Windows Analysis Report tcpmdmaus.exe

Overview

General Information

Sample Name: tcpmdmaus.exe
Analysis ID: 497240
MD5: abe13ddc14525c4c35a85224689bfb27
SHA1: 01b8022edd4ef8e9ab20807c032b7ce2849b3df3
SHA256: 8524e558dded9665e69541b332d556e43c007d0d4001fe5355ac4816c22e7a21

Detection

Emotet
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
Machine Learning detection for sample
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to launch a process as a different user
Contains functionality to enumerate running services
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to delete services

AV Detection:

Multi AV Scanner detection for submitted file
Source: tcpmdmaus.exe Virustotal: Detection: 85%
Source: tcpmdmaus.exe Metadefender: Detection: 16%
Source: tcpmdmaus.exe ReversingLabs: Detection: 96%
Antivirus / Scanner detection for submitted sample
Source: tcpmdmaus.exe Avira: detected
Machine Learning detection for sample
Source: tcpmdmaus.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 0_2_013114C9 wsprintfA,GetBinaryTypeA,GetBinaryTypeA,ReleaseCapture,GetGUIThreadInfo,DuplicateHandle,DuplicateHandle,LockFile,LockFile,CreateIconIndirect,CreateIconIndirect,GlobalDeleteAtom,SCardGetProviderIdA,CreateIconIndirect,CancelIo,AddUsersToEncryptedFile,FlsGetValue,FlsFree, 0_2_013114C9
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 1_2_013114C9 wsprintfA,GetBinaryTypeA,GetBinaryTypeA,ReleaseCapture,GetGUIThreadInfo,DuplicateHandle,DuplicateHandle,LockFile,LockFile,CreateIconIndirect,CreateIconIndirect,GlobalDeleteAtom,SCardGetProviderIdA,CreateIconIndirect,CancelIo,AddUsersToEncryptedFile,FlsGetValue,FlsFree, 1_2_013114C9
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 1_2_01252129 CryptGetHashParam, 1_2_01252129
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 1_2_01252195 CryptImportKey,LocalFree,CryptReleaseContext, 1_2_01252195
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 1_2_01252435 CryptVerifySignatureW,CryptDestroyHash, 1_2_01252435
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 1_2_01252336 CryptDestroyHash, 1_2_01252336
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 1_2_01252261 CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 1_2_01252261
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 1_2_012522A6 CryptDuplicateHash, 1_2_012522A6
Source: C:\Windows\SysWOW64\sharedsls.exe Code function: 2_2_013114C9 wsprintfA,GetBinaryTypeA,ReleaseCapture,GetGUIThreadInfo,DuplicateHandle,DuplicateHandle,LockFile,LockFile,CreateIconIndirect,CreateIconIndirect,GlobalDeleteAtom,SCardGetProviderIdA,CreateIconIndirect,CancelIo,AddUsersToEncryptedFile,FlsGetValue,FlsFree, 2_2_013114C9
Source: C:\Windows\SysWOW64\sharedsls.exe Code function: 7_2_013114C9 wsprintfA,GetBinaryTypeA,ReleaseCapture,GetGUIThreadInfo,DuplicateHandle,DuplicateHandle,LockFile,LockFile,CreateIconIndirect,CreateIconIndirect,GlobalDeleteAtom,SCardGetProviderIdA,CreateIconIndirect,CancelIo,AddUsersToEncryptedFile,FlsGetValue,FlsFree, 7_2_013114C9
Source: C:\Windows\SysWOW64\sharedsls.exe Code function: 7_2_01452195 CryptImportKey,LocalFree,CryptReleaseContext, 7_2_01452195
Source: C:\Windows\SysWOW64\sharedsls.exe Code function: 7_2_01452336 CryptDestroyHash, 7_2_01452336
Source: C:\Windows\SysWOW64\sharedsls.exe Code function: 7_2_014522A6 CryptDuplicateHash, 7_2_014522A6
Source: C:\Windows\SysWOW64\sharedsls.exe Code function: 7_2_01452129 CryptGetHashParam, 7_2_01452129
Source: C:\Windows\SysWOW64\sharedsls.exe Code function: 7_2_01452435 CryptVerifySignatureW,CryptDestroyHash, 7_2_01452435
Source: C:\Windows\SysWOW64\sharedsls.exe Code function: 7_2_01452261 CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 7_2_01452261

Compliance:

Uses 32bit PE files
Source: tcpmdmaus.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: tcpmdmaus.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ewjrRWJW##@HRh.pdb source: tcpmdmaus.exe

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 110.143.116.201
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 77.157.40.119:443Content-Length: 404Connection: Keep-AliveCache-Control: no-cacheData Raw: 94 2c 73 df ad 1a aa a2 e9 ad 40 ba 8d bb ba 87 51 2f 9b f3 3c c0 5d de 3e 13 14 42 f0 17 65 da c6 64 9a 9d e5 ae 62 71 10 d4 51 aa cd 34 1e 14 85 0d 2f 8c 64 a7 30 4e 71 11 54 3b 10 ee 2c 57 cb b4 d3 91 23 19 20 04 42 65 eb d3 ac ec 20 8f 34 d4 a4 e5 f4 60 b7 8c c8 e6 c2 c1 23 c5 4c 26 76 4c 09 d7 c7 0a 7a 8b 85 02 df a5 0b 05 2e a2 a5 48 64 e1 70 41 89 9f 86 2d d3 55 79 8f ae 2d 2a e5 24 b5 21 5e 57 46 f4 69 26 5c c5 10 28 bb 90 77 92 d0 dd ae 57 a1 49 a0 84 4b 9d 76 34 43 9c 0f 4c 9a 51 a4 fe 3a 4e 54 b0 3c 20 3f 2d 75 a9 e9 40 2d 59 87 16 e7 75 b3 c8 a4 60 9f 95 3f 70 09 6e cd fc e8 7b d6 47 88 70 19 b2 d6 55 22 30 cf 6b e6 7a a7 f3 b5 72 3e 3b 49 4f 3f 9b a1 77 5c aa ab 7e fb 0b c6 ca d1 39 f1 9d fa 93 80 2b 63 3a 28 a8 d6 7a 9f 7d 7d ea 64 68 2c db 4c 1e cb 5c f7 63 aa 16 c0 a5 1a 90 4a 7f c0 6b 6e a8 c8 92 5a 3c 7b ff 87 66 f8 e5 ae 05 6a 09 dc 4f 26 a3 17 67 57 c7 5f 16 b9 9d f6 21 9d 4c 1c 13 00 bc 2e f2 84 4d 0b 25 3d df 13 63 38 b0 3e 33 2c 88 db af 9f f2 e8 c3 de bc 59 37 38 d6 9f 57 ea b6 b5 04 fd 2e 8b 7d dd 1b c3 3f 26 27 a8 b5 77 e0 f6 d2 1f bf 03 ce 67 55 11 aa a7 a4 7c da ea df 9f fa 60 54 61 a8 e6 01 d5 49 6c 29 b3 d0 62 64 f4 b0 0d f3 5d 7d f5 10 34 bb 22 e6 db dd d8 35 15 Data Ascii: ,s@Q/<]>BedbqQ4/d0NqT;,W# Be 4`#L&vLz.HdpA-Uy-*$!^WFi&\(wWIKv4CLQ:NT< ?-u@-Yu`?pn{GpU"0kzr>;IO?w\~9+c:(z}}dh,L\cJknZ<{fjO&gW_!L.M%=c8>3,Y78W.}?&'wgU|`TaIl)bd]}4"5
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49829 -> 66.220.110.56:50000
Source: global traffic TCP traffic: 192.168.2.3:49855 -> 197.82.220.82:8080
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown TCP traffic detected without corresponding DNS query: 184.186.78.177
Source: unknown TCP traffic detected without corresponding DNS query: 184.186.78.177
Source: unknown TCP traffic detected without corresponding DNS query: 184.186.78.177
Source: unknown TCP traffic detected without corresponding DNS query: 197.82.220.82
Source: unknown TCP traffic detected without corresponding DNS query: 197.82.220.82
Source: unknown TCP traffic detected without corresponding DNS query: 197.82.220.82
Source: unknown TCP traffic detected without corresponding DNS query: 77.157.40.119
Source: unknown TCP traffic detected without corresponding DNS query: 77.157.40.119
Source: unknown TCP traffic detected without corresponding DNS query: 77.157.40.119
Source: svchost.exe, 0000000C.00000003.388529220.0000026DAA354000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000C.00000003.388529220.0000026DAA354000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000C.00000003.388529220.0000026DAA354000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-10-01T06:45:58.4458116Z||.||e7745a23-b714-4fea-8a92-51e83dc3bf63||1152921505693962166||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000C.00000003.388529220.0000026DAA354000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD",
"MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-10-01T06:45:58.4458116Z||.||e7745a23-b714-4fea-8a92-51e83dc3bf63||1152921505693962166||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000C.00000003.377890813.0000026DAA802000.00000004.00000001.sdmp String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e
Source: svchost.exe, 0000000C.00000003.377890813.0000026DAA802000.00000004.00000001.sdmp String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e
Source: svchost.exe, 0000000C.00000003.377890813.0000026DAA802000.00000004.00000001.sdmp String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e
Source: svchost.exe, 0000000C.00000003.377952164.0000026DAA38C000.00000004.00000001.sdmp String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6
Source: svchost.exe, 0000000C.00000003.377952164.0000026DAA38C000.00000004.00000001.sdmp String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6
Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmp, sharedsls.exe, 00000007.00000003.497628409.0000000000C7D000.00000004.00000001.sdmp String found in binary or memory: http://110.143.116.201/
Source: sharedsls.exe, 00000007.00000003.497628409.0000000000C7D000.00000004.00000001.sdmp String found in binary or memory: http://110.143.116.201/&$
Source: sharedsls.exe, 00000007.00000003.497628409.0000000000C7D000.00000004.00000001.sdmp String found in binary or memory: http://110.143.116.201/-$
Source: sharedsls.exe, 00000007.00000003.497628409.0000000000C7D000.00000004.00000001.sdmp String found in binary or memory: http://110.143.116.201/g$
Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmp String found in binary or memory: http://184.186.78.177/
Source: sharedsls.exe, 00000007.00000003.497628409.0000000000C7D000.00000004.00000001.sdmp String found in binary or memory: http://184.186.78.177/:$
Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmp String found in binary or memory: http://197.82.220.82:8080/
Source: sharedsls.exe, 00000007.00000002.557552418.0000000000C7D000.00000004.00000020.sdmp String found in binary or memory: http://197.82.220.82:8080/1
Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmp String found in binary or memory: http://197.82.220.82:8080/v
Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmp String found in binary or memory: http://66.220.110.56:50000/
Source: sharedsls.exe, 00000007.00000003.497628409.0000000000C7D000.00000004.00000001.sdmp String found in binary or memory: http://66.220.110.56:50000/1
Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmp String found in binary or memory: http://66.220.110.56:50000/f
Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmp String found in binary or memory: http://77.157.40.119:443/
Source: sharedsls.exe, 00000007.00000002.557552418.0000000000C7D000.00000004.00000020.sdmp String found in binary or memory: http://77.157.40.119:443/#6
Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmp String found in binary or memory: http://77.157.40.119:443/&
Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmp String found in binary or memory: http://77.157.40.119:443/.
Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmp String found in binary or memory: http://77.157.40.119:443//
Source: sharedsls.exe, 00000007.00000002.557552418.0000000000C7D000.00000004.00000020.sdmp String found in binary or memory: http://77.157.40.119:443/1
Source: sharedsls.exe, 00000007.00000002.557552418.0000000000C7D000.00000004.00000020.sdmp String found in binary or memory: http://77.157.40.119:443/?6
Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmp String found in binary or memory: http://77.157.40.119:443/V
Source: svchost.exe, 0000000C.00000002.398521024.0000026DAA300000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000C.00000002.398377884.0000026DA9AEB000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000C.00000003.379226998.0000026DAA355000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000C.00000003.377890813.0000026DAA802000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.377952164.0000026DAA38C000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000000C.00000003.377890813.0000026DAA802000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.377952164.0000026DAA38C000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000000C.00000003.385496071.0000026DAA3A1000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000000C.00000003.385496071.0000026DAA3A1000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000C.00000003.379226998.0000026DAA355000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000C.00000003.385496071.0000026DAA3A1000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 0000000C.00000003.377890813.0000026DAA802000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.377952164.0000026DAA38C000.00000004.00000001.sdmp String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
Source: svchost.exe, 0000000C.00000003.379278531.0000026DAA390000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.379698498.0000026DAA3A1000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000000C.00000003.379226998.0000026DAA355000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000000C.00000003.385496071.0000026DAA3A1000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000C.00000003.385496071.0000026DAA3A1000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
Source: svchost.exe, 0000000C.00000003.380718165.0000026DAA802000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown HTTP traffic detected:
POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 77.157.40.119:443
Content-Length: 404
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 94 2c 73 df ad 1a aa a2 e9 ad 40 ba 8d bb ba 87 51 2f 9b f3 3c c0 5d de 3e 13 14 42 f0 17 65 da c6 64 9a 9d e5 ae 62 71 10 d4 51 aa cd 34 1e 14 85 0d 2f 8c 64 a7 30 4e 71 11 54 3b 10 ee 2c 57 cb b4 d3 91 23 19 20 04 42 65 eb d3 ac ec 20 8f 34 d4 a4 e5 f4 60 b7 8c c8 e6 c2 c1 23 c5 4c 26 76 4c 09 d7 c7 0a 7a 8b 85 02 df a5 0b 05 2e a2 a5 48 64 e1 70 41 89 9f 86 2d d3 55 79 8f ae 2d 2a e5 24 b5 21 5e 57 46 f4 69 26 5c c5 10 28 bb 90 77 92 d0 dd ae 57 a1 49 a0 84 4b 9d 76 34 43 9c 0f 4c 9a 51 a4 fe 3a 4e 54 b0 3c 20 3f 2d 75 a9 e9 40 2d 59 87 16 e7 75 b3 c8 a4 60 9f 95 3f 70 09 6e cd fc e8 7b d6 47 88 70 19 b2 d6 55 22 30 cf 6b e6 7a a7 f3 b5 72 3e 3b 49 4f 3f 9b a1 77 5c aa ab 7e fb 0b c6 ca d1 39 f1 9d fa 93 80 2b 63 3a 28 a8 d6 7a 9f 7d 7d ea 64 68 2c db 4c 1e cb 5c f7 63 aa 16 c0 a5 1a 90 4a 7f c0 6b 6e a8 c8 92 5a 3c 7b ff 87 66 f8 e5 ae 05 6a 09 dc 4f 26 a3 17 67 57 c7 5f 16 b9 9d f6 21 9d 4c 1c 13 00 bc 2e f2 84 4d 0b 25 3d df 13 63 38 b0 3e 33 2c 88 db af 9f f2 e8 c3 de bc 59 37 38 d6 9f 57 ea b6 b5 04 fd 2e 8b 7d dd 1b c3 3f 26 27 a8 b5 77 e0 f6 d2 1f bf 03 ce 67 55 11 aa a7 a4 7c da ea df 9f fa 60 54 61 a8 e6 01 d5 49 6c 29 b3 d0 62 64 f4 b0 0d f3 5d 7d f5 10 34 bb 22 e6 db dd d8 35 15
Data Ascii: ,s@Q/<]>BedbqQ4/d0NqT;,W# Be 4`#L&vLz.HdpA-Uy-*$!^WFi&\(wWIKv4CLQ:NT< ?-u@-Yu`?pn{GpU"0kzr>;IO?w\~9+c:(z}}dh,L\cJknZ<{fjO&gW_!L.M%=c8>3,Y78W.}?&'wgU|`TaIl)bd]}4"5
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 1_2_012516D8 InternetReadFile, 1_2_012516D8
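The network findings above are the part of this report an analyst turns into indicators: the URL strings carved from sharedsls.exe memory are the Emotet C2 list (IP:port literals, several on non-web ports), and the captured POST confirms one of them live, with the MSIE 7 User-Agent and plain HTTP on port 443. The script below is an added example, not part of the Joe Sandbox report and not the sample's code; REPORT_EXCERPT is a constructed subset of the report lines above with the memory-region identifiers shortened. It keys on scheme, host and port only, because memory-carved URLs drag in trailing bytes from adjacent heap data ("/&$", "/#6", "/V"), and it discards hostname URLs, which in this report come from svchost.exe's own memory (CRL distribution points, Store metadata), not from the malware.

```python
"""Extract the Emotet C2 endpoints from the sandbox report's network findings.

Added example; not part of the Joe Sandbox report and not the sample's code.
REPORT_EXCERPT is a constructed subset of the report's "String found in
binary or memory" and "HTTP traffic detected" lines.
"""
import ipaddress
import re

# Constructed excerpt of report lines; memory-region identifiers are
# shortened to "<sdmp>" and the POST's raw body is omitted.
REPORT_EXCERPT = """\
Source: sharedsls.exe, <sdmp> String found in binary or memory: http://110.143.116.201/
Source: sharedsls.exe, <sdmp> String found in binary or memory: http://110.143.116.201/&$
Source: sharedsls.exe, <sdmp> String found in binary or memory: http://184.186.78.177/:$
Source: sharedsls.exe, <sdmp> String found in binary or memory: http://197.82.220.82:8080/v
Source: sharedsls.exe, <sdmp> String found in binary or memory: http://66.220.110.56:50000/1
Source: sharedsls.exe, <sdmp> String found in binary or memory: http://77.157.40.119:443/#6
Source: sharedsls.exe, <sdmp> String found in binary or memory: http://77.157.40.119:443/V
Source: svchost.exe, <sdmp> String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, <sdmp> String found in binary or memory: https://www.roblox.com/develop
Source: unknown HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0)Host: 77.157.40.119:443Content-Length: 404Connection: Keep-AliveCache-Control: no-cache
"""

SOURCE_RE = re.compile(r"^Source: (?P<proc>[^,]+),")
URL_RE = re.compile(
    r"String found in binary or memory: (?P<scheme>https?)://"
    r"(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?(?=[/\s]|$)"
)
# Joe Sandbox prints the request headers run together, so anchor on the
# header names rather than on line breaks.
HOST_RE = re.compile(r"Host: (?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?")
UA_RE = re.compile(r"User-Agent: (?P<ua>.+?)Host: ")
DEFAULT_PORT = {"http": 80, "https": 443}


def _is_ipv4(host):
    try:
        return isinstance(ipaddress.ip_address(host), ipaddress.IPv4Address)
    except ValueError:
        return False


def extract_c2(report_text, process="sharedsls.exe"):
    """Unique (ip, port) pairs from URL strings carved out of `process`,
    sorted by address.  Hostname URLs are dropped: the Emotet C2 list is
    IP:port literals, the hostnames here belong to svchost's own memory."""
    found = set()
    for line in report_text.splitlines():
        src = SOURCE_RE.match(line)
        if not src or src["proc"] != process:
            continue
        m = URL_RE.search(line)
        if not m or not _is_ipv4(m["host"]):
            continue
        port = int(m["port"]) if m["port"] else DEFAULT_PORT[m["scheme"]]
        found.add((m["host"], port))
    return sorted(found, key=lambda hp: (ipaddress.IPv4Address(hp[0]), hp[1]))


def observed_post(report_text):
    """(host, port, user_agent) of the captured beacon, or None."""
    for line in report_text.splitlines():
        if "HTTP traffic detected: POST" not in line:
            continue
        host = HOST_RE.search(line)
        ua = UA_RE.search(line)
        if host:
            port = int(host["port"]) if host["port"] else 80
            return (host["host"], port, ua["ua"] if ua else None)
    return None


def classify_port(port):
    """Protocol/port mismatch is the cheap network tell: the beacon is plain
    HTTP (no TLS handshake) on 443, and 50000 is not a web port at all."""
    if port == 443:
        return "plaintext-http-on-443"
    if port in (80, 8080):
        return "web-port"
    return "non-standard-port"


def summarize(report_text):
    endpoints = extract_c2(report_text)
    post = observed_post(report_text)
    return {
        "c2": [(h, p, classify_port(p)) for h, p in endpoints],
        "beacon": post,
        "beacon_is_known_c2": post is not None and (post[0], post[1]) in endpoints,
    }
```

Treat the carved list as candidates rather than confirmed infrastructure: strings in process memory can be stale or belong to a previous configuration, so corroborate each entry against observed traffic (here the POST to 77.157.40.119:443) before blocking, and block on host:port rather than URL, since the paths are heap garbage.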

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 1.2.tcpmdmaus.exe.1250000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sharedsls.exe.1450000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tcpmdmaus.exe.b70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.sharedsls.exe.1460000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.322257965.0000000001251000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.321224638.0000000001461000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.295437100.0000000000B71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.557763672.0000000001451000.00000020.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 1_2_01252195 CryptImportKey,LocalFree,CryptReleaseContext, 1_2_01252195
Source: C:\Windows\SysWOW64\sharedsls.exe Code function: 7_2_01452195 CryptImportKey,LocalFree,CryptReleaseContext, 7_2_01452195
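The CryptImportKey, LocalFree, CryptReleaseContext sequence flagged at 1_2_01252195 and 7_2_01452195 is the import-then-discard pattern of a payload loading an embedded public key through the CryptoAPI provider. The report shows the call chain, not the key bytes, so the block below is an added example rather than the sample's code: it implements the documented PUBLICKEYBLOB layout (BLOBHEADER, RSAPUBKEY, little-endian modulus) that CryptImportKey consumes, builds one from an invented 1024-bit modulus, parses it back, and carves such blobs out of a constructed memory dump. Which key, if any, this sample imports in that form is not stated on this page.

```python
"""Parse and carve CryptoAPI RSA PUBLICKEYBLOBs, the structure CryptImportKey
takes when a payload loads an embedded public key.

Added example; not the sample's code and not from the report.  The report
shows only CryptImportKey -> LocalFree -> CryptReleaseContext in both
tcpmdmaus.exe and sharedsls.exe, so SAMPLE_MODULUS is an invented value.
"""
import struct

PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
RSA1_MAGIC = 0x31415352  # "RSA1" when written little-endian

BLOBHEADER = struct.Struct("<BBHI")  # bType, bVersion, reserved, aiKeyAlg
RSAPUBKEY = struct.Struct("<III")    # magic, bitlen, pubexp
HEADER_LEN = BLOBHEADER.size + RSAPUBKEY.size  # 20 bytes

# Invented modulus (odd, exactly 1024 bits); a real key would be carved from
# the unpacked payload or from process memory after the sample decodes it.
SAMPLE_MODULUS = (1 << 1023) | 0x5EED_C0DE_F00D_BA5E_0F1E_2D3C_4B5A_6978_0001


def build_publickeyblob(modulus, exponent=65537):
    """Serialize an RSA public key exactly as CryptImportKey expects it."""
    bitlen = (modulus.bit_length() + 7) // 8 * 8
    return (BLOBHEADER.pack(PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
            + RSAPUBKEY.pack(RSA1_MAGIC, bitlen, exponent)
            + modulus.to_bytes(bitlen // 8, "little"))


def parse_publickeyblob(blob):
    """Return {'bits', 'e', 'n'}; raise ValueError on a malformed blob."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    btype, bver, _reserved, alg = BLOBHEADER.unpack_from(blob, 0)
    if (btype, bver, alg) != (PUBLICKEYBLOB, CUR_BLOB_VERSION, CALG_RSA_KEYX):
        raise ValueError("not an RSA key-exchange PUBLICKEYBLOB")
    magic, bitlen, exponent = RSAPUBKEY.unpack_from(blob, BLOBHEADER.size)
    if magic != RSA1_MAGIC or bitlen % 8 or not 512 <= bitlen <= 16384:
        raise ValueError("bad RSAPUBKEY header")
    end = HEADER_LEN + bitlen // 8
    if len(blob) < end:
        raise ValueError("modulus truncated")
    return {"bits": bitlen, "e": exponent,
            "n": int.from_bytes(blob[HEADER_LEN:end], "little")}


def carve_publickeyblobs(data):
    """Scan a memory dump or unpacked PE for blobs; return [(offset, key)]."""
    needle = BLOBHEADER.pack(PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX) + b"RSA1"
    hits, i = [], data.find(needle)
    while i != -1:
        try:
            hits.append((i, parse_publickeyblob(data[i:])))
        except ValueError:
            pass  # header-like bytes without a valid key behind them
        i = data.find(needle, i + 1)
    return hits
```

Run the carver over the unpacked regions the Yara hits point at (the .unpack files and the matching .sdmp dumps) rather than the on-disk sample: a packed or encoded key only takes this shape in memory, immediately before the CryptImportKey call.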

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.2.tcpmdmaus.exe.1250000.2.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 7.2.sharedsls.exe.1450000.3.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.tcpmdmaus.exe.b70000.2.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 2.2.sharedsls.exe.1460000.3.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.322257965.0000000001251000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000002.00000002.321224638.0000000001461000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.295437100.0000000000B71000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000007.00000002.557763672.0000000001451000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Uses 32bit PE files
Source: tcpmdmaus.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 1.2.tcpmdmaus.exe.1250000.2.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 7.2.sharedsls.exe.1450000.3.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.tcpmdmaus.exe.b70000.2.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 2.2.sharedsls.exe.1460000.3.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.322257965.0000000001251000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000002.00000002.321224638.0000000001461000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.295437100.0000000000B71000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000007.00000002.557763672.0000000001451000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\tcpmdmaus.exe File deleted: C:\Windows\SysWOW64\sharedsls.exe:Zone.Identifier Jump to behavior
Creates files inside the system directory
Source: C:\Windows\SysWOW64\sharedsls.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\sharedsls.exe Code function: 2_2_01303567 2_2_01303567
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 1_2_01251F76 CreateProcessAsUserW, 1_2_01251F76
Sample file is different than original file name gathered from version info
Source: tcpmdmaus.exe, 00000000.00000000.290035352.0000000001353000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameRTNicProp.dll4 vs tcpmdmaus.exe
Source: tcpmdmaus.exe, 00000001.00000000.292656535.0000000001353000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameRTNicProp.dll4 vs tcpmdmaus.exe
Source: tcpmdmaus.exe Binary or memory string: OriginalFilenameRTNicProp.dll4 vs tcpmdmaus.exe
Contains functionality to delete services
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 1_2_012580BC _snwprintf,OpenServiceW,DeleteService,CloseServiceHandle, 1_2_012580BC
Source: tcpmdmaus.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_EXPORT size: 0xfffff000 address: 0x0
Source: tcpmdmaus.exe Virustotal: Detection: 85%
Source: tcpmdmaus.exe Metadefender: Detection: 16%
Source: tcpmdmaus.exe ReversingLabs: Detection: 96%
Source: tcpmdmaus.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\tcpmdmaus.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\tcpmdmaus.exe 'C:\Users\user\Desktop\tcpmdmaus.exe'
Source: C:\Users\user\Desktop\tcpmdmaus.exe Process created: C:\Users\user\Desktop\tcpmdmaus.exe C:\Users\user\Desktop\tcpmdmaus.exe
Source: unknown Process created: C:\Windows\SysWOW64\sharedsls.exe C:\Windows\SysWOW64\sharedsls.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\sharedsls.exe Process created: C:\Windows\SysWOW64\sharedsls.exe C:\Windows\SysWOW64\sharedsls.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\tcpmdmaus.exe Process created: C:\Users\user\Desktop\tcpmdmaus.exe C:\Users\user\Desktop\tcpmdmaus.exe Jump to behavior
Source: C:\Windows\SysWOW64\sharedsls.exe Process created: C:\Windows\SysWOW64\sharedsls.exe C:\Windows\SysWOW64\sharedsls.exe Jump to behavior
Source: C:\Users\user\Desktop\tcpmdmaus.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: classification engine Classification label: mal84.troj.evad.winEXE@10/0@0/6
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle, 1_2_01258142
Source: C:\Windows\SysWOW64\sharedsls.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle, 7_2_01458142
Source: C:\Users\user\Desktop\tcpmdmaus.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 1_2_012581F7 StartServiceW,CloseServiceHandle,CloseServiceHandle, 1_2_012581F7
Source: C:\Windows\SysWOW64\sharedsls.exe Mutant created: \BaseNamedObjects\PEM23C
Source: C:\Users\user\Desktop\tcpmdmaus.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\IA9C8B900
Source: C:\Windows\SysWOW64\sharedsls.exe Mutant created: \BaseNamedObjects\Global\IA9C8B900
Source: C:\Windows\SysWOW64\sharedsls.exe Mutant created: \BaseNamedObjects\PEM1290
Source: C:\Users\user\Desktop\tcpmdmaus.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\MA9C8B900
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: tcpmdmaus.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: tcpmdmaus.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ewjrRWJW##@HRh.pdb source: tcpmdmaus.exe

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 0_2_01332E75 push ecx; ret 0_2_01332E98
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 1_2_01332E75 push ecx; ret 1_2_01332E98
Source: C:\Windows\SysWOW64\sharedsls.exe Code function: 2_2_01332E75 push ecx; ret 2_2_01332E98
Source: C:\Windows\SysWOW64\sharedsls.exe Code function: 7_2_01332E75 push ecx; ret 7_2_01332E98
PE file contains sections with non-standard names
Source: tcpmdmaus.exe Static PE information: section name: .bT
Source: tcpmdmaus.exe Static PE information: section name: D
Source: tcpmdmaus.exe Static PE information: section name: .crt0
Source: tcpmdmaus.exe Static PE information: section name: cji8

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\sharedsls.exe Executable created and started: C:\Windows\SysWOW64\sharedsls.exe Jump to behavior
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\tcpmdmaus.exe PE file moved: C:\Windows\SysWOW64\sharedsls.exe Jump to behavior
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 1_2_012581F7 StartServiceW,CloseServiceHandle,CloseServiceHandle, 1_2_012581F7
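Read together with the process tree above (tcpmdmaus.exe moving itself to C:\Windows\SysWOW64\sharedsls.exe, the OpenSCManagerW/CreateServiceW/StartServiceW chain, and sharedsls.exe spawning a second sharedsls.exe), this section describes a three-step install that host telemetry can correlate. The script below is an added example, not part of the report: EVENTS is constructed, with field names following Sysmon EventID 1 (process create) and 11 (file create) and the System log's Service Control Manager event 7045, but the timestamps, the service name "sharedsls" (the report does not show the name the sample registers) and the benign noise events are invented. TRUSTED_WRITERS is an assumed allow-list of servicing processes to be tuned per estate.

```python
"""Correlate the install chain this report records: a PE written into
C:\\Windows\\SysWOW64 by a process running from the user profile, a service
registered on that path shortly after, and the dropped binary relaunching
itself.

Added example; not part of the Joe Sandbox report.  EVENTS is constructed.
"""
import ntpath
from datetime import datetime, timedelta

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Assumed allow-list of servicing processes that legitimately write PEs into
# the system directories; tune for your estate.
TRUSTED_WRITERS = {"tiworker.exe", "trustedinstaller.exe", "msiexec.exe"}

# Constructed telemetry mirroring the report's process tree.
EVENTS = [
    {"t": "2021-10-01T10:00:01", "id": 1, "Image": r"C:\Users\user\Desktop\tcpmdmaus.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"t": "2021-10-01T10:00:03", "id": 11, "Image": r"C:\Users\user\Desktop\tcpmdmaus.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\sharedsls.exe"},
    {"t": "2021-10-01T10:00:04", "id": 7045, "ServiceName": "sharedsls",
     "ImagePath": r'"C:\Windows\SysWOW64\sharedsls.exe"', "StartType": "auto start"},
    {"t": "2021-10-01T10:00:05", "id": 1, "Image": r"C:\Windows\SysWOW64\sharedsls.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"t": "2021-10-01T10:00:06", "id": 1, "Image": r"C:\Windows\SysWOW64\sharedsls.exe",
     "ParentImage": r"C:\Windows\SysWOW64\sharedsls.exe"},
    # Benign noise: Windows servicing dropping a DLL, and an ordinary service.
    {"t": "2021-10-01T11:00:00", "id": 11, "Image": r"C:\Windows\WinSxS\x\TiWorker.exe",
     "TargetFilename": r"C:\Windows\System32\example.dll"},
    {"t": "2021-10-01T11:00:01", "id": 7045, "ServiceName": "ExampleSvc",
     "ImagePath": r'"C:\Program Files\Example\svc.exe"', "StartType": "auto start"},
]


def _norm(path):
    return path.strip().strip('"').lower()


def _imagepath_exe(imagepath):
    """ImagePath may be quoted and may carry arguments; return the binary.
    Unquoted paths containing spaces are ambiguous by design (a known
    Windows weakness), so only the first token is taken in that case."""
    s = imagepath.strip()
    if s.startswith('"'):
        return _norm(s[1:s.find('"', 1)])
    return _norm(s.split(" ", 1)[0])


def _ts(event):
    return datetime.fromisoformat(event["t"])


def system_dir_drops(events):
    """EID 11: PE written under System32/SysWOW64 by a non-servicing process."""
    hits = []
    for e in events:
        if e["id"] != 11:
            continue
        target, writer = _norm(e["TargetFilename"]), _norm(e["Image"])
        if not target.startswith(SYSTEM_DIRS) or not target.endswith((".exe", ".dll")):
            continue
        if ntpath.basename(writer) in TRUSTED_WRITERS:
            continue
        hits.append(e)
    return hits


def dropped_then_serviced(events, window=timedelta(minutes=10)):
    """7045 whose ImagePath is a file from system_dir_drops, registered within
    `window` of the write.  A writer under a user-writable path raises the score."""
    alerts = []
    for d in system_dir_drops(events):
        for e in events:
            if e["id"] != 7045 or _imagepath_exe(e["ImagePath"]) != _norm(d["TargetFilename"]):
                continue
            delta = _ts(e) - _ts(d)
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "rule": "dropped-binary-registered-as-service",
                    "writer": d["Image"],
                    "writer_from_user_path": _norm(d["Image"]).startswith(USER_DIRS),
                    "path": d["TargetFilename"],
                    "service": e["ServiceName"],
                    "seconds": delta.total_seconds(),
                })
    return alerts


def self_respawn(events):
    """EID 1 where child image equals parent image under a system directory:
    the service-hosted copy relaunching itself, as in this report's tree."""
    return [e for e in events
            if e["id"] == 1
            and _norm(e["Image"]) == _norm(e["ParentImage"])
            and _norm(e["Image"]).startswith(SYSTEM_DIRS)]


def run(events):
    return {
        "service_alerts": dropped_then_serviced(events),
        "self_respawn": [e["Image"] for e in self_respawn(events)],
    }
```

The Zone.Identifier deletion recorded above is a fourth signal in the same chain, but whether a sensor records alternate-data-stream deletes varies, so it is left out of the correlation rather than assumed.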

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\tcpmdmaus.exe File opened: C:\Windows\SysWOW64\sharedsls.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\sharedsls.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\sharedsls.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\sharedsls.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\sharedsls.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6268 Thread sleep time: -120000s >= -30000s Jump to behavior
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: EnumServicesStatusExW,GetTickCount,OpenServiceW, 1_2_01257F4D
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: EnumServicesStatusExW,GetLastError, 1_2_01257EF4
Source: C:\Windows\SysWOW64\sharedsls.exe Code function: EnumServicesStatusExW,GetTickCount,OpenServiceW, 7_2_01457F4D
Source: C:\Windows\SysWOW64\sharedsls.exe Code function: EnumServicesStatusExW,GetLastError, 7_2_01457EF4
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\tcpmdmaus.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\sharedsls.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\tcpmdmaus.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWs
Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmp, svchost.exe, 0000000C.00000002.398377884.0000026DA9AEB000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 1_2_01251850 GetProcessHeap,RtlAllocateHeap, 1_2_01251850
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 1_2_012515E0 mov eax, dword ptr fs:[00000030h] 1_2_012515E0
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 1_2_01252010 mov eax, dword ptr fs:[00000030h] 1_2_01252010
Source: C:\Windows\SysWOW64\sharedsls.exe Code function: 2_2_014615E0 mov eax, dword ptr fs:[00000030h] 2_2_014615E0
Source: C:\Windows\SysWOW64\sharedsls.exe Code function: 2_2_01462010 mov eax, dword ptr fs:[00000030h] 2_2_01462010
Source: C:\Windows\SysWOW64\sharedsls.exe Code function: 7_2_014515E0 mov eax, dword ptr fs:[00000030h] 7_2_014515E0
Source: C:\Windows\SysWOW64\sharedsls.exe Code function: 7_2_01452010 mov eax, dword ptr fs:[00000030h] 7_2_01452010

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\tcpmdmaus.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\sharedsls.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\sharedsls.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 1_2_0125261F RtlGetVersion,GetNativeSystemInfo, 1_2_0125261F

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 1.2.tcpmdmaus.exe.1250000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sharedsls.exe.1450000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tcpmdmaus.exe.b70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.sharedsls.exe.1460000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.322257965.0000000001251000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.321224638.0000000001461000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.295437100.0000000000B71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.557763672.0000000001451000.00000020.00000001.sdmp, type: MEMORY