Signatures

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\goodbyedpi-0.2.2\x86\goodbyedpi.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133665787692847960" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4648 wrote to memory of 4864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 4648 wrote to memory of 4864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 116 wrote to memory of 2272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 2272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 372 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 3792 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 3792 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4736 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\0_russia_update_blacklist_file.cmd"

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer blacklist https://antizapret.prostovpn.org/domains-export.txt "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\russia-blacklist.txt"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff0891cc40,0x7fff0891cc4c,0x7fff0891cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1956,i,4265260795918522493,9928880294531295133,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1952 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1816,i,4265260795918522493,9928880294531295133,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2116 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,4265260795918522493,9928880294531295133,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2340 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,4265260795918522493,9928880294531295133,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3160 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,4265260795918522493,9928880294531295133,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3192 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4424,i,4265260795918522493,9928880294531295133,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4412 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,4265260795918522493,9928880294531295133,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4852 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4988,i,4265260795918522493,9928880294531295133,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4972 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=240,i,4265260795918522493,9928880294531295133,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5260 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3364,i,4265260795918522493,9928880294531295133,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3172 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3252,i,4265260795918522493,9928880294531295133,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5444 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\goodbyedpi-0.2.2\x86_64\goodbyedpi.exe

"C:\Users\Admin\Desktop\goodbyedpi-0.2.2\x86_64\goodbyedpi.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5224,i,4265260795918522493,9928880294531295133,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3136 /prefetch:8

C:\Users\Admin\Desktop\goodbyedpi-0.2.2\x86_64\goodbyedpi.exe

"C:\Users\Admin\Desktop\goodbyedpi-0.2.2\x86_64\goodbyedpi.exe"

C:\Users\Admin\Desktop\goodbyedpi-0.2.2\x86\goodbyedpi.exe

"C:\Users\Admin\Desktop\goodbyedpi-0.2.2\x86\goodbyedpi.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 antizapret.prostovpn.org udp
LV 195.123.208.131:443 antizapret.prostovpn.org tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 131.208.123.195.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 227.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 234.75.250.142.in-addr.arpa udp
FR 172.217.20.196:443 www.google.com tcp
FR 172.217.20.196:443 www.google.com tcp
FR 172.217.20.196:443 www.google.com tcp
FR 172.217.20.196:443 www.google.com udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
FR 142.250.178.142:443 clients2.google.com udp
N/A 224.0.0.251:5353 udp
FR 142.250.178.142:443 clients2.google.com tcp
US 8.8.8.8:53 142.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
FR 172.217.20.170:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 170.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 dns-tunnel-check.googlezip.net udp
US 8.8.8.8:53 tunnel.googlezip.net udp
US 216.239.34.157:443 tunnel.googlezip.net tcp
US 8.8.8.8:53 157.34.239.216.in-addr.arpa udp
US 216.239.34.157:443 tunnel.googlezip.net tcp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
US 8.8.8.8:53 consent.google.com udp
FR 142.250.179.110:443 consent.google.com tcp
US 8.8.8.8:53 110.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 185.199.111.133:443 user-images.githubusercontent.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 185.199.111.133:443 user-images.githubusercontent.com tcp
US 185.199.111.133:443 user-images.githubusercontent.com tcp
US 185.199.111.133:443 user-images.githubusercontent.com tcp
US 185.199.111.133:443 user-images.githubusercontent.com tcp
US 185.199.111.133:443 user-images.githubusercontent.com tcp
US 8.8.8.8:53 154.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
FR 172.217.20.170:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 collector.github.com udp
US 185.199.110.154:443 github.githubassets.com tcp
FR 172.217.20.170:443 content-autofill.googleapis.com udp
US 140.82.114.21:443 collector.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 140.82.114.21:443 collector.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 21.114.82.140.in-addr.arpa udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp

Files

\??\pipe\crashpad_116_ISYYDLPVYPDKPVGG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 e635a25546e0255c503d3036e71c8d84
SHA1 596909fa659c8abc41d4be19c6524092444ca048
SHA256 a093ea9f3a5395ed0f5068563fddba6bef28b52a76c92043319e3160277ff355
SHA512 d362e41addb7e2894432463adee408f61573ae3f49251b6770ea9f26c52cae58ebba8ab9c95fb4c2309be66442c5d798d58131c1b293c91d30cee3a8d7909792

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 0b903edd2767ba3ab9320548e76f2993
SHA1 426999745f55c151e0b8d51f5634cf86b0c08870
SHA256 0a98fdaeaa4b1873dcd125ecebe6fdbed146069f4a0e1215e7b17ce358a99090
SHA512 4bc369c2add0fc415baaf22d25a87b9e12c4988456237346ee0dd7be78d1f74a1bf658c05f7f378e10159812ebfdae037dd2a6738e0d8d956c549e08ca76935c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 64b1ee21e7bc1ae40197bd406c695c2c
SHA1 7212c3e2b3b5124f994a9e04ed064b1bff9264ca
SHA256 9f70b8d0da7c65e11df2bcf9f3c3a557a7f7978e3b55f65ecd62ff33ac60d975
SHA512 840fb56951f8a1f622a7bc9794c5fed5f4a37d12881ad9081e75765904c7f9a6275b0a05ff9dd9a299dc1b420d435bbb9435ffd6133ef7f56927a8924a9bfa24

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 85255969cbc8cd2ca42217103125c627
SHA1 ffee25a2e960fe6efefac1e8bd1fc07a2adf542f
SHA256 c8b047d2908c34584f7847208e4aaeb7dfdde605d7e05c7070cf575df68ac38c
SHA512 68fd8414491481250ce1ce22a3e7de8746a311e8f6acbdb9181add5952a8f25452cd159f2310350b854d20b356b0c9855d40a2555ab2195c8e3d1d815cea0716

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 cb68a228bcb2c6af19a6d16a9c2d89d7
SHA1 677b29e5b88cde496809e8b68fcc1f2d5f1806f5
SHA256 f71314f12f6a3df4e289a0f752aa33433dfa3e9f6a71038a1594b0c41d62319b
SHA512 b06191af71930635ab302a40c554a86b0f0f1688829bf4db39bdc52f8920dc7faf0c92e94453903df9b5056507dade4132164a9f4140c5a1c7152bc99ae0ec59

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ab48d70154d50a14e5b17dd64e112fad
SHA1 6fc6227195d6eb3b2df82e3b8e3488fb8c752484
SHA256 a8d02c684c19e452b4a98ce9172945443bf736c401d7838024ee13bd8ea534b7
SHA512 900177119d33dea0a56343a0cbca9a54e7d8a38b28ed99ef1ca80ee9584305a0684b9280f37e087cf7bae5a74292d313102cb6dfc66c67bbed3a2aa5f04fc4b7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 f9538c1881993c88977df528292f0e8f
SHA1 627e91f60f317ebfdfa6a9a77a97e00c15b2ebc7
SHA256 b9a8199f2c1118803906fcd41cd8db40fed903e5fcc81eae927b33bb3ca922ba
SHA512 b6b7c17da6c17133d34829b79feb5b919a0b66db952e4e6c3f28222c74dc0893b98f6be7ee87509cb3464de8ea9f01d5ae3bad9d36464188d4646b33118df3cb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

MD5 5ac828ee8e3812a5b225161caf6c61da
SHA1 86e65f22356c55c21147ce97903f5dbdf363649f
SHA256 b70465f707e42b41529b4e6d592f136d9eb307c39d040d147ad3c42842b723e7
SHA512 87472912277ae0201c2a41edc228720809b8a94599c54b06a9c509ff3b4a616fcdd10484b679fa0d436e472a8fc062f4b9cf7f4fa274dde6d10f77d378c06aa6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 dfcd0771ff1b34307b71277b1eb22d66
SHA1 31fd2695fed65b93fd1b6d9778c0c1e1d35e8073
SHA256 700829e600d930da7fa5c960bd37c764f01d62c951c13ec29c73fa739baef3e5
SHA512 7be9cdeb689884b41758ff8bbdb99c48bf057048040cd20709a2dc0a519f38990869f39bb1a23e57020a2ad788e100fd7c0b9d112ea39a4a7af52cbe6a294e72

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a6d422f3038ea1c45d08b10104ec3d8d
SHA1 0b912e6a7b347ae59c148baab54dd32d304ce7a5
SHA256 3edf9b2007451cac3bc607221b025dda20fd0f7da95f66eeda94b8cbcac4b758
SHA512 289225dae13569425c86e35d021e816a4f9ee3c7cf14a55fb65da057a45910d5ebb465c6cb6ea8d50d6bdbac5e26f45849f0e6b92e0f9b748b5648d62ff46206

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 85fd6d69167db233346a41834830f5a9
SHA1 9e5f048d3f981454a67fc845f9ef8101e2696358
SHA256 90ca66d9cb8d9bbe757b01f66821694b2b51417e7ceb0592f6a6cbd38ccb38e0
SHA512 8006558f128b0d5a2d4ad213a9128800832b065d8cd30f2159bfac1d785643cc111bc5ea5dcec08aa50021f3da743aa573ca133da26ade95edf1302d4d157a42

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 7079fd37dac5f65c68249ac453d3e15d
SHA1 ffa277670df7ff33edf7c8add974930cabddfe71
SHA256 1d823cd95c39f3887411540d15731504b0895dd13a1729f14bd9af449b6c7674
SHA512 2a212aa6ca5ba39bca8a7d44f5a81bb7666a19688395451cc6a4063d51779b047b47b61c0d1b754febdc75adadf11671c06195d2627c1c7a3e0bf35b89021d39

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 22210211352f8a3cb28398791a61a486
SHA1 42589aab9ccab9de6d8cec9d68b2fe00517bc3f1
SHA256 1a07a4b3984be44d7eec1115768d8344b0274b41d467a2224c35d7f8f73ecc90
SHA512 df1efd62c0a0261b169c50b81e7d226d09f537a1d0ee5a531cf67484353d92ca2a5b37a8453f7e114068be0777862dcb6ca1f06efdc515cb15a5f53a4aa35082

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 96cc8384b89aabf854fc42f36ebb5e2c
SHA1 1bc0099d41eb3401a9f21f651113ed40b03c0a43
SHA256 0f4a7c048c51e0d5121fe12abbb4a87d0966d908fdeacf2cd72e10bbb3f68370
SHA512 8302741fe9bc705ae5060edf7d71c586bb1d9c1bc31c424fdd0fc039944c5e41b6de935cb1cac84347c2ae5642758aac373afe7cd26a8c9825edeaaccdc5fd3a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 0df8e3f3bad084d3ea7e4609e46bee23
SHA1 b03b80bf7cc26af8580d8a821ef8eccf55fa42f9
SHA256 54012c235ba259997db63c07fc43d7457e4ad36f7ce4221310cf2fc4ebf5db45
SHA512 88f4b30d1562bd29bad89ff361b08a22eb7f0dede1cf9cbca34f3449c318e07cb82e6e84dbdec61bae88028a1d30fb996b67812cf97bc946bfda1dc69f996e51

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 a366e1dfcc3b265771768647df74a27c
SHA1 dc0c5226558d6c54a66eb77bdad71985ccc5259f
SHA256 6023ce1312a1b7d327aef2a7a69158f012308a7679ae2dd2f4decd1723f8b88f
SHA512 76a295b60b7fd8875936d650b7653a34613158e2083a3e8f1d0d956de800be13847aae879a0661e654f43ad90ab16729d7e4164fb19e4ae1f62f95d9be710e0f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 bfe0def4079dbb63cdf2f0d6cd3dc932
SHA1 b1322e5dc8401e2b0c6d9eb94ac8f6d5911d183a
SHA256 2a446592aca6472078075432776bea740480006c80f4398032baed72c90fcbd2
SHA512 c8f0653bcf9440823100f0b4f6c4ad6c342d79bac3a60da0e42f0b4a7d834ba069663cf910d8ca037e63ddb94fca902b8ab3e59e37b646cad4bf7a236becc233

C:\Users\Admin\Downloads\goodbyedpi-0.2.2.zip

MD5 6d4ebf84f120505d335b95e7e234a43f
SHA1 61b3541f3c342fd8d709e8b0a781a395a8c41b6a
SHA256 00a2f8b99cd817f8c7fc4c449033015f039d18af213de78cb66bf202277c0628
SHA512 42bd5fe30de433148383d7d9aaf573baaff8d9f3eb14aab3a4f2f4ad19c395d0b54ff9762f05cc5e39abf7c4f555bfe43ec91f6e1b5cf9fe49c6a481431da6df

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f6d330cfc97be226943001811e22bf3c
SHA1 0bcffd215e828e17e40aa09dae129f653ff969f8
SHA256 3f4022b6a71696ddce6a4ab769feef165909badfc127d4d393a085ba7344c7bb
SHA512 ba54612796f526c48d0b7ad0ccb9f19d4d404ac2bef58ce4a631460d3b825cc822732c8d4ca80eb2e1febc9d9c26bf167a30b0e156e6f112f27efefde1c99d48

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f1c7928669426197169ff236b83ef3bf
SHA1 2d30e4142ebb85995c6c5ae8fd533dad05ab5770
SHA256 780306caecc54144665a0be6cdd23bb736fad9453116dd0f2e56766a06cb6f83
SHA512 254b223e6e1ba0cf6e249c67e942daaec82c3c13adc9d35af99515ef1d384998518d9ec2cda1be113f6a6060a75c57f0b1bd5c8caf10b1a4dcdd7b3551a38b93

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 3dff08601b60d533df0bfa5f11d9862c
SHA1 b817b9dafc67cef3c3f37a7cdb6928a3e50139a0
SHA256 6a4346dfbc01c4db34b5db372a753c26267a5ec6fd3a01cb24810c8896692ab5
SHA512 1638ee2c8fb2771445604798ced58a3d8cda3b5c7dbdd7033d6398a8562b96cb5d093edc97d81a9465fd69c4583d0148bc16930100b4a61b03571c7f986aa29a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4a246f43a397f1e98222f4b371862f5f
SHA1 e48796b91afaf2c66790d391855f33bc0830ca33
SHA256 012864b51565bbbd38c2bd74402def3fb30b0a04d50aa3b3790a7d99fcbfd0a2
SHA512 95fdb3795a64562af7daa7f045583b4de9b4dae8c44a8443060cf4652e5c7558f7e79206693550d20918e312df1b50ab3012c0830f4615705988816e62381da2

memory/548-382-0x00007FF707690000-0x00007FF7076AB000-memory.dmp

memory/548-383-0x0000000062800000-0x000000006280D000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2931acd4063e1bd22faba27b440f43ce
SHA1 da76f88dab618b8fdab64543a5c2723b8d7d6092
SHA256 5f5b908fd87d3c754abace61e6d6f39e3b82621bf1e2db54298ebf405063c1ea
SHA512 2533d32cb71cf677cc80943d0733f0617dacd93a7dbe84d7a939f6e30fa35512aa2c4ed5a07fde6483431bd55305f7a6dbf7d490e21398852d27f9eda6e09f55

memory/548-400-0x00007FF707690000-0x00007FF7076AB000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 0a0638aa34ddf02982bb6ef7cd5b8abc
SHA1 bbcc17537e4c5b198fb0bd205fccba55207ab138
SHA256 a6ce02a0c5abc7c6de2ce8f6a9b3d601b59293a7288d797065520bf3705a80f8
SHA512 f802cba064ff73318905b40fafad8e23a16c6af9c7d80d1f5c44e8b5deda2323dd8d3b082d15fc391a78c3a777385c487b720665ada1cf95e610294a450fd230

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 26ef12b4d90dcd56f8c3faa1bd1daf3f
SHA1 aa3dff99059332cc03d5fea5c93d7fe751ca73bc
SHA256 6351bdd3cf1f3ebd4b690a5ec0eb40e042e9402cfcce69c02fa908971dec058a
SHA512 f5092880c6d3ac50db3e78eef6f36e7c20b662c5607d2c118f83c7654c45ecfb326f34b447912984ee11cb33a6ae28c9ce18cbe0dc3ecf1a9cbc1215e6006d98

memory/804-420-0x00007FF707690000-0x00007FF7076AB000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 917505608bc87a9cf96a80c0aba42c4d
SHA1 5cc376ea4dfa41fa8fbd52eb46f6e53f3f248d62
SHA256 0c4d72fda6f9aaa03c887a40e8fc31cf1b4e27db1baa5f9c0bbdbaa788264bd1
SHA512 04bac8b332f5d53b7a13e434613749f704cefeb02fea2aeae97fe5a996726464569c457d94171f5c762c5249c95504bad728469100914bcd4fcf1b8c533d6f2f

memory/2124-431-0x000000003F950000-0x000000003F969000-memory.dmp

memory/2124-432-0x0000000063D40000-0x0000000063D4B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 fafc3e5b117d78c3a171403b63cbf784
SHA1 bf1c5869a65db62254071aefae6f313d9cc74261
SHA256 5884bfb17b0a717db16d9d93789a90926928a372ab7ebb9ff5e64c54f1296a16
SHA512 a2f45d5531fe3dd6bbfcd2aeaf55eeca20e9bd3cf62a94fbc5631ea90ae0eae65d696d9e5bbfa3bf9321e014aa3c5fb1a3c3dcd3cc837217263de8b0e018f638

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-27 18:31

Reported

2024-07-27 18:44

Platform

win10v2004-20240709-en

Max time kernel

432s

Max time network

437s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\1_russia_blacklist.cmd"

Signatures

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1552 wrote to memory of 1892 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86_64\goodbyedpi.exe
PID 1552 wrote to memory of 1892 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86_64\goodbyedpi.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\1_russia_blacklist.cmd"

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86_64\goodbyedpi.exe

goodbyedpi.exe -5 --blacklist ..\russia-blacklist.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

memory/1892-0-0x00007FF66B3B0000-0x00007FF66B3CB000-memory.dmp

memory/1892-1-0x0000000062800000-0x000000006280D000-memory.dmp

memory/1892-2-0x00007FF66B3B0000-0x00007FF66B3CB000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-27 18:31

Reported

2024-07-27 18:46

Platform

win10v2004-20240709-en

Max time kernel

417s

Max time network

430s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\service_install_russia_blacklist_dnsredir.cmd"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\service_install_russia_blacklist_dnsredir.cmd"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-27 18:31

Reported

2024-07-27 18:47

Platform

win10v2004-20240709-en

Max time kernel

426s

Max time network

431s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\service_remove.cmd"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\service_remove.cmd"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-27 18:31

Reported

2024-07-27 18:48

Platform

win10v2004-20240709-en

Max time kernel

435s

Max time network

442s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86\WinDivert32.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86\WinDivert32.sys

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86\WinDivert32.sys

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86\WinDivert32.sys

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files

memory/3648-0-0x0000000000010000-0x000000000001B000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-07-27 18:31

Reported

2024-07-27 18:54

Platform

win10v2004-20240709-en

Max time kernel

433s

Max time network

440s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86_64\WinDivert64.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86_64\WinDivert64.sys

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86_64\WinDivert64.sys

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86_64\WinDivert64.sys

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 34.197.79.40.in-addr.arpa udp

Files

memory/3164-0-0x0000000000010000-0x000000000001E000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-07-27 18:31

Reported

2024-07-27 18:55

Platform

win10v2004-20240709-en

Max time kernel

428s

Max time network

442s

Command Line

"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86_64\goodbyedpi.exe"

Signatures

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86_64\goodbyedpi.exe

"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86_64\goodbyedpi.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 19.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 201.201.50.20.in-addr.arpa udp

Files

memory/4948-0-0x00007FF7DE290000-0x00007FF7DE2AB000-memory.dmp

memory/4948-1-0x0000000062800000-0x000000006280D000-memory.dmp

memory/4948-2-0x00007FF7DE290000-0x00007FF7DE2AB000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-27 18:31

Reported

2024-07-27 18:45

Platform

win10v2004-20240709-en

Max time kernel

435s

Max time network

441s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\2_any_country.cmd"

Signatures

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3504 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86_64\goodbyedpi.exe
PID 3504 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86_64\goodbyedpi.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\2_any_country.cmd"

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86_64\goodbyedpi.exe

goodbyedpi.exe -5

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

memory/1472-0-0x00007FF61A1B0000-0x00007FF61A1CB000-memory.dmp

memory/1472-1-0x0000000062800000-0x000000006280D000-memory.dmp

memory/1472-2-0x00007FF61A1B0000-0x00007FF61A1CB000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-27 18:31

Reported

2024-07-27 18:45

Platform

win10v2004-20240709-en

Max time kernel

428s

Max time network

437s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\service_install_russia_blacklist.cmd"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\service_install_russia_blacklist.cmd"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-27 18:31

Reported

2024-07-27 18:47

Platform

win10v2004-20240709-en

Max time kernel

424s

Max time network

428s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86\WinDivert.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3992 wrote to memory of 3016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3992 wrote to memory of 3016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3992 wrote to memory of 3016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86\WinDivert.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86\WinDivert.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 20.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-27 18:31

Reported

2024-07-27 18:54

Platform

win10v2004-20240709-en

Max time kernel

420s

Max time network

446s

Command Line

"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86\goodbyedpi.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86\goodbyedpi.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86\goodbyedpi.exe

"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.2\x86\goodbyedpi.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp

Files

memory/1700-0-0x000000003F500000-0x000000003F519000-memory.dmp

memory/1700-1-0x0000000063D40000-0x0000000063D4B000-memory.dmp

memory/1700-4-0x000000003F500000-0x000000003F519000-memory.dmp