Malware Analysis Report

2024-10-16 05:01

Sample ID 240803-tbrqhayakq
Target https://github.com/ValdikSS/GoodbyeDPI/releases/download/0.2.3rc1/goodbyedpi-0.2.3rc1-2.zip
Tags
discovery dropper
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

Threat Level: Likely malicious

The file https://github.com/ValdikSS/GoodbyeDPI/releases/download/0.2.3rc1/goodbyedpi-0.2.3rc1-2.zip was found to be: Likely malicious.

Malicious Activity Summary

discovery dropper

Download via BitsAdmin

Drops file in Windows directory

System Location Discovery: System Language Discovery

Browser Information Discovery

Suspicious behavior: MapViewOfSection

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy WMI provider

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Volume Shadow Copy service COM API

Modifies registry class

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Enumerates system info in registry

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer Phishing Filter

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-03 15:53

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-03 15:53

Reported

2024-08-03 16:03

Platform

win10v2004-20240802-en

Max time kernel

480s

Max time network

543s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ValdikSS/GoodbyeDPI/releases/download/0.2.3rc1/goodbyedpi-0.2.3rc1-2.zip

Signatures

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4192 wrote to memory of 3948 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 3948 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4192 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ValdikSS/GoodbyeDPI/releases/download/0.2.3rc1/goodbyedpi-0.2.3rc1-2.zip

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff77ca46f8,0x7fff77ca4708,0x7fff77ca4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,16701877439566802218,16300672841450098934,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,16701877439566802218,16300672841450098934,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,16701877439566802218,16300672841450098934,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16701877439566802218,16300672841450098934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16701877439566802218,16300672841450098934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,16701877439566802218,16300672841450098934,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,16701877439566802218,16300672841450098934,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16701877439566802218,16300672841450098934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16701877439566802218,16300672841450098934,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,16701877439566802218,16300672841450098934,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5696 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16701877439566802218,16300672841450098934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,16701877439566802218,16300672841450098934,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16701877439566802218,16300672841450098934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16701877439566802218,16300672841450098934,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_goodbyedpi-0.2.3rc1-2.zip\goodbyedpi-0.2.3rc1\0_russia_update_blacklist_file.cmd" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_goodbyedpi-0.2.3rc1-2.zip\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_goodbyedpi-0.2.3rc1-2.zip\goodbyedpi-0.2.3rc1\1_russia_blacklist_dnsredir.cmd" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_goodbyedpi-0.2.3rc1-2.zip\goodbyedpi-0.2.3rc1\2_any_country.cmd" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_goodbyedpi-0.2.3rc1-2.zip\goodbyedpi-0.2.3rc1\2_any_country_dnsredir.cmd" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_goodbyedpi-0.2.3rc1-2.zip\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_goodbyedpi-0.2.3rc1-2.zip\goodbyedpi-0.2.3rc1\service_install_russia_blacklist_dnsredir.cmd" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_goodbyedpi-0.2.3rc1-2.zip\goodbyedpi-0.2.3rc1\service_remove.cmd" "

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer blacklist https://p.thenewone.lol/domains-export.txt "C:\Users\Admin\AppData\Local\Temp\Temp1_goodbyedpi-0.2.3rc1-2.zip\goodbyedpi-0.2.3rc1\russia-blacklist.txt"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,16701877439566802218,16300672841450098934,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\0_russia_update_blacklist_file.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\1_russia_blacklist_dnsredir.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\2_any_country.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\2_any_country_dnsredir.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_install_russia_blacklist_dnsredir.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_remove.cmd"

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer blacklist https://p.thenewone.lol/domains-export.txt "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt"

C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt

C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253

C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9

C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 p.thenewone.lol udp
LV 195.123.208.131:443 p.thenewone.lol tcp
US 8.8.8.8:53 131.208.123.195.in-addr.arpa udp
US 8.8.8.8:53 p.thenewone.lol udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0446fcdd21b016db1f468971fb82a488
SHA1 726b91562bb75f80981f381e3c69d7d832c87c9d
SHA256 62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222
SHA512 1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

\??\pipe\LOCAL\crashpad_4192_XCOWRDNQYFDNDOVL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9b008261dda31857d68792b46af6dd6d
SHA1 e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3
SHA256 9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da
SHA512 78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1e36c67d2e0a630db7c270127e4aaabf
SHA1 22388e1540eaaac6549ec0d3ad9fee03d71b719d
SHA256 0470f7ef903a29893a06a544f51f31b983de8315b0375263a5faa5c64ba25163
SHA512 a920bc3af26430cddeb5fc6855a416d5b8a3c8dadba22130bc904a179383718fdde9017b0862db53b35df65d437f3c1d18604f12dc1ccd4782277439bb4a634a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2.zip

MD5 41938d1256f900cdaca626a152ba5e95
SHA1 dbafc9a75213d46b19e8fd7a330b87bfd8c0b562
SHA256 e3ff0de76a44978ebd02b890f66be6f3f4320c99f8b443de1877d4e16a4a5443
SHA512 5fcc097dec3144619c52f028ae1a8ffb0f6354779d86b5972017e57a0a7d1871ef2e3d6436c620e30a74d8ab969848b3bfcae979b96040f35ed10fdd184fba3a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 20ea7b8ccd93dd71ac1a09ad158d2113
SHA1 6dbe8d81ae4f47ceebbcf789a4c03cb0d0aafaea
SHA256 04b9969d2b7bc01203f2982a151f01ab2803d188fc7142a615a7b69f5c459d50
SHA512 687b4d8280f96c4af9e0159c3791c14b8ac184b2ccb17c6e19ea5b66bdabd7f2b249bb1b107d5e2c82154948554c224f59cac7abb3374b498f097fbdbd43fbb7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 27c7503faec8faf3000c3621fd9b0721
SHA1 7ca69b2c28ec21b9deb08d1515a2f22fc47b8899
SHA256 4464c41358910228b1e044f74f2023ebdc70e5cb69a539a5c1a82a3caad76913
SHA512 b34dc5393aea3009aed2d4d75be63a6669246869a53530e037ec0495fb91ba778dfd252478bc87bb1687440a847881706cd121487112d712b6196c344a080681

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 807419ca9a4734feaf8d8563a003b048
SHA1 a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256 aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512 f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 ee77ee0ddce6df6a4cf39b6d19ea6b4c
SHA1 d5407a3c365266b7a794e647bc17ed9e06b4389f
SHA256 79a078c39145a1dc1c27c15f05bb7a39bdaf7aec14fd85a2dcfd36b95a3f5b36
SHA512 1841689b05aab9ba73ac48bb390c148e92d218b07da6b89bbec900bcb84055fe2080115545933d495f6e8f2506497af930fbab1c68cf65ff080f2d5a61b30eeb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bcdc4c293a7077af038ba607686d6cc2
SHA1 36eefa58ba27c5ff785eda9a11e6911152239aeb
SHA256 9f0d8222de9e2962e450135505293f82f8afe9dc05335d9314deea8c85bf238d
SHA512 41dda097bdf2b7b7693badeb43e3cd53a0d4616e5a114d5af4d3594096f67a31cc1c1c3ec0b5c8f6526a5135714dc639ea0a11e9d42f9932a16104f288cb7da8

memory/1372-144-0x00007FF6DBF20000-0x00007FF6DBF40000-memory.dmp

memory/1372-145-0x0000000062800000-0x0000000062813000-memory.dmp

memory/4948-150-0x00007FF6DBF20000-0x00007FF6DBF40000-memory.dmp

memory/264-148-0x00007FF6DBF20000-0x00007FF6DBF40000-memory.dmp

memory/2372-146-0x00007FF6DBF20000-0x00007FF6DBF40000-memory.dmp

memory/1372-169-0x00007FF6DBF20000-0x00007FF6DBF40000-memory.dmp

memory/264-171-0x00007FF6DBF20000-0x00007FF6DBF40000-memory.dmp

memory/2372-172-0x00007FF6DBF20000-0x00007FF6DBF40000-memory.dmp

memory/4948-175-0x00007FF6DBF20000-0x00007FF6DBF40000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-03 15:53

Reported

2024-08-03 15:56

Platform

win11-20240802-en

Max time kernel

167s

Max time network

168s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ValdikSS/GoodbyeDPI/releases/download/0.2.3rc1/goodbyedpi-0.2.3rc1-2.zip

Signatures

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2.zip:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 984 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 3608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 1320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 1320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 984 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ValdikSS/GoodbyeDPI/releases/download/0.2.3rc1/goodbyedpi-0.2.3rc1-2.zip

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbdaae3cb8,0x7ffbdaae3cc8,0x7ffbdaae3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,8046923721539619815,14152344857051859618,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,8046923721539619815,14152344857051859618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,8046923721539619815,14152344857051859618,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2328 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8046923721539619815,14152344857051859618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8046923721539619815,14152344857051859618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1840,8046923721539619815,14152344857051859618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8046923721539619815,14152344857051859618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1840,8046923721539619815,14152344857051859618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,8046923721539619815,14152344857051859618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8046923721539619815,14152344857051859618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8046923721539619815,14152344857051859618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8046923721539619815,14152344857051859618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8046923721539619815,14152344857051859618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,8046923721539619815,14152344857051859618,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2636 /prefetch:2

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\0_russia_update_blacklist_file.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\1_russia_blacklist_dnsredir.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\2_any_country.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\2_any_country_dnsredir.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_install_russia_blacklist_dnsredir.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_remove.cmd"

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer blacklist https://p.thenewone.lol/domains-export.txt "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt"

C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt

C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253

C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt

C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 p.thenewone.lol udp
LV 195.123.208.131:443 p.thenewone.lol tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6fdbe80e9fe20761b59e8f32398f4b14
SHA1 049b1f0c6fc4e93a4ba6b3c992f1d6cecf3ada1f
SHA256 b7f0d9ece2307bdc4f05a2d814c947451b007067ff8af977f77f06c3d5706942
SHA512 cf25c7fd0d6eccc46e7b58949c16d17ebeefb7edd6c76aa62f7ab5da52d1c6fc88bde620be40396d336789bd0d62b2162209a947d7ab69389e8c03682e880234

\??\pipe\LOCAL\crashpad_984_NCENUJUUBXOTZFSD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9828ffacf3deee7f4c1300366ec22fab
SHA1 9aff54b57502b0fc2be1b0b4b3380256fb785602
SHA256 a3d21f0fb6563a5c9d0f7a6e9c125ec3faaa86ff43f37cb85a8778abc87950f7
SHA512 2e73ea4d2fcd7c8d52487816110f5f4a808ed636ae87dd119702d1cd1ae315cbb25c8094a9dddf18f07472b4deaed3e7e26c9b499334b26bdb70d4fa7f84168d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 37bbc57839d08a5ae33bd5a57e8b1787
SHA1 f03dcb4532af2d1349a33bef918285ad2fee0972
SHA256 86ecb0fe1fa29ac3b60c84c032379ff1e3dd39c3ca6ad638614f5d772b89c11a
SHA512 3bf9b25f018a61d19c9e98494cd58d1e2395dddf86bf4a647571da374fe4bde2acc180dc4cd075dc791a2cb42692c97803585416af091bce898fb2af1f772a39

C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2.zip

MD5 41938d1256f900cdaca626a152ba5e95
SHA1 dbafc9a75213d46b19e8fd7a330b87bfd8c0b562
SHA256 e3ff0de76a44978ebd02b890f66be6f3f4320c99f8b443de1877d4e16a4a5443
SHA512 5fcc097dec3144619c52f028ae1a8ffb0f6354779d86b5972017e57a0a7d1871ef2e3d6436c620e30a74d8ab969848b3bfcae979b96040f35ed10fdd184fba3a

C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2.zip:Zone.Identifier

MD5 12e7efad42ba2a492c02288f85f1d858
SHA1 56c7d4856b2049d396c5d0d5752090ce6ad5a385
SHA256 bb87e5997bd9941cd587c25191f81e71b8c3f51eb4b1c67f54968ce8472cefc3
SHA512 81fff045242e2bc5e643be54117b03d1b59e572b3bdda139e48faf3143f698877a6829e349c3c320f0d04742705971742559c7ee338661f8968110cf0cae10e8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3c77c5d6e25c15c9cf9012e68c57577e
SHA1 5ea0a45d90904e266346719742a29409478d9744
SHA256 480e0bc7ab4a4212ac74aa032a53cfb5255a1c929ab48d323a4c3ebe8c2543f2
SHA512 9d391121d1b3b01fd7ca9b2b68d5d5b6d0454f93b25d660c1b2b9c990b2f1cd8a6d7ae377c3644fc3721f274227952a81738321860ae3d6c40c019414ad85729

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f73cd911cbb32c3e5671773283c5d94c
SHA1 1c34e24adcca4284a112236c0d490be8ee40b935
SHA256 7940009cee97b1917f3cd211e8a6919c53490f9d1623297ced272a1475be33c6
SHA512 5503ff328232f8b3c332911d308f013866f86b5c5deebebaf3ac90cee509a7a0bc8b60ca6dbdac48398464dc4db1322fd987547e4d70ac28df23a82373925095

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a6d723793ceb3a26ff853a8591a2e693
SHA1 9ca4cd41a6cb39e1c5499ca1757f85d4cb22e62b
SHA256 ba7d56f7949096bf513b6f41e5b181cebca1f824f1c75b96c1b69abb2bfec027
SHA512 aea05edb122615c8b48759df68d22037f970c5269af98f6bfb9de953b7cefdb17e3b980785e342969162ab23f377c88d05fe4bee048094a6c914014f334f22b5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 f5cd008cf465804d0e6f39a8d81f9a2d
SHA1 6b2907356472ed4a719e5675cc08969f30adc855
SHA256 fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d
SHA512 dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 984e06d12120ea5d7a41f4258dd2df92
SHA1 15c1abc8a3fc3fc2cf3afb68cdc71e908d1ecb93
SHA256 ae9ff037c1f69be35267107f56c6d55e3cb353dc794c8d464c2bd8549a218515
SHA512 970313774fc17bca65dace6764bf80ea83da933dcb88ebc83ab059c6dc1dbffa7446200f4c9efc043bbcdf109e28a13256dcc597ab5ded3a2bc58e2ab01e9803

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 4d52399020a24c1f6b4254cc7252504b
SHA1 2afe0c8994c64898d5fe16ca68811438ef19b0ee
SHA256 e75a14ce8abaea1788c4361552ef9ef2b86ea02485eb4ad5f8c22c9c49ece3e7
SHA512 a481726d4ef1dfd67a86ae79e16abda87a0f370310758cc8a1bb2516a69557129e9612b9430c0ae11d7ddf72e1afc3375f5649a09bb53febe5cc16718ba976b4

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 f065a39d7e06597189e073755a0c1719
SHA1 f2ce3c9d697f40ab82ec0fecce46de6b354b4c54
SHA256 5ce6608613c37cdb3b66ddee4db699f41b06bb3906301b29c5f5039b8ce6356b
SHA512 c361ae3950de1fb738ef9b18d58786819ae246c21631bdfe4c392a41a859e25fabbdfd473d42d875846cb4a1abbbe798b29512264f9aa3f9558e067795468e20

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-03 15:53

Reported

2024-08-03 16:01

Platform

win7-20240704-en

Max time kernel

363s

Max time network

367s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/ValdikSS/GoodbyeDPI/releases/download/0.2.3rc1/goodbyedpi-0.2.3rc1-2.zip

Signatures

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 60793a67bde5da01 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428862315" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000444055ab75792cc7ff27ce9961f1f91f03a000f700fc4810280f96b724b2e102000000000e8000000002000020000000ee875a1e8370e2cbe84105012fe11704f1abe536b433098e1836423e8fc871ef200000000f8e3a563b61669ebe6678c453e153b8572d659c6b8f6458ee20a2599f410e5a40000000ed71a80c29aef1aea0229666a3e71beecefedd821471bc430cb02043544db63d73f47f11141b2b08b2b220a06891ac58daa89d3128b7dcbed0c11ee3f9513196 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b700000000002000000000010660000000100002000000037ddb3dc47e1c5aae2ee29d0367c334122a89c0ae8a8e02a6301c8e8de707af3000000000e800000000200002000000033c03e913006e0158f9b125b8ddfc5fe082dcf0aaae77a96d59037f5006fe93690000000032c81ef61950564a83e5bc50e34240039af87111865abd7e17d7cebe30011001c19b4892c7c4613a86be18a48393535dd61a5096e6b8414ec53d3ce435c9a5c139cc530500ef299c00aaa51195b3ac5afe2d08adb907f56046ae5aeb82d30c4ae93c8eacc7551b99c8706257dee3bb5fae63acfa505306a2a1675627e7aa28521ff6863113e273f11e6ac890a33d5d14000000011be097a1f78d19068074eeab93db58ab19646c17fb5fa002047741092f000addbc27ad0475e29f18f1cf9e9ac5c4c655e9c93e77fec238af41168589f92f365 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{99DF9F31-51B0-11EF-80D8-CEBD2182E735} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0084d873bde5da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 1800 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2296 wrote to memory of 1800 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2296 wrote to memory of 1800 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2296 wrote to memory of 1800 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 328 wrote to memory of 1708 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 328 wrote to memory of 1708 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 328 wrote to memory of 1708 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 836 wrote to memory of 2172 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 836 wrote to memory of 2172 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 836 wrote to memory of 2172 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 1036 wrote to memory of 2360 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 1036 wrote to memory of 2360 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 1036 wrote to memory of 2360 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 1996 wrote to memory of 1660 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 1996 wrote to memory of 1660 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 1996 wrote to memory of 1660 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 1168 wrote to memory of 3040 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 1168 wrote to memory of 3040 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 1168 wrote to memory of 3040 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/ValdikSS/GoodbyeDPI/releases/download/0.2.3rc1/goodbyedpi-0.2.3rc1-2.zip

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2296 CREDAT:275457 /prefetch:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\0_russia_update_blacklist_file.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\1_russia_blacklist_dnsredir.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\2_any_country.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\2_any_country_dnsredir.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_install_russia_blacklist_dnsredir.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_remove.cmd"

C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer blacklist https://p.thenewone.lol/domains-export.txt "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt"

C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253

C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9

C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.80:80 crl.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab2CFB.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2E19.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a58a434d80c6287776a03701894076c
SHA1 e60f3ef8a23329a966fa1d3859d6f2f4a0ad9d48
SHA256 c30be9f469b419a6d2327f15e778ba12eba5595f356edbdb691ce54785b1f4fc
SHA512 7c54bab23a7f5f26a212f212f8d7c340effc8b9bf7ee41756f472f78eeee1d151cb7987a6a6bac051f8ff4f5d1b23b5fdd1a4aa23a0815f7816d011e975c5011

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0a9ce822a48900342a07581ed561f226
SHA1 c4bb891c7379e098fa358a151f12819e10a13882
SHA256 3ba018c3f0552765235733208b43493c55f723fcd190c991f1e64b7ba811e18b
SHA512 4832f0f34d54d946042562b38e7294562cd2a6a9409227751ff4cbb21d127a1b797687eef7e1ebec32ba30e4ecde6ff413a86bf467ce38f0c1b876f189de701b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 915ca4934d4b12dc245e73bcdd196fd5
SHA1 7ad19acc5b71c7a98de7c22e77001705e58e993c
SHA256 07516202c689dcba80e578a53ce715a773cd5ae1410f043383913afc35a909ca
SHA512 e28437d9e181d53a593855c308d57f24e471a043f12e0d8a7cca68d610618698887913aba0ee10bf44ec21203a6fa93c5ae2e691750c4622f7548c293b19f240

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c64026391fd0ae72adfe0ca52f7716c
SHA1 4204ea739036c7a0eba8f8a1ce715704d149b9b7
SHA256 84ad149f923932809ba968a1b04cf51db6ed288d4d40b79a12d0c60a8583fb51
SHA512 a6134e7cefb526dbbe30538f80d52a7fc29617d56b9726f684c16db6121804d3d829e34fa7d945ea5d22a445fa8c7be2ce374bb3963345d632b22b94285b9ecb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7d3c1444529a28c8067dc5edc4ac703
SHA1 f48e57a6b8445cb2d2256be71671e77c4f1e2635
SHA256 075b87690760ec68df352e1d14c5b028d106323a60569238bd3a2b8ce2f2050f
SHA512 628ad125bcffa928623aeffb27ec0d575f16042d179ae81296169adb297ef906df338067285dffaf49feb5e1f8ba7ea43ae981feee02fd95d6806bf7b85ed464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba8caeb8e2eba91a64523f95d3db3003
SHA1 c26ea31e559dca6d7ec210a67070ea7211016f81
SHA256 7d7b0ed19508e70b3aaa3883860010ac1d849423596b6853ae285a7c9a3e5dd8
SHA512 0f8e3063110474be8cd92e46f7b02ce55951f40d059f47745330f0b924ceee95ef9871e50921fdb4d5cbf6cf8a86560a255203a38b6f5b5d8e781012a1b7c7f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ca87f789235e28d403c37c8479c43837
SHA1 a165d2492c6d24b15b62a57fc8e06948eb706a9d
SHA256 f43b7a9ff089f7914e84cec1fe0ce0f4053410234c690cc8843cdbb61de9e12d
SHA512 e58f470116813dfdbde5b0dab97a141a0b57688a6057ff35beb81ce3b3065a0b61355c5542d3a4ba3d1aabdf8ae8fb5abda2224b9bebcbe282e3f1e1b5aa0982

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35117083527564ed0e2c2a51690a32dd
SHA1 1c692b085b8dbcc07dc8764dd82214348106bc6d
SHA256 64076b1ea258366a256f30b61d83eab276aa1eb660dc9a0294c51ba481429df0
SHA512 cc4fb091bb5c7e744a1c0b92ebbd409b8d6780c8cafe292ad99537d23f0e35dac3ded723893af46576f47d3c15e3edd230480e1fdae8c4db7bb87b3906047529

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be3dee06b72fb0fbf118facf1e9f5dc4
SHA1 2b614c1b4320046441704f5db6105c90a6b56caa
SHA256 740cdc5fb5f1f48091c0dc0700c90d878bcae001b8d6d11d1485b58ba9d1778a
SHA512 fa7a4c99c2d484ac29f310940c6e806734f17caeb8f9023872d3debfb374e4c37a6019234eb1056acbed0fd47557338e02c366f8627bb43915728cfe2ccfbd58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 838ab930ab59c6911ab46faca5d3b7ae
SHA1 6508a1d63f9be0bd26949f1c41e8c781964df646
SHA256 c84cea024182e50e0db9404e31381283c7c59f370b93621b4109a3e87f987a82
SHA512 a5224199191467517cac2da0eb06712871cb7ee47129e583af641f3f7262058ab73bc3e04dc765c063df14478150da6852982fb9a066aec8c11c06e4f4a0ae3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9318ad67eaf9cfc4ad7c19efb42262e7
SHA1 e0ea2efb85a77ca2a88789b09bf2c65546bcbe24
SHA256 4e9e9b84214206d2475b309ba7f4e1070260a02cc2e8102c30c22ca039949a80
SHA512 301f60a93337d9c3537b8e7106fa305f2b3d12fcc283c364f4e8ca7129c89cd81574eceeb3165ef5daf8080d17cbd7d7ecc8db3187224cffaa98f4e511b1895f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ed9dbf9b5a94774810c443b93b0a586
SHA1 99e1d093918e425728f44366e75b0fd74ea38395
SHA256 097a14df8c5f0022e97ee9f36764dbd3540755518ea900316a69f09b48e6d379
SHA512 67c59c03ac96fba71893bd3286b4507a2e58f907e4f3991e6db73b4c1010f23692590ed9e5ac4a32368120308824580dbd3d04a4c00195337280131e97f610a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd6a56bd275889757cb689c40ba2ba30
SHA1 b9d0ce4a6f66d759158e6655f45d87ff1bd77ced
SHA256 c8a582a1b5b55968d8974324c5c5f3f2cb5b977418d37aed62d0f88b5fdc2650
SHA512 46ac2f7774ccf16665fd74647f56a93ca69095d56221f12448fc2eeac54213c25da2ad436eb064b56e7c60c9c76419ad413d72d3a3886e7f2b2f52698fc457d4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 426b85bd7acd6faaec924b775e5712a8
SHA1 8a758020d1b7568a8a10d64ad602689c21f0a81a
SHA256 0e71acde07b432080ff83c5acbb9a1952742fa5749d933b3de83dbe68261be31
SHA512 b4d53d67fada632fd87fa73fe41ad367686b87e705a3ebc25281aed15a29f8119a1fca0b980bea99bf742d30e90093f3838870c72105184dd7d6269a345e0660

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 96399b2cc6f8f558f02db1038325464e
SHA1 548a8fa0c74f11322a3080b8ee795d1c19912c6c
SHA256 a3d3c6eac36e69016f1dc3ae57acadb5955e2bdba76c2e4f45f1b3db9923cb3f
SHA512 05ab5afb8d68c5d3603440b42e818d2cf4eecfddf6ad94a219368a7282b1bba3be81224606a998ad2e63707cdb6554bbeee61986d7bdcfd591beee71dd8752a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2173b845ea54908c5bce3b74a4b23964
SHA1 cd41194d294a2d23950d190d86c4798d5963a45e
SHA256 84461c2018406952a42aa86569e415a84955dd9df9d8b91bd0e950319987892a
SHA512 a2b6f4e68c50aef158643f8422ad8f16672b77e8b1845e3d3cb8f09b934a616557f86533f8b865facba6cfcb4fea27d0f54b67f80c22b1283d7e3726b36306a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10b52084f2bda497b119fcb88c5d8f19
SHA1 b95245f4c481cae54f1dcc0d14675fac4f811463
SHA256 e3791d948f00d6a338e008458e7c7046f50994c54f23898742902041896a3277
SHA512 ff8d605d98c75b81d0f5b0e1e4f81556dce0605486200849fe1ea6b185bc2c1b9e74983d4941a50bbec4328f96d95ce6c5183c12c0692ede238f07864ded7f97

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5191f640e5eee43448a9a340a6d3ad73
SHA1 b7a629efb0ad5f89de7b88f4805db4b10fb6591b
SHA256 d6ebff7f8b83fc232e08e927dfc0cac2b6e991c7a7dfcf4609aa79359cbab4c6
SHA512 0d4e28b49c52f73aec96524072cb344f8add6610780e2d022c5df59c86ca2e675b82dd427a9f0e774cc890ad6ac4461b25ff2ef7883c6d376c2c6b5f3facc6b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 754eaca220d4118aa2cabd225b779376
SHA1 9986d3df706890739aa62ac10af28f92f76dcfa4
SHA256 f51995978593f9db6513eb2a420a954f3e0cd817524e097ff6a5e7c76fd4af3f
SHA512 3244ccb5ce231a3401f046363550fe6801753a4084a8fb70395ce19d69b8b3c14fc3497383054b5e23d51b00c5f346734689a4c3c3b2e75c438fc04321f61bbf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0e3c9c568e23dcf7ba0b20adcbcdc8ea
SHA1 738f19d83f020f8fce29ab3cbe5a7f2b1dcf4e72
SHA256 c53ecdc55f2f4a991ba558b89b5ec255f7a249e22ba5ad117abf28d369cf6bc0
SHA512 24956d0da38c40320f7190ad47df991c6ba9b3519c6eedabd5c24dde395b7d44afe30b838b4020943e8f4656a2f58cd7f72a1d619a5004976c15d383362b037e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 715794bba00854096cb9cbf72c1d0c76
SHA1 80df3f1b4e8596aee05630a95f313c5b1300e610
SHA256 aad397814e58833593c6fc9d5c6c9e756d18d1db2c8da0d21d9b460ba1b8c1e0
SHA512 79fdcbb843d3dbb2d6a1985168f9d382ba13202305c0aa49c78a8b03b54fa4b89787c60908916b070345da9fcb6fb27e37feca520828b77eed1cc3d603c58e0b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 820cc975082364491d67e361072ec143
SHA1 24a64bed68727b5ea20b37ab8a0efe190d07d43f
SHA256 da6fd0f3ee385a36bd174e1c3d32e332d1c88d8e7b37ea662c5e8929e860747d
SHA512 4c301e74635174e030281f9c55d186d4e8035c95fed5c56ebe9ff5c90177a6a84d1c8dddca387f6a0f3a3c45a7c06aad94f0a9bfe716274ce69304b208e91934

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e5190f75cda023cb02a86fa5be696c4
SHA1 36516d02a88959e28004156ddd160559d2962464
SHA256 09156e87ab8428c47d138e02bfd13d676b01345888557791a391ab6a318ff21b
SHA512 4519599ef308f965fd80341fc89f9a7bdf9fce359d108b33ff87a77c6eff20a849aca27ff1eadc1ca49e3ac6e53a08659d4c2d07ff3dce9c355aab688273cabe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a7476a65fb267ab98b07bb628aa675d4
SHA1 880a36d9c86819f544d343a72a97a7233778289c
SHA256 1f52655118ddd96b900b7127a429993fcd983bbf3d01a5ce6634842e029243b2
SHA512 751528c6cd544e288b7cd737d48d558ef276f7fe6083a8476c38ce05f3e2d83855e49602480dea3249cb45b4d19191d643d3f91b8eade992dafd806250127245

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 57a6e2966e5aafe685ea4b852c3b5f68
SHA1 b22717fc06e6f64dd4b620a25372fb632b5b6cfa
SHA256 0e2edcc466ed3c7a93da23e63191b3b121d0cb0c93bd3a1495763dfd3a302a34
SHA512 c70d4805b7c7a97ef0d4d9c81d660e35abadd3b944a53eac8f9defb5cf332f7346a7b3e5f822b5827c63b679d0b7e709d080bb5982931300413a7e1086d4814e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fa2be0fb098cbf057ba712e200183bcf
SHA1 49c4548c8e76521b4ff986d773501ccc0d91c6ba
SHA256 e977d984af51b025e02543fe045c19a3ed618b795367d5b7ad46455a5b3a86c9
SHA512 57c602b98bfa24ae97d56e7d25bc3afcbf8434ea6b2f01b688bafc061c5ffcf78f9131570fed8f55509b2245689ba88ee1666aeb99eb0de30068257f13d2f53a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a17f13bc2a1dd8cebd53d63054f9a0f6
SHA1 290575d9e13ec39675820b07ca3fdc27d2d121df
SHA256 cf757278e8dbded945930d024a1f0e8fb5c16b615adeb32e530ba647e67766e5
SHA512 94a0cebc8de39d843f397630fd01f00880d4ff6319d3463e95dfe9bcfb74313509ec2cffb1c030ddbd9b97a466cc53a1c5b92195471728a451371095deae3f65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c3b3036baa4d95ddd13e3153bf83abdc
SHA1 0f93e1f91ef3219a187fc9290bcb4e351a428930
SHA256 84386ce2aa45a40b8b453447674006ca3f13eb036d1bfbb752fb2b967f0943d5
SHA512 851d97464bc89fc96e9c897f296bddbeb428357324dd19faab5b042cd5297bcfbe99d1bcbb41ebd27555add764756d7affab5b06328c4d0d15b5df0a4f80c831

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 97251b78a22438188dfe07dc4742edc6
SHA1 20819f8dcc51da8046fcb539ac6dfd440a6f3895
SHA256 061180c143927798a8239ced22cab71bb6f14034af9e919846dced29ce4edece
SHA512 62d26efa1eaf69c801d034503c8b98bc5d729a725a3a6a18b70847f1798ba0254133d5be51769195b0c14f2a51dc0a764b83e3733b1bb388c4c84409afd9bba1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be232a09c46edb41ff1f5f07453b44f3
SHA1 ae0b6260c83ddee9c1a50c038be3e7804da91064
SHA256 dc5d20bb8f3ea6afb397051e921ca792dd238f40ebcc50ec2a4dc11a4200512f
SHA512 b17df61d8b559153424aa8f63d015bf36f9089151d18cc50e26ecbac18679de005a85d65af407f7b0d606f92892baa70960dc856fafdeabf3752be995f0191ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 725cfd3a965dfecaa198292dd3b6fd26
SHA1 d39318a1a8cb2312ff0b99ffdc9393cef0dbcfb5
SHA256 db51198c5e7288cdba22f72d8d9add4c9a46e12c2b87a3f95d2dbc0c52df7f51
SHA512 5df2f2729c6d7c2bb3cf42aedec5427faac36bee597dfbc19529144c4852eff6a4ef10ebd504db1b25244bf0f8b06c350d5ebc589f9152f1044eee2e429f1806

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eef6a47f155d8170725ba0d803faf86b
SHA1 606f5487ae8a7ec1b9ef5639fab542c171450775
SHA256 384cc3aed84819d9ace73aee7e6121ec7f93af49cdaeb222ff1befb4b1d9303c
SHA512 13dd685d5dfc2aece04960da554bdd9ae8f62c6aef7414173472eccffa5f61cc058c209a8e5b41e5be790b425a80277c003b20d01c910f15e0db08a64e7a69b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8d2311649042519a1bb225d1806d7ad6
SHA1 3aa4500f6033a513492c53a38f29312c09193c5f
SHA256 9b0c74b14c4d4331f5ad23ead0c428dcf7e3176c1f0cd69cef19341e5d981bc0
SHA512 0872b4cec437717a9bd73ad4b66c6064e6402ef5ab0079407951ad1c705b70424387321f46743189ccbc48fdf25578f051bee779cd299bb6b17bd011abe78f3f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a7ab99ec30c80179868612a6097203b5
SHA1 28761d09e26c138c94080e75dc1bfb9f0f97b484
SHA256 c0a1c57350cfa4abf689377d2e5adf76d8e14cb81f7e736b0e55432aa6a082ce
SHA512 265d5f1074eda6285e437c2e94bea702873815d756d36768f97729f219f15096bc6e73b49ee48e1c5f57315903db162190b3496fa9941f26e65a2463a0a56781

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VOGNAB2O\goodbyedpi-0.2.3rc1-2[1].zip

MD5 41938d1256f900cdaca626a152ba5e95
SHA1 dbafc9a75213d46b19e8fd7a330b87bfd8c0b562
SHA256 e3ff0de76a44978ebd02b890f66be6f3f4320c99f8b443de1877d4e16a4a5443
SHA512 5fcc097dec3144619c52f028ae1a8ffb0f6354779d86b5972017e57a0a7d1871ef2e3d6436c620e30a74d8ab969848b3bfcae979b96040f35ed10fdd184fba3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b8072bffa7c40dd0211f119d3142a8d6
SHA1 9fefa19215d19f05bc208f65af2a949f77f42edc
SHA256 295a322a39ca6a8768aef4d78f131891a7ce43171195f8a7f0d603df9b06b8c2
SHA512 cb67c65655859d76cbe1fef8e4b6991e8127c52c5610d3824c921bde077e83fd06fde8d5aa99c67963d352294a14fa344a3163fac2cebc4a08a17225401e64c6

memory/3040-1374-0x000000013F1B0000-0x000000013F1D0000-memory.dmp

memory/1660-1372-0x000000013F1B0000-0x000000013F1D0000-memory.dmp

memory/2360-1370-0x000000013F1B0000-0x000000013F1D0000-memory.dmp

memory/1708-1369-0x0000000062800000-0x0000000062813000-memory.dmp

memory/1708-1368-0x000000013F1B0000-0x000000013F1D0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2dd1e02b8e266af81da60a2c5b0ca8f
SHA1 9f63c3a03b85f14f0dd593172de56d7a2b5bb2d3
SHA256 b1477838478a6dcb53d1120455439230b7f16d75cbe8d8e4e26cae2ebd6ec0ff
SHA512 5e65e87ab8f1d3f93ac6a7de06e1027e647f32f3f5448419c13c1723cb57e2a64ac9fcc7eef10a1e7055e62743416eec9f0365e8f794c7978ed4f1c131364c80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 b5f0cdd1f17c5fc541c29e2d74434977
SHA1 1d200957e1daf9eaaa83c9f441250f5fd0c97ed4
SHA256 b07f46d95a41c59346f693497b0fd52f35b322cb5d559657d0a6728709d1cd37
SHA512 82c2330b0d7d381956f48e2481608dd7ef5089bd53448e94c783cd87e8c1c96b259373e21307445f3f6def8c6829964bb811cb50bbb86c288cf83d42633b5eac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f96b45bd2b6b5997d906c773fc4d4dcb
SHA1 869a7d1488924b593e70a10f9be8e441078b5578
SHA256 168de5ed6b298adb5648776cb4089cd2cc9319adc9dca1a860aacc9abe1231ea
SHA512 7244af696099acdd96d0632542d9b18666af2f50266b90e2f328e34af493907ec2a5bfc1de1b6ccc1a905757e51456ef9c01eb5b52896a05a5a5abff4b40cf59

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 23957fc52fa9221ce86f0a8139bee902
SHA1 751c37951088b7caf325d75e770fb1fbb17f8eb9
SHA256 6d3ece14ef9f1902d3b8277af95b12afe8ebf1131d5ab22469b3450ee95e5e21
SHA512 8b7fd2d4fd140ac819ad1c8afeb09e6bc2114e83c04772b42709888e145394a30261c7378c1c37a0fa22f93775794ddb34a39e2caa9b41dfb847d36fc105fd69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7809c6db0e3f1529a90e5dc6e8785ce3
SHA1 3f2e12f25729deba3811e8c7bd23530f54594d8a
SHA256 e393f729bfe3e01a4811b61bbe122de64bdd2867109d1e3c2f1586f4ad2582af
SHA512 4999e71dc3b23fa143ea1345f0c06b6e02db182ca066fa35925c472c9b15d570b6a7d170418d777dfccda47ff6c06fdf09f051084f2f467baaf522468855ffb1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 70846c7aba169579e19d0cb95ae5fe0e
SHA1 a800a936434011c90b833dcc81ecce51bd8243dd
SHA256 689e75f2f5458b712bc949f5e66647271fbd91fe9e5d2b54da7052efe6272c7a
SHA512 65f4836ee3b526e9fc9cd6ebc1d52c43c6a8b32859a4e9ce5773bbbc46d703e4caa1ebc665e058c96c8178b610f687d9995246ea99694e9b5d90a4bc39dfc061

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 df11491f923219ed9c8b6261f00f5a72
SHA1 6a439598b6025469046bf8ab51e20423a3809b21
SHA256 6c06040656fc7742c556c1f772eb20ed612075d912696932f8fb14f9e4f2b608
SHA512 1b468801741492e170871ca982c1e8bd3b4f92b749590776dc627c744e76d826bb3192e872330b922cade97a3b6d934ff0827daa5641ea463acef396fd8e13be

memory/1660-1906-0x000000013F1B0000-0x000000013F1D0000-memory.dmp

memory/1708-1908-0x000000013F1B0000-0x000000013F1D0000-memory.dmp

memory/2360-1910-0x000000013F1B0000-0x000000013F1D0000-memory.dmp

memory/3040-1912-0x000000013F1B0000-0x000000013F1D0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-03 15:53

Reported

2024-08-03 16:02

Platform

win10-20240611-en

Max time kernel

510s

Max time network

390s

Command Line

"C:\Windows\system32\LaunchWinApp.exe" "https://github.com/ValdikSS/GoodbyeDPI/releases/download/0.2.3rc1/goodbyedpi-0.2.3rc1-2.zip"

Signatures

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7cfd6c64bde5da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\MrtCache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ca217679bde5da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings C:\Windows\system32\browser_broker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 053bde60bde5da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b88ee95ebde5da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{E86CDF28-8D26-45CA-B03F-A4A303383B6E} = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 518b5764bde5da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2.zip.gdv0jf4.partial:Zone.Identifier C:\Windows\system32\browser_broker.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1352 wrote to memory of 3984 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 1352 wrote to memory of 3984 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 1352 wrote to memory of 3984 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 1352 wrote to memory of 3112 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 1352 wrote to memory of 3112 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 1352 wrote to memory of 3112 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 1592 wrote to memory of 4708 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 1592 wrote to memory of 4708 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 536 wrote to memory of 1812 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 536 wrote to memory of 1812 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 5100 wrote to memory of 1888 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 5100 wrote to memory of 1888 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 4380 wrote to memory of 1492 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 4380 wrote to memory of 1492 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 2764 wrote to memory of 168 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
PID 2764 wrote to memory of 168 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\LaunchWinApp.exe

"C:\Windows\system32\LaunchWinApp.exe" "https://github.com/ValdikSS/GoodbyeDPI/releases/download/0.2.3rc1/goodbyedpi-0.2.3rc1-2.zip"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\1_russia_blacklist_dnsredir.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\2_any_country.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\2_any_country_dnsredir.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_install_russia_blacklist_dnsredir.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\service_remove.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\0_russia_update_blacklist_file.cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd"

C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9

C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt

C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer blacklist https://p.thenewone.lol/domains-export.txt "C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\russia-blacklist.txt"

C:\Users\Admin\Downloads\goodbyedpi-0.2.3rc1-2\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe

goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.101.143.210:443 www.bing.com tcp
GB 95.101.143.210:443 www.bing.com tcp
US 8.8.8.8:53 144.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 210.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 p.thenewone.lol udp
LV 195.123.208.131:443 p.thenewone.lol tcp
US 8.8.8.8:53 131.208.123.195.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/4904-0-0x000001EA7B420000-0x000001EA7B430000-memory.dmp

memory/4904-16-0x000001EA7B520000-0x000001EA7B530000-memory.dmp

memory/4904-35-0x000001EA00050000-0x000001EA00052000-memory.dmp

memory/2656-45-0x0000025E44800000-0x0000025E44900000-memory.dmp

memory/2656-44-0x0000025E44800000-0x0000025E44900000-memory.dmp

memory/2656-43-0x0000025E44800000-0x0000025E44900000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O1CG8PK3\goodbyedpi-0.2.3rc1-2[1].zip

MD5 41938d1256f900cdaca626a152ba5e95
SHA1 dbafc9a75213d46b19e8fd7a330b87bfd8c0b562
SHA256 e3ff0de76a44978ebd02b890f66be6f3f4320c99f8b443de1877d4e16a4a5443
SHA512 5fcc097dec3144619c52f028ae1a8ffb0f6354779d86b5972017e57a0a7d1871ef2e3d6436c620e30a74d8ab969848b3bfcae979b96040f35ed10fdd184fba3a

memory/3984-74-0x00000229619E0000-0x00000229619E2000-memory.dmp

memory/3984-72-0x0000022961920000-0x0000022961922000-memory.dmp

memory/3984-69-0x00000229618F0000-0x00000229618F2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZVQ9VIUB\edgecompatviewlist[1].xml

MD5 d4fc49dc14f63895d997fa4940f24378
SHA1 3efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512 cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

memory/4904-122-0x000001EA01FF0000-0x000001EA01FF1000-memory.dmp

memory/4904-123-0x000001EA02500000-0x000001EA02501000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\ZVEYYTLG\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

memory/1812-145-0x0000000062800000-0x0000000062813000-memory.dmp

memory/1812-144-0x00007FF6D1680000-0x00007FF6D16A0000-memory.dmp

memory/1888-148-0x00007FF6D1680000-0x00007FF6D16A0000-memory.dmp

memory/4708-146-0x00007FF6D1680000-0x00007FF6D16A0000-memory.dmp

memory/168-150-0x00007FF6D1680000-0x00007FF6D16A0000-memory.dmp

memory/1812-152-0x00007FF6D1680000-0x00007FF6D16A0000-memory.dmp

memory/168-154-0x00007FF6D1680000-0x00007FF6D16A0000-memory.dmp

memory/4708-156-0x00007FF6D1680000-0x00007FF6D16A0000-memory.dmp

memory/1888-158-0x00007FF6D1680000-0x00007FF6D16A0000-memory.dmp