Analysis Overview
SHA256
e3ff0de76a44978ebd02b890f66be6f3f4320c99f8b443de1877d4e16a4a5443
Threat Level: Likely malicious
The file goodbyedpi-0.2.3rc1-2.zip was found to be: Likely malicious.
Malicious Activity Summary
Download via BitsAdmin
Enumerates connected drives
System Location Discovery: System Language Discovery
Browser Information Discovery
Unsigned PE
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-02 15:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral10
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3204 wrote to memory of 4348 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 3204 wrote to memory of 4348 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country_dnsredir.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
Files
memory/4348-0-0x00007FF662AF0000-0x00007FF662B10000-memory.dmp
memory/4348-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/4348-2-0x00007FF662AF0000-0x00007FF662B10000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win10v2004-20240802-en
Max time kernel
114s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert64.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert64.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert64.sys
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=1288 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win7-20240704-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist_dnsredir.cmd"
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert32.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert32.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert32.sys
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win7-20240704-en
Max time kernel
117s
Max time network
123s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2292 wrote to memory of 2228 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 2292 wrote to memory of 2228 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 2292 wrote to memory of 2228 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt
Network
Files
memory/2228-0-0x000000013F230000-0x000000013F250000-memory.dmp
memory/2228-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/2228-4-0x000000013F230000-0x000000013F250000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3836 wrote to memory of 3656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3836 wrote to memory of 3656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3836 wrote to memory of 3656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win10v2004-20240730-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert64.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert64.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert64.sys
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win10v2004-20240802-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/3872-0-0x00007FF689D40000-0x00007FF689D60000-memory.dmp
memory/3872-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/3872-2-0x00007FF689D40000-0x00007FF689D60000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
145s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_remove.cmd"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win7-20240704-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2840 wrote to memory of 2756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2840 wrote to memory of 2756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2840 wrote to memory of 2756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2840 wrote to memory of 2756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2840 wrote to memory of 2756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2840 wrote to memory of 2756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2840 wrote to memory of 2756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert.dll,#1
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win7-20240704-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe"
Network
Files
memory/1356-0-0x000000013FF30000-0x000000013FF50000-memory.dmp
memory/1356-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/1356-4-0x000000013FF30000-0x000000013FF50000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win10v2004-20240802-en
Max time kernel
98s
Max time network
101s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4060 wrote to memory of 3436 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 4060 wrote to memory of 3436 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.14:443 | tcp |
Files
memory/3436-0-0x00007FF7A4350000-0x00007FF7A4370000-memory.dmp
memory/3436-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/3436-2-0x00007FF7A4350000-0x00007FF7A4370000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win7-20240708-en
Max time kernel
119s
Max time network
125s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1288 wrote to memory of 1696 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 1288 wrote to memory of 1696 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 1288 wrote to memory of 1696 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country_dnsredir.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253
Network
Files
memory/1696-0-0x000000013F6E0000-0x000000013F700000-memory.dmp
memory/1696-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/1696-2-0x000000013F6E0000-0x000000013F700000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win7-20240705-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6969758,0x7fef6969768,0x7fef6969778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 --field-trial-handle=1384,i,16028424706169606693,16711249795326607923,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1384,i,16028424706169606693,16711249795326607923,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1384,i,16028424706169606693,16711249795326607923,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2228 --field-trial-handle=1384,i,16028424706169606693,16711249795326607923,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2236 --field-trial-handle=1384,i,16028424706169606693,16711249795326607923,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2008 --field-trial-handle=1384,i,16028424706169606693,16711249795326607923,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1176 --field-trial-handle=1384,i,16028424706169606693,16711249795326607923,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 --field-trial-handle=1384,i,16028424706169606693,16711249795326607923,131072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 142.250.27.106:443 | www.google.com | udp |
| NL | 142.250.27.106:443 | www.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp |
Files
\??\pipe\crashpad_1988_HWUVZONDYZSLKIIQ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win7-20240729-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_remove.cmd"
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
129s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe
"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
Files
memory/532-0-0x000000003F600000-0x000000003F61F000-memory.dmp
memory/532-1-0x0000000063D40000-0x0000000063D4F000-memory.dmp
memory/532-2-0x000000003F600000-0x000000003F61F000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win7-20240708-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert.dll,#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win7-20240704-en
Max time kernel
144s
Max time network
155s
Command Line
Signatures
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\V: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\mstsc.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\mstsc.exe | N/A |
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\0_russia_update_blacklist_file.cmd"
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer blacklist https://p.thenewone.lol/domains-export.txt "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7629758,0x7fef7629768,0x7fef7629778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1320,i,6759703951539422645,14840500811309932133,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1320,i,6759703951539422645,14840500811309932133,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1320,i,6759703951539422645,14840500811309932133,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2092 --field-trial-handle=1320,i,6759703951539422645,14840500811309932133,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2348 --field-trial-handle=1320,i,6759703951539422645,14840500811309932133,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1176 --field-trial-handle=1320,i,6759703951539422645,14840500811309932133,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1268 --field-trial-handle=1320,i,6759703951539422645,14840500811309932133,131072 /prefetch:1
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ExpandMove.DVR-MS"
C:\Windows\system32\mstsc.exe
"C:\Windows\system32\mstsc.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7629758,0x7fef7629768,0x7fef7629778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1176,i,4870826363450196346,9141195947578339934,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1176,i,4870826363450196346,9141195947578339934,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1176,i,4870826363450196346,9141195947578339934,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1176,i,4870826363450196346,9141195947578339934,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2288 --field-trial-handle=1176,i,4870826363450196346,9141195947578339934,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1228 --field-trial-handle=1176,i,4870826363450196346,9141195947578339934,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1244 --field-trial-handle=1176,i,4870826363450196346,9141195947578339934,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3676 --field-trial-handle=1176,i,4870826363450196346,9141195947578339934,131072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | p.thenewone.lol | udp |
| LV | 195.123.208.131:443 | p.thenewone.lol | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 142.250.27.105:443 | www.google.com | udp |
| NL | 142.250.27.105:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 142.250.27.104:443 | www.google.com | udp |
| NL | 142.250.27.104:443 | www.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp |
Files
\??\pipe\crashpad_2752_CEPKQVPCJYACHYQL
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\474fe4ac-9028-43ce-827b-c38f9fee726a.tmp
| MD5 | a63847dc43703ad23c42ee814bad667e |
| SHA1 | 164fb7c0650e7fd5cb35a6a5ef9a03e7a7d9a36b |
| SHA256 | 07db966ef66584bc2bf83b97b92008413eae3cf53bea6a95369bad540f7278b6 |
| SHA512 | 6ad29a673ab93b1dcd2094ccd146946fe7d27741763e9831252f8be767f22c3c3b50feb1d7b4e5333b55b0a6136f025a8da53bbcf9d6f2c9a3d90081c969cdba |
memory/1692-134-0x000007FEFABC0000-0x000007FEFABF4000-memory.dmp
memory/1692-133-0x000000013F3F0000-0x000000013F4E8000-memory.dmp
memory/1692-135-0x000007FEF5DF0000-0x000007FEF60A6000-memory.dmp
memory/1692-136-0x000007FEF4B30000-0x000007FEF5BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | 0e6c086fa2d9984b75b0a4fa191f731a |
| SHA1 | 542b08c2375cfd5b8e88f17dd76a1d65043ef050 |
| SHA256 | 4413dc66a7214431b220d4c2dc603e35f559d58d63aaed08d243ef89e86bebbc |
| SHA512 | 2413a93b23b4529eb580a428dc97a2053d306c97b92042309cf35ffa3800da04931c6bb57ece191121094eb5f8d1ad5518b6b315d18c212530783d51c93c9ad5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
| MD5 | bc6142469cd7dadf107be9ad87ea4753 |
| SHA1 | 72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c |
| SHA256 | b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557 |
| SHA512 | 47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f029225332c3181e0dd03cd1e98af3d1 |
| SHA1 | c512ecc0664edccff0729356726993674af22b35 |
| SHA256 | f374167f5b12cca9fad2716fb5aacb6cdbad9b80541f2dda948bf651fa37787a |
| SHA512 | 0d75d7878189bfb5ad860f14c76bdbab281621ff3c3cc8bf5c2d9f76eb225e2042c9d467b16af2fada7d8d9c0f6b695f934c61acbc82d9db9db5055c3328cf12 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
| MD5 | 9eae63c7a967fc314dd311d9f46a45b7 |
| SHA1 | caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf |
| SHA256 | 4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d |
| SHA512 | bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000007
| MD5 | 2ac0494b5c4c6d605281ee87339a0cc7 |
| SHA1 | 6ea0fd5480bd086ed4110d0622388574f0222666 |
| SHA256 | 53161ecf97484ce07e22fbed3f642f3c1daec51a22b84be407522e5d38d2afbd |
| SHA512 | 77c6a0422b17b90dcc84094e184020613bfc7f71f07bb6fe15a68f48330e7b374c5228d65606341248983e3ec17c9b30a61e31ebdfac73f7e6abeb9d2b5f8f7e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
| MD5 | df3198cfe17ea8f310346df7f2a3f4d2 |
| SHA1 | b380bf9aa625e07f9de099fc6369804b7d86fe85 |
| SHA256 | 1702554299863f99790bb3533748877f8bffb8089e776b7cd931674d9e34746f |
| SHA512 | 1f0999097551b679a397791f0671a64b69d80347f6a2a33e6f986b224cfc57270f29ab0a2dda00a03fb6fec8b2b9b771d8ce56696b75335f331292d1e497bf1d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000007
| MD5 | 22b937965712bdbc90f3c4e5cd2a8950 |
| SHA1 | 25a5df32156e12134996410c5f7d9e59b1d6c155 |
| SHA256 | cad3bbec41899ea5205612fc1494fa7ba88847fb75437a2def22211a4003e2eb |
| SHA512 | 931427ad4609ab4ca12b2ee852d4965680f58602b00c182a2d340acf3163d888be6cfad87ca089f2b47929ddfa66be03ab13a6d24922397334d6997d4c8ede3b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
| MD5 | 1ddbff4f248360f3fdd12b33b81ae08c |
| SHA1 | ac09cd96e0b4680f77f6221cb08d7499e93f77d9 |
| SHA256 | 194d70bcdb55ab2319783e2c1323c69a0480f456cd5e358109308a706a97cabc |
| SHA512 | cf54ba8451e09d17ac3be4ce4d6ad7823e6d5f1027c49108fcbf54fff62c9a02047205e48cc38e50e354a80cf794dd032262518412d1671eb9016a58fb228477 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
| MD5 | 3952fecdcc69f69efe1ab37a38431017 |
| SHA1 | 4aae0c648aa497d4247da14069eb32a043775ad2 |
| SHA256 | 366ada69bfc4ded4cdb441015f85db052350a587909ef5227a154a8953c9f2bb |
| SHA512 | 0fcd182fffdc0e470e8a7d58e751356a195bd7d3ea93438e24268c2b34b51cd73c07810908df5a1893043fd88a457a1ed24543b7896470765a611598adb262b5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.dbtmp
| MD5 | 979c29c2917bed63ccf520ece1d18cda |
| SHA1 | 65cd81cdce0be04c74222b54d0881d3fdfe4736c |
| SHA256 | b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53 |
| SHA512 | e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000006
| MD5 | 78c55e45e9d1dc2e44283cf45c66728a |
| SHA1 | 88e234d9f7a513c4806845ce5c07e0016cf13352 |
| SHA256 | 7b69a2bee12703825dc20e7d07292125180b86685d2d1b9fd097df76fc6791ec |
| SHA512 | f2ad4594024871286b98a94223b8e7155c7934ef4ebb55f25a4a485a059f75b572d21bc96e9b48ed394be8a41fe0208f7bfb6e28a79d75640c5b684f0c848fe3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000007
| MD5 | 1be22f40a06c4e7348f4e7eaf40634a9 |
| SHA1 | 8205ec74cd32ef63b1cc274181a74b95eedf86df |
| SHA256 | 45a28788cde0d2a0232d19c391eae45777fe640790ac0674d6daa5672c444691 |
| SHA512 | b8f6f42d375e3ad8015d744fa2814994fa6e588b41cce0131fca48194dd40146b08169a8ce0da350525ff32a59a16edb503c72e0f07254955c82a0d38074856e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG
| MD5 | 922c0bafadedd07dc8cf9985e860bbfa |
| SHA1 | 73ab53f47e63daa5d5b2d2e612d33e23084d9e6a |
| SHA256 | 39e05a7c93ff67329825154ee7a8d44b210011789b83858c0511e3656180c6ca |
| SHA512 | 5fe979d01fc688dec5b206142d5b5dc596390e03368fbf0877003ab26db26a6e56682c7f56062afb24027a918ccfc4aab298f3a1d5f1400fe0aecf61aa6c3b99 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\MANIFEST-000007
| MD5 | b6d5d86412551e2d21c97af6f00d20c3 |
| SHA1 | 543302ae0c758954e222399987bb5e364be89029 |
| SHA256 | e0b2fdc217d9c571a35f41c21ed2596309f3f00a7297a8d1ded05f54f0e68191 |
| SHA512 | 5b56ae73a61add9e26f77d95c9b823f82a7fcdc75eed64b388fb4967f5c6c42cb0796b0b99dc25c89f38952786176c10d173dec7862a8a5ce5f820280f72d665 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000009.log
| MD5 | e9c694b34731bf91073cf432768a9c44 |
| SHA1 | 861f5a99ad9ef017106ca6826efe42413cda1a0e |
| SHA256 | 01c766e2c0228436212045fa98d970a0ad1f1f73abaa6a26e97c6639a4950d85 |
| SHA512 | 2a359571c4326559459c881cba4ff4fa9f312f6a7c2955b120b907430b700ea6fd42a48fbb3cc9f0ca2950d114df036d1bb3b0618d137a36ebaaa17092fe5f01 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
| MD5 | 72bc12345e72c56c0ffa6dbd94aaf2f5 |
| SHA1 | efb59d3dba18c0065e98509bbfed4f56b6f11c0a |
| SHA256 | 0b48f93fe390a4c2b201572467987ce00cc21348ea2d91e91161f077fd69c5b4 |
| SHA512 | 3699e136f2a968392538dc54fd76ed013fdc50feeed65212af20014180e0e313cb29ef09e5240b86bd507bc80ffe01057f788a163e715eced640014851118dd1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000008.ldb
| MD5 | bbd70b633fe31912ec457d3eff6ea3b4 |
| SHA1 | 08a93d89bf497d2d9af156a2f171365ac09da942 |
| SHA256 | d54d60b550ce8df4e2d186cdd7daed4638006f2ea44826e5de0d19ee7f32ce16 |
| SHA512 | 5e6d66e71bf057ffbe609be4b5a8aabfc54b0c080087af4ade047b5f7f0f67d0432d4ea951c36a903ee171614e654136f4a190c82c6d6ad3a1fe67ca41249975 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000008.ldb
| MD5 | 566074223ecb0113ff6b84c8cd56d38f |
| SHA1 | 88301dcd29b3958f544113d498dcdc869953415e |
| SHA256 | 5a74a0600de39d0afe6e645b4569f3d99b89cc0ca54ba84ef6fef96bb2b2f75a |
| SHA512 | 8f44deae6f0ce28e630b8d218b067e54eda36081d733348c1bf757901c70ba1d9b79ef641c4374611b59fcf767ee410e2c85d79973fb87a3df07ee78e4160e54 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000010.dbtmp
| MD5 | 60e3f691077715586b918375dd23c6b0 |
| SHA1 | 476d3eab15649c40c6aebfb6ac2366db50283d1b |
| SHA256 | e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee |
| SHA512 | d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000009.log
| MD5 | a2f36fd75efcba856d1371d330ed4751 |
| SHA1 | fb7c3dff0fa2b47c6f0026287d12d16d05d14d8b |
| SHA256 | 561fe33b81dac187686e9e50103590f3a857f4e1b9c8ada714d43964b938ea7f |
| SHA512 | 79ca96560a074fa678cfdc06007d0e1e01718831d18c4a800c5361b8ba8091b46acada47418a8d7be3b626d2d9af5cf346abcdd88166a9d1634f81157ab1ad6a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000007
| MD5 | fbb6936d2877ce2d560520a2c3523a8b |
| SHA1 | 8cc7328f052440b58b02ff0280d760c54d0aa882 |
| SHA256 | dabc216c387723e96936a51c1927f9fa0300c939285730379195f9beb190100c |
| SHA512 | 39d1c0116d716f8fb67464fe7d262f5c434cc55e7fd37f52673367d6ed4922a289771e4696d5beab20f62f2ff6d7c4b5569ebf1517fbc2da838c60e47cc1fe38 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG
| MD5 | 4e7573c0a769e7cba2ffcd4f1e2d8447 |
| SHA1 | 42224dfb6a6397beac975fc703fee750b326d1ba |
| SHA256 | f62286f5a675e62e7b75e1c7f20014663428cac93e35808147ccd6221668eb64 |
| SHA512 | 6d0527f7e32ad3324cdf4d614b6bb9c7528e9f20f2fcb55011f76ec74c8260c00f16401d9d0f362b9fa0a8f96ef962ab93f6754cfd027ed16d3982bf230cc5ea |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000009.log
| MD5 | fe62c64b5b3d092170445d5f5230524e |
| SHA1 | 0e27b930da78fce26933c18129430816827b66d3 |
| SHA256 | 1e1a9ca70503efd8c607f9bc7131f08aba0476d75f2586dadb4da5485a5315d4 |
| SHA512 | 924daccfbfb0c0464b4c5fd769e01a8f2e96fe28b635aa27ab4cd91766b05b03bbf941af14c017436107673f01bad815ce1fac2a649e745c76b3c736994b4fd2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000007
| MD5 | 49a98a92f334d33eece0d8db051b458a |
| SHA1 | 8fa84859f6d08aecaece9f6874b5a3576719f402 |
| SHA256 | 24280df703d34d3e4423fb1250ca9872794515b80cbfabbb4f434fff41abea2b |
| SHA512 | 588285b87c7d2f4bfb1b0332fcad598d80624ea9d7794506c4296eed478704e4e58b3204e196349234f6134203a05ad85a0fc68d4ecfe1c30c3a0d357ead6fce |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG
| MD5 | 88913b491200846051d7b39b2a2beb98 |
| SHA1 | 98a84777f6c112b2f4a42685a8f0196ad37ed729 |
| SHA256 | bebaf461b59c3b6d43cdcbae70a043ce1a7de346817f5a22f831be4996cc9c49 |
| SHA512 | 53ef73d055d5a15ea6da883483b2963baf69585079ac6d88f192cacf15f37b9f9acd691687089cf7ac4ee75ecf513f4f0b4462dd073f0566d60cf8ebf28e7194 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | ec9ad255a26d97cac00b559d031a42d1 |
| SHA1 | db260c27dc56918614f7f2caed80edb206a3e73f |
| SHA256 | 12fd363a038b8e2d600862a6266ee4be1e82834947b2d291a86694586facb297 |
| SHA512 | a081d9fa40157e1ab9ec59a6366a0edd1c766205e7ec0928a9449f7a7ced57d73ddf97f0b820380ea97ccc378ff7ff1383451fb2a1b168a6ee9f40c4f8299b4f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0
| MD5 | d1f604157b0745a40453afb93a6caa42 |
| SHA1 | 3d5d77429b03674ebb0ba34d925ba1b09310df5e |
| SHA256 | 468456974fd86b33647942820dce7284879acfab9e9e6eca008e1fdcf9006fb5 |
| SHA512 | 0644ce93724a57dedd8aec208e5a038e323a1b9871d5046d58a87c60479626693e6c8f25b7c7f7b60fd35aac133d2e660ecbd8f8d579ad1fc6703ae117a485a0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3
| MD5 | b68d508d0cde7913e352d9defa79c8d3 |
| SHA1 | aef05d0f3262d5377a36f8c47c377bd080e2e9af |
| SHA256 | 73d92412dd3d3f424a307a72213b28ac3ba69c6260fcb471cb0ec388129e6230 |
| SHA512 | 524319e4daf6ebe5726c456eae78edc0e8b84cb3f32a9644bac2351424d965deb5a15455e4bbd35e86037983ddb6eddd2cb1bd675ff6c9204f85b3047719f729 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1
| MD5 | 240105245bdec0647b646a054f01de42 |
| SHA1 | 16cf29ce880b0da4b35057926790a812463dfc3a |
| SHA256 | c86bc2a1d4e34567f8a9dadf4d224073b92364e25abae8e93c8e819e6098bc85 |
| SHA512 | d28316a87579564b3a008b88a23707a06ca85637929e7cbab8c8727b50f77fc6569950c76f984b3895ae198227a59560a3cff427c2a9f8b6c5f467caffe88b7a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13367084951983400
| MD5 | ab0c27a89752c3a3e6965b0bb9d17d54 |
| SHA1 | 54b9cb9637e7fb420039045cd8f0da0007d8de10 |
| SHA256 | 7da283002dd526fbe327fa825540e8130fe60cc754c96d1b676d8f3e667dbcfe |
| SHA512 | b85ace56e8b173184fb4c03168d3066120b29b9305aad4e247e635969e3999c99f7cee26e9bc514867f4581fc03435f912131972700ab3867f6eca9eb968ef30 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
| MD5 | 78d4eaa879dd0c8a092fe22dd0e252ce |
| SHA1 | 9d4d2d33747000fd263fa2ada6446b2c51af2d60 |
| SHA256 | 83bdb0b6eacc0c3dd6d74e5b9c4065466776ad1bb6186d06026039282212d7ba |
| SHA512 | 8725f671fe7027ad8560a35fef0a2524188e6fb811e1f8a7813bc52b38d0d89393b64df34bf42a404a0c5c50217e5b5566851caee090ee7bf70b0cf6b482f9a9 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win10v2004-20240730-en
Max time kernel
94s
Max time network
97s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1372 wrote to memory of 4296 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 1372 wrote to memory of 4296 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/4296-0-0x00007FF66AE00000-0x00007FF66AE20000-memory.dmp
memory/4296-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/4296-2-0x00007FF66AE00000-0x00007FF66AE20000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win7-20240729-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2516 wrote to memory of 1356 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 2516 wrote to memory of 1356 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 2516 wrote to memory of 1356 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist_dnsredir.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt
Network
Files
memory/1356-0-0x000000013F0F0000-0x000000013F110000-memory.dmp
memory/1356-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/1356-2-0x000000013F0F0000-0x000000013F110000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win7-20240704-en
Max time kernel
122s
Max time network
129s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2476 wrote to memory of 2284 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 2476 wrote to memory of 2284 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 2476 wrote to memory of 2284 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9
Network
Files
memory/2284-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/2284-0-0x000000013FEA0000-0x000000013FEC0000-memory.dmp
memory/2284-4-0x000000013FEA0000-0x000000013FEC0000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win10v2004-20240802-en
Max time kernel
94s
Max time network
100s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist_dnsredir.cmd"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win7-20240705-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe
"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe"
Network
Files
memory/2708-1-0x0000000063D40000-0x0000000063D4F000-memory.dmp
memory/2708-0-0x000000003FF20000-0x000000003FF3F000-memory.dmp
memory/2708-2-0x000000003FF20000-0x000000003FF3F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win10v2004-20240730-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3380 wrote to memory of 2364 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe |
| PID 3380 wrote to memory of 2364 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\0_russia_update_blacklist_file.cmd"
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer blacklist https://p.thenewone.lol/domains-export.txt "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | p.thenewone.lol | udp |
| LV | 195.123.208.131:443 | p.thenewone.lol | tcp |
| US | 8.8.8.8:53 | 131.208.123.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win10v2004-20240802-en
Max time kernel
94s
Max time network
127s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4908 wrote to memory of 4428 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 4908 wrote to memory of 4428 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist_dnsredir.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/4428-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/4428-0-0x00007FF6244A0000-0x00007FF6244C0000-memory.dmp
memory/4428-2-0x00007FF6244A0000-0x00007FF6244C0000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-08-02 15:04
Reported
2024-08-02 15:11
Platform
win10v2004-20240802-en
Max time kernel
114s
Max time network
138s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4276,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=3868 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |