
Analysis Report 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

Overview

General Information

Sample Name: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Analysis ID: 433010
MD5: 4df9b2c6531cde226bf1b0ae86d41162
SHA1: 9a42c49714905ea1e5f042a683fd80ecff10fc87
SHA256: 4714d68dbb9f9ac36425f2ec73ed434cf57407f36063c391e0bfbb9d0b96bbf9
Tags: exe, njrat, RAT

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the startup folder
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe (PID: 6964 cmdline: 'C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe' MD5: 4DF9B2C6531CDE226BF1B0AE86D41162)
    • explorer.exe (PID: 5908 cmdline: 'C:\Windows\System32\explorer.exe' /c select, C:\Users\user\Music\fullview.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
  • svchost.exe (PID: 7084 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • explorer.exe (PID: 6168 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • fullview.exe (PID: 5616 cmdline: 'C:\Users\user\Music\fullview.exe' MD5: 4DF9B2C6531CDE226BF1B0AE86D41162)
      • fullview.exe (PID: 7080 cmdline: C:\Users\user\Music\fullview.exe MD5: 4DF9B2C6531CDE226BF1B0AE86D41162)
  • svchost.exe (PID: 6476 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6524 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6868 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • fullview.exe (PID: 7088 cmdline: 'C:\Users\user\Music\fullview.exe' -boot MD5: 4DF9B2C6531CDE226BF1B0AE86D41162)
    • fullview.exe (PID: 6400 cmdline: C:\Users\user\Music\fullview.exe MD5: 4DF9B2C6531CDE226BF1B0AE86D41162)
  • fullview.exe (PID: 5544 cmdline: 'C:\Users\user\Music\fullview.exe' -boot MD5: 4DF9B2C6531CDE226BF1B0AE86D41162)
    • fullview.exe (PID: 1668 cmdline: C:\Users\user\Music\fullview.exe MD5: 4DF9B2C6531CDE226BF1B0AE86D41162)
  • svchost.exe (PID: 4576 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe' MD5: 4DF9B2C6531CDE226BF1B0AE86D41162)
  • cleanup

Malware Configuration

Threatname: Njrat

{"Install Dir": "svchost.exe", "Install Name": "strangerstrek.duckdns.org", "Host": "True", "Port": "2090", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Campaign ID": "Comienzo", "Version": "0.7.3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x11801:$a2: SEE_MASK_NOZONECHECKS
  • 0x11a40:$b1: [TAP]
  • 0x119b8:$c3: cmd.exe /c ping
0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x11801:$reg: SEE_MASK_NOZONECHECKS
  • 0x115ff:$msg: Execute ERROR
  • 0x1165b:$msg: Execute ERROR
  • 0x119b8:$ping: cmd.exe /c ping 0 -n 2 & del
0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x11801:$a2: SEE_MASK_NOZONECHECKS
  • 0x11a40:$b1: [TAP]
  • 0x119b8:$c3: cmd.exe /c ping
57 entries in total; only the first are shown.

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.fullview.exe.46a7ead.7.raw.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x11bb8:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x11841:$s3: Executed As
  • 0xdecd:$s5: Stub.exe
  • 0x11823:$s6: Download ERROR
  • 0x11705:$s7: shutdown -r -t 00
12.2.fullview.exe.46a7ead.7.raw.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
12.2.fullview.exe.46a7ead.7.raw.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x11a01:$a2: SEE_MASK_NOZONECHECKS
  • 0x11c40:$b1: [TAP]
  • 0x11bb8:$c3: cmd.exe /c ping
12.2.fullview.exe.46a7ead.7.raw.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x11a01:$reg: SEE_MASK_NOZONECHECKS
  • 0x117ff:$msg: Execute ERROR
  • 0x1185b:$msg: Execute ERROR
  • 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x11bb8:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x11841:$s3: Executed As
  • 0xdecd:$s5: Stub.exe
  • 0x11823:$s6: Download ERROR
  • 0x11705:$s7: shutdown -r -t 00
129 entries in total; only the first are shown.

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\Music\fullview.exe | Avira: detection malicious, Label: HEUR/AGEN.1122310
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | Avira: detection malicious, Label: HEUR/AGEN.1122310
Found malware configuration
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.raw.unpack | Malware Configuration Extractor: Njrat {"Install Dir": "svchost.exe", "Install Name": "strangerstrek.duckdns.org", "Host": "True", "Port": "2090", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Campaign ID": "Comienzo", "Version": "0.7.3"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | ReversingLabs: Detection: 79%
Source: C:\Users\user\Music\fullview.exe | ReversingLabs: Detection: 79%
Multi AV Scanner detection for submitted file
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe | Virustotal: Detection: 67%
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe | ReversingLabs: Detection: 79%
Yara detected Njrat
Source: Yara match | File source: Process Memory Space: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe PID: 6964, type: MEMORY
Source: Yara match | File source: Process Memory Space: fullview.exe PID: 7088, type: MEMORY
Source: Yara match | File source: Process Memory Space: fullview.exe PID: 1668, type: MEMORY
Source: Yara match | File source: Process Memory Space: fullview.exe PID: 5616, type: MEMORY
Source: Yara match | File source: Process Memory Space: fullview.exe PID: 7080, type: MEMORY
Source: Yara match | File source: Process Memory Space: fullview.exe PID: 5544, type: MEMORY
Source: Yara match | File source: Process Memory Space: fullview.exe PID: 6400, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4576, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\Music\fullview.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe | Joe Sandbox ML: detected
Source: 16.2.fullview.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 18.2.fullview.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 16.0.fullview.exe.400000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: 18.0.fullview.exe.400000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: 11.0.fullview.exe.400000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: 11.2.fullview.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.684656632.00000000067A0000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.759339723.0000000006710000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818685449.0000000006D70000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.833000474.00000000065D0000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.833594288.0000000007010000.00000002.00000001.sdmp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49768 -> 192.169.69.25:2090
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49769 -> 192.169.69.25:2090
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49770 -> 192.169.69.25:2090
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49771 -> 192.169.69.25:2090
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49772 -> 192.169.69.25:2090
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49773 -> 192.169.69.25:2090
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49774 -> 192.169.69.25:2090
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49777 -> 192.169.69.25:2090
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49778 -> 192.169.69.25:2090
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49779 -> 192.169.69.25:2090
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49780 -> 192.169.69.25:2090
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49781 -> 192.169.69.25:2090
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49782 -> 192.169.69.25:2090
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49783 -> 192.169.69.25:2090
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49784 -> 192.169.69.25:2090
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: True
Uses dynamic DNS services
Source: unknown | DNS query: name: strangerstrek.duckdns.org
Source: Joe Sandbox View | IP Address: 192.169.69.25
Source: Joe Sandbox View | ASN Name: WOWUS
Source: svchost.exe, 00000009.00000002.751847611.00000231CFB00000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotif equals www.facebook.com (Facebook)
Source: svchost.exe, 00000009.00000002.751847611.00000231CFB00000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotif equals www.twitter.com (Twitter)
        Source: svchost.exe, 00000009.00000003.740002825.00000231CFB50000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ
","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-06-10T07:22:21.3909598Z||.||3f037643-6aef-47de-81ac-01c99fe373ef||1152921505693535664||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
        Source: svchost.exe, 00000009.00000003.740002825.00000231CFB50000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ
","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-06-10T07:22:21.3909598Z||.||3f037643-6aef-47de-81ac-01c99fe373ef||1152921505693535664||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
        Source: svchost.exe, 00000009.00000003.728657876.00000231CFB8C000.00000004.00000001.sdmpString found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
        Source: svchost.exe, 00000009.00000003.728657876.00000231CFB8C000.00000004.00000001.sdmpString found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
        Source: svchost.exe, 00000009.00000003.731341981.00000231CFB81000.00000004.00000001.sdmp String found in binary or memory:
        Source: svchost.exe, 00000009.00000003.733581218.00000231CFB8A000.00000004.00000001.sdmp String found in binary or memory: equals www.facebook.com (Facebook)
        Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, fullview.exe, 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, fullview.exe, 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, fullview.exe, 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, fullview.exe, 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, fullview.exe, 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, svchost.exe, 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, fullview.exe, 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp String found in binary or memory: Watch this video to learn how to pay us https://www.youtube.com/watch?v=Ji9IwPId5UkQThis is not a joke. This is a ransomware}Ransomware: Couldn't send address. The stub has no BTC address equals www.youtube.com (Youtube)
        Source: svchost.exe, 00000009.00000003.731322628.00000231CFB50000.00000004.00000001.sdmp String found in binary or memory: