Analysis Overview
SHA256
e3ff0de76a44978ebd02b890f66be6f3f4320c99f8b443de1877d4e16a4a5443
Threat Level: Likely malicious
The file goodbyedpi-0.2.3rc1-2.zip was found to be: Likely malicious.
Malicious Activity Summary
Download via BitsAdmin
Drops file in System32 directory
Drops file in Windows directory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-01 11:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral10
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:47
Platform
win11-20240730-en
Max time kernel
1733s
Max time network
1164s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2803179037-308240136-4183858629-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2356 wrote to memory of 2660 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 2356 wrote to memory of 2660 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\licenses\LICENSE-windivert.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\licenses\LICENSE-windivert.txt
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:48
Platform
win11-20240730-en
Max time kernel
1525s
Max time network
1529s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_remove.cmd"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:48
Platform
win11-20240730-en
Max time kernel
1791s
Max time network
1762s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3484 wrote to memory of 2192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3484 wrote to memory of 2192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3484 wrote to memory of 2192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 52.111.229.48:443 | N/A | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:48
Platform
win11-20240730-en
Max time kernel
1365s
Max time network
1147s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert32.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert32.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert32.sys
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:28
Platform
win11-20240730-en
Max time kernel
1859s
Max time network
1834s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133669881792092586" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb0e3cc40,0x7ffdb0e3cc4c,0x7ffdb0e3cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,14833626939717706271,13712835148968647412,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=1808 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,14833626939717706271,13712835148968647412,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2128 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,14833626939717706271,13712835148968647412,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2232 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,14833626939717706271,13712835148968647412,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3252 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,14833626939717706271,13712835148968647412,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3288 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3124,i,14833626939717706271,13712835148968647412,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4516 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4640,i,14833626939717706271,13712835148968647412,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4704 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,14833626939717706271,13712835148968647412,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4896 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3768,i,14833626939717706271,13712835148968647412,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4960 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 142.250.178.4:443 | www.google.com | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 4.178.250.142.in-addr.arpa | udp |
| NL | 142.250.102.139:443 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| NL | 142.250.102.139:443 | clients2.google.com | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:32
Platform
win11-20240730-en
Max time kernel
1508s
Max time network
1487s
Command Line
Signatures
Download via BitsAdmin
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3400 wrote to memory of 3136 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe |
| PID 3400 wrote to memory of 3136 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\0_russia_update_blacklist_file.cmd"
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer blacklist https://p.thenewone.lol/domains-export.txt "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | p.thenewone.lol | udp |
| LV | 195.123.208.131:443 | p.thenewone.lol | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:47
Platform
win11-20240730-en
Max time kernel
1799s
Max time network
1768s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3600 wrote to memory of 1568 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 3600 wrote to memory of 1568 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country_dnsredir.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 52.111.229.43:443 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
memory/1568-0-0x00007FF6E1E90000-0x00007FF6E1EB0000-memory.dmp
memory/1568-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/1568-2-0x00007FF6E1E90000-0x00007FF6E1EB0000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:47
Platform
win11-20240730-en
Max time kernel
1799s
Max time network
1802s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1872973762-1326452598-87257502-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4968 wrote to memory of 5016 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 4968 wrote to memory of 5016 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\licenses\LICENSE-getline.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\licenses\LICENSE-getline.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:48
Platform
win11-20240730-en
Max time kernel
1509s
Max time network
1506s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
memory/1348-0-0x00007FF7B6880000-0x00007FF7B68A0000-memory.dmp
memory/1348-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/1348-2-0x00007FF7B6880000-0x00007FF7B68A0000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:48
Platform
win11-20240730-en
Max time kernel
1510s
Max time network
1501s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert64.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert64.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert64.sys
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:45
Platform
win11-20240729-en
Max time kernel
1698s
Max time network
1152s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2172 wrote to memory of 3904 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 2172 wrote to memory of 3904 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/3904-0-0x00007FF7618C0000-0x00007FF7618E0000-memory.dmp
memory/3904-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/3904-2-0x00007FF7618C0000-0x00007FF7618E0000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:47
Platform
win11-20240730-en
Max time kernel
1737s
Max time network
1165s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2803179037-308240136-4183858629-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 672 wrote to memory of 2864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 672 wrote to memory of 2864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\licenses\LICENSE-goodbyedpi.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\licenses\LICENSE-goodbyedpi.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:48
Platform
win11-20240730-en
Max time kernel
1798s
Max time network
1770s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2629259545-4196337482-2684730723-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3600 wrote to memory of 2004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 3600 wrote to memory of 2004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.13:443 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:48
Platform
win11-20240730-en
Max time kernel
1796s
Max time network
1798s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert64.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert64.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert64.sys
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:48
Platform
win11-20240730-en
Max time kernel
1506s
Max time network
1499s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert.dll,#1
Network
| Country | Destination | Domain | Proto |
| IE | 52.111.236.23:443 | | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:40
Platform
win11-20240730-en
Max time kernel
1795s
Max time network
1764s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2208 wrote to memory of 456 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 2208 wrote to memory of 456 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist_dnsredir.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt
Network
| Country | Destination | Domain | Proto |
| NL | 52.111.243.31:443 | | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
memory/456-0-0x00007FF795270000-0x00007FF795290000-memory.dmp
memory/456-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/456-2-0x00007FF795270000-0x00007FF795290000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:47
Platform
win11-20240730-en
Max time kernel
1505s
Max time network
1499s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1872973762-1326452598-87257502-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4520 wrote to memory of 1608 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 4520 wrote to memory of 1608 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\licenses\LICENSE-uthash.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\licenses\LICENSE-uthash.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 34.58.20.217.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:48
Platform
win11-20240730-en
Max time kernel
1695s
Max time network
1167s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist_dnsredir.cmd"
Network
| Country | Destination | Domain | Proto |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:48
Platform
win11-20240730-en
Max time kernel
1564s
Max time network
1533s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe
"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
Files
memory/892-0-0x000000003F780000-0x000000003F79F000-memory.dmp
memory/892-1-0x0000000063D40000-0x0000000063D4F000-memory.dmp
memory/892-2-0x000000003F780000-0x000000003F79F000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:34
Platform
win11-20240730-en
Max time kernel
1784s
Max time network
1786s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 768 wrote to memory of 3008 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 768 wrote to memory of 3008 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/3008-0-0x00007FF7FCC80000-0x00007FF7FCCA0000-memory.dmp
memory/3008-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/3008-2-0x00007FF7FCC80000-0x00007FF7FCCA0000-memory.dmp
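Added triage example for the runs above (my code, not part of the sandbox report or of the GoodbyeDPI project). It takes as constructed input the goodbyedpi.exe command lines and the distinct network rows of behavioral4 and behavioral3, together with those of the NOTEPAD.EXE run behavioral11, which executed nothing from the archive and so serves as a baseline for the sandbox's own background traffic (the tse1.mm.bing.net fetches and reverse lookups via 8.8.8.8 that every run shows). The baseline is subtracted from the goodbyedpi.exe runs, a /16 match is used as a heuristic for the Microsoft 52.111.x.x and 150.171.x.x endpoints that change from run to run, and the argument list is parsed to check whether the resolver named by --dns-addr/--dns-port (and --dnsv6-addr/--dnsv6-port) is ever contacted. Assumptions not stated on the page: a default port of 53 when only the address is given, and an IPv6 destination rendered as [addr]:port. The row parser also tolerates the form in which the protocol has drifted into the Domain column, since some extractions of this table show it that way.

```python
"""Added triage example for the behavioral runs above; not part of the sandbox report.
Constructed input: a command line plus the distinct network rows of three runs. The
run that executed nothing from the archive (NOTEPAD.EXE on a text file) gives a
background-traffic baseline that is subtracted from the goodbyedpi.exe runs, whose
argument list is also parsed to check whether the resolver it was told to redirect
DNS to ever appears in the capture."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Run:
    name: str
    cmdline: str              # command line of the deepest process in the run
    network: tuple[str, ...]  # raw "| Country | Destination | Domain | Proto |" rows

RUNS = (  # copied from the runs above, one row per distinct line
    Run("behavioral4",
        r"goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 "
        r"--dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 "
        r"--blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt",
        ("| NL | 52.111.243.31:443 | | tcp |",
         "| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |",
         "| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |")),
    Run("behavioral3",
        r"goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt",
        ("| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |",
         "| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |")),
    Run("behavioral11",  # baseline: only NOTEPAD.EXE on a text file ran
        r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt',
        ("| US | 52.111.227.13:443 | | tcp |",
         "| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |",
         "| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |")),
)

def parse_network_row(row: str) -> tuple[str, str, str, str]:
    """(country, destination, domain, proto); also repairs rows where an extractor
    shifted 'tcp'/'udp' into the Domain column and left Proto empty."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    cells += [""] * (4 - len(cells))
    country, dest, domain, proto = cells[:4]
    if proto == "" and domain in ("tcp", "udp"):
        domain, proto = "", domain
    return country, dest, domain, proto

def goodbyedpi_options(cmdline: str) -> dict[str, list[str]]:
    """'--opt value' pairs; repeatable options (--blacklist) keep every value, bare
    flags (-9) map to []. Whitespace split, not shlex: the paths hold backslashes."""
    argv, opts, i = cmdline.split(), {}, 1          # argv[0] is the program name
    while i < len(argv):
        has_value = i + 1 < len(argv) and not argv[i + 1].startswith("-")
        opts.setdefault(argv[i], [])
        if has_value:
            opts[argv[i]].append(argv[i + 1])
        i += 2 if has_value else 1
    return opts

def dns_redirect_targets(cmdline: str) -> set[str]:
    """Resolver endpoints in the report's Destination format. Assumptions not on
    the page: port 53 when only the address is given; IPv6 shown as '[addr]:port'."""
    opts, targets = goodbyedpi_options(cmdline), set()
    if "--dns-addr" in opts:
        targets.add(f"{opts['--dns-addr'][0]}:{opts.get('--dns-port', ['53'])[0]}")
    if "--dnsv6-addr" in opts:
        targets.add(f"[{opts['--dnsv6-addr'][0]}]:{opts.get('--dnsv6-port', ['53'])[0]}")
    return targets

def destinations(run: Run) -> set[str]:
    return {parse_network_row(r)[1] for r in run.network}

def is_sample_run(run: Run) -> bool:
    return "goodbyedpi.exe" in run.cmdline.lower()

def _host(dest: str) -> str:
    return dest.rsplit(":", 1)[0].strip("[]")       # '1.2.3.4:443' -> '1.2.3.4'

def classify(runs: tuple[Run, ...] = RUNS) -> dict[str, dict[str, str]]:
    """Per goodbyedpi.exe run, label each destination 'baseline' (seen verbatim in a
    run that executed nothing from the archive), 'baseline-/16' (only the /16 matches
    a baseline address; a heuristic for endpoints that rotate per run) or 'unexplained'."""
    baseline = set().union(*(destinations(r) for r in runs if not is_sample_run(r)))
    nets = [ipaddress.ip_network(_host(d) + "/16", strict=False) for d in baseline]
    report: dict[str, dict[str, str]] = {}
    for run in filter(is_sample_run, runs):
        verdicts = {}
        for dest in destinations(run):
            if dest in baseline:
                verdicts[dest] = "baseline"
            elif any(ipaddress.ip_address(_host(dest)) in n for n in nets):
                verdicts[dest] = "baseline-/16"
            else:
                verdicts[dest] = "unexplained"
        report[run.name] = verdicts
    return report

def redirect_observed(runs: tuple[Run, ...] = RUNS) -> dict[str, dict[str, bool]]:
    """Per goodbyedpi.exe run: was each configured DNS endpoint contacted at all?"""
    return {r.name: {t: t in destinations(r) for t in dns_redirect_targets(r.cmdline)}
            for r in filter(is_sample_run, runs)}

if __name__ == "__main__":
    for name, verdicts in classify().items():
        print(name, verdicts)
    print(redirect_observed())
```

Run on this page's data, every destination of the goodbyedpi.exe runs is accounted for by the baseline, either verbatim or by /16, and 77.88.8.8:1253 never appears in any network table; the script establishes only that the configured redirect target is absent from the capture, not why. The same subtraction applies to any archive detonation in which some runs merely open a text file.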
Analysis: behavioral12
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:48
Platform
win11-20240730-en
Max time kernel
1507s
Max time network
1498s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4192 wrote to memory of 4816 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 4192 wrote to memory of 4816 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-youtube.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-youtube.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-08-01 11:55
Reported
2024-08-01 12:48
Platform
win11-20240730-en
Max time kernel
1505s
Max time network
1496s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd"
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.43:443 | | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |