Malware Analysis Report

2024-10-16 05:07

Sample ID: 240802-k7hb9stfpp
Target: goodbyedpi-0.2.3rc1-2.7z
SHA256: f845dbabb7772060cc875895b3f2c06e0edbc2bb079670a30816140e753ec378
Tags: discovery dropper evasion execution persistence
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: f845dbabb7772060cc875895b3f2c06e0edbc2bb079670a30816140e753ec378

Threat Level: Likely malicious

The file goodbyedpi-0.2.3rc1-2.7z was found to be: Likely malicious.

The verdict is an automated heuristic score. Each flagged behaviour maps to a command line in the Processes section: the bundled service_install_*.cmd scripts run sc stop, sc delete, sc create ... start= "auto" and sc start for a service named "GoodbyeDPI" whose image is x86_64\goodbyedpi.exe under the user's Desktop; 0_russia_update_blacklist_file.cmd fetches a domain list over HTTPS with bitsadmin /transfer; and the LoadsDriver events are consistent with the WinDivert.dll shipped in both the x86 and x86_64 directories, the user-mode side of the WinDivert packet-diversion framework, which loads a kernel driver on first use. Whether that is acceptable is a policy call: an auto-start service whose image sits in a user-writable directory and a third-party packet-filter driver deserve review even when the archive is the tool it claims to be.

Malicious Activity Summary

discovery dropper evasion execution persistence

Creates new service(s)

Download via BitsAdmin

Stops running service(s)

Loads dropped DLL

Executes dropped EXE

Launches sc.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported: 2024-08-02 09:14

Signatures: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-02 09:14
Reported: 2024-08-02 09:17
Platform: win11-20240730-en
Max time kernel: 176s
Max time network: 173s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2.7z

Signatures

Creates new service(s)

persistence execution

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Stops running service(s)

evasion execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe N/A

Modifies registry class

All but one of these writes (the exception is the cmd.exe write to Local Settings) come from OpenWith.exe, the "Open with" dialog that handed the archive to 7zFM.exe. They are Explorer view state under Local Settings\Software\Microsoft\Windows\Shell\BagMRU and \Bags (ShellBags), the Applications\7zFM.exe\shell\open\command association, CLSID Instance keys and NotificationData: UI bookkeeping, not Run keys or service configuration. The persistence on this page is the sc.exe service, not the registry.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Applications\7zFM.exe\shell C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Applications\7zFM.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\"" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Applications\7zFM.exe\shell\open C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c00310000000000fe584392110050524f4752417e310000740009000400efbec5525961fe5843922e0000003f0000000000010000000000000000004a0000000000829f2101500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000fe5810911000372d5a6970003c0009000400efbefe581091fe5810912e000000a49f0200000004000000000000000000000000000000b257cb0037002d005a0069007000000014000000 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\system32\OpenWith.exe N/A
Key created \Registry\User\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\NotificationData C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Applications\7zFM.exe\shell\open\command C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Applications C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
11 driver-load events recorded, all four fields N/A (the sandbox did not attribute them to a process)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 (unresolved privilege LUID; 35 is SeCreateSymbolicLinkPrivilege in winnt.h) N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A

All three are enabled by 7zFM.exe, the 7-Zip file manager that opened the archive; restoring ACLs, security descriptors and symbolic links from an archive is what those privileges are for.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Every row pairs a cmd.exe (or OpenWith.exe) parent with a child it has just created, matching the process tree below (sc.exe, bitsadmin.exe, goodbyedpi.exe, 7zFM.exe); a parent writing into a freshly spawned child is part of normal process creation and is not evidence of injection into an unrelated process. Each parent/child pair is logged twice.

Description Indicator Process Target
PID 1536 wrote to memory of 3668 N/A C:\Windows\system32\OpenWith.exe C:\Program Files\7-Zip\7zFM.exe
PID 1536 wrote to memory of 3668 N/A C:\Windows\system32\OpenWith.exe C:\Program Files\7-Zip\7zFM.exe
PID 4976 wrote to memory of 4004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4976 wrote to memory of 4004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4976 wrote to memory of 4412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4976 wrote to memory of 4412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4976 wrote to memory of 768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4976 wrote to memory of 768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4976 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4976 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4976 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4976 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4444 wrote to memory of 4904 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4444 wrote to memory of 4904 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4444 wrote to memory of 1496 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4444 wrote to memory of 1496 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4444 wrote to memory of 4456 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4444 wrote to memory of 4456 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4444 wrote to memory of 4404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4444 wrote to memory of 4404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4444 wrote to memory of 2764 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4444 wrote to memory of 2764 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3876 wrote to memory of 240 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 3876 wrote to memory of 240 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 3696 wrote to memory of 500 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 3696 wrote to memory of 500 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 4072 wrote to memory of 3716 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 4072 wrote to memory of 3716 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 3544 wrote to memory of 3176 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 3544 wrote to memory of 3176 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 3708 wrote to memory of 1700 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3708 wrote to memory of 1700 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3708 wrote to memory of 3404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3708 wrote to memory of 3404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3708 wrote to memory of 3568 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3708 wrote to memory of 3568 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3708 wrote to memory of 3136 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3708 wrote to memory of 3136 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3708 wrote to memory of 1944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3708 wrote to memory of 1944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4404 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 4404 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 3152 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 3152 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2.7z

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2.7z"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd" "

C:\Windows\system32\sc.exe

sc stop "GoodbyeDPI"

C:\Windows\system32\sc.exe

sc delete "GoodbyeDPI"

C:\Windows\system32\sc.exe

sc create "GoodbyeDPI" binPath= "\"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe\" -9 --blacklist \"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt\" --blacklist \"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-youtube.txt\"" start= "auto"

C:\Windows\system32\sc.exe

sc description "GoodbyeDPI" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility"

C:\Windows\system32\sc.exe

sc start "GoodbyeDPI"

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe" -9 --blacklist "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt" --blacklist "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-youtube.txt"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd"

C:\Windows\system32\sc.exe

sc stop "GoodbyeDPI"

C:\Windows\system32\sc.exe

sc delete "GoodbyeDPI"

C:\Windows\system32\sc.exe

sc create "GoodbyeDPI" binPath= "\"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe\" -9 --blacklist \"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt\" --blacklist \"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-youtube.txt\"" start= "auto"

C:\Windows\system32\sc.exe

sc description "GoodbyeDPI" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility"

C:\Windows\system32\sc.exe

sc start "GoodbyeDPI"

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe" -9 --blacklist "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt" --blacklist "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-youtube.txt"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd"

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd" "

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd"

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe"

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\0_russia_update_blacklist_file.cmd"

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer blacklist https://p.thenewone.lol/domains-export.txt "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_install_russia_blacklist_dnsredir.cmd"

C:\Windows\system32\sc.exe

sc stop "GoodbyeDPI"

C:\Windows\system32\sc.exe

sc delete "GoodbyeDPI"

C:\Windows\system32\sc.exe

sc create "GoodbyeDPI" binPath= "\"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe\" -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist \"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt\" --blacklist \"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-youtube.txt\"" start= "auto"

C:\Windows\system32\sc.exe

sc description "GoodbyeDPI" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility"

C:\Windows\system32\sc.exe

sc start "GoodbyeDPI"

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe" -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt" --blacklist "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-youtube.txt"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\2_any_country_dnsredir.cmd" "

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\2_any_country.cmd" "

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe

"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe"
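
The sc.exe and bitsadmin command lines above are what a detection engineer would pattern-match on, and they are awkward to parse: sc's binPath= value is itself a quoted command line with escaped inner quotes, and sc takes `key=` and its value as two separate tokens. The following Python is an added example written for this report, not code from the sandbox or from the GoodbyeDPI project. It splits command lines with the CommandLineToArgvW quoting rules, parses sc verbs and bitsadmin /transfer, groups activity per service name, and flags the stop, delete, create, start reinstall chain and an auto-start service whose image lives under a user-writable path. The sample lines are copied (abridged) from the Processes section; the user-writable prefix list is this example's own assumption.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption of this example, not of the report: prefixes an unprivileged user can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

SAMPLE_CMDLINES = [  # constructed sample: copied (abridged) from the Processes section above
    r'sc stop "GoodbyeDPI"',
    r'sc delete "GoodbyeDPI"',
    r'sc create "GoodbyeDPI" binPath= "\"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe\" -9 --blacklist \"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt\"" start= "auto"',
    r'sc description "GoodbyeDPI" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility"',
    r'sc start "GoodbyeDPI"',
    r'bitsadmin /transfer blacklist https://p.thenewone.lol/domains-export.txt "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt"',
]


def win_split(cmdline: str) -> list[str]:
    """Split like CommandLineToArgvW: quotes group words; 2n backslashes before a quote
    give n backslashes, 2n+1 give n backslashes plus a literal quote."""
    args, cur, in_quotes, have_token = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (run // 2))
                if run % 2:                 # odd run: the quote is literal, consume it
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * run)      # backslashes not before a quote are literal
            i, have_token = j, True
        elif c == '"':
            in_quotes, have_token, i = not in_quotes, True, i + 1
        elif c.isspace() and not in_quotes:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
            i += 1
        else:
            cur.append(c)
            have_token, i = True, i + 1
    if have_token:
        args.append("".join(cur))
    return args


def parse_sc(args: list[str]) -> tuple[str, str, dict[str, str]] | None:
    """(verb, service, options) for an sc.exe line; options use sc's two-token 'key= value' form."""
    if len(args) < 3 or args[0].lower().rsplit("\\", 1)[-1] not in ("sc", "sc.exe"):
        return None
    opts: dict[str, str] = {}
    i = 3
    while i < len(args):
        if args[i].endswith("=") and i + 1 < len(args):
            opts[args[i][:-1].lower()] = args[i + 1]
            i += 2
        else:
            i += 1
    return args[1].lower(), args[2], opts


def parse_bitsadmin_transfer(args: list[str]) -> dict[str, str] | None:
    """bitsadmin /transfer <job> [flags] <url> <local path>: url and path are the last two tokens."""
    exe = args[0].lower().rsplit("\\", 1)[-1] if args else ""
    if len(args) < 4 or exe not in ("bitsadmin", "bitsadmin.exe") or args[1].lower() != "/transfer":
        return None
    return {"job": args[2], "url": args[-2], "host": urlparse(args[-2]).hostname or "", "dest": args[-1]}


@dataclass
class ServiceActivity:
    verbs: list[str] = field(default_factory=list)   # sc verbs seen for this service, in order
    image: str | None = None                         # first token of binPath=
    start: str | None = None                         # start= value (auto, demand, disabled, ...)
    user_writable: bool = False                      # image under USER_WRITABLE_PREFIXES


def triage(cmdlines: list[str]) -> dict:
    """Group sc.exe activity per service name and collect bitsadmin downloads."""
    services, downloads = {}, []  # name -> ServiceActivity, list of bitsadmin dicts
    for line in cmdlines:
        args = win_split(line)
        if (sc := parse_sc(args)) is not None:
            verb, name, opts = sc
            act = services.setdefault(name, ServiceActivity())
            act.verbs.append(verb)
            if verb == "create" and "binpath" in opts:
                image_args = win_split(opts["binpath"])  # binPath= is itself a command line
                act.image = image_args[0] if image_args else opts["binpath"]
                act.start = opts.get("start", "").lower() or None
                act.user_writable = act.image.lower().startswith(USER_WRITABLE_PREFIXES)
        elif (bits := parse_bitsadmin_transfer(args)) is not None:
            downloads.append(bits)
    return {"services": services, "downloads": downloads}


def is_reinstall_chain(verbs: list[str]) -> bool:
    """stop, delete, create, start in that order; other verbs may appear between them."""
    it = iter(verbs)
    return all(step in it for step in ("stop", "delete", "create", "start"))
```

On the sample lines, triage() yields one service, GoodbyeDPI, with verbs stop, delete, create, description, start (is_reinstall_chain is true), image C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe, start auto and user_writable True, plus one bitsadmin download from p.thenewone.lol into russia-blacklist.txt. The intended input in practice is the CommandLine field of Sysmon Event ID 1 or Security event 4688 records; the quoting rules matter because a naive split on whitespace or on quotes would hand you `\"C:\Users\...` as the service image and miss the path check entirely.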

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
LV 195.123.208.131:443 p.thenewone.lol tcp

The TCP/443 connection to p.thenewone.lol is the bitsadmin /transfer of https://p.thenewone.lol/domains-export.txt from 0_russia_update_blacklist_file.cmd; the downloaded file overwrites russia-blacklist.txt, the domain list goodbyedpi.exe is then started with. The UDP query to 8.8.8.8 is a PTR lookup for 52.111.227.13, for which the report records no originating process.

Files

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd

MD5 af6dac6686b77dc51203800737f41b75
SHA1 385568a96d92ca8206e45b6cf945b2fa11b29f80
SHA256 4d2068f04436998bdf003c430f7bc28f0d0fc7d48031b8a37983f84bad6374bb
SHA512 ae54f13ec18a71983b598f9f2d38231168b9f7de3238f6f742128331f2957e0a770b9502f2bf1997c8f6a6cb0c4bb90e9f4a8156ac807744141c51f4b0c4c49c

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

MD5 fd680538c2a80dc54c63ae39c3563fbd
SHA1 34fc71b71ab4361a68bf8355e9b2f54dd8cf910f
SHA256 fa9a32ae6eb24e2290941ea60f80e914168e1f84e900293bffd4393fb9a8fae2
SHA512 8bae7d75dcaf708433504e8b725da41f051fdaffccfc2e27e2450f89866b8d113a2782a11c54e1dbf03e5db22b883eaf7bea8cfd2472e67c7eebabc9de2ef838

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\WinDivert.dll

MD5 88e1c19b978436258f7c938013408a8a
SHA1 09b77c8c85757e11667a7b83231598dd67fe0b8b
SHA256 6110bfa44667405179c3e15e12af1b62037e447ed59b054b19042032995e6c7e
SHA512 eaa0d8369b76fd9a4978f14702716ae31d801cd0dc36a86531f9320b4ddb683265c4f0e07af2b9d2e85f513270d98d1b11ae7d501d08287442bc505176d16e14

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt

MD5 10428c8013f3a63e4d85c7e8c12d1288
SHA1 1d56c58626c75947391c48e0512be1308852d1ad
SHA256 a0edd9b4d4d99b31b62f73ad4d0819408b0f38a4178893d5279a9bc6736b0668
SHA512 4875c71317946315e43231a1a41b7cc1588a98236377d801418493bddd06ceebc2d80afe24e7e5cbcdb4bf1af7a6e907fc968283fefd458478f850622d730043

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-youtube.txt

MD5 224c80ffbff4b72fb9c7daeea96f2d06
SHA1 54ae8bc9f32415a1d7dea35cb7cfeac76184f865
SHA256 40499135555124cdee19699e060e30a8649257420c791717e8d875506529b1f6
SHA512 465e73037165ff79f3799f45fcba39a7bf73bca5d1cb3b454873714ffad233e4478aee88d3798275dec8a8d677a398d387e7fc01b3a10934c0363b741ac98771

memory/5068-49-0x00007FF670650000-0x00007FF670670000-memory.dmp

memory/5068-50-0x0000000062800000-0x0000000062813000-memory.dmp

memory/5068-51-0x00007FF670650000-0x00007FF670670000-memory.dmp

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd

MD5 76763259e528cd27e998fb4c665c2b78
SHA1 f2b6e15dca04c54ace2aefc4bc72656dc7550cab
SHA256 69c8b67fafbca446ce5302e97f9947191ecb84d2a51eae61d4955dc3e2147da0
SHA512 69d35fb64ab4cee901b7ecc9baac437cd4dd5e3feb5b006a0fa8c3d52fce8ac9eea5ee68a6dcea01f5386966ac135e85bfba8fc8eecec5d8c70212e795d0dd76

memory/3096-58-0x00007FF670650000-0x00007FF670670000-memory.dmp

memory/240-60-0x00007FF670650000-0x00007FF670670000-memory.dmp

memory/3096-62-0x00007FF670650000-0x00007FF670670000-memory.dmp

memory/240-64-0x00007FF670650000-0x00007FF670670000-memory.dmp

memory/500-68-0x00007FF670650000-0x00007FF670670000-memory.dmp

memory/500-70-0x00007FF670650000-0x00007FF670670000-memory.dmp

memory/3716-74-0x00007FF670650000-0x00007FF670670000-memory.dmp

memory/4336-78-0x00007FF670650000-0x00007FF670670000-memory.dmp

memory/2000-82-0x00007FF670650000-0x00007FF670670000-memory.dmp

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\0_russia_update_blacklist_file.cmd

MD5 a6af4b081a4cbcd448759306b2366eac
SHA1 0d1d887413e074b0991b5be0ca296f18053502c0
SHA256 d9d7c57c7dedb3a4e6566ddd7623758f53986a2c34e0cd3784b84f7f881a01c4
SHA512 f406b865f4bbe08181f1c1f239f198bab03b5b681174323b78f0b3c1790a1e177473a89ee566dac906c08d044fb0eb9a48991cf773222d378f469bd4941af62f

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_install_russia_blacklist_dnsredir.cmd

MD5 77b1d63472e67c4368961c463cc1d92c
SHA1 7653fa303944e6f2436ef72ad8a6d11eb6f8b95e
SHA256 450f2b003fb579f897eded1131c9e893afde7b2ebf07b86110449e57ed9a0da8
SHA512 67763f15836d456bd8713533599f2bc6d97d16887fc4078f5c5c36ec0b42beffc267e5eb9396f16aa350ce39a61c57ecc1c82e32068495a74489af68dacc3a31

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\2_any_country_dnsredir.cmd

MD5 77048213eb9358ff71f99667dd08034b
SHA1 cb35b4554e96f3a7089c103e911eab58c9369d53
SHA256 e599adb50f219cfbd620a21167b6cfc68e326da50836b5985826e45e88d247fe
SHA512 6af0c1281108ad7d61d61ae98ae84e5ad024fed32dd997e2f053dcb40a1d595cf76310ce36397791e747cad984a341a959fd4eb43d284cfcaf6cf17f7c5f7236

memory/1980-91-0x00007FF670650000-0x00007FF670670000-memory.dmp

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\2_any_country.cmd

MD5 72103c58f2ed536ebc07e19fd00fa2f0
SHA1 cd37e3bfdc4dbeecfd945561b8538e328dcfe2f9
SHA256 17a3d7b8b1e1340f67d3687ce9162199c0a25025941d23954880808403487d07
SHA512 4270dfb825f03d41d5911db8cef7de43c58a0401d84bd72e047da6b9fc6753789c070c9fd61bb0145f70b47026ba70d9d18612fefd1314436998adb354de815b

memory/2204-96-0x00007FF670650000-0x00007FF670670000-memory.dmp

memory/4792-98-0x00007FF670650000-0x00007FF670670000-memory.dmp

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe

MD5 92a6c37a997fba11f9e26995925cbee6
SHA1 e00bd8465497427230c856089c36c64afc70c677
SHA256 da0884d6b282ff934c0d7392a50efca03c65943b6e2b6254e14e81420f0ebb5f
SHA512 68edb1ee011aa610fdaa53047a89f8f7498848832c46f5fb5bfd289090fd77e49560d13dc8ce5996203074cf5e158d4225152878b30e44135423f520d03901d9

C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86\WinDivert.dll

MD5 1cb0efd60883b5637b31bf46c34ae199
SHA1 b91de8d5f072f8c6aabd029d96568effdd5662d9
SHA256 625ffdd95bfabff32d0e8a95beabcd303c01c8bba73b90402d4e84d6e15dd8e5
SHA512 68c7c257b8cd28011f4b9af09b1e4c7b3d69c6f1457ca6f68fe114fcb382e470b87b9c12ca5d6d4aedd27a103a35fac9093c08b288867cceb9621a60ac70a6f7

memory/3904-104-0x000000003F2F0000-0x000000003F30F000-memory.dmp

memory/3904-105-0x0000000063D40000-0x0000000063D4F000-memory.dmp

memory/4792-106-0x00007FF670650000-0x00007FF670670000-memory.dmp