Analysis Overview
SHA256
e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cf
Threat Level: Likely malicious
The file e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN was found to be: Likely malicious.
Malicious Activity Summary
Creates new service(s)
Stops running service(s)
Possible privilege escalation attempt
Drops file in Drivers directory
Modifies file permissions
Loads dropped DLL
Checks computer location settings
Drops startup file
Executes dropped EXE
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Launches sc.exe
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: LoadsDriver
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-02 20:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-02 20:41
Reported
2024-10-02 20:43
Platform
win7-20240708-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Stops running service(s)
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoodByeDPIService.exe.lnk | C:\Users\Admin\AppData\Local\Temp\e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\ByeByeDPI\x86_64\goodbyedpi.exe | N/A |
| N/A | N/A | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ByeByeDPI\x86_64\goodbyedpi.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
| N/A | N/A | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
| N/A | N/A | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
| N/A | N/A | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
| N/A | N/A | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
| N/A | N/A | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
| N/A | N/A | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe
"C:\Users\Admin\AppData\Local\Temp\e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\ByeByeDPI\install.cmd" "
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\drivers\etc\hosts" /save hosts.acl
C:\Windows\system32\takeown.exe
takeown /a /f "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\drivers\etc\hosts" /reset
C:\Windows\system32\attrib.exe
attrib -r -h -s "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\attrib.exe
attrib +r "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\drivers\etc" /restore hosts.acl
C:\Windows\system32\taskkill.exe
taskkill /f /im GoodByeDPIService.exe
C:\Windows\system32\sc.exe
sc stop "GoodbyeDPI"
C:\Windows\system32\sc.exe
sc delete "GoodbyeDPI"
C:\Windows\system32\sc.exe
sc stop "GoodbyeDPI_Default"
C:\Windows\system32\sc.exe
sc delete "GoodbyeDPI_Default"
C:\Windows\system32\sc.exe
sc create "GoodbyeDPI_Default" binPath= "\"C:\ByeByeDPI\x86_64\goodbyedpi.exe\" -9 --fake-gen 5 --fake-from-hex 160301FFFF01FFFFFF0303594F5552204144564552544953454D454E542048455245202D202431302F6D6F000000000009000000050003000000 --blacklist \"C:\ByeByeDPI\russia-blacklist.txt\" --blacklist \"C:\ByeByeDPI\russia-youtube.txt\"" start= "auto"
C:\Windows\system32\sc.exe
sc description "GoodbyeDPI_Default" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility (Default mode)"
C:\Windows\system32\sc.exe
sc start "GoodbyeDPI_Default"
C:\ByeByeDPI\x86_64\goodbyedpi.exe
"C:\ByeByeDPI\x86_64\goodbyedpi.exe" -9 --fake-gen 5 --fake-from-hex 160301FFFF01FFFFFF0303594F5552204144564552544953454D454E542048455245202D202431302F6D6F000000000009000000050003000000 --blacklist "C:\ByeByeDPI\russia-blacklist.txt" --blacklist "C:\ByeByeDPI\russia-youtube.txt"
C:\Windows\system32\sc.exe
sc stop "GoodbyeDPI_Aggressive"
C:\Windows\system32\sc.exe
sc delete "GoodbyeDPI_Aggressive"
C:\Windows\system32\sc.exe
sc create "GoodbyeDPI_Aggressive" binPath= "\"C:\ByeByeDPI\x86_64\goodbyedpi.exe\" -p -r -s -q -f 2 -k 2 -n -e1 --fake-gen 5 --fake-from-hex 160301FFFF01FFFFFF0303594F5552204144564552544953454D454E542048455245202D202431302F6D6F000000000009000000050003000000 --auto-ttl --reverse-frag --wrong-seq --max-payload --blacklist \"C:\ByeByeDPI\russia-blacklist.txt\" --blacklist \"C:\ByeByeDPI\russia-youtube.txt\"" start= "demand"
C:\Windows\system32\sc.exe
sc description "GoodbyeDPI_Aggressive" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility (Aggressive mode)"
C:\ByeByeDPI\GoodByeDPIService.exe
GoodByeDPIService.exe
C:\Windows\SysWOW64\net.exe
net start GoodbyeDPI_Default
C:\Windows\SysWOW64\cmd.exe
cmd /c rd C:\ByeByeDPI_old /s /q
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start GoodbyeDPI_Default
Network
Files
C:\ByeByeDPI\install.cmd
| Hash | Value |
| --- | --- |
| MD5 | aceefd9a2ecd1853e2b7cc7841aae842 |
| SHA1 | f1ba8d05ea74909ec5616224a6c28fa1b2d404e4 |
| SHA256 | 5990897ffc39ae039f6880b720b89c58af7862f5e88e3461573f46ff04c0aa86 |
| SHA512 | 8d0138ee94c59f94e370737367804cdd097ff5dcd9cdecb19bca0964a19f1dfb6aa77f21b891f9604df1ee1ff4aba5a9aad8c8137c867290aea9e529f028d12f |
C:\ByeByeDPI\hosts.txt
| Hash | Value |
| --- | --- |
| MD5 | 47158fedec375f473d0b47d2c8e23290 |
| SHA1 | 1d904652019683dd977bc6e91f58b436bec7abe4 |
| SHA256 | a926fafbde9b448ac122a64dc15ae12a87350501bdae38f67fa2c612b44c17b6 |
| SHA512 | 142ec99546d083b3a5181168d1c0a8dc99d2347f719cbb2f00bd17333940addfc6d3e9ed90fd5c866327e072c1c77e7841c4d3eabd9c9d5cff2433e5c994f2be |
C:\ByeByeDPI\hosts.acl
| Hash | Value |
| --- | --- |
| MD5 | cc4a037057ed1ac85a8845f01fe51f9a |
| SHA1 | e65b6b4cc81d709929d9ab148095d8f6228faab6 |
| SHA256 | 52217a03cc125f8c64b15a01062df20f39033a9ef27519981c0a5e8001705733 |
| SHA512 | cdc8476728a54ba3afa9a58c7db90e0ab6e60e8438bf73adb30a9726066d22416ac1d5fe678435f4885078ad721456af2c15b8dc969869fecd4eb7c43bcb54cc |
C:\ByeByeDPI\x86_64\goodbyedpi.exe
| Hash | Value |
| --- | --- |
| MD5 | afa7f66231b9cec7237e738b622c0181 |
| SHA1 | 478f336ab054623abfa691f11f12bc3be31deabe |
| SHA256 | 8d412b094bb9c137ff25ba9a794d1122ecc84bb776debff6c249723a13cc31cd |
| SHA512 | a3833d6018c6ddb63c5bc5b1a2efe2f9e517e80d28d6c59661ff625d42397e484e902ae5f211fc1586a25901c1f0d1700364f604c51a536fcc467703ce76e9d8 |
C:\ByeByeDPI\x86_64\WinDivert.dll
| Hash | Value |
| --- | --- |
| MD5 | 88e1c19b978436258f7c938013408a8a |
| SHA1 | 09b77c8c85757e11667a7b83231598dd67fe0b8b |
| SHA256 | 6110bfa44667405179c3e15e12af1b62037e447ed59b054b19042032995e6c7e |
| SHA512 | eaa0d8369b76fd9a4978f14702716ae31d801cd0dc36a86531f9320b4ddb683265c4f0e07af2b9d2e85f513270d98d1b11ae7d501d08287442bc505176d16e14 |
C:\ByeByeDPI\russia-blacklist.txt
| Hash | Value |
| --- | --- |
| MD5 | c778017427c08556621c3360e7b60b12 |
| SHA1 | 9f2e0a127dcc409c10d4890a27d165c08977c8e0 |
| SHA256 | 227b4961ea7bafac9bb5aaf3dfeb2537beb64169ae37f7658efebb573bc9c01a |
| SHA512 | 7bac0ea2123c4be8ad0f1f0df6a941fa3ceb80bc0aa728b004f52cfc36bca99d8cbbf43ebd28a56cff90bf9e551e99a39750b364435ca05af21676a326b64fab |
C:\ByeByeDPI\russia-youtube.txt
| Hash | Value |
| --- | --- |
| MD5 | 91d74100607dba77eda0d7a75dacb0cc |
| SHA1 | 95490aede362c6275d325615fdbf3f94fee8e392 |
| SHA256 | 2d8de5532bae45852a3f6d8270e881fc10fec89f8d9daec3d91988a669760f79 |
| SHA512 | 9f55f99971789c0f53aefda6d3beab78b28854b0a8ca74869e09d5e1dd905f8394a2927bca2f1bbb3a73198e5da6e8b6e3ac72ddd2cbf6363c0c88298bdadfdd |
C:\ByeByeDPI\GoodByeDPIService.exe
| Hash | Value |
| --- | --- |
| MD5 | 49299e5f6db7ed241efaccd0c038777c |
| SHA1 | 5926ea78a1f8ae78fd2f48a60d49be343a67f86a |
| SHA256 | fc9380664a87b76a2af82c9f8e370f175c94816269875cfe52df4887d065f6ca |
| SHA512 | 5337853d8bb14b3d2b8e111e1c3d1a13025759aaf4c07d8a5f95bbb438261b9cf0ca5eae04c21c6789c7502b4aaea660584b6a6b695773df819a9735a14a5c99 |
memory/2120-103-0x0000000062800000-0x0000000062813000-memory.dmp
memory/2120-102-0x000000013FF10000-0x000000013FF32000-memory.dmp
memory/2120-104-0x000000013FF10000-0x000000013FF32000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-02 20:41
Reported
2024-10-02 20:43
Platform
win10v2004-20240802-en
Max time kernel
119s
Max time network
100s
Command Line
Signatures
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoodByeDPIService.exe.lnk | C:\Users\Admin\AppData\Local\Temp\e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ByeByeDPI\x86_64\goodbyedpi.exe | N/A |
| N/A | N/A | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ByeByeDPI\x86_64\goodbyedpi.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
| N/A | N/A | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
| N/A | N/A | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
| N/A | N/A | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
| N/A | N/A | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
| N/A | N/A | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
| N/A | N/A | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ByeByeDPI\GoodByeDPIService.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe
"C:\Users\Admin\AppData\Local\Temp\e84ad5f29f114a1be73ecf4b6ae2e39b19b20acc0e60a79ab26bc52fc4bb17cfN.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ByeByeDPI\install.cmd" "
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\drivers\etc\hosts" /save hosts.acl
C:\Windows\system32\takeown.exe
takeown /a /f "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\drivers\etc\hosts" /reset
C:\Windows\system32\attrib.exe
attrib -r -h -s "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\attrib.exe
attrib +r "C:\Windows\system32\drivers\etc\hosts"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\drivers\etc" /restore hosts.acl
C:\Windows\system32\taskkill.exe
taskkill /f /im GoodByeDPIService.exe
C:\Windows\system32\sc.exe
sc stop "GoodbyeDPI"
C:\Windows\system32\sc.exe
sc delete "GoodbyeDPI"
C:\Windows\system32\sc.exe
sc stop "GoodbyeDPI_Default"
C:\Windows\system32\sc.exe
sc delete "GoodbyeDPI_Default"
C:\Windows\system32\sc.exe
sc create "GoodbyeDPI_Default" binPath= "\"C:\ByeByeDPI\x86_64\goodbyedpi.exe\" -9 --fake-gen 5 --fake-from-hex 160301FFFF01FFFFFF0303594F5552204144564552544953454D454E542048455245202D202431302F6D6F000000000009000000050003000000 --blacklist \"C:\ByeByeDPI\russia-blacklist.txt\" --blacklist \"C:\ByeByeDPI\russia-youtube.txt\"" start= "auto"
C:\Windows\system32\sc.exe
sc description "GoodbyeDPI_Default" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility (Default mode)"
C:\Windows\system32\sc.exe
sc start "GoodbyeDPI_Default"
C:\ByeByeDPI\x86_64\goodbyedpi.exe
"C:\ByeByeDPI\x86_64\goodbyedpi.exe" -9 --fake-gen 5 --fake-from-hex 160301FFFF01FFFFFF0303594F5552204144564552544953454D454E542048455245202D202431302F6D6F000000000009000000050003000000 --blacklist "C:\ByeByeDPI\russia-blacklist.txt" --blacklist "C:\ByeByeDPI\russia-youtube.txt"
C:\Windows\system32\sc.exe
sc stop "GoodbyeDPI_Aggressive"
C:\Windows\system32\sc.exe
sc delete "GoodbyeDPI_Aggressive"
C:\Windows\system32\sc.exe
sc create "GoodbyeDPI_Aggressive" binPath= "\"C:\ByeByeDPI\x86_64\goodbyedpi.exe\" -p -r -s -q -f 2 -k 2 -n -e1 --fake-gen 5 --fake-from-hex 160301FFFF01FFFFFF0303594F5552204144564552544953454D454E542048455245202D202431302F6D6F000000000009000000050003000000 --auto-ttl --reverse-frag --wrong-seq --max-payload --blacklist \"C:\ByeByeDPI\russia-blacklist.txt\" --blacklist \"C:\ByeByeDPI\russia-youtube.txt\"" start= "demand"
C:\Windows\system32\sc.exe
sc description "GoodbyeDPI_Aggressive" "Passive Deep Packet Inspection blocker and Active DPI circumvention utility (Aggressive mode)"
C:\ByeByeDPI\GoodByeDPIService.exe
GoodByeDPIService.exe
C:\Windows\SysWOW64\net.exe
net start GoodbyeDPI_Default
C:\Windows\SysWOW64\cmd.exe
cmd /c rd C:\ByeByeDPI_old /s /q
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start GoodbyeDPI_Default
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
C:\ByeByeDPI\install.cmd
| Hash | Value |
| --- | --- |
| MD5 | aceefd9a2ecd1853e2b7cc7841aae842 |
| SHA1 | f1ba8d05ea74909ec5616224a6c28fa1b2d404e4 |
| SHA256 | 5990897ffc39ae039f6880b720b89c58af7862f5e88e3461573f46ff04c0aa86 |
| SHA512 | 8d0138ee94c59f94e370737367804cdd097ff5dcd9cdecb19bca0964a19f1dfb6aa77f21b891f9604df1ee1ff4aba5a9aad8c8137c867290aea9e529f028d12f |
C:\ByeByeDPI\hosts.txt
| Hash | Value |
| --- | --- |
| MD5 | 47158fedec375f473d0b47d2c8e23290 |
| SHA1 | 1d904652019683dd977bc6e91f58b436bec7abe4 |
| SHA256 | a926fafbde9b448ac122a64dc15ae12a87350501bdae38f67fa2c612b44c17b6 |
| SHA512 | 142ec99546d083b3a5181168d1c0a8dc99d2347f719cbb2f00bd17333940addfc6d3e9ed90fd5c866327e072c1c77e7841c4d3eabd9c9d5cff2433e5c994f2be |
C:\ByeByeDPI\hosts.acl
| Hash | Value |
| --- | --- |
| MD5 | de03fcce33861c8a005e919b203b7f6f |
| SHA1 | 86e9531ad41787a10fd2015b5f420882db707d79 |
| SHA256 | 52eda44d432f950d97bc64a0cb16b28ba15f66884214be1d5b63cb069fecb028 |
| SHA512 | 600a1f9f3914a913019295c1eb518318486308fa395d659c49b5e9ffde09d7948592ef8e2dd4f45d409c554197200a725af0555f9f590a31b9881416bc65c11d |
C:\ByeByeDPI\x86_64\goodbyedpi.exe
| Hash | Value |
| --- | --- |
| MD5 | afa7f66231b9cec7237e738b622c0181 |
| SHA1 | 478f336ab054623abfa691f11f12bc3be31deabe |
| SHA256 | 8d412b094bb9c137ff25ba9a794d1122ecc84bb776debff6c249723a13cc31cd |
| SHA512 | a3833d6018c6ddb63c5bc5b1a2efe2f9e517e80d28d6c59661ff625d42397e484e902ae5f211fc1586a25901c1f0d1700364f604c51a536fcc467703ce76e9d8 |
C:\ByeByeDPI\x86_64\WinDivert.dll
| Hash | Value |
| --- | --- |
| MD5 | 88e1c19b978436258f7c938013408a8a |
| SHA1 | 09b77c8c85757e11667a7b83231598dd67fe0b8b |
| SHA256 | 6110bfa44667405179c3e15e12af1b62037e447ed59b054b19042032995e6c7e |
| SHA512 | eaa0d8369b76fd9a4978f14702716ae31d801cd0dc36a86531f9320b4ddb683265c4f0e07af2b9d2e85f513270d98d1b11ae7d501d08287442bc505176d16e14 |
C:\ByeByeDPI\russia-blacklist.txt
| Hash | Value |
| --- | --- |
| MD5 | c778017427c08556621c3360e7b60b12 |
| SHA1 | 9f2e0a127dcc409c10d4890a27d165c08977c8e0 |
| SHA256 | 227b4961ea7bafac9bb5aaf3dfeb2537beb64169ae37f7658efebb573bc9c01a |
| SHA512 | 7bac0ea2123c4be8ad0f1f0df6a941fa3ceb80bc0aa728b004f52cfc36bca99d8cbbf43ebd28a56cff90bf9e551e99a39750b364435ca05af21676a326b64fab |
C:\ByeByeDPI\russia-youtube.txt
| Hash | Value |
| --- | --- |
| MD5 | 91d74100607dba77eda0d7a75dacb0cc |
| SHA1 | 95490aede362c6275d325615fdbf3f94fee8e392 |
| SHA256 | 2d8de5532bae45852a3f6d8270e881fc10fec89f8d9daec3d91988a669760f79 |
| SHA512 | 9f55f99971789c0f53aefda6d3beab78b28854b0a8ca74869e09d5e1dd905f8394a2927bca2f1bbb3a73198e5da6e8b6e3ac72ddd2cbf6363c0c88298bdadfdd |
C:\ByeByeDPI\GoodByeDPIService.exe
| Hash | Value |
| --- | --- |
| MD5 | 49299e5f6db7ed241efaccd0c038777c |
| SHA1 | 5926ea78a1f8ae78fd2f48a60d49be343a67f86a |
| SHA256 | fc9380664a87b76a2af82c9f8e370f175c94816269875cfe52df4887d065f6ca |
| SHA512 | 5337853d8bb14b3d2b8e111e1c3d1a13025759aaf4c07d8a5f95bbb438261b9cf0ca5eae04c21c6789c7502b4aaea660584b6a6b695773df819a9735a14a5c99 |
memory/4040-93-0x0000000062800000-0x0000000062813000-memory.dmp
memory/4040-92-0x00007FF7D6020000-0x00007FF7D6042000-memory.dmp
memory/4040-96-0x00007FF7D6020000-0x00007FF7D6042000-memory.dmp