Analysis Overview
SHA256
f845dbabb7772060cc875895b3f2c06e0edbc2bb079670a30816140e753ec378
Threat Level: Likely malicious
The file goodbyedpi-0.2.3rc1-2.7z was found to be: Likely malicious.
Malicious Activity Summary
Creates new service(s)
Download via BitsAdmin
Stops running service(s)
Loads dropped DLL
Executes dropped EXE
Launches sc.exe
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-02 09:14
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-02 09:14
Reported
2024-08-02 09:17
Platform
win11-20240730-en
Max time kernel
176s
Max time network
173s
Command Line
Signatures
Creates new service(s)
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Applications\7zFM.exe\shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Applications\7zFM.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\"" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Applications\7zFM.exe\shell\open | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c00310000000000fe584392110050524f4752417e310000740009000400efbec5525961fe5843922e0000003f0000000000010000000000000000004a0000000000829f2101500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000fe5810911000372d5a6970003c0009000400efbefe581091fe5810912e000000a49f0200000004000000000000000000000000000000b257cb0037002d005a0069007000000014000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \Registry\User\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\NotificationData | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Applications\7zFM.exe\shell\open\command | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Applications | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2.7z
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1-2.7z"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd" "
C:\Windows\system32\sc.exe
sc stop "GoodbyeDPI"
C:\Windows\system32\sc.exe
sc delete "GoodbyeDPI"
C:\Windows\system32\sc.exe
sc create "GoodbyeDPI" binPath= "\"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe\" -9 --blacklist \"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt\" --blacklist \"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-youtube.txt\"" start= "auto"
C:\Windows\system32\sc.exe
sc description "GoodbyeDPI" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility"
C:\Windows\system32\sc.exe
sc start "GoodbyeDPI"
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe" -9 --blacklist "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt" --blacklist "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-youtube.txt"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd"
C:\Windows\system32\sc.exe
sc stop "GoodbyeDPI"
C:\Windows\system32\sc.exe
sc delete "GoodbyeDPI"
C:\Windows\system32\sc.exe
sc create "GoodbyeDPI" binPath= "\"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe\" -9 --blacklist \"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt\" --blacklist \"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-youtube.txt\"" start= "auto"
C:\Windows\system32\sc.exe
sc description "GoodbyeDPI" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility"
C:\Windows\system32\sc.exe
sc start "GoodbyeDPI"
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe" -9 --blacklist "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt" --blacklist "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-youtube.txt"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd"
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd" "
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd"
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe"
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\0_russia_update_blacklist_file.cmd"
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer blacklist https://p.thenewone.lol/domains-export.txt "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_install_russia_blacklist_dnsredir.cmd"
C:\Windows\system32\sc.exe
sc stop "GoodbyeDPI"
C:\Windows\system32\sc.exe
sc delete "GoodbyeDPI"
C:\Windows\system32\sc.exe
sc create "GoodbyeDPI" binPath= "\"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe\" -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist \"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt\" --blacklist \"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-youtube.txt\"" start= "auto"
C:\Windows\system32\sc.exe
sc description "GoodbyeDPI" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility"
C:\Windows\system32\sc.exe
sc start "GoodbyeDPI"
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe" -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt" --blacklist "C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-youtube.txt"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\2_any_country_dnsredir.cmd" "
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\2_any_country.cmd" "
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe
"C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| LV | 195.123.208.131:443 | p.thenewone.lol | tcp |
Files
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd
| MD5 | af6dac6686b77dc51203800737f41b75 |
| SHA1 | 385568a96d92ca8206e45b6cf945b2fa11b29f80 |
| SHA256 | 4d2068f04436998bdf003c430f7bc28f0d0fc7d48031b8a37983f84bad6374bb |
| SHA512 | ae54f13ec18a71983b598f9f2d38231168b9f7de3238f6f742128331f2957e0a770b9502f2bf1997c8f6a6cb0c4bb90e9f4a8156ac807744141c51f4b0c4c49c |
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
| MD5 | fd680538c2a80dc54c63ae39c3563fbd |
| SHA1 | 34fc71b71ab4361a68bf8355e9b2f54dd8cf910f |
| SHA256 | fa9a32ae6eb24e2290941ea60f80e914168e1f84e900293bffd4393fb9a8fae2 |
| SHA512 | 8bae7d75dcaf708433504e8b725da41f051fdaffccfc2e27e2450f89866b8d113a2782a11c54e1dbf03e5db22b883eaf7bea8cfd2472e67c7eebabc9de2ef838 |
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\WinDivert.dll
| MD5 | 88e1c19b978436258f7c938013408a8a |
| SHA1 | 09b77c8c85757e11667a7b83231598dd67fe0b8b |
| SHA256 | 6110bfa44667405179c3e15e12af1b62037e447ed59b054b19042032995e6c7e |
| SHA512 | eaa0d8369b76fd9a4978f14702716ae31d801cd0dc36a86531f9320b4ddb683265c4f0e07af2b9d2e85f513270d98d1b11ae7d501d08287442bc505176d16e14 |
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt
| MD5 | 10428c8013f3a63e4d85c7e8c12d1288 |
| SHA1 | 1d56c58626c75947391c48e0512be1308852d1ad |
| SHA256 | a0edd9b4d4d99b31b62f73ad4d0819408b0f38a4178893d5279a9bc6736b0668 |
| SHA512 | 4875c71317946315e43231a1a41b7cc1588a98236377d801418493bddd06ceebc2d80afe24e7e5cbcdb4bf1af7a6e907fc968283fefd458478f850622d730043 |
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-youtube.txt
| MD5 | 224c80ffbff4b72fb9c7daeea96f2d06 |
| SHA1 | 54ae8bc9f32415a1d7dea35cb7cfeac76184f865 |
| SHA256 | 40499135555124cdee19699e060e30a8649257420c791717e8d875506529b1f6 |
| SHA512 | 465e73037165ff79f3799f45fcba39a7bf73bca5d1cb3b454873714ffad233e4478aee88d3798275dec8a8d677a398d387e7fc01b3a10934c0363b741ac98771 |
memory/5068-49-0x00007FF670650000-0x00007FF670670000-memory.dmp
memory/5068-50-0x0000000062800000-0x0000000062813000-memory.dmp
memory/5068-51-0x00007FF670650000-0x00007FF670670000-memory.dmp
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd
| MD5 | 76763259e528cd27e998fb4c665c2b78 |
| SHA1 | f2b6e15dca04c54ace2aefc4bc72656dc7550cab |
| SHA256 | 69c8b67fafbca446ce5302e97f9947191ecb84d2a51eae61d4955dc3e2147da0 |
| SHA512 | 69d35fb64ab4cee901b7ecc9baac437cd4dd5e3feb5b006a0fa8c3d52fce8ac9eea5ee68a6dcea01f5386966ac135e85bfba8fc8eecec5d8c70212e795d0dd76 |
memory/3096-58-0x00007FF670650000-0x00007FF670670000-memory.dmp
memory/240-60-0x00007FF670650000-0x00007FF670670000-memory.dmp
memory/3096-62-0x00007FF670650000-0x00007FF670670000-memory.dmp
memory/240-64-0x00007FF670650000-0x00007FF670670000-memory.dmp
memory/500-68-0x00007FF670650000-0x00007FF670670000-memory.dmp
memory/500-70-0x00007FF670650000-0x00007FF670670000-memory.dmp
memory/3716-74-0x00007FF670650000-0x00007FF670670000-memory.dmp
memory/4336-78-0x00007FF670650000-0x00007FF670670000-memory.dmp
memory/2000-82-0x00007FF670650000-0x00007FF670670000-memory.dmp
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\0_russia_update_blacklist_file.cmd
| MD5 | a6af4b081a4cbcd448759306b2366eac |
| SHA1 | 0d1d887413e074b0991b5be0ca296f18053502c0 |
| SHA256 | d9d7c57c7dedb3a4e6566ddd7623758f53986a2c34e0cd3784b84f7f881a01c4 |
| SHA512 | f406b865f4bbe08181f1c1f239f198bab03b5b681174323b78f0b3c1790a1e177473a89ee566dac906c08d044fb0eb9a48991cf773222d378f469bd4941af62f |
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_install_russia_blacklist_dnsredir.cmd
| MD5 | 77b1d63472e67c4368961c463cc1d92c |
| SHA1 | 7653fa303944e6f2436ef72ad8a6d11eb6f8b95e |
| SHA256 | 450f2b003fb579f897eded1131c9e893afde7b2ebf07b86110449e57ed9a0da8 |
| SHA512 | 67763f15836d456bd8713533599f2bc6d97d16887fc4078f5c5c36ec0b42beffc267e5eb9396f16aa350ce39a61c57ecc1c82e32068495a74489af68dacc3a31 |
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\2_any_country_dnsredir.cmd
| MD5 | 77048213eb9358ff71f99667dd08034b |
| SHA1 | cb35b4554e96f3a7089c103e911eab58c9369d53 |
| SHA256 | e599adb50f219cfbd620a21167b6cfc68e326da50836b5985826e45e88d247fe |
| SHA512 | 6af0c1281108ad7d61d61ae98ae84e5ad024fed32dd997e2f053dcb40a1d595cf76310ce36397791e747cad984a341a959fd4eb43d284cfcaf6cf17f7c5f7236 |
memory/1980-91-0x00007FF670650000-0x00007FF670670000-memory.dmp
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\2_any_country.cmd
| MD5 | 72103c58f2ed536ebc07e19fd00fa2f0 |
| SHA1 | cd37e3bfdc4dbeecfd945561b8538e328dcfe2f9 |
| SHA256 | 17a3d7b8b1e1340f67d3687ce9162199c0a25025941d23954880808403487d07 |
| SHA512 | 4270dfb825f03d41d5911db8cef7de43c58a0401d84bd72e047da6b9fc6753789c070c9fd61bb0145f70b47026ba70d9d18612fefd1314436998adb354de815b |
memory/2204-96-0x00007FF670650000-0x00007FF670670000-memory.dmp
memory/4792-98-0x00007FF670650000-0x00007FF670670000-memory.dmp
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe
| MD5 | 92a6c37a997fba11f9e26995925cbee6 |
| SHA1 | e00bd8465497427230c856089c36c64afc70c677 |
| SHA256 | da0884d6b282ff934c0d7392a50efca03c65943b6e2b6254e14e81420f0ebb5f |
| SHA512 | 68edb1ee011aa610fdaa53047a89f8f7498848832c46f5fb5bfd289090fd77e49560d13dc8ce5996203074cf5e158d4225152878b30e44135423f520d03901d9 |
C:\Users\Admin\Desktop\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86\WinDivert.dll
| MD5 | 1cb0efd60883b5637b31bf46c34ae199 |
| SHA1 | b91de8d5f072f8c6aabd029d96568effdd5662d9 |
| SHA256 | 625ffdd95bfabff32d0e8a95beabcd303c01c8bba73b90402d4e84d6e15dd8e5 |
| SHA512 | 68c7c257b8cd28011f4b9af09b1e4c7b3d69c6f1457ca6f68fe114fcb382e470b87b9c12ca5d6d4aedd27a103a35fac9093c08b288867cceb9621a60ac70a6f7 |
memory/3904-104-0x000000003F2F0000-0x000000003F30F000-memory.dmp
memory/3904-105-0x0000000063D40000-0x0000000063D4F000-memory.dmp
memory/4792-106-0x00007FF670650000-0x00007FF670670000-memory.dmp