Analysis Report fbi.exe

Overview

General Information

Sample Name: fbi.exe
Analysis ID: 372394
MD5: 2031e1ce62d6f433ac77c78c24bc8bee
SHA1: 6f67030df8f735a59ea8af7753893f708ae6965c
SHA256: b11371b6ab50cf5d8f8fae63880e6c2f00ea3a42274a334278f7f146439e8d83
Infos:

Most interesting Screenshot:

Detection

DarkSide
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found ransom note / readme
Yara detected DarkSide Ransomware
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the wallpaper picture
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionalty to change the wallpaper
Found Tor onion address
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
PE file has a writeable .text section
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Entry point lies outside standard sections
Found large amount of non-executed APIs
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files

Classification

AV Detection:

barindex
Antivirus / Scanner detection for submitted sample
Source: fbi.exe Avira: detected
Machine Learning detection for sample
Source: fbi.exe Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: fbi.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\fbi.exe File created: C:\\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Recovery\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\3D Objects\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Contacts\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Desktop\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Desktop\GRXZDKKVDB\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Desktop\LSBIHQFDVT\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Desktop\PALRGUCVEH\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Desktop\PIVFAGEAAV\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Desktop\SUAVTZKNFL\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Desktop\ZQIXMVQGAH\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Documents\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Documents\GRXZDKKVDB\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Documents\LSBIHQFDVT\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Documents\PALRGUCVEH\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Documents\PIVFAGEAAV\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Documents\SUAVTZKNFL\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Documents\ZQIXMVQGAH\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Downloads\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Favorites\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Favorites\Links\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Links\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Music\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\OneDrive\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Pictures\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Pictures\Camera Roll\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Recent\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Saved Games\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Searches\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Videos\README.2c9ccbf3.TXT Jump to behavior
Source: unknown HTTPS traffic detected: 176.103.62.217:443 -> 192.168.2.3:49713 version: TLS 1.2
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00404052 wcscpy,wcscat,FindFirstFileExW,wcscpy,wcscat,FindNextFileW,FindClose, 0_2_00404052
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00403F75 wcscat,FindFirstFileExW,wcsrchr,wcscpy,FindNextFileW,FindClose, 0_2_00403F75
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00404137 wcslen,RtlAllocateHeap,wcscpy,wcscat,FindFirstFileExW,wcslen,wcslen,RtlAllocateHeap,wcscpy,wcsrchr,wcscpy,GetFileAttributesW,RemoveDirectoryW,RtlFreeHeap,DeleteFileW,RtlFreeHeap,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap, 0_2_00404137
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_0040669A wcslen,RtlAllocateHeap,wcscpy,GetFileAttributesW,wcscat,FindFirstFileExW,wcslen,wcslen,RtlAllocateHeap,wcscpy,wcsrchr,wcscat,GetFileAttributesW,wcsstr,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap, 0_2_0040669A
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00401BA0 wcslen,RtlAllocateHeap,wcscpy,wcscat,FindFirstFileExW,FindNextFileW,FindClose,RtlFreeHeap, 0_2_00401BA0
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_0040745B GetLogicalDriveStringsW,RtlAllocateHeap,GetLogicalDriveStringsW,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,GetDriveTypeW,WaitForMultipleObjects,MapViewOfFile,UnmapViewOfFile,NtClose,NtClose,WaitForMultipleObjects,NtClose,MapViewOfFile,UnmapViewOfFile,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap, 0_2_0040745B

Networking:

barindex
Found Tor onion address
Source: fbi.exe, 00000008.00000003.211650846.0000000002AB5000.00000004.00000001.sdmp String found in binary or memory: 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/P1SIQAOM77FWLVIE0BXHWMEXNEFVT2B4W9AHNO029UXBI1M9AZXJW0OLHGK4JBUO
Source: README.2c9ccbf3.TXT0.8.dr String found in binary or memory: 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/P1SIQAOM77FWLVIE0BXHWMEXNEFVT2B4W9AHNO029UXBI1M9AZXJW0OLHGK4JBUO
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: svchost.exe, 00000019.00000003.328779807.0000023A50D3D000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000019.00000003.328779807.0000023A50D3D000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000019.00000003.328709410.0000023A50D59000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-16T12:12:39.3275175Z||.||63a8cd71-0d2d-48fc-a533-1b6561177791||1152921505693287777||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000019.00000003.328709410.0000023A50D59000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-16T12:12:39.3275175Z||.||63a8cd71-0d2d-48fc-a533-1b6561177791||1152921505693287777||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000019.00000003.328779807.0000023A50D3D000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000019.00000003.328779807.0000023A50D3D000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000019.00000003.321567590.0000023A50D54000.00000004.00000001.sdmp String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-15T21:09:58.8377117Z||.||1ad32855-590c-405c-8d49-1a557bf58211||1152921505693277189||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-15T21:09:05.1816176Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free* texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 00000019.00000003.317830302.0000023A50D45000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000019.00000003.317830302.0000023A50D45000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000019.00000003.317830302.0000023A50D45000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000019.00000003.317674160.0000023A50D66000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507059906,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_neutral_~_ytsefhwckbdv6","PackageId":"7b9f9b48-4628-9d74-0c76-8a35ce1ffd98-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 00000019.00000003.317674160.0000023A50D66000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507059906,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_neutral_~_ytsefhwckbdv6","PackageId":"7b9f9b48-4628-9d74-0c76-8a35ce1ffd98-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 00000019.00000003.317674160.0000023A50D66000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507059906,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_neutral_~_ytsefhwckbdv6","PackageId":"7b9f9b48-4628-9d74-0c76-8a35ce1ffd98-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 00000019.00000003.317722644.0000023A50DA3000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000019.00000003.317722644.0000023A50DA3000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000019.00000003.317722644.0000023A50DA3000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000019.00000003.321615766.0000023A50D3F000.00000004.00000001.sdmp String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-15T21:09:58.8377117Z||.||1ad32855-590c-405c-8d49-1a557bf58211||1152921505693277189||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-15T21:09:05.1816176Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free* texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 00000019.00000003.321567590.0000023A50D54000.00000004.00000001.sdmp String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-15T21:09:58.8377117Z||.||1ad32855-590c-405c-8d49-1a557bf58211||1152921505693277189||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-15T21:09:05.1816176Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free* texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 00000019.00000003.321624374.0000023A50D4B000.00000004.00000001.sdmp String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","SkuTitle":"Messenger","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9WZDNCRF0083","Properties":{"FulfillmentData":{"ProductId":"9WZDNCRF0083","WuCategoryId":"c6a9fa5c-20a2-4e12-904d-edd408657dc8","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x64"],"Capabilities":["runFullTrust","internetClient","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":137845484,"PackageFormat":"Appx","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","MainPackageFamilyNameForDlc":null,"PackageFullName":"FACEBOOK.317180B0BB486_950.7.118.0_x64__8xx8rvfyw5nnt","PackageId":"9f0b5036-3839-33f0-1d64-45190b6cc3d7-X64","PackageRank":30002,"PlatformDependencies":[{"MaxTested":2814750970478592,"MinVersion":2814750438195200,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"FACEBOOK.317180B0BB486_950.7.118.0_x64__8xx8rvfyw5nnt\",\"content.productId\":\"3219d30d-4a23-4f58-a91c-c44b04e6a0c7\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750970478592,\"platform.minVersion\":2814750438195200,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Social\",\"optOut.backu
Source: unknown DNS traffic detected: queries for: baroquetees.com
Source: svchost.exe, 00000019.00000003.314993166.0000023A50D36000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000019.00000003.314993166.0000023A50D36000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 0000000D.00000002.462302940.0000024294C00000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000019.00000003.314993166.0000023A50D36000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: fbi.exe, 00000008.00000003.211650846.0000000002AB5000.00000004.00000001.sdmp, README.2c9ccbf3.TXT0.8.dr String found in binary or memory: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/P1SIQAOM77FWLVIE0BXHWMEXNEFVT2
Source: svchost.exe, 00000019.00000003.314993166.0000023A50D36000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 0000000D.00000002.462302940.0000024294C00000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 0000000D.00000002.463011800.0000024294C70000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 0000000D.00000002.463212207.0000024294E30000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000013.00000002.311176652.00000236AE413000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000019.00000003.317722644.0000023A50DA3000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.317830302.0000023A50D45000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.317674160.0000023A50D66000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000019.00000003.317722644.0000023A50DA3000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.317830302.0000023A50D45000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.317674160.0000023A50D66000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 00000019.00000003.316120367.0000023A50D45000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 00000019.00000003.316120367.0000023A50D45000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/terms
Source: svchost.exe, 0000000F.00000002.459311229.00000161CEE3E000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000F.00000002.459311229.00000161CEE3E000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000F.00000002.459311229.00000161CEE3E000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000F.00000002.459311229.00000161CEE3E000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000F.00000002.459311229.00000161CEE3E000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000019.00000003.327184502.0000023A50D8A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.326887582.0000023A50D69000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 00000019.00000003.327184502.0000023A50D8A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.326887582.0000023A50D69000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.327229545.0000023A50D57000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 00000013.00000003.310503610.00000236AE45C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000013.00000002.311305996.00000236AE45E000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000013.00000002.311305996.00000236AE45E000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000013.00000002.311305996.00000236AE45E000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000013.00000002.311299530.00000236AE458000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000013.00000003.310503610.00000236AE45C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000013.00000002.311299530.00000236AE458000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000013.00000002.311299530.00000236AE458000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000013.00000002.311317275.00000236AE465000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.310503610.00000236AE45C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000013.00000003.288689128.00000236AE431000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000019.00000003.327184502.0000023A50D8A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.326887582.0000023A50D69000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 00000019.00000003.317722644.0000023A50DA3000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.317830302.0000023A50D45000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.317674160.0000023A50D66000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/hiddencity_
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000013.00000003.288689128.00000236AE431000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000013.00000003.288689128.00000236AE431000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: fbi.exe, 00000008.00000003.211650846.0000000002AB5000.00000004.00000001.sdmp, fbi.exe, 00000008.00000002.212210317.0000000002AA4000.00000004.00000001.sdmp, README.2c9ccbf3.TXT0.8.dr String found in binary or memory: https://torproject.org/
Source: svchost.exe, 00000019.00000003.316120367.0000023A50D45000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 00000019.00000003.316120367.0000023A50D45000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 00000019.00000003.327184502.0000023A50D8A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.326887582.0000023A50D69000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000019.00000003.327184502.0000023A50D8A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.326887582.0000023A50D69000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 176.103.62.217:443 -> 192.168.2.3:49713 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands:

barindex
Found ransom note / readme
Source: C:\README.2c9ccbf3.TXT Dropped file: ----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/P1SIQAOM77FWLVIE0BXHWMEXNEFVT2B4W9AHNO029UXBI1M9AZXJW0OLHGK4JBUO When you open our website, put the following data in the input form: Key: fuhq13doggOCMrfxqkmjpQoY2kQDvwKhWDcTAc6wzO0xW5MYLHVUlZiL8TL9gJVDKD0vHqlXHVFQ1FmkuwAJ10v4gj9SMk9qeWp9Yn3qMghTwGDGTpeQawHC6k6ngMqKgRSaNSidPZSdANtdBcf0gxuWp6fp5uXtJvC7UgAsAXOr2zsxXa2fsBjRfaQNtSTKhwT1bh7l142iqc977kmwVM8S2eZhRK1rDNSCsxzPoU13m252KAnXaqbA555ntRX0YkvIu8T1R8rcXlWlumZWRCQtTiOqwKokOkSDz436zmbCq9tccBsVu0QWK5e6FVKshToVF8uWA0Ju8aR5XDudkJliZlEp3MX5We42S0OT7GhqJ1AHSHKFm2227MJd3B7SOUvVrpkTF3WtUqwMtnWk5RM3s0JusyIcyE4MCwjbszzQOlELkLCUKGftiY2YzgKDivCHcvrDnjzfhJvlRwmoUCf0x1gXMOMPDnaxMJMK7P8Qf0iwBU0X9FYpbur7T2UC3TaXQkurBAVop2nfdagQRq9urzPcOvx4Z52qxxihOgZH1XeDkJcuYBs !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!! Jump to dropped file
Yara detected DarkSide Ransomware
Source: Yara match File source: 00000000.00000002.192029416.0000000000579000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.217291433.0000000000538000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.211708521.0000000002AB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.211650846.0000000002AB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.202907412.000000000064A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.211626153.0000000002AC4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.211662182.0000000002AB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.212129998.00000000005DD000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.211721573.0000000002AB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.211608024.0000000002AB4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.211636740.0000000002AB4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.211748701.000000000060A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.211763458.000000000060A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.192572788.0000000000587000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.212148927.000000000060A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fbi.exe PID: 6776, type: MEMORY
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Changes the wallpaper picture
Source: C:\Users\user\Desktop\fbi.exe Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop WallPaper C:\ProgramData\2c9ccbf3.BMP Jump to behavior
Contains functionalty to change the wallpaper
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00403451 CreateFontW,SelectObject,RtlAllocateHeap,_swprintf,GetTextExtentPoint32W,SelectObject,SetTextColor,SetBkMode,SetBkColor,DrawTextW,memset,SelectObject,SHGetSpecialFolderPathW,wcscat,wcslen,CreateFileW,WriteFile,WriteFile,WriteFile,NtClose,wcscat,RegCreateKeyExW,wcslen,RegSetValueExW,wcslen,RegSetValueExW,SystemParametersInfoW,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,NtClose,NtClose,DeleteObject,DeleteObject,RtlFreeHeap,DeleteObject,DeleteDC,DeleteDC, 0_2_00403451
Modifies existing user documents (likely ransomware behavior)
Source: C:\Users\user\Desktop\fbi.exe File moved: C:\Users\user\Desktop\LSBIHQFDVT\QCFWYSKMHA.png Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File moved: C:\Users\user\Desktop\ZQIXMVQGAH.xlsx Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File moved: C:\Users\user\Desktop\QCFWYSKMHA.png Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File moved: C:\Users\user\Desktop\ZQIXMVQGAH\PIVFAGEAAV.jpg Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File moved: C:\Users\user\Desktop\LSBIHQFDVT\QNCYCDFIJJ.jpg Jump to behavior

System Summary:

barindex
PE file has a writeable .text section
Source: fbi.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Contains functionality to call native functions
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00402E50 NtQueryInstallUILanguage,NtQueryDefaultUILanguage, 0_2_00402E50
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00401D54 RegCreateKeyExW,RegQueryValueExW,memcpy,RtlFreeHeap,NtClose,RtlFreeHeap, 0_2_00401D54
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00401ECB NtOpenProcessToken,NtQueryInformationToken,LookupAccountSidW,_wcsicmp,RtlFreeHeap,_wcsicmp,RtlFreeHeap,_wcsicmp,RtlFreeHeap,NtClose, 0_2_00401ECB
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_0040998D CommandLineToArgvW,NtClose,NtClose,NtClose,NtClose,NtClose,RtlFreeHeap,OpenMutexW,NtClose,CreateMutexW,ReleaseMutex,NtClose,NtClose,NtClose, 0_2_0040998D
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00404849 RtlAllocateHeap,NtQuerySystemInformation,RtlReAllocateHeap,RtlFreeHeap,NtOpenProcess,NtTerminateProcess,NtClose,RtlFreeHeap, 0_2_00404849
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_0040624A wcslen,wcslen,RtlAllocateHeap,wcscpy,wcscat,SetFileAttributesW,CreateFileW,RtlAllocateHeap,ReadFile,NtClose,RtlFreeHeap,RtlFreeHeap, 0_2_0040624A
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_0040574A NtQuerySystemInformation,RtlAllocateHeap,NtOpenProcess,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap, 0_2_0040574A
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00403451 CreateFontW,SelectObject,RtlAllocateHeap,_swprintf,GetTextExtentPoint32W,SelectObject,SetTextColor,SetBkMode,SetBkColor,DrawTextW,memset,SelectObject,SHGetSpecialFolderPathW,wcscat,wcslen,CreateFileW,WriteFile,WriteFile,WriteFile,NtClose,wcscat,RegCreateKeyExW,wcslen,RegSetValueExW,wcslen,RegSetValueExW,SystemParametersInfoW,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,NtClose,NtClose,DeleteObject,DeleteObject,RtlFreeHeap,DeleteObject,DeleteDC,DeleteDC, 0_2_00403451
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00405C57 SetFileAttributesW,CreateFileW,PathIsNetworkPathW,SetFilePointerEx,ReadFile,memcmp,NtClose, 0_2_00405C57
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00405558 RtlAllocateHeap,NtQueryObject,RtlReAllocateHeap,RtlFreeHeap,_wcsicmp,RtlFreeHeap, 0_2_00405558
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_0040745B GetLogicalDriveStringsW,RtlAllocateHeap,GetLogicalDriveStringsW,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,GetDriveTypeW,WaitForMultipleObjects,MapViewOfFile,UnmapViewOfFile,NtClose,NtClose,WaitForMultipleObjects,NtClose,MapViewOfFile,UnmapViewOfFile,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap, 0_2_0040745B
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_0040576C NtQuerySystemInformation,RtlAllocateHeap,NtOpenProcess,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap, 0_2_0040576C
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_0040216F NtOpenProcessToken,NtQueryInformationToken,RtlAllocateHeap,NtQueryInformationToken,NtAdjustPrivilegesToken,RtlFreeHeap,NtClose, 0_2_0040216F
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00401B6F NtSetInformationThread, 0_2_00401B6F
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00409271 NtSetThreadExecutionState,wcslen,RtlAllocateHeap,wcscpy,GetFileAttributesW,PathFindExtensionW,_wcsicmp,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,PathIsNetworkPathW,PathIsUNCServerW,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,wcslen,RtlAllocateHeap,RtlFreeHeap,wcscat,RtlFreeHeap,RtlFreeHeap,wcsstr,wcscat,RtlFreeHeap,RtlFreeHeap, 0_2_00409271
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00402376 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,wcscpy,wcscat,wcslen,RtlFreeHeap,RtlEnterCriticalSection,RtlInitUnicodeString,RtlInitUnicodeString,RtlLeaveCriticalSection,LdrEnumerateLoadedModules, 0_2_00402376
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00403A7B SHGetSpecialFolderPathW,wcscat,wcslen,RtlAllocateHeap,RtlFreeHeap,RtlFreeHeap,RegCreateKeyExW,wcslen,RegSetValueExW,NtClose,wcscpy,wcscat,RtlFreeHeap,RegCreateKeyExW,wcslen,RegSetValueExW,NtClose,SHChangeNotify, 0_2_00403A7B
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00409611 _swprintf,_swprintf,OpenEventW,OpenFileMappingW,NtClose,MapViewOfFile,NtClose,NtClose,GetVolumePathNameW,GetDriveTypeW,UnmapViewOfFile,NtClose,SetEvent,NtClose,SetEvent,UnmapViewOfFile,NtClose,NtClose,GetProcessId,_swprintf,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,NtClose, 0_2_00409611
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00402012 NtQueryInformationToken,RtlAllocateHeap,NtQueryInformationToken,RtlFreeHeap, 0_2_00402012
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_0040701B CreateThread,WaitForSingleObject,GetExitCodeThread,NtClose, 0_2_0040701B
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00405E20 wcslen,wcslen,RtlAllocateHeap,wcscpy,wcscat,RtlAllocateHeap,wcscpy,wcscat,MoveFileExW,CreateFileW,CreateIoCompletionPort,NtClose,RtlAllocateHeap,NtClose,memcpy,memcpy,PostQueuedCompletionStatus,RtlFreeHeap,NtClose,InterlockedIncrement,RtlFreeHeap,RtlFreeHeap, 0_2_00405E20
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00403222 memset,OpenWindowStationW,NtSetSecurityObject,OpenDesktopW,NtSetSecurityObject,CloseDesktop,CloseWindowStation, 0_2_00403222
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00407127 memset,FindFirstVolumeW,GetVolumePathNamesForVolumeNameW,GetDriveTypeW,wcslen,CreateFileW,wcsrchr,NtClose,CreateFileW,DeviceIoControl,NtClose,memset,FindNextVolumeW,FindVolumeClose, 0_2_00407127
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00406B3C GetModuleFileNameW,PathQuoteSpacesW,GetProcessId,_swprintf,_swprintf,CreateFileMappingW,MapViewOfFile,NtClose,wcscpy,UnmapViewOfFile,_swprintf,CreateEventW,NtClose,wcslen,RtlAllocateHeap,NtClose,NtClose,_swprintf,memset,memset,CreateProcessAsUserW,CreateProcessWithTokenW,CreateProcessW,NtClose,NtClose,_swprintf,CreateFileMappingW,ResumeThread,NtClose,WaitForSingleObject,NtClose,NtClose,RtlFreeHeap, 0_2_00406B3C
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00402FC2 NtQueryInformationProcess, 0_2_00402FC2
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004055C5 NtQueryObject,_wcsicmp,RtlFreeHeap, 0_2_004055C5
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004056C8 PathFindFileNameW,RtlAllocateHeap,NtQuerySystemInformation,RtlReAllocateHeap,RtlFreeHeap,RtlAllocateHeap,NtOpenProcess,NtDuplicateObject,PathFindFileNameW,_wcsicmp,RtlAllocateHeap,NtQueryInformationProcess,PathFindFileNameW,NtTerminateProcess,WaitForSingleObject,NtClose,NtClose,memset,memset,NtClose,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap, 0_2_004056C8
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004027C8 RegisterServiceCtrlHandlerW,SetServiceStatus,NtOpenProcessToken,NtDuplicateToken,NtSetInformationToken,memset,memset,CreateProcessAsUserW,NtClose,NtClose,NtClose,NtClose,SetServiceStatus, 0_2_004027C8
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004030CC CreateThread,WaitForSingleObject,GetExitCodeThread,NtClose, 0_2_004030CC
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004054D4 CreateThread,WaitForSingleObject,NtTerminateThread,GetExitCodeThread,NtClose, 0_2_004054D4
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004069D9 CreateIoCompletionPort,CreateThread,CreateThread,Sleep,PostQueuedCompletionStatus,PostQueuedCompletionStatus,WaitForMultipleObjects,NtClose,NtClose, 0_2_004069D9
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004088E4 memset,RegCreateKeyExW,RegQueryValueExW,RtlAllocateHeap,NtClose,RtlFreeHeap,RtlFreeHeap, 0_2_004088E4
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004083E5 WaitForSingleObject,NtClose, 0_2_004083E5
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004022E8 NtSetInformationProcess,NtSetInformationProcess, 0_2_004022E8
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00401AF0 NtDuplicateToken,NtSetInformationThread,NtClose, 0_2_00401AF0
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004078F7 CreateThread,WaitForSingleObject,NtTerminateThread,GetExitCodeThread,NtClose, 0_2_004078F7
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004087FB RegCreateKeyExW,RegQueryValueExW,RtlAllocateHeap,wcscpy,NtClose,RtlFreeHeap,RtlFreeHeap, 0_2_004087FB
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00405CFC SetFilePointerEx,NtClose, 0_2_00405CFC
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00406F85 CreateThread,WaitForSingleObject,GetExitCodeThread,NtClose, 0_2_00406F85
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00404887 NtQuerySystemInformation,NtOpenProcess,NtTerminateProcess,NtClose,RtlFreeHeap, 0_2_00404887
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_0040818E RtlAllocateHeap,RtlAllocateHeap,wcslen,wcslen,RtlAllocateHeap,wcscat,wcscat,RtlFreeHeap,WaitForMultipleObjects,NtClose,RtlFreeHeap,WaitForMultipleObjects,NtClose,RtlFreeHeap,RtlFreeHeap, 0_2_0040818E
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_0040339B NtOpenProcessToken,NtQueryInformationToken,ConvertSidToStringSidW,wcscpy,RtlFreeHeap,NtClose, 0_2_0040339B
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_0040559F NtQueryObject,_wcsicmp,RtlFreeHeap, 0_2_0040559F
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00407DA5 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,wcslen,wcslen,RtlAllocateHeap,wcscat,wcscat,RtlFreeHeap,WaitForMultipleObjects,MapViewOfFile,UnmapViewOfFile,NtClose,NtClose,RtlFreeHeap,WaitForMultipleObjects,NtClose,MapViewOfFile,UnmapViewOfFile,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap, 0_2_00407DA5
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004048A9 NtQuerySystemInformation,NtOpenProcess,NtTerminateProcess,NtClose,RtlFreeHeap, 0_2_004048A9
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00401CAA CreateFileW,WriteFile,NtClose, 0_2_00401CAA
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004059AB GetCurrentThread,SetThreadPriority,GetQueuedCompletionStatus,PostQueuedCompletionStatus,NtClose,RtlFreeHeap,ReadFile,Sleep,ReadFile,WriteFile,Sleep,WriteFile,WriteFile,Sleep,WriteFile,Sleep,NtClose,RtlFreeHeap,InterlockedIncrement, 0_2_004059AB
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004086AD RegCreateKeyExW,RegQueryValueExW,RegQueryValueExW,RtlAllocateHeap,wcscpy,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap, 0_2_004086AD
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004098AD NtSetThreadExecutionState,GetTickCount,GetTickCount, 0_2_004098AD
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004054AF NtQueryInformationFile, 0_2_004054AF
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004020B2 NtOpenProcessToken,NtQueryInformationToken,RtlAllocateHeap,NtQueryInformationToken,RtlFreeHeap,NtClose, 0_2_004020B2
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00407127: memset,FindFirstVolumeW,GetVolumePathNamesForVolumeNameW,GetDriveTypeW,wcslen,CreateFileW,wcsrchr,NtClose,CreateFileW,DeviceIoControl,NtClose,memset,FindNextVolumeW,FindVolumeClose, 0_2_00407127
Contains functionality to delete services
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_0040274E OpenSCManagerW,OpenServiceW,DeleteService,CloseServiceHandle,CloseServiceHandle, 0_2_0040274E
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00406B3C GetModuleFileNameW,PathQuoteSpacesW,GetProcessId,_swprintf,_swprintf,CreateFileMappingW,MapViewOfFile,NtClose,wcscpy,UnmapViewOfFile,_swprintf,CreateEventW,NtClose,wcslen,RtlAllocateHeap,NtClose,NtClose,_swprintf,memset,memset,CreateProcessAsUserW,CreateProcessWithTokenW,CreateProcessW,NtClose,NtClose,_swprintf,CreateFileMappingW,ResumeThread,NtClose,WaitForSingleObject,NtClose,NtClose,RtlFreeHeap, 0_2_00406B3C
Creates files inside the system directory
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00402E50 0_2_00402E50
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00404A7C 0_2_00404A7C
Sample file is different than original file name gathered from version info
Source: fbi.exe, 00000002.00000002.217759035.0000000002930000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs fbi.exe
Source: fbi.exe, 00000002.00000002.217743616.00000000028E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs fbi.exe
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Uses 32bit PE files
Source: fbi.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: fbi.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: fbi.exe Static PE information: Section: .data ZLIB complexity 0.996012369792
Source: classification engine Classification label: mal96.rans.evad.winEXE@21/112@1/2
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00408422 GetLogicalDriveStringsW,RtlAllocateHeap,GetLogicalDriveStringsW,RtlAllocateHeap,GetDriveTypeW,GetDiskFreeSpaceExW,_alldiv,_alldiv,_swprintf,wcslen,RtlReAllocateHeap, 0_2_00408422
Source: C:\Users\user\Desktop\fbi.exe Code function: OpenSCManagerW,CreateServiceW,StartServiceW,CloseServiceHandle,CloseServiceHandle, 0_2_004026B5
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004026B5 OpenSCManagerW,CreateServiceW,StartServiceW,CloseServiceHandle,CloseServiceHandle, 0_2_004026B5
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00402A2B StartServiceCtrlDispatcherW, 0_2_00402A2B
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\89f3671df4dda4177e202fbdb1910c9c
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4440:120:WilError_01
Source: C:\Users\user\Desktop\fbi.exe System information queried: HandleInformation Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\fbi.exe 'C:\Users\user\Desktop\fbi.exe'
Source: unknown Process created: C:\Users\user\Desktop\fbi.exe 'C:\Users\user\Desktop\fbi.exe'
Source: C:\Users\user\Desktop\fbi.exe Process created: C:\Users\user\Desktop\fbi.exe 'C:\Users\user\Desktop\fbi.exe'
Source: unknown Process created: C:\Windows\System32\VSSVC.exe C:\Windows\system32\vssvc.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k swprv
Source: C:\Users\user\Desktop\fbi.exe Process created: C:\Users\user\Desktop\fbi.exe C:\Users\user\Desktop\fbi.exe -work worker0 job0-6368
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fbi.exe Process created: C:\Users\user\Desktop\fbi.exe 'C:\Users\user\Desktop\fbi.exe' Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe Process created: C:\Users\user\Desktop\fbi.exe C:\Users\user\Desktop\fbi.exe -work worker0 job0-6368 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable Jump to behavior
Source: C:\Windows\System32\VSSVC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FAF53CC4-BD73-4E36-83F1-2B23F46E513E}\InprocServer32 Jump to behavior
Source: fbi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00401867 LoadLibraryA,GetProcAddress, 0_2_00401867
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .text1
PE file contains an invalid checksum
Source: fbi.exe Static PE information: real checksum: 0xe0fc should be: 0x1837b
PE file contains sections with non-standard names
Source: fbi.exe Static PE information: section name: .text1
Source: initial sample Static PE information: section name: .text entropy: 7.92008086482
Source: C:\Users\user\Desktop\fbi.exe File created: C:\\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Recovery\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\3D Objects\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Contacts\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Desktop\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Desktop\GRXZDKKVDB\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Desktop\LSBIHQFDVT\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Desktop\PALRGUCVEH\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Desktop\PIVFAGEAAV\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Desktop\SUAVTZKNFL\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Desktop\ZQIXMVQGAH\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Documents\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Documents\GRXZDKKVDB\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Documents\LSBIHQFDVT\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Documents\PALRGUCVEH\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Documents\PIVFAGEAAV\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Documents\SUAVTZKNFL\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Documents\ZQIXMVQGAH\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Downloads\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Favorites\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Favorites\Links\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Links\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Music\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\OneDrive\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Pictures\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Pictures\Camera Roll\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Recent\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Saved Games\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Searches\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe File created: C:\Users\user\Videos\README.2c9ccbf3.TXT Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004026B5 OpenSCManagerW,CreateServiceW,StartServiceW,CloseServiceHandle,CloseServiceHandle, 0_2_004026B5
Source: C:\Users\user\Desktop\fbi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004049CA 0_2_004049CA
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004049CA rdtsc 0_2_004049CA
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\fbi.exe Code function: OpenSCManagerW,EnumServicesStatusExW,RtlAllocateHeap,EnumServicesStatusExW,OpenServiceW,memset,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,RtlFreeHeap, 0_2_004046B3
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\fbi.exe API coverage: 4.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 5304 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1320 Thread sleep time: -120000s >= -30000s Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\fbi.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00404052 wcscpy,wcscat,FindFirstFileExW,wcscpy,wcscat,FindNextFileW,FindClose, 0_2_00404052
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00403F75 wcscat,FindFirstFileExW,wcsrchr,wcscpy,FindNextFileW,FindClose, 0_2_00403F75
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00404137 wcslen,RtlAllocateHeap,wcscpy,wcscat,FindFirstFileExW,wcslen,wcslen,RtlAllocateHeap,wcscpy,wcsrchr,wcscpy,GetFileAttributesW,RemoveDirectoryW,RtlFreeHeap,DeleteFileW,RtlFreeHeap,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap, 0_2_00404137
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_0040669A wcslen,RtlAllocateHeap,wcscpy,GetFileAttributesW,wcscat,FindFirstFileExW,wcslen,wcslen,RtlAllocateHeap,wcscpy,wcsrchr,wcscat,GetFileAttributesW,wcsstr,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap, 0_2_0040669A
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00401BA0 wcslen,RtlAllocateHeap,wcscpy,wcscat,FindFirstFileExW,FindNextFileW,FindClose,RtlFreeHeap, 0_2_00401BA0
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_0040745B GetLogicalDriveStringsW,RtlAllocateHeap,GetLogicalDriveStringsW,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,GetDriveTypeW,WaitForMultipleObjects,MapViewOfFile,UnmapViewOfFile,NtClose,NtClose,WaitForMultipleObjects,NtClose,MapViewOfFile,UnmapViewOfFile,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap, 0_2_0040745B
Source: svchost.exe, 0000000D.00000002.462876038.0000024294C62000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000009.00000002.223966626.00000200E4060000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.278652656.000002027D940000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.460714765.00000161CFB40000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.298912954.00000203F30C0000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.341354818.0000023A51400000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000007.00000002.459389392.000002627F445000.00000004.00000001.sdmp Binary or memory string: ar&Prod_VMware_SATA_CD00#5&280b6
Source: svchost.exe, 00000019.00000002.340253298.0000023A50483000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWP
Source: svchost.exe, 0000000D.00000002.459723393.000002428F629000.00000004.00000001.sdmp, svchost.exe, 00000019.00000002.340399301.0000023A504E7000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000009.00000002.223966626.00000200E4060000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.278652656.000002027D940000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.460714765.00000161CFB40000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.298912954.00000203F30C0000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.341354818.0000023A51400000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000009.00000002.223966626.00000200E4060000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.278652656.000002027D940000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.460714765.00000161CFB40000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.298912954.00000203F30C0000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.341354818.0000023A51400000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 0000000F.00000002.459361449.00000161CEE67000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.459553359.000001C2BFA29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000009.00000002.223966626.00000200E4060000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.278652656.000002027D940000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.460714765.00000161CFB40000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.298912954.00000203F30C0000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.341354818.0000023A51400000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\fbi.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004049CA rdtsc 0_2_004049CA
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00402376 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,wcscpy,wcscat,wcslen,RtlFreeHeap,RtlEnterCriticalSection,RtlInitUnicodeString,RtlInitUnicodeString,RtlLeaveCriticalSection,LdrEnumerateLoadedModules, 0_2_00402376
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00401867 LoadLibraryA,GetProcAddress, 0_2_00401867
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00402376 mov ebx, dword ptr fs:[00000030h] 0_2_00402376
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004016D2 mov eax, dword ptr fs:[00000030h] 0_2_004016D2
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_0040A288 mov ecx, dword ptr fs:[00000030h] 0_2_0040A288
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004017AE mov eax, dword ptr fs:[00000030h] 0_2_004017AE

HIPS / PFW / Operating System Protection Evasion:

barindex
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_0040222A wcscpy,wcschr,LogonUserW,wcslen, 0_2_0040222A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\fbi.exe Process created: C:\Users\user\Desktop\fbi.exe C:\Users\user\Desktop\fbi.exe -work worker0 job0-6368 Jump to behavior

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_004049CA cpuid 0_2_004049CA
Queries the product ID of Windows
Source: C:\Users\user\Desktop\fbi.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe Code function: 0_2_00408592 GetUserNameW,RtlAllocateHeap,GetUserNameW,RtlFreeHeap, 0_2_00408592
Source: C:\Users\user\Desktop\fbi.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval Jump to behavior
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000015.00000002.459529907.000001E37BC56000.00000004.00000001.sdmp Binary or memory string: ,@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000015.00000002.459582745.000001E37BD02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct