Analysis Report fbi.exe

Overview

General Information

Sample Name:	fbi.exe
Analysis ID:	372394
MD5:	2031e1ce62d6f433ac77c78c24bc8bee
SHA1:	6f67030df8f735a59ea8af7753893f708ae6965c
SHA256:	b11371b6ab50cf5d8f8fae63880e6c2f00ea3a42274a334278f7f146439e8d83
Infos:
Most interesting Screenshot:

Detection

DarkSide

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found ransom note / readme

Yara detected DarkSide Ransomware

Changes security center settings (notifications, updates, antivirus, firewall)

Changes the wallpaper picture

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contains functionalty to change the wallpaper

Found Tor onion address

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

PE file has a writeable .text section

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Entry point lies outside standard sections

Found large amount of non-executed APIs

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: fbi.exe

Avira: detected

Machine Learning detection for sample

Source: fbi.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: fbi.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\fbi.exe	File created: C:\\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Recovery\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\3D Objects\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Contacts\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\GRXZDKKVDB\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\LSBIHQFDVT\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\PALRGUCVEH\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\PIVFAGEAAV\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\SUAVTZKNFL\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\ZQIXMVQGAH\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\GRXZDKKVDB\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\LSBIHQFDVT\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\PALRGUCVEH\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\PIVFAGEAAV\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\SUAVTZKNFL\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\ZQIXMVQGAH\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Downloads\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Favorites\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Favorites\Links\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Links\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Music\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\OneDrive\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Pictures\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Pictures\Camera Roll\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Recent\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Saved Games\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Searches\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Videos\README.2c9ccbf3.TXT	Jump to behavior

Source: unknown

HTTPS traffic detected: 176.103.62.217:443 -> 192.168.2.3:49713 version: TLS 1.2

Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00404052 wcscpy,wcscat,FindFirstFileExW,wcscpy,wcscat,FindNextFileW,FindClose,	0_2_00404052
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00403F75 wcscat,FindFirstFileExW,wcsrchr,wcscpy,FindNextFileW,FindClose,	0_2_00403F75
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00404137 wcslen,RtlAllocateHeap,wcscpy,wcscat,FindFirstFileExW,wcslen,wcslen,RtlAllocateHeap,wcscpy,wcsrchr,wcscpy,GetFileAttributesW,RemoveDirectoryW,RtlFreeHeap,DeleteFileW,RtlFreeHeap,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap,	0_2_00404137
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040669A wcslen,RtlAllocateHeap,wcscpy,GetFileAttributesW,wcscat,FindFirstFileExW,wcslen,wcslen,RtlAllocateHeap,wcscpy,wcsrchr,wcscat,GetFileAttributesW,wcsstr,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap,	0_2_0040669A
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00401BA0 wcslen,RtlAllocateHeap,wcscpy,wcscat,FindFirstFileExW,FindNextFileW,FindClose,RtlFreeHeap,	0_2_00401BA0

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_0040745B GetLogicalDriveStringsW,RtlAllocateHeap,GetLogicalDriveStringsW,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,GetDriveTypeW,WaitForMultipleObjects,MapViewOfFile,UnmapViewOfFile,NtClose,NtClose,WaitForMultipleObjects,NtClose,MapViewOfFile,UnmapViewOfFile,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,

0_2_0040745B

Networking:

Found Tor onion address

Source: fbi.exe, 00000008.00000003.211650846.0000000002AB5000.00000004.00000001.sdmp	String found in binary or memory: 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/P1SIQAOM77FWLVIE0BXHWMEXNEFVT2B4W9AHNO029UXBI1M9AZXJW0OLHGK4JBUO
Source: README.2c9ccbf3.TXT0.8.dr	String found in binary or memory: 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/P1SIQAOM77FWLVIE0BXHWMEXNEFVT2B4W9AHNO029UXBI1M9AZXJW0OLHGK4JBUO

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: svchost.exe, 00000019.00000003.328779807.0000023A50D3D000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000019.00000003.328779807.0000023A50D3D000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000019.00000003.328709410.0000023A50D59000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-16T12:12:39.3275175Z\|\|.\|\|63a8cd71-0d2d-48fc-a533-1b6561177791\|\|1152921505693287777\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000019.00000003.328709410.0000023A50D59000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-16T12:12:39.3275175Z\|\|.\|\|63a8cd71-0d2d-48fc-a533-1b6561177791\|\|1152921505693287777\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000019.00000003.328779807.0000023A50D3D000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000019.00000003.328779807.0000023A50D3D000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000019.00000003.321567590.0000023A50D54000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-15T21:09:58.8377117Z\|\|.\|\|1ad32855-590c-405c-8d49-1a557bf58211\|\|1152921505693277189\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-15T21:09:05.1816176Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 00000019.00000003.317830302.0000023A50D45000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000019.00000003.317830302.0000023A50D45000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000019.00000003.317830302.0000023A50D45000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000019.00000003.317674160.0000023A50D66000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507059906,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_neutral_~_ytsefhwckbdv6","PackageId":"7b9f9b48-4628-9d74-0c76-8a35ce1ffd98-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 00000019.00000003.317674160.0000023A50D66000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507059906,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_neutral_~_ytsefhwckbdv6","PackageId":"7b9f9b48-4628-9d74-0c76-8a35ce1ffd98-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 00000019.00000003.317674160.0000023A50D66000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507059906,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_neutral_~_ytsefhwckbdv6","PackageId":"7b9f9b48-4628-9d74-0c76-8a35ce1ffd98-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 00000019.00000003.317722644.0000023A50DA3000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000019.00000003.317722644.0000023A50DA3000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000019.00000003.317722644.0000023A50DA3000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000019.00000003.321615766.0000023A50D3F000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-15T21:09:58.8377117Z\|\|.\|\|1ad32855-590c-405c-8d49-1a557bf58211\|\|1152921505693277189\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-15T21:09:05.1816176Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 00000019.00000003.321567590.0000023A50D54000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-15T21:09:58.8377117Z\|\|.\|\|1ad32855-590c-405c-8d49-1a557bf58211\|\|1152921505693277189\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-15T21:09:05.1816176Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 00000019.00000003.321624374.0000023A50D4B000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","SkuTitle":"Messenger","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9WZDNCRF0083","Properties":{"FulfillmentData":{"ProductId":"9WZDNCRF0083","WuCategoryId":"c6a9fa5c-20a2-4e12-904d-edd408657dc8","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x64"],"Capabilities":["runFullTrust","internetClient","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":137845484,"PackageFormat":"Appx","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","MainPackageFamilyNameForDlc":null,"PackageFullName":"FACEBOOK.317180B0BB486_950.7.118.0_x64__8xx8rvfyw5nnt","PackageId":"9f0b5036-3839-33f0-1d64-45190b6cc3d7-X64","PackageRank":30002,"PlatformDependencies":[{"MaxTested":2814750970478592,"MinVersion":2814750438195200,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"FACEBOOK.317180B0BB486_950.7.118.0_x64__8xx8rvfyw5nnt\",\"content.productId\":\"3219d30d-4a23-4f58-a91c-c44b04e6a0c7\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750970478592,\"platform.minVersion\":2814750438195200,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Social\",\"optOut.backu

Source: unknown

DNS traffic detected: queries for: baroquetees.com

Source: svchost.exe, 00000019.00000003.314993166.0000023A50D36000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000019.00000003.314993166.0000023A50D36000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 0000000D.00000002.462302940.0000024294C00000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000019.00000003.314993166.0000023A50D36000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: fbi.exe, 00000008.00000003.211650846.0000000002AB5000.00000004.00000001.sdmp, README.2c9ccbf3.TXT0.8.dr	String found in binary or memory: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/P1SIQAOM77FWLVIE0BXHWMEXNEFVT2
Source: svchost.exe, 00000019.00000003.314993166.0000023A50D36000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 0000000D.00000002.462302940.0000024294C00000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 0000000D.00000002.463011800.0000024294C70000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 0000000D.00000002.463212207.0000024294E30000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000013.00000002.311176652.00000236AE413000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000019.00000003.317722644.0000023A50DA3000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.317830302.0000023A50D45000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.317674160.0000023A50D66000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000019.00000003.317722644.0000023A50DA3000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.317830302.0000023A50D45000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.317674160.0000023A50D66000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 00000019.00000003.316120367.0000023A50D45000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 00000019.00000003.316120367.0000023A50D45000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/terms
Source: svchost.exe, 0000000F.00000002.459311229.00000161CEE3E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000F.00000002.459311229.00000161CEE3E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000F.00000002.459311229.00000161CEE3E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000F.00000002.459311229.00000161CEE3E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000F.00000002.459311229.00000161CEE3E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000019.00000003.327184502.0000023A50D8A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.326887582.0000023A50D69000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 00000019.00000003.327184502.0000023A50D8A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.326887582.0000023A50D69000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.327229545.0000023A50D57000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 00000013.00000003.310503610.00000236AE45C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000013.00000002.311305996.00000236AE45E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000013.00000002.311305996.00000236AE45E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000013.00000002.311305996.00000236AE45E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000013.00000002.311299530.00000236AE458000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000013.00000003.310503610.00000236AE45C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000013.00000002.311299530.00000236AE458000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000013.00000002.311299530.00000236AE458000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000013.00000002.311317275.00000236AE465000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.310503610.00000236AE45C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000013.00000003.288689128.00000236AE431000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000019.00000003.327184502.0000023A50D8A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.326887582.0000023A50D69000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 00000019.00000003.317722644.0000023A50DA3000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.317830302.0000023A50D45000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.317674160.0000023A50D66000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/hiddencity_
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000013.00000003.288689128.00000236AE431000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000013.00000003.288689128.00000236AE431000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: fbi.exe, 00000008.00000003.211650846.0000000002AB5000.00000004.00000001.sdmp, fbi.exe, 00000008.00000002.212210317.0000000002AA4000.00000004.00000001.sdmp, README.2c9ccbf3.TXT0.8.dr	String found in binary or memory: https://torproject.org/
Source: svchost.exe, 00000019.00000003.316120367.0000023A50D45000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 00000019.00000003.316120367.0000023A50D45000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 00000019.00000003.327184502.0000023A50D8A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.326887582.0000023A50D69000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000019.00000003.327184502.0000023A50D8A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.326887582.0000023A50D69000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown

HTTPS traffic detected: 176.103.62.217:443 -> 192.168.2.3:49713 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands:

Found ransom note / readme

Source: C:\README.2c9ccbf3.TXT

Dropped file: ----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/P1SIQAOM77FWLVIE0BXHWMEXNEFVT2B4W9AHNO029UXBI1M9AZXJW0OLHGK4JBUO When you open our website, put the following data in the input form: Key: fuhq13doggOCMrfxqkmjpQoY2kQDvwKhWDcTAc6wzO0xW5MYLHVUlZiL8TL9gJVDKD0vHqlXHVFQ1FmkuwAJ10v4gj9SMk9qeWp9Yn3qMghTwGDGTpeQawHC6k6ngMqKgRSaNSidPZSdANtdBcf0gxuWp6fp5uXtJvC7UgAsAXOr2zsxXa2fsBjRfaQNtSTKhwT1bh7l142iqc977kmwVM8S2eZhRK1rDNSCsxzPoU13m252KAnXaqbA555ntRX0YkvIu8T1R8rcXlWlumZWRCQtTiOqwKokOkSDz436zmbCq9tccBsVu0QWK5e6FVKshToVF8uWA0Ju8aR5XDudkJliZlEp3MX5We42S0OT7GhqJ1AHSHKFm2227MJd3B7SOUvVrpkTF3WtUqwMtnWk5RM3s0JusyIcyE4MCwjbszzQOlELkLCUKGftiY2YzgKDivCHcvrDnjzfhJvlRwmoUCf0x1gXMOMPDnaxMJMK7P8Qf0iwBU0X9FYpbur7T2UC3TaXQkurBAVop2nfdagQRq9urzPcOvx4Z52qxxihOgZH1XeDkJcuYBs !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

Jump to dropped file

Yara detected DarkSide Ransomware

Source: Yara match	File source: 00000000.00000002.192029416.0000000000579000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.217291433.0000000000538000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.211708521.0000000002AB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.211650846.0000000002AB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.202907412.000000000064A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.211626153.0000000002AC4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.211662182.0000000002AB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.212129998.00000000005DD000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.211721573.0000000002AB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.211608024.0000000002AB4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.211636740.0000000002AB4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.211748701.000000000060A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.211763458.000000000060A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.192572788.0000000000587000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.212148927.000000000060A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fbi.exe PID: 6776, type: MEMORY
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED

Changes the wallpaper picture

Source: C:\Users\user\Desktop\fbi.exe

Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop WallPaper C:\ProgramData\2c9ccbf3.BMP

Jump to behavior

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_00403451 CreateFontW,SelectObject,RtlAllocateHeap,_swprintf,GetTextExtentPoint32W,SelectObject,SetTextColor,SetBkMode,SetBkColor,DrawTextW,memset,SelectObject,SHGetSpecialFolderPathW,wcscat,wcslen,CreateFileW,WriteFile,WriteFile,WriteFile,NtClose,wcscat,RegCreateKeyExW,wcslen,RegSetValueExW,wcslen,RegSetValueExW,SystemParametersInfoW,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,NtClose,NtClose,DeleteObject,DeleteObject,RtlFreeHeap,DeleteObject,DeleteDC,DeleteDC,

0_2_00403451

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\fbi.exe	File moved: C:\Users\user\Desktop\LSBIHQFDVT\QCFWYSKMHA.png	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File moved: C:\Users\user\Desktop\ZQIXMVQGAH.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File moved: C:\Users\user\Desktop\QCFWYSKMHA.png	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File moved: C:\Users\user\Desktop\ZQIXMVQGAH\PIVFAGEAAV.jpg	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File moved: C:\Users\user\Desktop\LSBIHQFDVT\QNCYCDFIJJ.jpg	Jump to behavior

System Summary:

PE file has a writeable .text section

Source: fbi.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Contains functionality to call native functions

Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00402E50 NtQueryInstallUILanguage,NtQueryDefaultUILanguage,	0_2_00402E50
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00401D54 RegCreateKeyExW,RegQueryValueExW,memcpy,RtlFreeHeap,NtClose,RtlFreeHeap,	0_2_00401D54
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00401ECB NtOpenProcessToken,NtQueryInformationToken,LookupAccountSidW,_wcsicmp,RtlFreeHeap,_wcsicmp,RtlFreeHeap,_wcsicmp,RtlFreeHeap,NtClose,	0_2_00401ECB
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040998D CommandLineToArgvW,NtClose,NtClose,NtClose,NtClose,NtClose,RtlFreeHeap,OpenMutexW,NtClose,CreateMutexW,ReleaseMutex,NtClose,NtClose,NtClose,	0_2_0040998D
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00404849 RtlAllocateHeap,NtQuerySystemInformation,RtlReAllocateHeap,RtlFreeHeap,NtOpenProcess,NtTerminateProcess,NtClose,RtlFreeHeap,	0_2_00404849
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040624A wcslen,wcslen,RtlAllocateHeap,wcscpy,wcscat,SetFileAttributesW,CreateFileW,RtlAllocateHeap,ReadFile,NtClose,RtlFreeHeap,RtlFreeHeap,	0_2_0040624A
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040574A NtQuerySystemInformation,RtlAllocateHeap,NtOpenProcess,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_0040574A
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00403451 CreateFontW,SelectObject,RtlAllocateHeap,_swprintf,GetTextExtentPoint32W,SelectObject,SetTextColor,SetBkMode,SetBkColor,DrawTextW,memset,SelectObject,SHGetSpecialFolderPathW,wcscat,wcslen,CreateFileW,WriteFile,WriteFile,WriteFile,NtClose,wcscat,RegCreateKeyExW,wcslen,RegSetValueExW,wcslen,RegSetValueExW,SystemParametersInfoW,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,NtClose,NtClose,DeleteObject,DeleteObject,RtlFreeHeap,DeleteObject,DeleteDC,DeleteDC,	0_2_00403451
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00405C57 SetFileAttributesW,CreateFileW,PathIsNetworkPathW,SetFilePointerEx,ReadFile,memcmp,NtClose,	0_2_00405C57
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00405558 RtlAllocateHeap,NtQueryObject,RtlReAllocateHeap,RtlFreeHeap,_wcsicmp,RtlFreeHeap,	0_2_00405558
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040745B GetLogicalDriveStringsW,RtlAllocateHeap,GetLogicalDriveStringsW,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,GetDriveTypeW,WaitForMultipleObjects,MapViewOfFile,UnmapViewOfFile,NtClose,NtClose,WaitForMultipleObjects,NtClose,MapViewOfFile,UnmapViewOfFile,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_0040745B
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040576C NtQuerySystemInformation,RtlAllocateHeap,NtOpenProcess,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_0040576C
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040216F NtOpenProcessToken,NtQueryInformationToken,RtlAllocateHeap,NtQueryInformationToken,NtAdjustPrivilegesToken,RtlFreeHeap,NtClose,	0_2_0040216F
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00401B6F NtSetInformationThread,	0_2_00401B6F
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00409271 NtSetThreadExecutionState,wcslen,RtlAllocateHeap,wcscpy,GetFileAttributesW,PathFindExtensionW,_wcsicmp,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,PathIsNetworkPathW,PathIsUNCServerW,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,wcslen,RtlAllocateHeap,RtlFreeHeap,wcscat,RtlFreeHeap,RtlFreeHeap,wcsstr,wcscat,RtlFreeHeap,RtlFreeHeap,	0_2_00409271
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00402376 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,wcscpy,wcscat,wcslen,RtlFreeHeap,RtlEnterCriticalSection,RtlInitUnicodeString,RtlInitUnicodeString,RtlLeaveCriticalSection,LdrEnumerateLoadedModules,	0_2_00402376
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00403A7B SHGetSpecialFolderPathW,wcscat,wcslen,RtlAllocateHeap,RtlFreeHeap,RtlFreeHeap,RegCreateKeyExW,wcslen,RegSetValueExW,NtClose,wcscpy,wcscat,RtlFreeHeap,RegCreateKeyExW,wcslen,RegSetValueExW,NtClose,SHChangeNotify,	0_2_00403A7B
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00409611 _swprintf,_swprintf,OpenEventW,OpenFileMappingW,NtClose,MapViewOfFile,NtClose,NtClose,GetVolumePathNameW,GetDriveTypeW,UnmapViewOfFile,NtClose,SetEvent,NtClose,SetEvent,UnmapViewOfFile,NtClose,NtClose,GetProcessId,_swprintf,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,NtClose,	0_2_00409611
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00402012 NtQueryInformationToken,RtlAllocateHeap,NtQueryInformationToken,RtlFreeHeap,	0_2_00402012
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040701B CreateThread,WaitForSingleObject,GetExitCodeThread,NtClose,	0_2_0040701B
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00405E20 wcslen,wcslen,RtlAllocateHeap,wcscpy,wcscat,RtlAllocateHeap,wcscpy,wcscat,MoveFileExW,CreateFileW,CreateIoCompletionPort,NtClose,RtlAllocateHeap,NtClose,memcpy,memcpy,PostQueuedCompletionStatus,RtlFreeHeap,NtClose,InterlockedIncrement,RtlFreeHeap,RtlFreeHeap,	0_2_00405E20
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00403222 memset,OpenWindowStationW,NtSetSecurityObject,OpenDesktopW,NtSetSecurityObject,CloseDesktop,CloseWindowStation,	0_2_00403222
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00407127 memset,FindFirstVolumeW,GetVolumePathNamesForVolumeNameW,GetDriveTypeW,wcslen,CreateFileW,wcsrchr,NtClose,CreateFileW,DeviceIoControl,NtClose,memset,FindNextVolumeW,FindVolumeClose,	0_2_00407127
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00406B3C GetModuleFileNameW,PathQuoteSpacesW,GetProcessId,_swprintf,_swprintf,CreateFileMappingW,MapViewOfFile,NtClose,wcscpy,UnmapViewOfFile,_swprintf,CreateEventW,NtClose,wcslen,RtlAllocateHeap,NtClose,NtClose,_swprintf,memset,memset,CreateProcessAsUserW,CreateProcessWithTokenW,CreateProcessW,NtClose,NtClose,_swprintf,CreateFileMappingW,ResumeThread,NtClose,WaitForSingleObject,NtClose,NtClose,RtlFreeHeap,	0_2_00406B3C
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00402FC2 NtQueryInformationProcess,	0_2_00402FC2
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004055C5 NtQueryObject,_wcsicmp,RtlFreeHeap,	0_2_004055C5
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004056C8 PathFindFileNameW,RtlAllocateHeap,NtQuerySystemInformation,RtlReAllocateHeap,RtlFreeHeap,RtlAllocateHeap,NtOpenProcess,NtDuplicateObject,PathFindFileNameW,_wcsicmp,RtlAllocateHeap,NtQueryInformationProcess,PathFindFileNameW,NtTerminateProcess,WaitForSingleObject,NtClose,NtClose,memset,memset,NtClose,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_004056C8
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004027C8 RegisterServiceCtrlHandlerW,SetServiceStatus,NtOpenProcessToken,NtDuplicateToken,NtSetInformationToken,memset,memset,CreateProcessAsUserW,NtClose,NtClose,NtClose,NtClose,SetServiceStatus,	0_2_004027C8
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004030CC CreateThread,WaitForSingleObject,GetExitCodeThread,NtClose,	0_2_004030CC
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004054D4 CreateThread,WaitForSingleObject,NtTerminateThread,GetExitCodeThread,NtClose,	0_2_004054D4
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004069D9 CreateIoCompletionPort,CreateThread,CreateThread,Sleep,PostQueuedCompletionStatus,PostQueuedCompletionStatus,WaitForMultipleObjects,NtClose,NtClose,	0_2_004069D9
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004088E4 memset,RegCreateKeyExW,RegQueryValueExW,RtlAllocateHeap,NtClose,RtlFreeHeap,RtlFreeHeap,	0_2_004088E4
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004083E5 WaitForSingleObject,NtClose,	0_2_004083E5
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004022E8 NtSetInformationProcess,NtSetInformationProcess,	0_2_004022E8
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00401AF0 NtDuplicateToken,NtSetInformationThread,NtClose,	0_2_00401AF0
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004078F7 CreateThread,WaitForSingleObject,NtTerminateThread,GetExitCodeThread,NtClose,	0_2_004078F7
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004087FB RegCreateKeyExW,RegQueryValueExW,RtlAllocateHeap,wcscpy,NtClose,RtlFreeHeap,RtlFreeHeap,	0_2_004087FB
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00405CFC SetFilePointerEx,NtClose,	0_2_00405CFC
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00406F85 CreateThread,WaitForSingleObject,GetExitCodeThread,NtClose,	0_2_00406F85
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00404887 NtQuerySystemInformation,NtOpenProcess,NtTerminateProcess,NtClose,RtlFreeHeap,	0_2_00404887
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040818E RtlAllocateHeap,RtlAllocateHeap,wcslen,wcslen,RtlAllocateHeap,wcscat,wcscat,RtlFreeHeap,WaitForMultipleObjects,NtClose,RtlFreeHeap,WaitForMultipleObjects,NtClose,RtlFreeHeap,RtlFreeHeap,	0_2_0040818E
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040339B NtOpenProcessToken,NtQueryInformationToken,ConvertSidToStringSidW,wcscpy,RtlFreeHeap,NtClose,	0_2_0040339B
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040559F NtQueryObject,_wcsicmp,RtlFreeHeap,	0_2_0040559F
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00407DA5 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,wcslen,wcslen,RtlAllocateHeap,wcscat,wcscat,RtlFreeHeap,WaitForMultipleObjects,MapViewOfFile,UnmapViewOfFile,NtClose,NtClose,RtlFreeHeap,WaitForMultipleObjects,NtClose,MapViewOfFile,UnmapViewOfFile,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_00407DA5
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004048A9 NtQuerySystemInformation,NtOpenProcess,NtTerminateProcess,NtClose,RtlFreeHeap,	0_2_004048A9
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00401CAA CreateFileW,WriteFile,NtClose,	0_2_00401CAA
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004059AB GetCurrentThread,SetThreadPriority,GetQueuedCompletionStatus,PostQueuedCompletionStatus,NtClose,RtlFreeHeap,ReadFile,Sleep,ReadFile,WriteFile,Sleep,WriteFile,WriteFile,Sleep,WriteFile,Sleep,NtClose,RtlFreeHeap,InterlockedIncrement,	0_2_004059AB
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004086AD RegCreateKeyExW,RegQueryValueExW,RegQueryValueExW,RtlAllocateHeap,wcscpy,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_004086AD
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004098AD NtSetThreadExecutionState,GetTickCount,GetTickCount,	0_2_004098AD
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004054AF NtQueryInformationFile,	0_2_004054AF
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004020B2 NtOpenProcessToken,NtQueryInformationToken,RtlAllocateHeap,NtQueryInformationToken,RtlFreeHeap,NtClose,	0_2_004020B2

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_00407127: memset,FindFirstVolumeW,GetVolumePathNamesForVolumeNameW,GetDriveTypeW,wcslen,CreateFileW,wcsrchr,NtClose,CreateFileW,DeviceIoControl,NtClose,memset,FindNextVolumeW,FindVolumeClose,

0_2_00407127

Contains functionality to delete services

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_0040274E OpenSCManagerW,OpenServiceW,DeleteService,CloseServiceHandle,CloseServiceHandle,

0_2_0040274E

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_00406B3C GetModuleFileNameW,PathQuoteSpacesW,GetProcessId,_swprintf,_swprintf,CreateFileMappingW,MapViewOfFile,NtClose,wcscpy,UnmapViewOfFile,_swprintf,CreateEventW,NtClose,wcslen,RtlAllocateHeap,NtClose,NtClose,_swprintf,memset,memset,CreateProcessAsUserW,CreateProcessWithTokenW,CreateProcessW,NtClose,NtClose,_swprintf,CreateFileMappingW,ResumeThread,NtClose,WaitForSingleObject,NtClose,NtClose,RtlFreeHeap,

0_2_00406B3C

Creates files inside the system directory

Source: C:\Users\user\Desktop\fbi.exe

File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00402E50		0_2_00402E50
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00404A7C		0_2_00404A7C

Sample file is different than original file name gathered from version info

Source: fbi.exe, 00000002.00000002.217759035.0000000002930000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs fbi.exe
Source: fbi.exe, 00000002.00000002.217743616.00000000028E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs fbi.exe

Tries to load missing DLLs

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Uses 32bit PE files

Source: fbi.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: fbi.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: fbi.exe

Static PE information: Section: .data ZLIB complexity 0.996012369792

Source: classification engine

Classification label: mal96.rans.evad.winEXE@21/112@1/2

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_00408422 GetLogicalDriveStringsW,RtlAllocateHeap,GetLogicalDriveStringsW,RtlAllocateHeap,GetDriveTypeW,GetDiskFreeSpaceExW,_alldiv,_alldiv,_swprintf,wcslen,RtlReAllocateHeap,

0_2_00408422

Source: C:\Users\user\Desktop\fbi.exe

Code function: OpenSCManagerW,CreateServiceW,StartServiceW,CloseServiceHandle,CloseServiceHandle,

0_2_004026B5

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_004026B5 OpenSCManagerW,CreateServiceW,StartServiceW,CloseServiceHandle,CloseServiceHandle,

0_2_004026B5

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_00402A2B StartServiceCtrlDispatcherW,

0_2_00402A2B

Source: C:\Users\user\Desktop\fbi.exe

File created: C:\Users\README.2c9ccbf3.TXT

Jump to behavior

Source: C:\Users\user\Desktop\fbi.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\89f3671df4dda4177e202fbdb1910c9c
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4440:120:WilError_01

Source: C:\Users\user\Desktop\fbi.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\Desktop\fbi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\fbi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\fbi.exe 'C:\Users\user\Desktop\fbi.exe'
Source: unknown	Process created: C:\Users\user\Desktop\fbi.exe 'C:\Users\user\Desktop\fbi.exe'
Source: C:\Users\user\Desktop\fbi.exe	Process created: C:\Users\user\Desktop\fbi.exe 'C:\Users\user\Desktop\fbi.exe'
Source: unknown	Process created: C:\Windows\System32\VSSVC.exe C:\Windows\system32\vssvc.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k swprv
Source: C:\Users\user\Desktop\fbi.exe	Process created: C:\Users\user\Desktop\fbi.exe C:\Users\user\Desktop\fbi.exe -work worker0 job0-6368
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fbi.exe	Process created: C:\Users\user\Desktop\fbi.exe 'C:\Users\user\Desktop\fbi.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	Process created: C:\Users\user\Desktop\fbi.exe C:\Users\user\Desktop\fbi.exe -work worker0 job0-6368	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable	Jump to behavior

Source: C:\Windows\System32\VSSVC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FAF53CC4-BD73-4E36-83F1-2B23F46E513E}\InprocServer32

Jump to behavior

Source: fbi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_00401867 LoadLibraryA,GetProcAddress,

0_2_00401867

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .text1

PE file contains an invalid checksum

Source: fbi.exe

Static PE information: real checksum: 0xe0fc should be: 0x1837b

PE file contains sections with non-standard names

Source: fbi.exe

Static PE information: section name: .text1

Source: initial sample

Static PE information: section name: .text entropy: 7.92008086482

Source: C:\Users\user\Desktop\fbi.exe	File created: C:\\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Recovery\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\3D Objects\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Contacts\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\GRXZDKKVDB\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\LSBIHQFDVT\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\PALRGUCVEH\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\PIVFAGEAAV\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\SUAVTZKNFL\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\ZQIXMVQGAH\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\GRXZDKKVDB\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\LSBIHQFDVT\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\PALRGUCVEH\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\PIVFAGEAAV\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\SUAVTZKNFL\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\ZQIXMVQGAH\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Downloads\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Favorites\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Favorites\Links\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Links\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Music\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\OneDrive\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Pictures\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Pictures\Camera Roll\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Recent\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Saved Games\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Searches\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Videos\README.2c9ccbf3.TXT	Jump to behavior

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_004026B5 OpenSCManagerW,CreateServiceW,StartServiceW,CloseServiceHandle,CloseServiceHandle,

0_2_004026B5

Source: C:\Users\user\Desktop\fbi.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_004049CA

0_2_004049CA

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_004049CA rdtsc

0_2_004049CA

Contains functionality to enumerate running services

Source: C:\Users\user\Desktop\fbi.exe

Code function: OpenSCManagerW,EnumServicesStatusExW,RtlAllocateHeap,EnumServicesStatusExW,OpenServiceW,memset,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,RtlFreeHeap,

0_2_004046B3

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\fbi.exe

API coverage: 4.8 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 5304	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1320	Thread sleep time: -120000s >= -30000s			Jump to behavior

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\fbi.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00404052 wcscpy,wcscat,FindFirstFileExW,wcscpy,wcscat,FindNextFileW,FindClose,	0_2_00404052
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00403F75 wcscat,FindFirstFileExW,wcsrchr,wcscpy,FindNextFileW,FindClose,	0_2_00403F75
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00404137 wcslen,RtlAllocateHeap,wcscpy,wcscat,FindFirstFileExW,wcslen,wcslen,RtlAllocateHeap,wcscpy,wcsrchr,wcscpy,GetFileAttributesW,RemoveDirectoryW,RtlFreeHeap,DeleteFileW,RtlFreeHeap,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap,	0_2_00404137
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040669A wcslen,RtlAllocateHeap,wcscpy,GetFileAttributesW,wcscat,FindFirstFileExW,wcslen,wcslen,RtlAllocateHeap,wcscpy,wcsrchr,wcscat,GetFileAttributesW,wcsstr,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap,	0_2_0040669A
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00401BA0 wcslen,RtlAllocateHeap,wcscpy,wcscat,FindFirstFileExW,FindNextFileW,FindClose,RtlFreeHeap,	0_2_00401BA0

Source: C:\Users\user\Desktop\fbi.exe

0_2_0040745B

Source: svchost.exe, 0000000D.00000002.462876038.0000024294C62000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000009.00000002.223966626.00000200E4060000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.278652656.000002027D940000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.460714765.00000161CFB40000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.298912954.00000203F30C0000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.341354818.0000023A51400000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000007.00000002.459389392.000002627F445000.00000004.00000001.sdmp	Binary or memory string: ar&Prod_VMware_SATA_CD00#5&280b6
Source: svchost.exe, 00000019.00000002.340253298.0000023A50483000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWP
Source: svchost.exe, 0000000D.00000002.459723393.000002428F629000.00000004.00000001.sdmp, svchost.exe, 00000019.00000002.340399301.0000023A504E7000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000009.00000002.223966626.00000200E4060000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.278652656.000002027D940000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.460714765.00000161CFB40000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.298912954.00000203F30C0000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.341354818.0000023A51400000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000009.00000002.223966626.00000200E4060000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.278652656.000002027D940000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.460714765.00000161CFB40000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.298912954.00000203F30C0000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.341354818.0000023A51400000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 0000000F.00000002.459361449.00000161CEE67000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.459553359.000001C2BFA29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000009.00000002.223966626.00000200E4060000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.278652656.000002027D940000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.460714765.00000161CFB40000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.298912954.00000203F30C0000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.341354818.0000023A51400000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\fbi.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_004049CA rdtsc

0_2_004049CA

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_00402376 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,wcscpy,wcscat,wcslen,RtlFreeHeap,RtlEnterCriticalSection,RtlInitUnicodeString,RtlInitUnicodeString,RtlLeaveCriticalSection,LdrEnumerateLoadedModules,

0_2_00402376

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_00401867 LoadLibraryA,GetProcAddress,

0_2_00401867

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00402376 mov ebx, dword ptr fs:[00000030h]	0_2_00402376
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004016D2 mov eax, dword ptr fs:[00000030h]	0_2_004016D2
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040A288 mov ecx, dword ptr fs:[00000030h]	0_2_0040A288
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004017AE mov eax, dword ptr fs:[00000030h]	0_2_004017AE

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to execute programs as a different user

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_0040222A wcscpy,wcschr,LogonUserW,wcslen,

0_2_0040222A

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\fbi.exe

Process created: C:\Users\user\Desktop\fbi.exe C:\Users\user\Desktop\fbi.exe -work worker0 job0-6368

Jump to behavior

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_004049CA cpuid

0_2_004049CA

Queries the product ID of Windows

Source: C:\Users\user\Desktop\fbi.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId			Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_00408592 GetUserNameW,RtlAllocateHeap,GetUserNameW,RtlFreeHeap,

0_2_00408592

Source: C:\Users\user\Desktop\fbi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: svchost.exe, 00000015.00000002.459529907.000001E37BC56000.00000004.00000001.sdmp	Binary or memory string: ,@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000015.00000002.459582745.000001E37BD02000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
176.103.62.217	baroquetees.com	Ukraine		59729	ITL-BG	false

Private

IP
127.0.0.1

Contacted Domains

Name	IP	Active
baroquetees.com	176.103.62.217	true

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: fbi.exe

Avira: detected

Machine Learning detection for sample

Source: fbi.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: fbi.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\fbi.exe	File created: C:\\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Recovery\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\3D Objects\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Contacts\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\GRXZDKKVDB\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\LSBIHQFDVT\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\PALRGUCVEH\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\PIVFAGEAAV\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\SUAVTZKNFL\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\ZQIXMVQGAH\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\GRXZDKKVDB\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\LSBIHQFDVT\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\PALRGUCVEH\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\PIVFAGEAAV\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\SUAVTZKNFL\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\ZQIXMVQGAH\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Downloads\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Favorites\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Favorites\Links\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Links\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Music\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\OneDrive\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Pictures\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Pictures\Camera Roll\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Recent\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Saved Games\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Searches\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Videos\README.2c9ccbf3.TXT	Jump to behavior

Source: unknown

HTTPS traffic detected: 176.103.62.217:443 -> 192.168.2.3:49713 version: TLS 1.2

Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00404052 wcscpy,wcscat,FindFirstFileExW,wcscpy,wcscat,FindNextFileW,FindClose,	0_2_00404052
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00403F75 wcscat,FindFirstFileExW,wcsrchr,wcscpy,FindNextFileW,FindClose,	0_2_00403F75
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00404137 wcslen,RtlAllocateHeap,wcscpy,wcscat,FindFirstFileExW,wcslen,wcslen,RtlAllocateHeap,wcscpy,wcsrchr,wcscpy,GetFileAttributesW,RemoveDirectoryW,RtlFreeHeap,DeleteFileW,RtlFreeHeap,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap,	0_2_00404137
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040669A wcslen,RtlAllocateHeap,wcscpy,GetFileAttributesW,wcscat,FindFirstFileExW,wcslen,wcslen,RtlAllocateHeap,wcscpy,wcsrchr,wcscat,GetFileAttributesW,wcsstr,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap,	0_2_0040669A
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00401BA0 wcslen,RtlAllocateHeap,wcscpy,wcscat,FindFirstFileExW,FindNextFileW,FindClose,RtlFreeHeap,	0_2_00401BA0

Source: C:\Users\user\Desktop\fbi.exe

0_2_0040745B

Networking:

Found Tor onion address

Source: fbi.exe, 00000008.00000003.211650846.0000000002AB5000.00000004.00000001.sdmp	String found in binary or memory: 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/P1SIQAOM77FWLVIE0BXHWMEXNEFVT2B4W9AHNO029UXBI1M9AZXJW0OLHGK4JBUO
Source: README.2c9ccbf3.TXT0.8.dr	String found in binary or memory: 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/P1SIQAOM77FWLVIE0BXHWMEXNEFVT2B4W9AHNO029UXBI1M9AZXJW0OLHGK4JBUO

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: svchost.exe, 00000019.00000003.328779807.0000023A50D3D000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000019.00000003.328779807.0000023A50D3D000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000019.00000003.328709410.0000023A50D59000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-16T12:12:39.3275175Z\|\|.\|\|63a8cd71-0d2d-48fc-a533-1b6561177791\|\|1152921505693287777\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000019.00000003.328709410.0000023A50D59000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-16T12:12:39.3275175Z\|\|.\|\|63a8cd71-0d2d-48fc-a533-1b6561177791\|\|1152921505693287777\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000019.00000003.328779807.0000023A50D3D000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000019.00000003.328779807.0000023A50D3D000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000019.00000003.321567590.0000023A50D54000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-15T21:09:58.8377117Z\|\|.\|\|1ad32855-590c-405c-8d49-1a557bf58211\|\|1152921505693277189\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-15T21:09:05.1816176Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 00000019.00000003.317830302.0000023A50D45000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000019.00000003.317830302.0000023A50D45000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000019.00000003.317830302.0000023A50D45000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000019.00000003.317674160.0000023A50D66000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507059906,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_neutral_~_ytsefhwckbdv6","PackageId":"7b9f9b48-4628-9d74-0c76-8a35ce1ffd98-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 00000019.00000003.317674160.0000023A50D66000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507059906,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_neutral_~_ytsefhwckbdv6","PackageId":"7b9f9b48-4628-9d74-0c76-8a35ce1ffd98-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 00000019.00000003.317674160.0000023A50D66000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507059906,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_neutral_~_ytsefhwckbdv6","PackageId":"7b9f9b48-4628-9d74-0c76-8a35ce1ffd98-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4000.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 00000019.00000003.317722644.0000023A50DA3000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000019.00000003.317722644.0000023A50DA3000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000019.00000003.317722644.0000023A50DA3000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000019.00000003.321615766.0000023A50D3F000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-15T21:09:58.8377117Z\|\|.\|\|1ad32855-590c-405c-8d49-1a557bf58211\|\|1152921505693277189\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-15T21:09:05.1816176Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 00000019.00000003.321567590.0000023A50D54000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-15T21:09:58.8377117Z\|\|.\|\|1ad32855-590c-405c-8d49-1a557bf58211\|\|1152921505693277189\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-15T21:09:05.1816176Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 00000019.00000003.321624374.0000023A50D4B000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","SkuTitle":"Messenger","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9WZDNCRF0083","Properties":{"FulfillmentData":{"ProductId":"9WZDNCRF0083","WuCategoryId":"c6a9fa5c-20a2-4e12-904d-edd408657dc8","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x64"],"Capabilities":["runFullTrust","internetClient","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":137845484,"PackageFormat":"Appx","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","MainPackageFamilyNameForDlc":null,"PackageFullName":"FACEBOOK.317180B0BB486_950.7.118.0_x64__8xx8rvfyw5nnt","PackageId":"9f0b5036-3839-33f0-1d64-45190b6cc3d7-X64","PackageRank":30002,"PlatformDependencies":[{"MaxTested":2814750970478592,"MinVersion":2814750438195200,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"FACEBOOK.317180B0BB486_950.7.118.0_x64__8xx8rvfyw5nnt\",\"content.productId\":\"3219d30d-4a23-4f58-a91c-c44b04e6a0c7\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750970478592,\"platform.minVersion\":2814750438195200,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Social\",\"optOut.backu

Source: unknown

DNS traffic detected: queries for: baroquetees.com

Source: svchost.exe, 00000019.00000003.314993166.0000023A50D36000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000019.00000003.314993166.0000023A50D36000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 0000000D.00000002.462302940.0000024294C00000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000019.00000003.314993166.0000023A50D36000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: fbi.exe, 00000008.00000003.211650846.0000000002AB5000.00000004.00000001.sdmp, README.2c9ccbf3.TXT0.8.dr	String found in binary or memory: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/P1SIQAOM77FWLVIE0BXHWMEXNEFVT2
Source: svchost.exe, 00000019.00000003.314993166.0000023A50D36000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 0000000D.00000002.462302940.0000024294C00000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 0000000D.00000002.463011800.0000024294C70000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 0000000D.00000002.463212207.0000024294E30000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000013.00000002.311176652.00000236AE413000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000019.00000003.317722644.0000023A50DA3000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.317830302.0000023A50D45000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.317674160.0000023A50D66000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000019.00000003.317722644.0000023A50DA3000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.317830302.0000023A50D45000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.317674160.0000023A50D66000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 00000019.00000003.316120367.0000023A50D45000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 00000019.00000003.316120367.0000023A50D45000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/terms
Source: svchost.exe, 0000000F.00000002.459311229.00000161CEE3E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000F.00000002.459311229.00000161CEE3E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000F.00000002.459311229.00000161CEE3E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000F.00000002.459311229.00000161CEE3E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000F.00000002.459311229.00000161CEE3E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000019.00000003.327184502.0000023A50D8A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.326887582.0000023A50D69000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 00000019.00000003.327184502.0000023A50D8A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.326887582.0000023A50D69000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.327229545.0000023A50D57000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 00000013.00000003.310503610.00000236AE45C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000013.00000002.311305996.00000236AE45E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000013.00000002.311305996.00000236AE45E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000013.00000002.311305996.00000236AE45E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000013.00000002.311299530.00000236AE458000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000013.00000003.310503610.00000236AE45C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000013.00000002.311299530.00000236AE458000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000013.00000002.311299530.00000236AE458000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000013.00000002.311317275.00000236AE465000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.310503610.00000236AE45C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000013.00000003.310486406.00000236AE461000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000013.00000003.288689128.00000236AE431000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000019.00000003.327184502.0000023A50D8A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.326887582.0000023A50D69000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 00000019.00000003.317722644.0000023A50DA3000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.317830302.0000023A50D45000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.317674160.0000023A50D66000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/hiddencity_
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000013.00000003.288689128.00000236AE431000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000013.00000003.288689128.00000236AE431000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000013.00000003.310544873.00000236AE43D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: fbi.exe, 00000008.00000003.211650846.0000000002AB5000.00000004.00000001.sdmp, fbi.exe, 00000008.00000002.212210317.0000000002AA4000.00000004.00000001.sdmp, README.2c9ccbf3.TXT0.8.dr	String found in binary or memory: https://torproject.org/
Source: svchost.exe, 00000019.00000003.316120367.0000023A50D45000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 00000019.00000003.316120367.0000023A50D45000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 00000019.00000003.327184502.0000023A50D8A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.326887582.0000023A50D69000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000019.00000003.327184502.0000023A50D8A000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.326887582.0000023A50D69000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown

HTTPS traffic detected: 176.103.62.217:443 -> 192.168.2.3:49713 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands:

Found ransom note / readme

Source: C:\README.2c9ccbf3.TXT

Jump to dropped file

Yara detected DarkSide Ransomware

Source: Yara match	File source: 00000000.00000002.192029416.0000000000579000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.217291433.0000000000538000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.211708521.0000000002AB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.211650846.0000000002AB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.202907412.000000000064A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.211626153.0000000002AC4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.211662182.0000000002AB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.212129998.00000000005DD000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.211721573.0000000002AB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.211608024.0000000002AB4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.211636740.0000000002AB4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.211748701.000000000060A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.211763458.000000000060A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.192572788.0000000000587000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.212148927.000000000060A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fbi.exe PID: 6776, type: MEMORY
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Source: Yara match	File source: C:\README.2c9ccbf3.TXT, type: DROPPED

Changes the wallpaper picture

Source: C:\Users\user\Desktop\fbi.exe

Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop WallPaper C:\ProgramData\2c9ccbf3.BMP

Jump to behavior

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\fbi.exe

0_2_00403451

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\fbi.exe	File moved: C:\Users\user\Desktop\LSBIHQFDVT\QCFWYSKMHA.png	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File moved: C:\Users\user\Desktop\ZQIXMVQGAH.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File moved: C:\Users\user\Desktop\QCFWYSKMHA.png	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File moved: C:\Users\user\Desktop\ZQIXMVQGAH\PIVFAGEAAV.jpg	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File moved: C:\Users\user\Desktop\LSBIHQFDVT\QNCYCDFIJJ.jpg	Jump to behavior

System Summary:

PE file has a writeable .text section

Source: fbi.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Contains functionality to call native functions

Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00402E50 NtQueryInstallUILanguage,NtQueryDefaultUILanguage,	0_2_00402E50
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00401D54 RegCreateKeyExW,RegQueryValueExW,memcpy,RtlFreeHeap,NtClose,RtlFreeHeap,	0_2_00401D54
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00401ECB NtOpenProcessToken,NtQueryInformationToken,LookupAccountSidW,_wcsicmp,RtlFreeHeap,_wcsicmp,RtlFreeHeap,_wcsicmp,RtlFreeHeap,NtClose,	0_2_00401ECB
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040998D CommandLineToArgvW,NtClose,NtClose,NtClose,NtClose,NtClose,RtlFreeHeap,OpenMutexW,NtClose,CreateMutexW,ReleaseMutex,NtClose,NtClose,NtClose,	0_2_0040998D
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00404849 RtlAllocateHeap,NtQuerySystemInformation,RtlReAllocateHeap,RtlFreeHeap,NtOpenProcess,NtTerminateProcess,NtClose,RtlFreeHeap,	0_2_00404849
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040624A wcslen,wcslen,RtlAllocateHeap,wcscpy,wcscat,SetFileAttributesW,CreateFileW,RtlAllocateHeap,ReadFile,NtClose,RtlFreeHeap,RtlFreeHeap,	0_2_0040624A
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040574A NtQuerySystemInformation,RtlAllocateHeap,NtOpenProcess,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_0040574A
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00403451 CreateFontW,SelectObject,RtlAllocateHeap,_swprintf,GetTextExtentPoint32W,SelectObject,SetTextColor,SetBkMode,SetBkColor,DrawTextW,memset,SelectObject,SHGetSpecialFolderPathW,wcscat,wcslen,CreateFileW,WriteFile,WriteFile,WriteFile,NtClose,wcscat,RegCreateKeyExW,wcslen,RegSetValueExW,wcslen,RegSetValueExW,SystemParametersInfoW,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,NtClose,NtClose,DeleteObject,DeleteObject,RtlFreeHeap,DeleteObject,DeleteDC,DeleteDC,	0_2_00403451
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00405C57 SetFileAttributesW,CreateFileW,PathIsNetworkPathW,SetFilePointerEx,ReadFile,memcmp,NtClose,	0_2_00405C57
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00405558 RtlAllocateHeap,NtQueryObject,RtlReAllocateHeap,RtlFreeHeap,_wcsicmp,RtlFreeHeap,	0_2_00405558
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040745B GetLogicalDriveStringsW,RtlAllocateHeap,GetLogicalDriveStringsW,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,GetDriveTypeW,WaitForMultipleObjects,MapViewOfFile,UnmapViewOfFile,NtClose,NtClose,WaitForMultipleObjects,NtClose,MapViewOfFile,UnmapViewOfFile,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_0040745B
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040576C NtQuerySystemInformation,RtlAllocateHeap,NtOpenProcess,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_0040576C
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040216F NtOpenProcessToken,NtQueryInformationToken,RtlAllocateHeap,NtQueryInformationToken,NtAdjustPrivilegesToken,RtlFreeHeap,NtClose,	0_2_0040216F
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00401B6F NtSetInformationThread,	0_2_00401B6F
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00409271 NtSetThreadExecutionState,wcslen,RtlAllocateHeap,wcscpy,GetFileAttributesW,PathFindExtensionW,_wcsicmp,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,PathIsNetworkPathW,PathIsUNCServerW,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,wcslen,RtlAllocateHeap,RtlFreeHeap,wcscat,RtlFreeHeap,RtlFreeHeap,wcsstr,wcscat,RtlFreeHeap,RtlFreeHeap,	0_2_00409271
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00402376 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,wcscpy,wcscat,wcslen,RtlFreeHeap,RtlEnterCriticalSection,RtlInitUnicodeString,RtlInitUnicodeString,RtlLeaveCriticalSection,LdrEnumerateLoadedModules,	0_2_00402376
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00403A7B SHGetSpecialFolderPathW,wcscat,wcslen,RtlAllocateHeap,RtlFreeHeap,RtlFreeHeap,RegCreateKeyExW,wcslen,RegSetValueExW,NtClose,wcscpy,wcscat,RtlFreeHeap,RegCreateKeyExW,wcslen,RegSetValueExW,NtClose,SHChangeNotify,	0_2_00403A7B
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00409611 _swprintf,_swprintf,OpenEventW,OpenFileMappingW,NtClose,MapViewOfFile,NtClose,NtClose,GetVolumePathNameW,GetDriveTypeW,UnmapViewOfFile,NtClose,SetEvent,NtClose,SetEvent,UnmapViewOfFile,NtClose,NtClose,GetProcessId,_swprintf,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,NtClose,	0_2_00409611
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00402012 NtQueryInformationToken,RtlAllocateHeap,NtQueryInformationToken,RtlFreeHeap,	0_2_00402012
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040701B CreateThread,WaitForSingleObject,GetExitCodeThread,NtClose,	0_2_0040701B
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00405E20 wcslen,wcslen,RtlAllocateHeap,wcscpy,wcscat,RtlAllocateHeap,wcscpy,wcscat,MoveFileExW,CreateFileW,CreateIoCompletionPort,NtClose,RtlAllocateHeap,NtClose,memcpy,memcpy,PostQueuedCompletionStatus,RtlFreeHeap,NtClose,InterlockedIncrement,RtlFreeHeap,RtlFreeHeap,	0_2_00405E20
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00403222 memset,OpenWindowStationW,NtSetSecurityObject,OpenDesktopW,NtSetSecurityObject,CloseDesktop,CloseWindowStation,	0_2_00403222
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00407127 memset,FindFirstVolumeW,GetVolumePathNamesForVolumeNameW,GetDriveTypeW,wcslen,CreateFileW,wcsrchr,NtClose,CreateFileW,DeviceIoControl,NtClose,memset,FindNextVolumeW,FindVolumeClose,	0_2_00407127
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00406B3C GetModuleFileNameW,PathQuoteSpacesW,GetProcessId,_swprintf,_swprintf,CreateFileMappingW,MapViewOfFile,NtClose,wcscpy,UnmapViewOfFile,_swprintf,CreateEventW,NtClose,wcslen,RtlAllocateHeap,NtClose,NtClose,_swprintf,memset,memset,CreateProcessAsUserW,CreateProcessWithTokenW,CreateProcessW,NtClose,NtClose,_swprintf,CreateFileMappingW,ResumeThread,NtClose,WaitForSingleObject,NtClose,NtClose,RtlFreeHeap,	0_2_00406B3C
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00402FC2 NtQueryInformationProcess,	0_2_00402FC2
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004055C5 NtQueryObject,_wcsicmp,RtlFreeHeap,	0_2_004055C5
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004056C8 PathFindFileNameW,RtlAllocateHeap,NtQuerySystemInformation,RtlReAllocateHeap,RtlFreeHeap,RtlAllocateHeap,NtOpenProcess,NtDuplicateObject,PathFindFileNameW,_wcsicmp,RtlAllocateHeap,NtQueryInformationProcess,PathFindFileNameW,NtTerminateProcess,WaitForSingleObject,NtClose,NtClose,memset,memset,NtClose,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_004056C8
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004027C8 RegisterServiceCtrlHandlerW,SetServiceStatus,NtOpenProcessToken,NtDuplicateToken,NtSetInformationToken,memset,memset,CreateProcessAsUserW,NtClose,NtClose,NtClose,NtClose,SetServiceStatus,	0_2_004027C8
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004030CC CreateThread,WaitForSingleObject,GetExitCodeThread,NtClose,	0_2_004030CC
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004054D4 CreateThread,WaitForSingleObject,NtTerminateThread,GetExitCodeThread,NtClose,	0_2_004054D4
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004069D9 CreateIoCompletionPort,CreateThread,CreateThread,Sleep,PostQueuedCompletionStatus,PostQueuedCompletionStatus,WaitForMultipleObjects,NtClose,NtClose,	0_2_004069D9
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004088E4 memset,RegCreateKeyExW,RegQueryValueExW,RtlAllocateHeap,NtClose,RtlFreeHeap,RtlFreeHeap,	0_2_004088E4
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004083E5 WaitForSingleObject,NtClose,	0_2_004083E5
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004022E8 NtSetInformationProcess,NtSetInformationProcess,	0_2_004022E8
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00401AF0 NtDuplicateToken,NtSetInformationThread,NtClose,	0_2_00401AF0
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004078F7 CreateThread,WaitForSingleObject,NtTerminateThread,GetExitCodeThread,NtClose,	0_2_004078F7
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004087FB RegCreateKeyExW,RegQueryValueExW,RtlAllocateHeap,wcscpy,NtClose,RtlFreeHeap,RtlFreeHeap,	0_2_004087FB
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00405CFC SetFilePointerEx,NtClose,	0_2_00405CFC
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00406F85 CreateThread,WaitForSingleObject,GetExitCodeThread,NtClose,	0_2_00406F85
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00404887 NtQuerySystemInformation,NtOpenProcess,NtTerminateProcess,NtClose,RtlFreeHeap,	0_2_00404887
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040818E RtlAllocateHeap,RtlAllocateHeap,wcslen,wcslen,RtlAllocateHeap,wcscat,wcscat,RtlFreeHeap,WaitForMultipleObjects,NtClose,RtlFreeHeap,WaitForMultipleObjects,NtClose,RtlFreeHeap,RtlFreeHeap,	0_2_0040818E
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040339B NtOpenProcessToken,NtQueryInformationToken,ConvertSidToStringSidW,wcscpy,RtlFreeHeap,NtClose,	0_2_0040339B
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040559F NtQueryObject,_wcsicmp,RtlFreeHeap,	0_2_0040559F
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00407DA5 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,wcslen,wcslen,RtlAllocateHeap,wcscat,wcscat,RtlFreeHeap,WaitForMultipleObjects,MapViewOfFile,UnmapViewOfFile,NtClose,NtClose,RtlFreeHeap,WaitForMultipleObjects,NtClose,MapViewOfFile,UnmapViewOfFile,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_00407DA5
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004048A9 NtQuerySystemInformation,NtOpenProcess,NtTerminateProcess,NtClose,RtlFreeHeap,	0_2_004048A9
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00401CAA CreateFileW,WriteFile,NtClose,	0_2_00401CAA
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004059AB GetCurrentThread,SetThreadPriority,GetQueuedCompletionStatus,PostQueuedCompletionStatus,NtClose,RtlFreeHeap,ReadFile,Sleep,ReadFile,WriteFile,Sleep,WriteFile,WriteFile,Sleep,WriteFile,Sleep,NtClose,RtlFreeHeap,InterlockedIncrement,	0_2_004059AB
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004086AD RegCreateKeyExW,RegQueryValueExW,RegQueryValueExW,RtlAllocateHeap,wcscpy,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,	0_2_004086AD
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004098AD NtSetThreadExecutionState,GetTickCount,GetTickCount,	0_2_004098AD
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004054AF NtQueryInformationFile,	0_2_004054AF
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004020B2 NtOpenProcessToken,NtQueryInformationToken,RtlAllocateHeap,NtQueryInformationToken,RtlFreeHeap,NtClose,	0_2_004020B2

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\fbi.exe

0_2_00407127

Contains functionality to delete services

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_0040274E OpenSCManagerW,OpenServiceW,DeleteService,CloseServiceHandle,CloseServiceHandle,

0_2_0040274E

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\fbi.exe

0_2_00406B3C

Creates files inside the system directory

Source: C:\Users\user\Desktop\fbi.exe

File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00402E50		0_2_00402E50
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00404A7C		0_2_00404A7C

Sample file is different than original file name gathered from version info

Source: fbi.exe, 00000002.00000002.217759035.0000000002930000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs fbi.exe
Source: fbi.exe, 00000002.00000002.217743616.00000000028E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs fbi.exe

Tries to load missing DLLs

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Uses 32bit PE files

Source: fbi.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: fbi.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: fbi.exe

Static PE information: Section: .data ZLIB complexity 0.996012369792

Source: classification engine

Classification label: mal96.rans.evad.winEXE@21/112@1/2

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_00408422 GetLogicalDriveStringsW,RtlAllocateHeap,GetLogicalDriveStringsW,RtlAllocateHeap,GetDriveTypeW,GetDiskFreeSpaceExW,_alldiv,_alldiv,_swprintf,wcslen,RtlReAllocateHeap,

0_2_00408422

Source: C:\Users\user\Desktop\fbi.exe

Code function: OpenSCManagerW,CreateServiceW,StartServiceW,CloseServiceHandle,CloseServiceHandle,

0_2_004026B5

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_004026B5 OpenSCManagerW,CreateServiceW,StartServiceW,CloseServiceHandle,CloseServiceHandle,

0_2_004026B5

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_00402A2B StartServiceCtrlDispatcherW,

0_2_00402A2B

Source: C:\Users\user\Desktop\fbi.exe

File created: C:\Users\README.2c9ccbf3.TXT

Jump to behavior

Source: C:\Users\user\Desktop\fbi.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\89f3671df4dda4177e202fbdb1910c9c
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4440:120:WilError_01

