Windows Analysis Report tcpmdmaus.exe

Overview

General Information

Sample Name: tcpmdmaus.exe
Analysis ID: 497240
MD5: abe13ddc14525c4c35a85224689bfb27
SHA1: 01b8022edd4ef8e9ab20807c032b7ce2849b3df3
SHA256: 8524e558dded9665e69541b332d556e43c007d0d4001fe5355ac4816c22e7a21

Detection

Emotet
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
Machine Learning detection for sample
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to launch a process as a different user
Contains functionality to enumerate running services
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to delete services

Classification

Process Tree

  • System is w10x64
  • tcpmdmaus.exe (PID: 400 cmdline: 'C:\Users\user\Desktop\tcpmdmaus.exe' MD5: ABE13DDC14525C4C35A85224689BFB27)
    • tcpmdmaus.exe (PID: 6768 cmdline: C:\Users\user\Desktop\tcpmdmaus.exe MD5: ABE13DDC14525C4C35A85224689BFB27)
  • sharedsls.exe (PID: 4752 cmdline: C:\Windows\SysWOW64\sharedsls.exe MD5: ABE13DDC14525C4C35A85224689BFB27)
    • sharedsls.exe (PID: 5404 cmdline: C:\Windows\SysWOW64\sharedsls.exe MD5: ABE13DDC14525C4C35A85224689BFB27)
  • svchost.exe (PID: 6696 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4140 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7056 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6868 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.322257965.0000000001251000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
00000001.00000002.322257965.0000000001251000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly | 0x5990:$snippet4: 33 C0 C7 05 80 A8 25 01 00 A0 25 01 C7 05 84 A8 25 01 00 A0 25 01 A3 88 A8 25 01 A3 8C A8 25 01 A3 90 A8 25 01 39 05 00 A0 25 01 74 1D 8D 49 00 40 A3 88 A8 25 01 83 3C C5 00 A0 25 01 00 75 F0 ...
00000002.00000002.321224638.0000000001461000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
00000002.00000002.321224638.0000000001461000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly | 0x5990:$snippet4: 33 C0 C7 05 80 A8 46 01 00 A0 46 01 C7 05 84 A8 46 01 00 A0 46 01 A3 88 A8 46 01 A3 8C A8 46 01 A3 90 A8 46 01 39 05 00 A0 46 01 74 1D 8D 49 00 40 A3 88 A8 46 01 83 3C C5 00 A0 46 01 00 75 F0 ...
00000000.00000002.295437100.0000000000B71000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.tcpmdmaus.exe.1250000.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
1.2.tcpmdmaus.exe.1250000.2.unpack | Emotet | Emotet Payload | kevoreilly | 0x5d90:$snippet4: 33 C0 C7 05 80 A8 25 01 00 A0 25 01 C7 05 84 A8 25 01 00 A0 25 01 A3 88 A8 25 01 A3 8C A8 25 01 A3 90 A8 25 01 39 05 00 A0 25 01 74 1D 8D 49 00 40 A3 88 A8 25 01 83 3C C5 00 A0 25 01 00 75 F0 ...
7.2.sharedsls.exe.1450000.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
7.2.sharedsls.exe.1450000.3.unpack | Emotet | Emotet Payload | kevoreilly | 0x5d90:$snippet4: 33 C0 C7 05 80 A8 45 01 00 A0 45 01 C7 05 84 A8 45 01 00 A0 45 01 A3 88 A8 45 01 A3 8C A8 45 01 A3 90 A8 45 01 39 05 00 A0 45 01 74 1D 8D 49 00 40 A3 88 A8 45 01 83 3C C5 00 A0 45 01 00 75 F0 ...
0.2.tcpmdmaus.exe.b70000.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

              AV Detection:

Multi AV Scanner detection for submitted file
Source: tcpmdmaus.exe | Virustotal: Detection: 85%
Source: tcpmdmaus.exe | Metadefender: Detection: 16%
Source: tcpmdmaus.exe | ReversingLabs: Detection: 96%
Antivirus / Scanner detection for submitted sample
Source: tcpmdmaus.exe | Avira: detected
Machine Learning detection for sample
Source: tcpmdmaus.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\tcpmdmaus.exe | Code function: 0_2_013114C9 wsprintfA,GetBinaryTypeA,GetBinaryTypeA,ReleaseCapture,GetGUIThreadInfo,DuplicateHandle,DuplicateHandle,LockFile,LockFile,CreateIconIndirect,CreateIconIndirect,GlobalDeleteAtom,SCardGetProviderIdA,CreateIconIndirect,CancelIo,AddUsersToEncryptedFile,FlsGetValue,FlsFree,0_2_013114C9
Source: C:\Users\user\Desktop\tcpmdmaus.exe | Code function: 1_2_013114C9 wsprintfA,GetBinaryTypeA,GetBinaryTypeA,ReleaseCapture,GetGUIThreadInfo,DuplicateHandle,DuplicateHandle,LockFile,LockFile,CreateIconIndirect,CreateIconIndirect,GlobalDeleteAtom,SCardGetProviderIdA,CreateIconIndirect,CancelIo,AddUsersToEncryptedFile,FlsGetValue,FlsFree,1_2_013114C9
Source: C:\Users\user\Desktop\tcpmdmaus.exe | Code function: 1_2_01252129 CryptGetHashParam,1_2_01252129
Source: C:\Users\user\Desktop\tcpmdmaus.exe | Code function: 1_2_01252195 CryptImportKey,LocalFree,CryptReleaseContext,1_2_01252195
Source: C:\Users\user\Desktop\tcpmdmaus.exe | Code function: 1_2_01252435 CryptVerifySignatureW,CryptDestroyHash,1_2_01252435
Source: C:\Users\user\Desktop\tcpmdmaus.exe | Code function: 1_2_01252336 CryptDestroyHash,1_2_01252336
Source: C:\Users\user\Desktop\tcpmdmaus.exe | Code function: 1_2_01252261 CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,1_2_01252261
Source: C:\Users\user\Desktop\tcpmdmaus.exe | Code function: 1_2_012522A6 CryptDuplicateHash,1_2_012522A6
Source: C:\Windows\SysWOW64\sharedsls.exe | Code function: 2_2_013114C9 wsprintfA,GetBinaryTypeA,ReleaseCapture,GetGUIThreadInfo,DuplicateHandle,DuplicateHandle,LockFile,LockFile,CreateIconIndirect,CreateIconIndirect,GlobalDeleteAtom,SCardGetProviderIdA,CreateIconIndirect,CancelIo,AddUsersToEncryptedFile,FlsGetValue,FlsFree,2_2_013114C9
Source: C:\Windows\SysWOW64\sharedsls.exe | Code function: 7_2_013114C9 wsprintfA,GetBinaryTypeA,ReleaseCapture,GetGUIThreadInfo,DuplicateHandle,DuplicateHandle,LockFile,LockFile,CreateIconIndirect,CreateIconIndirect,GlobalDeleteAtom,SCardGetProviderIdA,CreateIconIndirect,CancelIo,AddUsersToEncryptedFile,FlsGetValue,FlsFree,7_2_013114C9
Source: C:\Windows\SysWOW64\sharedsls.exe | Code function: 7_2_01452195 CryptImportKey,LocalFree,CryptReleaseContext,7_2_01452195
Source: C:\Windows\SysWOW64\sharedsls.exe | Code function: 7_2_01452336 CryptDestroyHash,7_2_01452336
Source: C:\Windows\SysWOW64\sharedsls.exe | Code function: 7_2_014522A6 CryptDuplicateHash,7_2_014522A6
Source: C:\Windows\SysWOW64\sharedsls.exe | Code function: 7_2_01452129 CryptGetHashParam,7_2_01452129
Source: C:\Windows\SysWOW64\sharedsls.exe | Code function: 7_2_01452435 CryptVerifySignatureW,CryptDestroyHash,7_2_01452435
Source: C:\Windows\SysWOW64\sharedsls.exe | Code function: 7_2_01452261 CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,7_2_01452261
Source: tcpmdmaus.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: tcpmdmaus.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ewjrRWJW##@HRh.pdb source: tcpmdmaus.exe
Source: Joe Sandbox View | IP Address: 110.143.116.201 110.143.116.201
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 77.157.40.119:443 | Content-Length: 404 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 94 2c 73 df ad 1a aa a2 e9 ad 40 ba 8d bb ba 87 51 2f 9b f3 3c c0 5d de 3e 13 14 42 f0 17 65 da c6 64 9a 9d e5 ae 62 71 10 d4 51 aa cd 34 1e 14 85 0d 2f 8c 64 a7 30 4e 71 11 54 3b 10 ee 2c 57 cb b4 d3 91 23 19 20 04 42 65 eb d3 ac ec 20 8f 34 d4 a4 e5 f4 60 b7 8c c8 e6 c2 c1 23 c5 4c 26 76 4c 09 d7 c7 0a 7a 8b 85 02 df a5 0b 05 2e a2 a5 48 64 e1 70 41 89 9f 86 2d d3 55 79 8f ae 2d 2a e5 24 b5 21 5e 57 46 f4 69 26 5c c5 10 28 bb 90 77 92 d0 dd ae 57 a1 49 a0 84 4b 9d 76 34 43 9c 0f 4c 9a 51 a4 fe 3a 4e 54 b0 3c 20 3f 2d 75 a9 e9 40 2d 59 87 16 e7 75 b3 c8 a4 60 9f 95 3f 70 09 6e cd fc e8 7b d6 47 88 70 19 b2 d6 55 22 30 cf 6b e6 7a a7 f3 b5 72 3e 3b 49 4f 3f 9b a1 77 5c aa ab 7e fb 0b c6 ca d1 39 f1 9d fa 93 80 2b 63 3a 28 a8 d6 7a 9f 7d 7d ea 64 68 2c db 4c 1e cb 5c f7 63 aa 16 c0 a5 1a 90 4a 7f c0 6b 6e a8 c8 92 5a 3c 7b ff 87 66 f8 e5 ae 05 6a 09 dc 4f 26 a3 17 67 57 c7 5f 16 b9 9d f6 21 9d 4c 1c 13 00 bc 2e f2 84 4d 0b 25 3d df 13 63 38 b0 3e 33 2c 88 db af 9f f2 e8 c3 de bc 59 37 38 d6 9f 57 ea b6 b5 04 fd 2e 8b 7d dd 1b c3 3f 26 27 a8 b5 77 e0 f6 d2 1f bf 03 ce 67 55 11 aa a7 a4 7c da ea df 9f fa 60 54 61 a8 e6 01 d5 49 6c 29 b3 d0 62 64 f4 b0 0d f3 5d 7d f5 10 34 bb 22 e6 db dd d8 35 15 | Data Ascii: ,s@Q/<]>BedbqQ4/d0NqT;,W# Be 4`#L&vLz.HdpA-Uy-*$!^WFi&\(wWIKv4CLQ:NT< ?-u@-Yu`?pn{GpU"0kzr>;IO?w\~9+c:(z}}dh,L\cJknZ<{fjO&gW_!L.M%=c8>3,Y78W.}?&'wgU|`TaIl)bd]}4"5
Source: global traffic | TCP traffic: 192.168.2.3:49829 -> 66.220.110.56:50000
Source: global traffic | TCP traffic: 192.168.2.3:49855 -> 197.82.220.82:8080
Source: unknown | Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown | TCP traffic detected without corresponding DNS query: 184.186.78.177
Source: unknown | TCP traffic detected without corresponding DNS query: 184.186.78.177
Source: unknown | TCP traffic detected without corresponding DNS query: 184.186.78.177
Source: unknown | TCP traffic detected without corresponding DNS query: 197.82.220.82
Source: unknown | TCP traffic detected without corresponding DNS query: 197.82.220.82
Source: unknown | TCP traffic detected without corresponding DNS query: 197.82.220.82
Source: unknown | TCP traffic detected without corresponding DNS query: 77.157.40.119
Source: unknown | TCP traffic detected without corresponding DNS query: 77.157.40.119
Source: unknown | TCP traffic detected without corresponding DNS query: 77.157.40.119
Source: svchost.exe, 0000000C.00000003.388529220.0000026DAA354000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000C.00000003.388529220.0000026DAA354000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000C.00000003.388529220.0000026DAA354000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-10-01T06:45:58.4458116Z||.||e7745a23-b714-4fea-8a92-51e83dc3bf63||1152921505693962166||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000C.00000003.377890813.0000026DAA802000.00000004.00000001.sdmp | String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e
Source: svchost.exe, 0000000C.00000003.377952164.0000026DAA38C000.00000004.00000001.sdmp | String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6
              Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmp, sharedsls.exe, 00000007.00000003.497628409.0000000000C7D000.00000004.00000001.sdmpString found in binary or memory: http://110.143.116.201/
              Source: sharedsls.exe, 00000007.00000003.497628409.0000000000C7D000.00000004.00000001.sdmpString found in binary or memory: http://110.143.116.201/&$
              Source: sharedsls.exe, 00000007.00000003.497628409.0000000000C7D000.00000004.00000001.sdmpString found in binary or memory: http://110.143.116.201/-$
              Source: sharedsls.exe, 00000007.00000003.497628409.0000000000C7D000.00000004.00000001.sdmpString found in binary or memory: http://110.143.116.201/g$
              Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmpString found in binary or memory: http://184.186.78.177/
              Source: sharedsls.exe, 00000007.00000003.497628409.0000000000C7D000.00000004.00000001.sdmpString found in binary or memory: http://184.186.78.177/:$
              Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmpString found in binary or memory: http://197.82.220.82:8080/
              Source: sharedsls.exe, 00000007.00000002.557552418.0000000000C7D000.00000004.00000020.sdmpString found in binary or memory: http://197.82.220.82:8080/1
              Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmpString found in binary or memory: http://197.82.220.82:8080/v
              Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmpString found in binary or memory: http://66.220.110.56:50000/
              Source: sharedsls.exe, 00000007.00000003.497628409.0000000000C7D000.00000004.00000001.sdmpString found in binary or memory: http://66.220.110.56:50000/1
              Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmpString found in binary or memory: http://66.220.110.56:50000/f
              Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmpString found in binary or memory: http://77.157.40.119:443/
              Source: sharedsls.exe, 00000007.00000002.557552418.0000000000C7D000.00000004.00000020.sdmpString found in binary or memory: http://77.157.40.119:443/#6
              Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmpString found in binary or memory: http://77.157.40.119:443/&
              Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmpString found in binary or memory: http://77.157.40.119:443/.
              Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmpString found in binary or memory: http://77.157.40.119:443//
              Source: sharedsls.exe, 00000007.00000002.557552418.0000000000C7D000.00000004.00000020.sdmpString found in binary or memory: http://77.157.40.119:443/1
              Source: sharedsls.exe, 00000007.00000002.557552418.0000000000C7D000.00000004.00000020.sdmpString found in binary or memory: http://77.157.40.119:443/?6
              Source: sharedsls.exe, 00000007.00000002.557518421.0000000000C48000.00000004.00000020.sdmpString found in binary or memory: http://77.157.40.119:443/V
              Source: svchost.exe, 0000000C.00000002.398521024.0000026DAA300000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
              Source: svchost.exe, 0000000C.00000002.398377884.0000026DA9AEB000.00000004.00000001.sdmpString found in binary or memory: http://crl.ver)
              Source: svchost.exe, 0000000C.00000003.379226998.0000026DAA355000.00000004.00000001.sdmpString found in binary or memory: http://help.disneyplus.com.
              Source: svchost.exe, 0000000C.00000003.377890813.0000026DAA802000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.377952164.0000026DAA38C000.00000004.00000001.sdmpString found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
              Source: svchost.exe, 0000000C.00000003.377890813.0000026DAA802000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.377952164.0000026DAA38C000.00000004.00000001.sdmpString found in binary or memory: http://www.g5e.com/termsofservice
              Source: svchost.exe, 0000000C.00000003.385496071.0000026DAA3A1000.00000004.00000001.sdmpString found in binary or memory: https://corp.roblox.com/contact/
              Source: svchost.exe, 0000000C.00000003.385496071.0000026DAA3A1000.00000004.00000001.sdmpString found in binary or memory: https://corp.roblox.com/parents/
              Source: svchost.exe, 0000000C.00000003.379226998.0000026DAA355000.00000004.00000001.sdmpString found in binary or memory: https://disneyplus.com/legal.
              Source: svchost.exe, 0000000C.00000003.385496071.0000026DAA3A1000.00000004.00000001.sdmpString found in binary or memory: https://en.help.roblox.com/hc/en-us
              Source: svchost.exe, 0000000C.00000003.377890813.0000026DAA802000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.377952164.0000026DAA38C000.00000004.00000001.sdmpString found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
              Source: svchost.exe, 0000000C.00000003.379278531.0000026DAA390000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.379698498.0000026DAA3A1000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
              Source: svchost.exe, 0000000C.00000003.379226998.0000026DAA355000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
              Source: svchost.exe, 0000000C.00000003.385496071.0000026DAA3A1000.00000004.00000001.sdmpString found in binary or memory: https://www.roblox.com/develop
              Source: svchost.exe, 0000000C.00000003.385496071.0000026DAA3A1000.00000004.00000001.sdmpString found in binary or memory: https://www.roblox.com/info/privacy
              Source: svchost.exe, 0000000C.00000003.380718165.0000026DAA802000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
              Source: unknownHTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 77.157.40.119:443Content-Length: 404Connection: Keep-AliveCache-Control: no-cacheData Raw: 94 2c 73 df ad 1a aa a2 e9 ad 40 ba 8d bb ba 87 51 2f 9b f3 3c c0 5d de 3e 13 14 42 f0 17 65 da c6 64 9a 9d e5 ae 62 71 10 d4 51 aa cd 34 1e 14 85 0d 2f 8c 64 a7 30 4e 71 11 54 3b 10 ee 2c 57 cb b4 d3 91 23 19 20 04 42 65 eb d3 ac ec 20 8f 34 d4 a4 e5 f4 60 b7 8c c8 e6 c2 c1 23 c5 4c 26 76 4c 09 d7 c7 0a 7a 8b 85 02 df a5 0b 05 2e a2 a5 48 64 e1 70 41 89 9f 86 2d d3 55 79 8f ae 2d 2a e5 24 b5 21 5e 57 46 f4 69 26 5c c5 10 28 bb 90 77 92 d0 dd ae 57 a1 49 a0 84 4b 9d 76 34 43 9c 0f 4c 9a 51 a4 fe 3a 4e 54 b0 3c 20 3f 2d 75 a9 e9 40 2d 59 87 16 e7 75 b3 c8 a4 60 9f 95 3f 70 09 6e cd fc e8 7b d6 47 88 70 19 b2 d6 55 22 30 cf 6b e6 7a a7 f3 b5 72 3e 3b 49 4f 3f 9b a1 77 5c aa ab 7e fb 0b c6 ca d1 39 f1 9d fa 93 80 2b 63 3a 28 a8 d6 7a 9f 7d 7d ea 64 68 2c db 4c 1e cb 5c f7 63 aa 16 c0 a5 1a 90 4a 7f c0 6b 6e a8 c8 92 5a 3c 7b ff 87 66 f8 e5 ae 05 6a 09 dc 4f 26 a3 17 67 57 c7 5f 16 b9 9d f6 21 9d 4c 1c 13 00 bc 2e f2 84 4d 0b 25 3d df 13 63 38 b0 3e 33 2c 88 db af 9f f2 e8 c3 de bc 59 37 38 d6 9f 57 ea b6 b5 04 fd 2e 8b 7d dd 1b c3 3f 26 27 a8 b5 77 e0 f6 d2 1f bf 03 ce 67 55 11 aa a7 a4 7c da ea df 9f fa 60 54 61 a8 e6 01 d5 49 6c 29 b3 d0 62 64 f4 b0 0d f3 5d 7d f5 10 34 bb 22 e6 db dd d8 35 15 Data Ascii: ,s@Q/<]>BedbqQ4/d0NqT;,W# Be 4`#L&vLz.HdpA-Uy-*$!^WFi&\(wWIKv4CLQ:NT< ?-u@-Yu`?pn{GpU"0kzr>;IO?w\~9+c:(z}}dh,L\cJknZ<{fjO&gW_!L.M%=c8>3,Y78W.}?&'wgU|`TaIl)bd]}4"5
              Source: C:\Users\user\Desktop\tcpmdmaus.exeCode function: 1_2_012516D8 InternetReadFile,1_2_012516D8

              E-Banking Fraud:

              Yara detected Emotet
              Source: Yara matchFile source: 1.2.tcpmdmaus.exe.1250000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.sharedsls.exe.1450000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.tcpmdmaus.exe.b70000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.sharedsls.exe.1460000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000001.00000002.322257965.0000000001251000.00000020.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.321224638.0000000001461000.00000020.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.295437100.0000000000B71000.00000020.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.557763672.0000000001451000.00000020.00000001.sdmp, type: MEMORY
              Source: C:\Users\user\Desktop\tcpmdmaus.exeCode function: 1_2_01252195 CryptImportKey,LocalFree,CryptReleaseContext,1_2_01252195
              Source: C:\Windows\SysWOW64\sharedsls.exeCode function: 7_2_01452195 CryptImportKey,LocalFree,CryptReleaseContext,7_2_01452195

              System Summary:

              Malicious sample detected (through community Yara rule)
              Source: 1.2.tcpmdmaus.exe.1250000.2.unpack, type: UNPACKEDPEMatched rule: Emotet Payload Author: kevoreilly
              Source: 7.2.sharedsls.exe.1450000.3.unpack, type: UNPACKEDPEMatched rule: Emotet Payload Author: kevoreilly
              Source: 0.2.tcpmdmaus.exe.b70000.2.unpack, type: UNPACKEDPEMatched rule: Emotet Payload Author: kevoreilly
              Source: 2.2.sharedsls.exe.1460000.3.unpack, type: UNPACKEDPEMatched rule: Emotet Payload Author: kevoreilly
              Source: 00000001.00000002.322257965.0000000001251000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
              Source: 00000002.00000002.321224638.0000000001461000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
              Source: 00000000.00000002.295437100.0000000000B71000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
              Source: 00000007.00000002.557763672.0000000001451000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
              Source: tcpmdmaus.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Source: 1.2.tcpmdmaus.exe.1250000.2.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
              Source: 7.2.sharedsls.exe.1450000.3.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
              Source: 0.2.tcpmdmaus.exe.b70000.2.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
              Source: 2.2.sharedsls.exe.1460000.3.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
              Source: 00000001.00000002.322257965.0000000001251000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
              Source: 00000002.00000002.321224638.0000000001461000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
              Source: 00000000.00000002.295437100.0000000000B71000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
              Source: 00000007.00000002.557763672.0000000001451000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
              Source: C:\Users\user\Desktop\tcpmdmaus.exeFile deleted: C:\Windows\SysWOW64\sharedsls.exe:Zone.Identifier
              Source: C:\Windows\SysWOW64\sharedsls.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
              Source: C:\Windows\SysWOW64\sharedsls.exeCode function: 2_2_01303567
              Source: C:\Users\user\Desktop\tcpmdmaus.exeCode function: 1_2_01251F76 CreateProcessAsUserW,1_2_01251F76
              Source: tcpmdmaus.exe, 00000000.00000000.290035352.0000000001353000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRTNicProp.dll4 vs tcpmdmaus.exe
              Source: tcpmdmaus.exe, 00000001.00000000.292656535.0000000001353000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRTNicProp.dll4 vs tcpmdmaus.exe
              Source: tcpmdmaus.exeBinary or memory string: OriginalFilenameRTNicProp.dll4 vs tcpmdmaus.exe
              Source: C:\Users\user\Desktop\tcpmdmaus.exeCode function: 1_2_012580BC _snwprintf,OpenServiceW,DeleteService,CloseServiceHandle,1_2_012580BC
              Source: tcpmdmaus.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_EXPORT size: 0xfffff000 address: 0x0
              Source: tcpmdmaus.exeVirustotal: Detection: 85%
              Source: tcpmdmaus.exeMetadefender: Detection: 16%
              Source: tcpmdmaus.exeReversingLabs: Detection: 96%
              Source: tcpmdmaus.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\tcpmdmaus.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknownProcess created: C:\Users\user\Desktop\tcpmdmaus.exe 'C:\Users\user\Desktop\tcpmdmaus.exe'
              Source: C:\Users\user\Desktop\tcpmdmaus.exeProcess created: C:\Users\user\Desktop\tcpmdmaus.exe C:\Users\user\Desktop\tcpmdmaus.exe
              Source: unknownProcess created: C:\Windows\SysWOW64\sharedsls.exe C:\Windows\SysWOW64\sharedsls.exe
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
              Source: C:\Windows\SysWOW64\sharedsls.exeProcess created: C:\Windows\SysWOW64\sharedsls.exe C:\Windows\SysWOW64\sharedsls.exe
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
              Source: C:\Users\user\Desktop\tcpmdmaus.exeProcess created: C:\Users\user\Desktop\tcpmdmaus.exe C:\Users\user\Desktop\tcpmdmaus.exe
              Source: C:\Windows\SysWOW64\sharedsls.exeProcess created: C:\Windows\SysWOW64\sharedsls.exe C:\Windows\SysWOW64\sharedsls.exe
              Source: C:\Users\user\Desktop\tcpmdmaus.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
              Source: classification engineClassification label: mal84.troj.evad.winEXE@10/0@0/6
              Source: C:\Users\user\Desktop\tcpmdmaus.exeCode function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,1_2_01258142
              Source: C:\Windows\SysWOW64\sharedsls.exeCode function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,7_2_01458142
              Source: C:\Users\user\Desktop\tcpmdmaus.exeFile read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\tcpmdmaus.exeCode function: 1_2_012581F7 StartServiceW,CloseServiceHandle,CloseServiceHandle,1_2_012581F7
              Source: C:\Windows\SysWOW64\sharedsls.exeMutant created: \BaseNamedObjects\PEM23C
              Source: C:\Users\user\Desktop\tcpmdmaus.exeMutant created: \Sessions\1\BaseNamedObjects\Global\IA9C8B900
              Source: C:\Windows\SysWOW64\sharedsls.exeMutant created: \BaseNamedObjects\Global\IA9C8B900
              Source: C:\Windows\SysWOW64\sharedsls.exeMutant created: \BaseNamedObjects\PEM1290
              Source: C:\Users\user\Desktop\tcpmdmaus.exeMutant created: \Sessions\1\BaseNamedObjects\Global\MA9C8B900
              Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: tcpmdmaus.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: tcpmdmaus.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: ewjrRWJW##@HRh.pdb source: tcpmdmaus.exe
              Source: C:\Users\user\Desktop\tcpmdmaus.exeCode function: 0_2_01332E75 push ecx; ret 0_2_01332E98
              Source: C:\Users\user\Desktop\tcpmdmaus.exeCode function: 1_2_01332E75 push ecx; ret 1_2_01332E98
              Source: C:\Windows\SysWOW64\sharedsls.exeCode function: 2_2_01332E75 push ecx; ret 2_2_01332E98
              Source: C:\Windows\SysWOW64\sharedsls.exeCode function: 7_2_01332E75 push ecx; ret 7_2_01332E98
              Source: tcpmdmaus.exeStatic PE information: section name: .bT
              Source: tcpmdmaus.exeStatic PE information: section name: D
              Source: tcpmdmaus.exeStatic PE information: section name: .crt0
              Source: tcpmdmaus.exeStatic PE information: section name: cji8

              Persistence and Installation Behavior:

              Drops executables to the windows directory (C:\Windows) and starts them
              Source: C:\Windows\SysWOW64\sharedsls.exeExecutable created and started: C:\Windows\SysWOW64\sharedsls.exe
              Source: C:\Users\user\Desktop\tcpmdmaus.exePE file moved: C:\Windows\SysWOW64\sharedsls.exe
              Source: C:\Users\user\Desktop\tcpmdmaus.exeCode function: 1_2_012581F7 StartServiceW,CloseServiceHandle,CloseServiceHandle,1_2_012581F7

              Hooking and other Techniques for Hiding and Protection: