Question Unknown file downloaded. Possible malware/ransomware?

[Nova2288]

Hi, I have NordVPN installed on my PC. It scans for all downloaded files for threats and report on them.

KwownGameList.bin was downloaded twice this month. This is the first time this file was ever downloaded to this pc. It never appeared on the downloaded files list on NordVPN before.

I have never downloaded this file myself and read online that it is a ransomware trojan or something to do with xbox game bar.

NordVPN stated the file were downloaded from an unknown host which I found weird since if it a xbox related thing, shouldn't it be mircosoft?

They were downloaded to the same folder

C:\Users\Username\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache

I tried locating the file but failed. That folder does not contain any file, hidden or not. Is this normal?

I was able to find a file with the same name under C:\Windows\bcastdvr but the file was last modified before both files were downloaded.

I never used anything related to xbox so I am not sure why if it is a xbox thing, it will be downloaded to my pc therefore, I am very worried that it is a ransomware.

If someone can shed any light on this, it will be much appreciated.

 

[Ralston18]

Run Windows Defender/Security and Malwarebytes.

For the record, while searching on the .bin filename, I noted your thread at Microsoft:

https://answers.microsoft.com/en-us...elistbin/fd28b0dc-e045-4ffa-844f-4a9e5e1d783a

Posting the link so everyone will be "in the loop" here.

 

[Grobe]

You can always upload the file to virustotal.com - then the file would be analyzed by multiple anti virus databases, and it will also provide a unique url for that particular file so that you may share for secondary opinions.

 

[Nova2288]

Thanks for the reply.

I have done a full scan with Malwarebytes and it came back with nothing.

I have now done scans with mrt, windows denfender, Norton 360, Kasperkey Virus Removal Tool and Malwarebytes and all came back negative.

Regaring VirusTotal, I have already done a scan on C:\Windows\bcastdvr\KnownGameList.bin and it came back as clean. A person on microsoft community has confirmed the SHA256 hash is the same as the one on their 2 PCs. I assume that means that the file is genuine.

But just becasue C:\Windows\bcastdvr\KnownGameList.bin is genuine

Does that mean the files being downloaded is genuine and although it was shown to be from an unknown host, it is actually for microsoft and safe? If that is true, I'm curious as to why they never appeared on NordVPN's download list before. I have been using this PC for a while and had NordVPN from the start.

 

[Ralston18]

Nord VPN - may be a false positive.

On the other hand:

"KwownGameList.bin" Not "KnownGameList.bin".

"Kwown" vs "Known" - seemed to be a logical typo.

Confirm the correct file name as being flagged by NordVPN.

 

[Nova2288]

Sorry, it was a typo. It is KnownGameList.bin

 

[Unolocogringo]

Sorry, it was a typo. It is KnownGameList.bin

Windows updates can be downloaded from a different computer on your network or a computer on the internet. It does not have to come directly from Microsoft.
Go to Settings-Security and updates- Download optimizations and make sure all of your updates come from microsoft.

 

[Nova2288]

Just checked and the updates came from either Microsoft or Microsoft cache server.

I am not as worried now but is just curious why NordVPN are suddenly catching these downloads and the fact that the 2nd one on the 19th does not correspond to any update.