Source: C:\Users\user\Desktop\fbi.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\Desktop\fbi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\fbi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\fbi.exe 'C:\Users\user\Desktop\fbi.exe'
Source: unknown	Process created: C:\Users\user\Desktop\fbi.exe 'C:\Users\user\Desktop\fbi.exe'
Source: C:\Users\user\Desktop\fbi.exe	Process created: C:\Users\user\Desktop\fbi.exe 'C:\Users\user\Desktop\fbi.exe'
Source: unknown	Process created: C:\Windows\System32\VSSVC.exe C:\Windows\system32\vssvc.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k swprv
Source: C:\Users\user\Desktop\fbi.exe	Process created: C:\Users\user\Desktop\fbi.exe C:\Users\user\Desktop\fbi.exe -work worker0 job0-6368
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fbi.exe	Process created: C:\Users\user\Desktop\fbi.exe 'C:\Users\user\Desktop\fbi.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	Process created: C:\Users\user\Desktop\fbi.exe C:\Users\user\Desktop\fbi.exe -work worker0 job0-6368	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable	Jump to behavior

Source: C:\Windows\System32\VSSVC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FAF53CC4-BD73-4E36-83F1-2B23F46E513E}\InprocServer32

Jump to behavior

Source: fbi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_00401867 LoadLibraryA,GetProcAddress,

0_2_00401867

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .text1

PE file contains an invalid checksum

Source: fbi.exe

Static PE information: real checksum: 0xe0fc should be: 0x1837b

PE file contains sections with non-standard names

Source: fbi.exe

Static PE information: section name: .text1

Source: initial sample

Static PE information: section name: .text entropy: 7.92008086482

Source: C:\Users\user\Desktop\fbi.exe	File created: C:\\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Recovery\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\3D Objects\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Contacts\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\GRXZDKKVDB\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\LSBIHQFDVT\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\PALRGUCVEH\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\PIVFAGEAAV\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\SUAVTZKNFL\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Desktop\ZQIXMVQGAH\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\GRXZDKKVDB\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\LSBIHQFDVT\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\PALRGUCVEH\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\PIVFAGEAAV\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\SUAVTZKNFL\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Documents\ZQIXMVQGAH\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Downloads\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Favorites\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Favorites\Links\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Links\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Music\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\OneDrive\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Pictures\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Pictures\Camera Roll\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Recent\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Saved Games\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Searches\README.2c9ccbf3.TXT	Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	File created: C:\Users\user\Videos\README.2c9ccbf3.TXT	Jump to behavior

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_004026B5 OpenSCManagerW,CreateServiceW,StartServiceW,CloseServiceHandle,CloseServiceHandle,

0_2_004026B5

Source: C:\Users\user\Desktop\fbi.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_004049CA

0_2_004049CA

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_004049CA rdtsc

0_2_004049CA

Contains functionality to enumerate running services

Source: C:\Users\user\Desktop\fbi.exe

Code function: OpenSCManagerW,EnumServicesStatusExW,RtlAllocateHeap,EnumServicesStatusExW,OpenServiceW,memset,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,RtlFreeHeap,

0_2_004046B3

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\fbi.exe

API coverage: 4.8 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 5304	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1320	Thread sleep time: -120000s >= -30000s			Jump to behavior

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\fbi.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00404052 wcscpy,wcscat,FindFirstFileExW,wcscpy,wcscat,FindNextFileW,FindClose,	0_2_00404052
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00403F75 wcscat,FindFirstFileExW,wcsrchr,wcscpy,FindNextFileW,FindClose,	0_2_00403F75
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00404137 wcslen,RtlAllocateHeap,wcscpy,wcscat,FindFirstFileExW,wcslen,wcslen,RtlAllocateHeap,wcscpy,wcsrchr,wcscpy,GetFileAttributesW,RemoveDirectoryW,RtlFreeHeap,DeleteFileW,RtlFreeHeap,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap,	0_2_00404137
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040669A wcslen,RtlAllocateHeap,wcscpy,GetFileAttributesW,wcscat,FindFirstFileExW,wcslen,wcslen,RtlAllocateHeap,wcscpy,wcsrchr,wcscat,GetFileAttributesW,wcsstr,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap,	0_2_0040669A
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00401BA0 wcslen,RtlAllocateHeap,wcscpy,wcscat,FindFirstFileExW,FindNextFileW,FindClose,RtlFreeHeap,	0_2_00401BA0

Source: C:\Users\user\Desktop\fbi.exe

0_2_0040745B

Source: svchost.exe, 0000000D.00000002.462876038.0000024294C62000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000009.00000002.223966626.00000200E4060000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.278652656.000002027D940000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.460714765.00000161CFB40000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.298912954.00000203F30C0000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.341354818.0000023A51400000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000007.00000002.459389392.000002627F445000.00000004.00000001.sdmp	Binary or memory string: ar&Prod_VMware_SATA_CD00#5&280b6
Source: svchost.exe, 00000019.00000002.340253298.0000023A50483000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWP
Source: svchost.exe, 0000000D.00000002.459723393.000002428F629000.00000004.00000001.sdmp, svchost.exe, 00000019.00000002.340399301.0000023A504E7000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000009.00000002.223966626.00000200E4060000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.278652656.000002027D940000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.460714765.00000161CFB40000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.298912954.00000203F30C0000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.341354818.0000023A51400000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000009.00000002.223966626.00000200E4060000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.278652656.000002027D940000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.460714765.00000161CFB40000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.298912954.00000203F30C0000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.341354818.0000023A51400000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 0000000F.00000002.459361449.00000161CEE67000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.459553359.000001C2BFA29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000009.00000002.223966626.00000200E4060000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.278652656.000002027D940000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.460714765.00000161CFB40000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.298912954.00000203F30C0000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.341354818.0000023A51400000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\fbi.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_004049CA rdtsc

0_2_004049CA

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\fbi.exe

0_2_00402376

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_00401867 LoadLibraryA,GetProcAddress,

0_2_00401867

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_00402376 mov ebx, dword ptr fs:[00000030h]	0_2_00402376
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004016D2 mov eax, dword ptr fs:[00000030h]	0_2_004016D2
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_0040A288 mov ecx, dword ptr fs:[00000030h]	0_2_0040A288
Source: C:\Users\user\Desktop\fbi.exe	Code function: 0_2_004017AE mov eax, dword ptr fs:[00000030h]	0_2_004017AE

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to execute programs as a different user

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_0040222A wcscpy,wcschr,LogonUserW,wcslen,

0_2_0040222A

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\fbi.exe

Process created: C:\Users\user\Desktop\fbi.exe C:\Users\user\Desktop\fbi.exe -work worker0 job0-6368

Jump to behavior

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_004049CA cpuid

0_2_004049CA

Queries the product ID of Windows

Source: C:\Users\user\Desktop\fbi.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId			Jump to behavior
Source: C:\Users\user\Desktop\fbi.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\fbi.exe

Code function: 0_2_00408592 GetUserNameW,RtlAllocateHeap,GetUserNameW,RtlFreeHeap,

0_2_00408592

Source: C:\Users\user\Desktop\fbi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: svchost.exe, 00000015.00000002.459529907.000001E37BC56000.00000004.00000001.sdmp	Binary or memory string: ,@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000015.00000002.459582745.000001E37BD02000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

ID:	372394
Product:	CloudBasic
Start time:	11:27:21
Start date:	20.03.2021
Sample:	fbi.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	2031e1ce62d6f433ac77c78c24bc8bee
SHA1:	6f67030df8f735a59ea8af7753893f708ae6965c
SHA256:	b11371b6ab50cf5d8f8fae63880e6c2f00ea3a42274a334278f7f146439e8d83
Filetype:	Win32 Executable (generic) a (10002005/4) 99.94%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\2c9ccbf3.BMP	PC bitmap, Windows 3.x format, 1280 x 1024 x 16	F79ACD07D00941CB485226DF3316FC88	92EC814569BD960E356883C107E6A0731EB7F1CA	EC57EE2255EEBC15D6C60DF7352C074BE05D0524FA49E15C3832E78709C84167
C:\ProgramData\2c9ccbf3.ico	MS Windows icon resource - 5 icons, 64x64, 32 bits/pixel, 48x48, 32 bits/pixel	4F57D54D01CCBDAF3EBFAC3EC0AC3FD7	BC529DC03674D08D64D8442C4E1D1A3E3464E953	28B6841AA125225CD01BE09FBD2F1D7B3C2102D9FFC7DC8546700E67C2A6E3BC
C:\ProgramData\Microsoft\Network\Downloader\edb.log	data	B9C9418CE592E33EC6EED96842230FF3	687A94E4973ED5B5885C5A62E11693FD0B031C96	8EFF2CA507B545E1CC2A4EFAA74E5591B5AEB8873C9C3A364365987C534E5F0F
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0xaee6283d, page size 16384, DirtyShutdown, Windows version 10.0	F977C73F67F901113103206911146419	ED4CFD6BE662DCE3EBE80B54CCCAFDD8DDE632E6	013853F1F380083A1C8DFB1898596B03CD89BD9ED2378E660920E546E61A8349
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	5B034E75C7E4E3A5B7B7DCE3434C5C39	D2F541F3674513CD1612E3B1FDA9A866E3CE6B81	C98BC59B7A57EE7B57A002D6A79F23D57C9BFC8FEF3E86C22E714254AA8A6C2C
C:\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Recovery\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\3D Objects\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Contacts\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Desktop\GAOBCVIQIJ.pdf.2c9ccbf3	data	9E3548411284D15855B5F5FAB932CE8B	0237A16F4E723671665D5590A88053B3331CB88D	616AD72013406F39BFB4860BE5FDEFE94033F17736FDD37C03C074443F4A9240
C:\Users\user\Desktop\GRXZDKKVDB\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Desktop\LSBIHQFDVT.docx.2c9ccbf3	data	41E628ED53276B6C5FA5F6656F3439CF	721CF1B01708709FDCAAD3631203C6F7205045ED	411A2E01BE39891C84BF87ACF2BA4F103B9064C816B0DADA590E80D055386444
C:\Users\user\Desktop\LSBIHQFDVT\GAOBCVIQIJ.pdf.2c9ccbf3	data	A6C9C7782E6B4BEF77FFCFE141BA2A10	C9507422416119DF05DC190707074189686D758C	15939DC332B31C7F2017AB5AAFC61D5ED7CCDC8561B6F45DEBAD3BE69A41FFA2
C:\Users\user\Desktop\LSBIHQFDVT\LSBIHQFDVT.docx.2c9ccbf3	data	94761D6C1E9269932D663B6D48C59621	C1ED3DCA40A939BF0CC54B5C3C633EC62B852BE4	8B8D3857D90F836D07F040C791CDD05360CE1428F79ADF0B8023B874E54E8BB3
C:\Users\user\Desktop\LSBIHQFDVT\PWCCAWLGRE.mp3.2c9ccbf3	data	CBF5064CB0E2330AFEAFC84F9BB0552D	4D3188CD61BF3BB89759CF85FA6673F5D1FE0891	C375404DFD08C1DE9CCAB514472F3F36E33ECC8616C788A32AFAF7134CF7EF9B
C:\Users\user\Desktop\LSBIHQFDVT\QCFWYSKMHA.png.2c9ccbf3	data	4685465AD8B4AB403364B45CF0264E49	65A5C2C95AFF3EBACD59AC6542C617CCF5C38E0B	9EF4E9E25AAB61AF340795F65A9C5C282C129016A83E4F25FBAAC622F54CD299
C:\Users\user\Desktop\LSBIHQFDVT\QNCYCDFIJJ.jpg.2c9ccbf3	data	788264F8E211D61BD0C96B444B232785	B0745E822886CDF8C36A58B8F8A6807F679CB8DF	DD53B13003564F384C50EFAA2973EC6C278995ACB0FDC732EDAA3D162F9B644F
C:\Users\user\Desktop\LSBIHQFDVT\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Desktop\LSBIHQFDVT\ZQIXMVQGAH.xlsx.2c9ccbf3	data	462942E0C79F2A7FA4DE319B609A6117	6EB0C2DFDF0D3135E4F103467ECE4F1F8CCE67EE	E1AA9B073AC3E9039D7A61EAE9604ACC5989935E96CE259FA33E13DFDDFDC088
C:\Users\user\Desktop\NVWZAPQSQL.mp3.2c9ccbf3	data	B5769DB04FF5322358F3A54EAB233F90	62363246AF4E7556F080B35F6E9440AFCBFD7E54	31D2C2D14DD715A79E9FB4F42237BEBF191572F24BB7EB97F69C8C75C44386AA
C:\Users\user\Desktop\PALRGUCVEH\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Desktop\PIVFAGEAAV.jpg.2c9ccbf3	data	75F41417801A680B1594DE254512FFD1	56D7DE5667B51355829A3BA45BFF9437C74150ED	1DAF3CFB1A4E7E4F4AD7B16AAD71AE71789FD7A0E892E127562C05AC7373BA10
C:\Users\user\Desktop\PIVFAGEAAV\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Desktop\PWCCAWLGRE.mp3.2c9ccbf3	data	62D268A681E86178BC258560BB56236D	6A656366C03125821EA785301C1A6B309C2D2FC0	C97F5C3C0BD7C762F4C7C64DE03E89375F02880F537B86AA20108FDE8E03C63E
C:\Users\user\Desktop\PWCCAWLGRE.pdf.2c9ccbf3	data	128EAA69F91F18E8CAAD456E06826173	430DEEBDB792F2DACBB1076F0376CBC84496F9D1	ACAF4CDE1BC56D5659AF94CD8F424B8ADCBAF43E3C6AA91B016DE34659ABA358
C:\Users\user\Desktop\QCFWYSKMHA.png.2c9ccbf3	data	1276A1D7D2FE7DC8D9A124F55667A666	1349884C775279945E6E7B7DB63CED8D65160B45	909B3FEBB8B2BB2DE0056AFA1DA0C8F94DD2E469AF97B37B89E689786544BCA8
C:\Users\user\Desktop\QNCYCDFIJJ.jpg.2c9ccbf3	data	ABC564FEF081BB718FA6C2E80121ADF4	E8F87DF47D63AF862321146C0A7B610129B6C8B2	6A91A4FE6F55FB2EE0F890D2E674D9C765B0650E5B2CFF6C139B85C66C55489E
C:\Users\user\Desktop\QNCYCDFIJJ.xlsx.2c9ccbf3	data	F0F70650FD620521ABDC7727DC7EF83F	D23448B96B7366434A0A7CF98DA7B4E2CF003365	9E8F3336E9A36B3CAAD7D9377B2FB3E806F6A5D6E0E946355C97CE107D817A7A
C:\Users\user\Desktop\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Desktop\SQSJKEBWDT.png.2c9ccbf3	data	8B536D3D1F5E220730C7391501F654B1	9C080D547A47ABBE02DD9E03B62DD7686583113E	DE2EFD109E0C2E3965718D663A5067F0876102C31EB827DFFFC51CF32E52E303
C:\Users\user\Desktop\SUAVTZKNFL\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Desktop\ZQIXMVQGAH.docx.2c9ccbf3	data	F3860DDE216EC565F7B600FA88B5BA2A	AEBF1D85311AF2AA448E5315081A9A67A2930671	B6B97A34CC3CBEE9220B7ED73EAB61A9F2533609668473ECC8AD04DF7D126C43
C:\Users\user\Desktop\ZQIXMVQGAH.xlsx.2c9ccbf3	data	31BA0B5172B96C5E24B63000F73DEE5F	F0F1D3EDDEB14D4BA69531DEFBAB987661756040	2219056DD9F25038538D3F57F99787AF17EF44F53C0687E1F83DC3A020125EB8
C:\Users\user\Desktop\ZQIXMVQGAH\NVWZAPQSQL.mp3.2c9ccbf3	data	1BD1ABEB369EDBBA95AA79A56B03275C	26F684B12B18FC48BCFBD6D4F77DA1FC10F4AAA8	523A1B0ECA696FFB3EBA8D04A23E7D010C6462F44233EEC2EDD3140D21404191
C:\Users\user\Desktop\ZQIXMVQGAH\PIVFAGEAAV.jpg.2c9ccbf3	data	8775C490CCF7F4CE8C57F2D6232FFC26	865E1682553F991CC7D560D144B4CEFF37A01428	A9092688E172BC2396C06EE55E5E0CDD86CC7BDD8A286D687918832A48C50167
C:\Users\user\Desktop\ZQIXMVQGAH\PWCCAWLGRE.pdf.2c9ccbf3	data	3B8FE5FAB00E8F255D54B09128A5EA58	CEA7EFD210683D41E79670D8224530BCF1C33225	3BA2B51A67FF530F593942FC86D2F7C2B726B183AB85CDA15E758F91D55DE2CC
C:\Users\user\Desktop\ZQIXMVQGAH\QNCYCDFIJJ.xlsx.2c9ccbf3	data	8CF0FC1D7592EAF431AD885D5B78FCF8	72D7562E00E7C57FBEE353788F01DEE7079C41AC	1B5EFDE26D6B4FB06172E6522873BC4BC89963E547BE6D17A0B1BEB9BDDF3EF5
C:\Users\user\Desktop\ZQIXMVQGAH\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Desktop\ZQIXMVQGAH\SQSJKEBWDT.png.2c9ccbf3	data	13939E3F329F761E1CAAE2B0D9FDBFC9	CE52977A3D13ECA5E880B1C4B44D971EA984A092	A226917515A59C4CF939BB8123FF0CE1A28E7555CFBDEB50296BE50AEE34ADDE
C:\Users\user\Desktop\ZQIXMVQGAH\ZQIXMVQGAH.docx.2c9ccbf3	data	BE0D7546A69FACCC3D3178809BB1C263	0C0EF5BDEAEBE0D789F07009D64C12C2641C21AD	3CBB314C51DC603AAD02212D22F33D6D66FF314D73F476C466D2D6D33A04C1CF
C:\Users\user\Documents\GAOBCVIQIJ.pdf.2c9ccbf3	data	398E77A9476552DBFC093A793AA3FDD8	960D5F5D63C994CB4D8CA96F27085BEDFDFA5625	E05FB075A4E024BCE1C18E4B6E1CF4D278F30F110B3D6A887306CABD0B744EF5
C:\Users\user\Documents\GRXZDKKVDB\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Documents\LSBIHQFDVT.docx.2c9ccbf3	data	790E51A150FB09F1B31CED46CF04C39F	FC7DE01B9BDAC967BA66102947DE283318A5A57D	6FE3C0C2C287888B29AB70695C4F575019DBCB3EC96BE3B01C70965C69686459
C:\Users\user\Documents\LSBIHQFDVT\GAOBCVIQIJ.pdf.2c9ccbf3	data	A7044761AB2B402C2DDFF783CF42962C	F21FBBB7494E22B7D2B699C5C6C5102B0B1B8A2D	15E03860BF8029AAF6A28E39E5E55A9C9CF4E4593AB8710969BB9829FF770471
C:\Users\user\Documents\LSBIHQFDVT\LSBIHQFDVT.docx.2c9ccbf3	data	A57B4872DBAAAFA25C67CA8C8106A3D9	1E18791B1DE8DD14E653093B8DF08CBB1831C32F	39A304C35C13967EB6D1F8237ECC2BAA04B3C3E82B5419DD3A7382D0DEF6DA16
C:\Users\user\Documents\LSBIHQFDVT\PWCCAWLGRE.mp3.2c9ccbf3	data	EB2C8F9D4303E0E96DCD3665F5B36115	D6227EFE16E8F4DC7E447DDF4FCEF422A707DDB3	9A8361C42CBEFCB41D2D80AC6906D9EAB370ECFD895F1835119DDDA7B23B0C1E
C:\Users\user\Documents\LSBIHQFDVT\QCFWYSKMHA.png.2c9ccbf3	data	19EF3F6DC4ADE0F377A67E8217F55D15	E3B4F8F5C550571FA5439E9D157B290656FA797A	5C207C61B0199CAD618089B45F7BE178B5714B990BF285E80E090827AC770281
C:\Users\user\Documents\LSBIHQFDVT\QNCYCDFIJJ.jpg.2c9ccbf3	data	67F73678D91749404FCB53BC54BE3309	9B8CAB2AE376558051DD58F2D5BC97ABA4E0A7CD	D2AEDDD42C44948B8AD0F6098CC669EB7768BC8D1465EE71F817B15B3D85B917
C:\Users\user\Documents\LSBIHQFDVT\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Documents\LSBIHQFDVT\ZQIXMVQGAH.xlsx.2c9ccbf3	data	C320B8F823025E7C0188EE4E83E32899	83D597D8B027DA3D054D1397D8EAC604870AE933	4A1CE8F363374B12663D958F7007F5FC2CB258A864852B5CE8EEA7E4AAAA2469
C:\Users\user\Documents\NVWZAPQSQL.mp3.2c9ccbf3	data	6CACDD5BFA8B9A7E83D88AC552D05AEC	A9C27DBD0AF292B83CF829378F295C6043071A26	FD06EE88CBF0006C3A39017A35A8B66211D19347814B7B8C86F632A450F50687
C:\Users\user\Documents\PALRGUCVEH\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Documents\PIVFAGEAAV.jpg.2c9ccbf3	data	94C4E15894CB21B24891BBC078D5143B	7AEACE0452FF3DCC1F663F110876763F4899F232	DCBCC69D65DF2B38FE63C706E5D4F0B9F2220E9326DBF663175BDD9FA65B5C65
C:\Users\user\Documents\PIVFAGEAAV\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Documents\PWCCAWLGRE.mp3.2c9ccbf3	data	99CF3C93FB708979B92B4D09BE63B026	1AD1621F0E6D0289F55E815102A183662EC339B8	79C2647A80B01476D88E120DCC68E18FD506A879C712F4D1A90760A7116DC410
C:\Users\user\Documents\PWCCAWLGRE.pdf.2c9ccbf3	data	6B42482F38F9795BAD5037F766EF7554	87AFFA85CCC4013A90ED2B822CBF57D899E9C10E	F6F00A8F936A4AD11DDD525460D622011EA16B88A5EC07FFF2F99576A39A17DE
C:\Users\user\Documents\QCFWYSKMHA.png.2c9ccbf3	data	C4E4F61B9ECB2628AA845257931D09CA	B095FBE61E4F965549F5B820FBCC71BD51C0A1ED	122A2DCF2186161A67D73F9F07DC7CE910EC6B0B3A1D4A220D0879B49DDD9E7C
C:\Users\user\Documents\QNCYCDFIJJ.jpg.2c9ccbf3	data	E633F08970D5E2D22DDDD74F3360284D	EE5ED2AAB91FEDCC54ABF07178054F3A3D835705	502C5AFAA0BC4419EEF63254CFD74E817F4E9FA62C27FF70EBBB8A2F75384B86
C:\Users\user\Documents\QNCYCDFIJJ.xlsx.2c9ccbf3	data	FEC8C6655CACE197C23B996CEFDE7627	891044F33EEE04AE9DC15BEF2D5F595C47E6B10A	46203F75F0B48AA06CC3FC44D0F9C448AC598947832D56CC22EBA64FF12AE2C5
C:\Users\user\Documents\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Documents\SQSJKEBWDT.png.2c9ccbf3	data	E97B5B356BC5367E49FA00DE9E0EB4BE	7BCB1F6178C22EC8FE13A67F04BF85FD5C08EBD4	E8E0DD85A72DA65EF293253075C3008B53B725856F70E20272A2E467CD5445C9
C:\Users\user\Documents\SUAVTZKNFL\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Documents\ZQIXMVQGAH.docx.2c9ccbf3	data	D748A3A97B670459B81CE34FF755F04F	83CA6E5280695A2956F88E022063FD8795B1747A	27953B686F317757CE3C6446B2E0796EAECCFA506403693B7E1D22AEB493CFCB
C:\Users\user\Documents\ZQIXMVQGAH.xlsx.2c9ccbf3	data	874660709537FA6B378241432BA52547	F83CE8112CEC657789F74F8E49E6F0A4F42696DA	9341636A6D1E683C466ED7D41BB7BF140D7C0D3A58DD553AC3D0C0A5221B2DC7
C:\Users\user\Documents\ZQIXMVQGAH\NVWZAPQSQL.mp3.2c9ccbf3	data	ECE7BA7A7D67AB3ACE9000D70EB3549B	BB952F3AE63FC9F3F1E303A99DFBA1A11C319FD9	E6CFBD934E60ABC29B7B55E9F558CD2412B8F1F435779984816D9F1799AFD49D
C:\Users\user\Documents\ZQIXMVQGAH\PIVFAGEAAV.jpg.2c9ccbf3	data	2985D513E709D608591E7DB98DF57D69	760BE80A9CF482231EA0C65AF60F5D49CC9EA2B8	7DA551113FFE27AB41DE1D7EE8132874F99C56EB13779E9AF0057B77C240B8A4
C:\Users\user\Documents\ZQIXMVQGAH\PWCCAWLGRE.pdf.2c9ccbf3	data	B07416F187FDC20F3493D3173ACC8BA4	3DBE4ED70FBF99EB88EE30FDC252D7BC31D85842	73A2C4AE05DA90DAB2DC7C2F995F097A0443BFFAB50E8F8D04E392F5B9F4533A
C:\Users\user\Documents\ZQIXMVQGAH\QNCYCDFIJJ.xlsx.2c9ccbf3	data	C3C035E9370841F05EC0F7E967678632	1276E17DB9CE2FC0579AF727845933551EE6BB6A	3CABC49C3CDE3672B8F685166F9C2084D9A8E4A1A54B6D9C561058D81D35CAD2
C:\Users\user\Documents\ZQIXMVQGAH\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Documents\ZQIXMVQGAH\SQSJKEBWDT.png.2c9ccbf3	data	3EFEDE387B93F31F3BE31F51122488A7	46833E24F47AFCAE87CC2CD9F35EBA198C0CD7AD	503DDFEC4BA9B39578A024123A7F9FB35A8E3FA9FAF5FC638F5FCF3E86CABACB
C:\Users\user\Documents\ZQIXMVQGAH\ZQIXMVQGAH.docx.2c9ccbf3	data	5FC47341F2184D71F862C1658A1968E4	094F41B2AEF30DDD9A4965D4DDEBD27BCD20B59E	4C5882CB32856014B62585ACFEE55873FAE6C233F49B44450D817ECFD3EA42F8
C:\Users\user\Downloads\GAOBCVIQIJ.pdf.2c9ccbf3	data	925CF746C124F74B5B0B443A9881A923	BC5AD8CA02C357B5646F1409DCFE2F771CC73B3D	4EFFDA392284FACA53D12BD7A6CF864250B284C5A5FC7F704D715EF63CA15DE5
C:\Users\user\Downloads\LSBIHQFDVT.docx.2c9ccbf3	data	FF83169046B52F2AB2828A66704A0752	21E9D19DC0C5675B117D01A856086D8C62D57670	190F224072580BF5E4FB1A917EB94D27A8375A058626A1128C07956DB4752996
C:\Users\user\Downloads\NVWZAPQSQL.mp3.2c9ccbf3	data	3ACA0D5C695F67D3FFBC4E45C1B5E1AB	9E0DB30BBF2FAFD94B32DD25041CAE6DCD9B1101	C794DD1D81E015A1041F4E496D04984754C03776883C49DBB9FA5FA80FECF6C8
C:\Users\user\Downloads\PIVFAGEAAV.jpg.2c9ccbf3	SysEx File -	4A161FBDC1833A293775B2C04D488011	097D47B610DCBA6337FC33892151BC6AA55609A9	532FFB61DA4301004E1EC193A1F909FCDEE8CCE35A50401DAE33B8A9EC06D737
C:\Users\user\Downloads\PWCCAWLGRE.mp3.2c9ccbf3	data	E345C073D994A7DE2855F1939459FD88	DF9570CB64E7E526AC3E04C395654C71F74CC840	65571DBCD5A27BD839479CF8CB878EA63A7386E586AB525B690BBE040E1E245F
C:\Users\user\Downloads\PWCCAWLGRE.pdf.2c9ccbf3	data	816A581C3DD198ACD9748E8A5103DCE6	2FB106D9C73746F94E131476A7174D84260CADCC	32772EF02A5724F01C94E8B52743561597AFB2B89761B08B3BEB78041EBF5FB1
C:\Users\user\Downloads\QCFWYSKMHA.png.2c9ccbf3	data	34127746E431F3FEA2ED23CC18B57737	168B0BEA7AB7840462F817BDA550CAFF8C097AC2	3A6A7EEA3695CF3E2A603D5561DE27065F30386C09FAF3BBD5F28FEFA95AA5D2
C:\Users\user\Downloads\QNCYCDFIJJ.jpg.2c9ccbf3	data	99F51A6142D02387C6EB54FCC4E08B5A	D50C1A19993752FDEAA3420031DF979C58AA4CFF	6A779D5B106571BBC0ABCDDC0285217510506C2F13A11778453D98DCB71AC9DC
C:\Users\user\Downloads\QNCYCDFIJJ.xlsx.2c9ccbf3	data	E1151ED9B028FCEEE4859AF719796A36	12866E92915DBBE8CBF8175BEB09049BD95C3275	328519768ED361A16411AE609D72697D7DD69972DE89B2EE147F3AC1B359541C
C:\Users\user\Downloads\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Downloads\SQSJKEBWDT.png.2c9ccbf3	data	FC95EC6192D367F680DB6C0099CF0735	99D484EBFD04CBB622E63B5BE8B5C9AE5DB4091C	9B4B0F4A5724443D9D8F00EC8A538D8008BB70D7CBC54AFF5591E4583BFE5E34
C:\Users\user\Downloads\ZQIXMVQGAH.docx.2c9ccbf3	data	8B0D4E3470DF562D0D89D6B63CC3DC81	61664171A44CD0CB0222712E9FF037B1C044350D	48C1CE71B95A32600812AE76D23BD4DB9D92E5971BE57315D228A248BE6B26F6
C:\Users\user\Downloads\ZQIXMVQGAH.xlsx.2c9ccbf3	data	CFE801DDA2B8BB94A05FC4E676227C7E	39C96EE5C9C642097B0B22AB6E6B0AB2A01AA17C	8B7128F04459C4A8B940934068F158473CC1F66ABBD9A5FDC9465E9F9A1F557A
C:\Users\user\Favorites\Amazon.url.2c9ccbf3	data	234895D3CEBFB8FCE7686DC3951C85F7	A45273A64F9C9B81AA23D8EA7FB267F9B25ECC30	8E74E5C846F44CB6EA95AFE598328D1FBF534E7C1B8E9925FC54D2033F5E5A0E
C:\Users\user\Favorites\Bing.url.2c9ccbf3	data	60E2E865689B7804683EE40A1EC08ACE	5841DD7901A6B7CC3DFABD779F1AD16C4146C54B	5F62FC1FDD5F9001FB6451377D243231EE3C25BDBE83F51359BE393A566C36FC
C:\Users\user\Favorites\Facebook.url.2c9ccbf3	data	714BA3F543B3D51C17BCF5DD7189EEA1	B3EB48105A3C83D00DEA1968730BE2D71CC8FEAB	82B65B4DEB6DCAB993D079487A40C463CDCF9DE82CB10344DDBD30A8B4629EF1
C:\Users\user\Favorites\Google.url.2c9ccbf3	data	B211339E1BF2C4687A4B9FED10837C72	B62AB7E84A1AA571645428F4DB01A30BEAE286B5	696F0A1620DB59187BEE6916787DA263F3417D2886D828CC851338CE024A6F5D
C:\Users\user\Favorites\Links\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Favorites\Live.url.2c9ccbf3	data	DAABF7A7991EC7E19BA1110538F3BE55	A713A54B09C3A423A6C978C5E2668A7DF263F620	F7C381EBB70EF098F2C3DFCE2CA4F763899956E962F4059AA0EEE11917C66651
C:\Users\user\Favorites\NYTimes.url.2c9ccbf3	data	FC1C4756809D8F194EED9BD69061FB12	BFF588CA9AEFBE1A87D6C4E4E46B20F9B790208B	71501F1889A4C639E54032749991A35EC2D62D0ED8F4017532C6F1C1F30967E9
C:\Users\user\Favorites\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Favorites\Reddit.url.2c9ccbf3	data	A1F7B1AA5A375A76837C0730A4A485E9	EC45BFFE9F09DAC9BCDE7F4A25C31553F909BFBE	C2D54EE31B6095C2C5D3AC51B6CF2D44D017F4205C9984FFEC3EDF648ADC7A0E
C:\Users\user\Favorites\Twitter.url.2c9ccbf3	data	42D64277E22EC242A6C6A93764BAB9C6	B87E17B8E028B29F5487C7488C9683DF54BDC4D9	6AA57B8C069A5D5243A91D65D4A241F35BC726966A7F17596B6E7F0326E0465E
C:\Users\user\Favorites\Wikipedia.url.2c9ccbf3	data	902090C7074318791BD2B25B4E516DD0	3F273F286C2B6F38B920AD06A44577F1BB9DDCDB	E1FAEFEAD4104E93579E1815531E75336ECE462E27192DA2AA840587B34B238B
C:\Users\user\Favorites\Youtube.url.2c9ccbf3	data	6B0B8AD63A92BE72C296717B38BBA2B0	3F3EDECB43349A36DE60C23DB352AAD3D6C6BD0C	E10B6CD1F7967170AC78B18059D43D0F12C43A53E209CFB98B8596C852C0BD15
C:\Users\user\Links\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Music\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\OneDrive\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Pictures\Camera Roll\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Pictures\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Recent\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Saved Games\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Searches\Everywhere.search-ms.2c9ccbf3	data	F49832AC114D2D3A061E141EA0ACFFC0	3560F07BFCBA67E64FF92223E88349C32586864E	A9B610237950A3C68E7C0A646FAD0FE8FB02C3A495ECB40A16746EE14914F1AD
C:\Users\user\Searches\Indexed Locations.search-ms.2c9ccbf3	data	00F96D60071FF3D8CE4D64C96299E3A3	700D5F43E710A194D8E9BC300F7A79E818D6B838	DC3FBC817797B91EFEC37B8E2751CC9008360BF8E3D05C73788CBFC7C8F52289
C:\Users\user\Searches\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Users\user\Videos\README.2c9ccbf3.TXT	ASCII text, with very long lines, with CRLF line terminators	C623DA91F964B142EAC3A4AE9A88C8D3	5FA8EB485D4969E30212B5D6B71C31ABEE91A6E8	0727BD037C8C7EC64EC75F77FE61C94AD32705DB1A8EBD2785392F61CA716CC7
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	ASCII text, with no line terminators	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log	data	A95DB7DA24B7ED1B87A4CF8208B24D81	1A6BB2A61B2DD755286D3DCCF8AAC77103BDA921	5B7F5381D0EFC8EAEE8F8476C578F0E25E6CDF58BA94F49A7349810F3B08C00A
C:\bootTel.dat.2c9ccbf3	data	E23D82BBB2E7D1CDEEF5E36C530863A9	EEED665383D5E2EB3DB8C9B0D7591EE09B469CCB	9526A34CD6EC68627F92405D482C8CF1BEA5D60D73579102297F86EF28F5D402

Analysis Report fbi.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains