Edit tour

Windows Analysis Report
Android TV Tools v3_EN.exe

Overview

General Information

Sample name:	Android TV Tools v3_EN.exe
Analysis ID:	1447533
MD5:	6d4c50f647700cfcf2f06e137355671d
SHA1:	d7e53c88af4ef48e40262f73dabf3cd30b64e1f1
SHA256:	057b44e12f8052176da2407ecc4d8e2340ff9fe22b499b861b7e3d0d8b103b2e
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Multi AV Scanner detection for submitted file

Contains functionality to detect sleep reduction / modifications

Found API chain indicative of debugger detection

Loading BitLocker PowerShell Module

Powershell uses Background Intelligent Transfer Service (BITS)

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Usage Of Web Request Commands And Cmdlets

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Android TV Tools v3_EN.exe (PID: 6736 cmdline: "C:\Users\user\Desktop\Android TV Tools v3_EN.exe" MD5: 6D4C50F647700CFCF2F06E137355671D)

conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6880 cmdline: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\afolder" mkdir "C:\Users\user\AppData\Local\Temp\afolder" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 6932 cmdline: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\ytmp" mkdir "C:\Users\user\AppData\Local\Temp\ytmp" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 6972 cmdline: C:\Windows\system32\cmd.exe /c attrib +h C:\Users\user\AppData\Local\Temp\ytmp MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

attrib.exe (PID: 7044 cmdline: attrib +h C:\Users\user\AppData\Local\Temp\ytmp MD5: 0E938DD280E83B1596EC6AA48729C2B0)

cmd.exe (PID: 7036 cmdline: C:\Windows\system32\cmd.exe /c if exist "C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat" del "C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7112 cmdline: C:\Windows\system32\cmd.exe /c if exist "C:\Users\user\AppData\Local\Temp\ytmp\tmp5972.exe" del "C:\Users\user\AppData\Local\Temp\ytmp\tmp5972.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7144 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat "C:\Users\user\Desktop\Android TV Tools v3_EN.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

PING.EXE (PID: 7156 cmdline: ping google.com -n 1 MD5: B3624DD758CCECF93A1226CEF252CA12)

powershell.exe (PID: 1740 cmdline: powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmdmax.exe (PID: 7136 cmdline: "Android TV Tools - Aux Files\cmdmax.exe" 20 234 120 31 120 9999 MD5: 34348DD557468D401AE4BFAE2E850EEE)

svchost.exe (PID: 7076 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'", CommandLine: powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat "C:\Users\user\Desktop\Android TV Tools v3_EN.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7144, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'", ProcessId: 1740, ProcessName: powershell.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'", CommandLine: powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat "C:\Users\user\Desktop\Android TV Tools v3_EN.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7144, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'", ProcessId: 1740, ProcessName: powershell.exe

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\afolder" mkdir "C:\Users\user\AppData\Local\Temp\afolder", CommandLine: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\afolder" mkdir "C:\Users\user\AppData\Local\Temp\afolder", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Android TV Tools v3_EN.exe", ParentImage: C:\Users\user\Desktop\Android TV Tools v3_EN.exe, ParentProcessId: 6736, ParentProcessName: Android TV Tools v3_EN.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\afolder" mkdir "C:\Users\user\AppData\Local\Temp\afolder", ProcessId: 6880, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'", CommandLine: powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat "C:\Users\user\Desktop\Android TV Tools v3_EN.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7144, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'", ProcessId: 1740, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7076, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Android TV Tools v3_EN.exe	ReversingLabs: Detection: 13%
Source: Android TV Tools v3_EN.exe	Virustotal: Detection: 8%			Perma Link

Source: Android TV Tools v3_EN.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49734 version: TLS 1.2

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping google.com -n 1

Source: Joe Sandbox View	IP Address: 185.199.109.133 185.199.109.133
Source: Joe Sandbox View	IP Address: 140.82.121.3 140.82.121.3
Source: Joe Sandbox View	IP Address: 140.82.121.3 140.82.121.3

Source: Joe Sandbox View

ASN Name: GITHUBUS GITHUBUS

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Wed, 08 Dec 2021 04:12:16 GMTUser-Agent: Microsoft BITS/7.8Host: github.com
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/50417431/6e51c424-c3ca-11e5-97ed-aaf014dfa1f3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240525%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240525T185903Z&X-Amz-Expires=300&X-Amz-Signature=fff4a0719c293d9eda64204276fdc932c8a5e83c54ec30c201cfc9b24ace8e09&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=50417431&response-content-disposition=attachment%3B%20filename%3Dcmdmax-x86.exe&response-content-type=application%2Foctet-stream HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Wed, 08 Dec 2021 04:12:16 GMTUser-Agent: Microsoft BITS/7.8Host: objects.githubusercontent.com

Source: global traffic	DNS traffic detected: DNS query: google.com
Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: objects.githubusercontent.com

Source: tmp9682.bat.0.dr	String found in binary or memory: http://agrd.io/tvapk
Source: svchost.exe, 0000000B.00000002.2913070316.00000179B4A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000B.00000003.1669856236.00000179B4928000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000000B.00000003.1669856236.00000179B4928000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000000B.00000003.1669856236.00000179B4928000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000000B.00000003.1669856236.00000179B495D000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.11.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: tmp9682.bat.0.dr	String found in binary or memory: https://9to5google.com/guides/android-tv/
Source: tmp9682.bat.0.dr	String found in binary or memory: https://adguard.com/adguard-android-tv/overview.html
Source: tmp9682.bat.0.dr	String found in binary or memory: https://api.github.com/repos/0x192/universal-android-debloater/releases
Source: tmp9682.bat.0.dr	String found in binary or memory: https://api.github.com/repos/Genymobile/scrcpy/releases/latest
Source: tmp9682.bat.0.dr	String found in binary or memory: https://api.github.com/repos/K3V1991/ADB-and-FastbootPlusPlus/releases/latest
Source: tmp9682.bat.0.dr	String found in binary or memory: https://api.github.com/repos/codefaktor/FTVLaunchX/releases/latest
Source: tmp9682.bat.0.dr	String found in binary or memory: https://api.github.com/repos/mirfatif/PermissionManagerX/releases/latest
Source: tmp9682.bat.0.dr	String found in binary or memory: https://api.github.com/repos/realOxy/M3UAndroid/releases/latest
Source: tmp9682.bat.0.dr	String found in binary or memory: https://api.github.com/repos/spocky/miproja1/releases/latest
Source: tmp9682.bat.0.dr	String found in binary or memory: https://apkins.aptoide.com/AptoideTV-5.1.2.apk
Source: tmp9682.bat.0.dr	String found in binary or memory: https://atvlauncher.trekgonewild.de/
Source: tmp9682.bat.0.dr	String found in binary or memory: https://f-droid.org/repo/news.androidtv.launchonboot_12.apk
Source: svchost.exe, 0000000B.00000003.1669856236.00000179B49D2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000000B.00000003.1669856236.00000179B49D2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: tmp9682.bat.0.dr	String found in binary or memory: https://github.com/0x192/universal-android-debloater#universal-android-debloater-gui
Source: tmp9682.bat.0.dr	String found in binary or memory: https://github.com/0x192/universal-android-debloater/releases/download/%ver_debloater%/uad_gui-windo
Source: tmp9682.bat.0.dr	String found in binary or memory: https://github.com/0x192/universal-android-debloater/wiki/FAQ
Source: tmp9682.bat.0.dr	String found in binary or memory: https://github.com/Free-TV/IPTV?tab=readme-ov-file#free-tv
Source: tmp9682.bat.0.dr	String found in binary or memory: https://github.com/Genymobile/scrcpy
Source: tmp9682.bat.0.dr	String found in binary or memory: https://github.com/Genymobile/scrcpy/blob/master/doc/shortcuts.md#shortcuts
Source: tmp9682.bat.0.dr	String found in binary or memory: https://github.com/Genymobile/scrcpy/releases/download/%ver_scrcpy%/scrcpy-win%arquitectura_windows%
Source: Android TV Tools v3_EN.exe, 00000000.00000002.2911860916.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp, tmp9682.bat.0.dr	String found in binary or memory: https://github.com/K3V1991/ADB-and-FastbootPlusPlus
Source: tmp9682.bat.0.dr	String found in binary or memory: https://github.com/K3V1991/ADB-and-FastbootPlusPlus/releases/download/%ver_adb%/ADB-and-Fastboot
Source: tmp9682.bat.0.dr	String found in binary or memory: https://github.com/codefaktor/FTVLaunchX/blob/develop/README.md
Source: tmp9682.bat.0.dr	String found in binary or memory: https://github.com/codefaktor/FTVLaunchX/releases/download/v1.0.1/FTVLaunchX-1.0.1.apk
Source: tmp9682.bat.0.dr	String found in binary or memory: https://github.com/iptv-org/iptv?tab=readme-ov-file#playlists
Source: tmp9682.bat.0.dr	String found in binary or memory: https://github.com/mirfatif/PermissionManagerX/releases/download/%ver_PMX%/PMX_%ver_PMX%.apk
Source: svchost.exe, 0000000B.00000002.2912230584.00000179AF45B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/r3
Source: svchost.exe, 0000000B.00000002.2913225702.00000179B4A8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2912591986.00000179AFD02000.00000004.00000020.00020000.00000000.sdmp, tmp9682.bat.0.dr	String found in binary or memory: https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe
Source: edb.log.11.dr	String found in binary or memory: https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe?C:
Source: svchost.exe, 0000000B.00000002.2913225702.00000179B4A8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2913199656.00000179B4A64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com:443/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe
Source: tmp9682.bat.0.dr	String found in binary or memory: https://gitlab.com/AuroraOSS/AuroraStore/uploads/ac32503aee88c6d1067dad57f3f92e09/AuroraStore_4.3.5.
Source: tmp9682.bat.0.dr	String found in binary or memory: https://gitlab.com/flauncher/flauncher/-/releases/0.18.0/downloads/flauncher-0.18.0.apk
Source: tmp9682.bat.0.dr	String found in binary or memory: https://ipinfo.io
Source: tmp9682.bat.0.dr	String found in binary or memory: https://iptv-org.github.io/
Source: tmp9682.bat.0.dr	String found in binary or memory: https://kutt.it/stn_beta
Source: tmp9682.bat.0.dr	String found in binary or memory: https://kutt.it/stn_bridge_amazon
Source: tmp9682.bat.0.dr	String found in binary or memory: https://kutt.it/stn_bridge_atv
Source: tmp9682.bat.0.dr	String found in binary or memory: https://kutt.it/stn_stable
Source: tmp9682.bat.0.dr	String found in binary or memory: https://mirfatif.github.io/PermissionManagerX/
Source: tmp9682.bat.0.dr	String found in binary or memory: https://mirfatif.github.io/PermissionManagerX/help/en/
Source: svchost.exe, 0000000B.00000002.2913304850.00000179B4AD9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2913225702.00000179B4A8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2913359677.00000179B4AFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com/
Source: svchost.exe, 0000000B.00000002.2913304850.00000179B4AE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/50417431/6e51c424-c3ca-
Source: svchost.exe, 0000000B.00000002.2913225702.00000179B4A8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com:443
Source: svchost.exe, 0000000B.00000003.1669856236.00000179B49D2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.11.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: tmp9682.bat.0.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=%%%%j
Source: tmp9682.bat.0.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=ar.tvplayer.tv
Source: tmp9682.bat.0.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.neilturner.aerialviews
Source: tmp9682.bat.0.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.tdtchannels.player
Source: tmp9682.bat.0.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.wiseplay
Source: tmp9682.bat.0.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=flar2.homebutton
Source: tmp9682.bat.0.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=org.xbmc.kodi
Source: tmp9682.bat.0.dr	String found in binary or memory: https://smarttubeapp.github.io/
Source: tmp9682.bat.0.dr	String found in binary or memory: https://www.adslzone.net/reportajes/tv-streaming/que-es-tecnologia-iptv/#395576-que-son-las-listas-i
Source: tmp9682.bat.0.dr	String found in binary or memory: https://www.androidpolice.com/2021/01/30/how-to-remap-remote-buttons-take-screenshot-chromecast-with
Source: tmp9682.bat.0.dr	String found in binary or memory: https://www.androidtv-guide.com/
Source: tmp9682.bat.0.dr	String found in binary or memory: https://www.reddit.com/r/AndroidTV/
Source: Android TV Tools v3_EN.exe, 00000000.00000002.2911860916.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp, tmp9682.bat.0.dr	String found in binary or memory: https://www.reddit.com/r/AndroidTV/comments/1ajkxbk/tool_allinone_tool_for_windows_android_tv_tools_
Source: tmp9682.bat.0.dr	String found in binary or memory: https://www.tdtchannels.com/listas
Source: tmp9682.bat.0.dr	String found in binary or memory: https://xdaforums.com/attachments/aapt-arm-pie-zip.6053069/
Source: tmp9682.bat.0.dr	String found in binary or memory: https://xdaforums.com/attachments/countries-list-txt.6067313/
Source: tmp9682.bat.0.dr	String found in binary or memory: https://xdaforums.com/attachments/google-installer_3-0-apk.6052043/
Source: tmp9682.bat.0.dr	String found in binary or memory: https://xdaforums.com/attachments/google-play-apk.6050959/
Source: tmp9682.bat.0.dr	String found in binary or memory: https://xdaforums.com/attachments/google-play-store_v38-7-29-apk.6052033/
Source: tmp9682.bat.0.dr	String found in binary or memory: https://xdaforums.com/attachments/google-tv-home_1-0-591121582-apk.6051727/
Source: tmp9682.bat.0.dr	String found in binary or memory: https://xdaforums.com/attachments/wifi-pro-ftp-server_v1-9-5-build-74-apk.5924749/
Source: tmp9682.bat.0.dr	String found in binary or memory: https://xdaforums.com/c/android-tv.4276/
Source: tmp9682.bat.0.dr	String found in binary or memory: https://xdaforums.com/t/how-to-prepare-smartwatch-for-advanced-functions.4511103/
Source: Android TV Tools v3_EN.exe, 00000000.00000002.2911860916.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp, tmp9682.bat.0.dr	String found in binary or memory: https://xdaforums.com/t/tool-all-in-one-tool-for-windows-android-tv-tools-v2.4648239/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49734 version: TLS 1.2

Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Code function: 0_2_0040A05E		0_2_0040A05E
Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Code function: 0_2_0040C1E5		0_2_0040C1E5

Source: Android TV Tools v3_EN.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal88.troj.evad.winEXE@23/14@3/4

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\Android TV Tools - Aux Files

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_03

Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe

File created: C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat

Jump to behavior

Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if exist "C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat" del "C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat"

Source: Android TV Tools v3_EN.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Android TV Tools v3_EN.exe	ReversingLabs: Detection: 13%
Source: Android TV Tools v3_EN.exe	Virustotal: Detection: 8%

Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe

File read: C:\Users\user\Desktop\Android TV Tools v3_EN.exe

Jump to behavior

Source: C:\Users\user\Desktop\Android TV Tools - Aux Files\cmdmax.exe

Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess

graph_13-1734

Source: unknown	Process created: C:\Users\user\Desktop\Android TV Tools v3_EN.exe "C:\Users\user\Desktop\Android TV Tools v3_EN.exe"
Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\afolder" mkdir "C:\Users\user\AppData\Local\Temp\afolder"
Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\ytmp" mkdir "C:\Users\user\AppData\Local\Temp\ytmp"
Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c attrib +h C:\Users\user\AppData\Local\Temp\ytmp
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h C:\Users\user\AppData\Local\Temp\ytmp
Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if exist "C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat" del "C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat"
Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if exist "C:\Users\user\AppData\Local\Temp\ytmp\tmp5972.exe" del "C:\Users\user\AppData\Local\Temp\ytmp\tmp5972.exe"
Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat "C:\Users\user\Desktop\Android TV Tools v3_EN.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping google.com -n 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Android TV Tools - Aux Files\cmdmax.exe "Android TV Tools - Aux Files\cmdmax.exe" 20 234 120 31 120 9999
Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\afolder" mkdir "C:\Users\user\AppData\Local\Temp\afolder"	Jump to behavior
Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\ytmp" mkdir "C:\Users\user\AppData\Local\Temp\ytmp"	Jump to behavior
Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c attrib +h C:\Users\user\AppData\Local\Temp\ytmp	Jump to behavior
Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if exist "C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat" del "C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat"	Jump to behavior
Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if exist "C:\Users\user\AppData\Local\Temp\ytmp\tmp5972.exe" del "C:\Users\user\AppData\Local\Temp\ytmp\tmp5972.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat "C:\Users\user\Desktop\Android TV Tools v3_EN.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h C:\Users\user\AppData\Local\Temp\ytmp	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping google.com -n 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Android TV Tools - Aux Files\cmdmax.exe "Android TV Tools - Aux Files\cmdmax.exe" 20 234 120 31 120 9999	Jump to behavior

Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Android TV Tools - Aux Files\cmdmax.exe	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe

Code function: 0_2_0040B641 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0040B641

Source: BIT8DD.tmp.11.dr	Static PE information: real checksum: 0x0 should be: 0xe0ce
Source: Android TV Tools v3_EN.exe	Static PE information: real checksum: 0x11353 should be: 0x671de

Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe

Code function: 0_2_00405810 push eax; ret

0_2_0040583E

Persistence and Installation Behavior

Powershell uses Background Intelligent Transfer Service (BITS)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Section loaded: \KnownDlls32\BitsProxy.dll

Jump to behavior

Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\Desktop\Android TV Tools - Aux Files\cmdmax.exe (copy)			Jump to dropped file
Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\Desktop\Android TV Tools - Aux Files\BIT8DD.tmp			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Code function: 0_2_004036D1		0_2_004036D1
Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Code function: 0_2_00404D37		0_2_00404D37

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping google.com -n 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping google.com -n 1			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5353			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4400			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3704	Thread sleep count: 5353 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1456	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5596	Thread sleep count: 4400 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6780	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: svchost.exe, 0000000B.00000002.2913150590.00000179B4A5D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2912188978.00000179AF42B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	API call chain: ExitProcess graph end node			graph_0-7160
Source: C:\Users\user\Desktop\Android TV Tools - Aux Files\cmdmax.exe	API call chain: ExitProcess graph end node			graph_13-1880

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe

Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep

graph_0-7471

Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe

Code function: 0_2_0040B641 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0040B641

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\svchost.exe

File created: BIT8DD.tmp.11.dr

Jump to dropped file

Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\afolder" mkdir "C:\Users\user\AppData\Local\Temp\afolder"	Jump to behavior
Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\ytmp" mkdir "C:\Users\user\AppData\Local\Temp\ytmp"	Jump to behavior
Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c attrib +h C:\Users\user\AppData\Local\Temp\ytmp	Jump to behavior
Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if exist "C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat" del "C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat"	Jump to behavior
Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if exist "C:\Users\user\AppData\Local\Temp\ytmp\tmp5972.exe" del "C:\Users\user\AppData\Local\Temp\ytmp\tmp5972.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat "C:\Users\user\Desktop\Android TV Tools v3_EN.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h C:\Users\user\AppData\Local\Temp\ytmp	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping google.com -n 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Android TV Tools - Aux Files\cmdmax.exe "Android TV Tools - Aux Files\cmdmax.exe" 20 234 120 31 120 9999	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Android TV Tools v3_EN.exe

Code function: 0_2_00406444 EntryPoint,GetVersion,GetCommandLineA,

0_2_00406444

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Command and Scripting Interpreter	1 BITS Jobs	11 Process Injection	1 Masquerading	OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 Scripting	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	Logon Script (Windows)	1 BITS Jobs	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Android TV Tools v3_EN.exe	13%	ReversingLabs
Android TV Tools v3_EN.exe	8%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\Android TV Tools - Aux Files\BIT8DD.tmp	2%	ReversingLabs
C:\Users\user\Desktop\Android TV Tools - Aux Files\cmdmax.exe (copy)	2%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
google.com	1%	Virustotal	Browse
github.com	0%	Virustotal	Browse
objects.githubusercontent.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://g.live.com/odclientsettings/ProdV2.C:	0%	URL Reputation	safe
https://g.live.com/odclientsettings/Prod.C:	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2	0%	URL Reputation	safe
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	0%	URL Reputation	safe
https://ipinfo.io	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	0%	URL Reputation	safe
https://kutt.it/stn_bridge_atv	0%	Avira URL Cloud	safe
https://www.tdtchannels.com/listas	0%	Avira URL Cloud	safe
https://f-droid.org/repo/news.androidtv.launchonboot_12.apk	0%	Avira URL Cloud	safe
https://www.androidpolice.com/2021/01/30/how-to-remap-remote-buttons-take-screenshot-chromecast-with	0%	Avira URL Cloud	safe
https://atvlauncher.trekgonewild.de/	0%	Avira URL Cloud	safe
https://github.com/0x192/universal-android-debloater/releases/download/%ver_debloater%/uad_gui-windo	0%	Avira URL Cloud	safe
https://github.com/0x192/universal-android-debloater/wiki/FAQ	0%	Avira URL Cloud	safe
https://iptv-org.github.io/	0%	Avira URL Cloud	safe
https://www.reddit.com/r/AndroidTV/	0%	Avira URL Cloud	safe
https://www.androidtv-guide.com/	0%	Avira URL Cloud	safe
https://www.reddit.com/r/AndroidTV/comments/1ajkxbk/tool_allinone_tool_for_windows_android_tv_tools_	0%	Avira URL Cloud	safe
https://xdaforums.com/attachments/google-installer_3-0-apk.6052043/	0%	Avira URL Cloud	safe
https://gitlab.com/AuroraOSS/AuroraStore/uploads/ac32503aee88c6d1067dad57f3f92e09/AuroraStore_4.3.5.	0%	Avira URL Cloud	safe
https://play.google.com/store/apps/details?id=com.tdtchannels.player	0%	Avira URL Cloud	safe
https://github.com:443/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe	0%	Avira URL Cloud	safe
https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe	0%	Avira URL Cloud	safe
https://api.github.com/repos/mirfatif/PermissionManagerX/releases/latest	0%	Avira URL Cloud	safe
https://xdaforums.com/attachments/aapt-arm-pie-zip.6053069/	0%	Avira URL Cloud	safe
https://play.google.com/store/apps/details?id=flar2.homebutton	0%	Avira URL Cloud	safe
https://api.github.com/repos/K3V1991/ADB-and-FastbootPlusPlus/releases/latest	0%	Avira URL Cloud	safe
https://api.github.com/repos/codefaktor/FTVLaunchX/releases/latest	0%	Avira URL Cloud	safe
https://github.com/Genymobile/scrcpy/blob/master/doc/shortcuts.md#shortcuts	0%	Avira URL Cloud	safe
https://api.github.com/repos/spocky/miproja1/releases/latest	0%	Avira URL Cloud	safe
https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe?C:	0%	Avira URL Cloud	safe
https://github.com/K3V1991/ADB-and-FastbootPlusPlus/releases/download/%ver_adb%/ADB-and-Fastboot	0%	Avira URL Cloud	safe
https://objects.githubusercontent.com/github-production-release-asset-2e65be/50417431/6e51c424-c3ca-	0%	Avira URL Cloud	safe
https://mirfatif.github.io/PermissionManagerX/	0%	Avira URL Cloud	safe
https://api.github.com/repos/0x192/universal-android-debloater/releases	0%	Avira URL Cloud	safe
https://xdaforums.com/attachments/google-play-store_v38-7-29-apk.6052033/	0%	Avira URL Cloud	safe
https://github.com/r3	0%	Avira URL Cloud	safe
https://xdaforums.com/attachments/countries-list-txt.6067313/	0%	Avira URL Cloud	safe
https://www.adslzone.net/reportajes/tv-streaming/que-es-tecnologia-iptv/#395576-que-son-las-listas-i	0%	Avira URL Cloud	safe
https://xdaforums.com/attachments/google-tv-home_1-0-591121582-apk.6051727/	0%	Avira URL Cloud	safe
https://kutt.it/stn_bridge_amazon	0%	Avira URL Cloud	safe
https://github.com/codefaktor/FTVLaunchX/releases/download/v1.0.1/FTVLaunchX-1.0.1.apk	0%	Avira URL Cloud	safe
https://github.com/0x192/universal-android-debloater#universal-android-debloater-gui	0%	Avira URL Cloud	safe
https://adguard.com/adguard-android-tv/overview.html	0%	Avira URL Cloud	safe
https://api.github.com/repos/realOxy/M3UAndroid/releases/latest	0%	Avira URL Cloud	safe
https://xdaforums.com/t/tool-all-in-one-tool-for-windows-android-tv-tools-v2.4648239/	0%	Avira URL Cloud	safe
https://9to5google.com/guides/android-tv/	0%	Avira URL Cloud	safe
https://play.google.com/store/apps/details?id=%%%%j	0%	Avira URL Cloud	safe
https://play.google.com/store/apps/details?id=com.neilturner.aerialviews	0%	Avira URL Cloud	safe
https://xdaforums.com/attachments/wifi-pro-ftp-server_v1-9-5-build-74-apk.5924749/	0%	Avira URL Cloud	safe
https://gitlab.com/flauncher/flauncher/-/releases/0.18.0/downloads/flauncher-0.18.0.apk	0%	Avira URL Cloud	safe
https://play.google.com/store/apps/details?id=org.xbmc.kodi	0%	Avira URL Cloud	safe
https://xdaforums.com/t/how-to-prepare-smartwatch-for-advanced-functions.4511103/	0%	Avira URL Cloud	safe
https://play.google.com/store/apps/details?id=ar.tvplayer.tv	0%	Avira URL Cloud	safe
https://xdaforums.com/t/tool-all-in-one-tool-for-windows-android-tv-tools-v2.4648239/	1%	Virustotal		Browse
https://github.com/Genymobile/scrcpy	0%	Avira URL Cloud	safe
https://xdaforums.com/attachments/wifi-pro-ftp-server_v1-9-5-build-74-apk.5924749/	0%	Virustotal		Browse
https://api.github.com/repos/Genymobile/scrcpy/releases/latest	0%	Avira URL Cloud	safe
https://github.com/codefaktor/FTVLaunchX/blob/develop/README.md	0%	Avira URL Cloud	safe
https://play.google.com/store/apps/details?id=org.xbmc.kodi	0%	Virustotal		Browse
https://gitlab.com/flauncher/flauncher/-/releases/0.18.0/downloads/flauncher-0.18.0.apk	0%	Virustotal		Browse
http://crl.ver)	0%	Avira URL Cloud	safe
https://xdaforums.com/t/how-to-prepare-smartwatch-for-advanced-functions.4511103/	0%	Virustotal		Browse
https://smarttubeapp.github.io/	0%	Avira URL Cloud	safe
https://github.com/Genymobile/scrcpy	0%	Virustotal		Browse
https://play.google.com/store/apps/details?id=ar.tvplayer.tv	0%	Virustotal		Browse
https://github.com/Genymobile/scrcpy/releases/download/%ver_scrcpy%/scrcpy-win%arquitectura_windows%	0%	Avira URL Cloud	safe
https://api.github.com/repos/Genymobile/scrcpy/releases/latest	0%	Virustotal		Browse
https://github.com/Free-TV/IPTV?tab=readme-ov-file#free-tv	0%	Avira URL Cloud	safe
https://kutt.it/stn_beta	0%	Avira URL Cloud	safe
https://play.google.com/store/apps/details?id=com.wiseplay	0%	Avira URL Cloud	safe
https://github.com/codefaktor/FTVLaunchX/blob/develop/README.md	0%	Virustotal		Browse
https://xdaforums.com/attachments/google-play-apk.6050959/	0%	Avira URL Cloud	safe
https://xdaforums.com/c/android-tv.4276/	0%	Avira URL Cloud	safe
https://github.com/Free-TV/IPTV?tab=readme-ov-file#free-tv	0%	Virustotal		Browse
https://apkins.aptoide.com/AptoideTV-5.1.2.apk	0%	Avira URL Cloud	safe
https://smarttubeapp.github.io/	0%	Virustotal		Browse
https://objects.githubusercontent.com:443	0%	Avira URL Cloud	safe
https://play.google.com/store/apps/details?id=com.wiseplay	0%	Virustotal		Browse
https://github.com/K3V1991/ADB-and-FastbootPlusPlus	0%	Avira URL Cloud	safe
https://github.com/Genymobile/scrcpy/releases/download/%ver_scrcpy%/scrcpy-win%arquitectura_windows%	0%	Virustotal		Browse
https://xdaforums.com/attachments/google-play-apk.6050959/	2%	Virustotal		Browse
https://kutt.it/stn_beta	1%	Virustotal		Browse
https://github.com/iptv-org/iptv?tab=readme-ov-file#playlists	0%	Avira URL Cloud	safe
https://xdaforums.com/c/android-tv.4276/	0%	Virustotal		Browse
https://github.com/iptv-org/iptv?tab=readme-ov-file#playlists	0%	Virustotal		Browse
https://objects.githubusercontent.com/	0%	Avira URL Cloud	safe
https://mirfatif.github.io/PermissionManagerX/help/en/	0%	Avira URL Cloud	safe
http://agrd.io/tvapk	0%	Avira URL Cloud	safe
http://agrd.io/tvapk	0%	Virustotal		Browse
https://apkins.aptoide.com/AptoideTV-5.1.2.apk	0%	Virustotal		Browse
https://github.com/mirfatif/PermissionManagerX/releases/download/%ver_PMX%/PMX_%ver_PMX%.apk	0%	Avira URL Cloud	safe
https://kutt.it/stn_stable	0%	Avira URL Cloud	safe
https://objects.githubusercontent.com/	1%	Virustotal		Browse
https://mirfatif.github.io/PermissionManagerX/help/en/	0%	Virustotal		Browse
https://github.com/K3V1991/ADB-and-FastbootPlusPlus	0%	Virustotal		Browse
https://github.com/mirfatif/PermissionManagerX/releases/download/%ver_PMX%/PMX_%ver_PMX%.apk	0%	Virustotal		Browse
https://kutt.it/stn_stable	0%	Virustotal		Browse
https://objects.githubusercontent.com:443	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
google.com	142.250.184.238	true	false	1%, Virustotal, Browse	unknown
github.com	140.82.121.3	true	true	0%, Virustotal, Browse	unknown
objects.githubusercontent.com	185.199.109.133	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://atvlauncher.trekgonewild.de/	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://kutt.it/stn_bridge_atv	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://www.tdtchannels.com/listas	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://f-droid.org/repo/news.androidtv.launchonboot_12.apk	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://www.androidpolice.com/2021/01/30/how-to-remap-remote-buttons-take-screenshot-chromecast-with	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com/0x192/universal-android-debloater/releases/download/%ver_debloater%/uad_gui-windo	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com/0x192/universal-android-debloater/wiki/FAQ	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://iptv-org.github.io/	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://www.reddit.com/r/AndroidTV/	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://www.androidtv-guide.com/	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://www.reddit.com/r/AndroidTV/comments/1ajkxbk/tool_allinone_tool_for_windows_android_tv_tools_	Android TV Tools v3_EN.exe, 00000000.00000002.2911860916.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp, tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://xdaforums.com/attachments/google-installer_3-0-apk.6052043/	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.11.dr, qmgr.db.11.dr	false	URL Reputation: safe	unknown
https://gitlab.com/AuroraOSS/AuroraStore/uploads/ac32503aee88c6d1067dad57f3f92e09/AuroraStore_4.3.5.	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://play.google.com/store/apps/details?id=com.tdtchannels.player	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com:443/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe	svchost.exe, 0000000B.00000002.2913225702.00000179B4A8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2913199656.00000179B4A64000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.github.com/repos/mirfatif/PermissionManagerX/releases/latest	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://xdaforums.com/attachments/aapt-arm-pie-zip.6053069/	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/Prod.C:	edb.log.11.dr, qmgr.db.11.dr	false	URL Reputation: safe	unknown
https://play.google.com/store/apps/details?id=flar2.homebutton	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://api.github.com/repos/K3V1991/ADB-and-FastbootPlusPlus/releases/latest	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://api.github.com/repos/codefaktor/FTVLaunchX/releases/latest	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2	edb.log.11.dr, qmgr.db.11.dr	false	URL Reputation: safe	unknown
https://github.com/Genymobile/scrcpy/blob/master/doc/shortcuts.md#shortcuts	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://api.github.com/repos/spocky/miproja1/releases/latest	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe?C:	edb.log.11.dr	false	Avira URL Cloud: safe	unknown
https://github.com/K3V1991/ADB-and-FastbootPlusPlus/releases/download/%ver_adb%/ADB-and-Fastboot	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://objects.githubusercontent.com/github-production-release-asset-2e65be/50417431/6e51c424-c3ca-	svchost.exe, 0000000B.00000002.2913304850.00000179B4AE5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mirfatif.github.io/PermissionManagerX/	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://api.github.com/repos/0x192/universal-android-debloater/releases	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://xdaforums.com/attachments/google-play-store_v38-7-29-apk.6052033/	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com/r3	svchost.exe, 0000000B.00000002.2912230584.00000179AF45B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://xdaforums.com/attachments/countries-list-txt.6067313/	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://www.adslzone.net/reportajes/tv-streaming/que-es-tecnologia-iptv/#395576-que-son-las-listas-i	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://xdaforums.com/attachments/google-tv-home_1-0-591121582-apk.6051727/	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 0000000B.00000003.1669856236.00000179B49D2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr	false	URL Reputation: safe	unknown
https://kutt.it/stn_bridge_amazon	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com/codefaktor/FTVLaunchX/releases/download/v1.0.1/FTVLaunchX-1.0.1.apk	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com/0x192/universal-android-debloater#universal-android-debloater-gui	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://adguard.com/adguard-android-tv/overview.html	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://api.github.com/repos/realOxy/M3UAndroid/releases/latest	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://xdaforums.com/t/tool-all-in-one-tool-for-windows-android-tv-tools-v2.4648239/	Android TV Tools v3_EN.exe, 00000000.00000002.2911860916.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp, tmp9682.bat.0.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://9to5google.com/guides/android-tv/	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://play.google.com/store/apps/details?id=%%%%j	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://play.google.com/store/apps/details?id=com.neilturner.aerialviews	tmp9682.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://xdaforums.com/attachments/wifi-pro-ftp-server_v1-9-5-build-74-apk.5924749/	tmp9682.bat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://gitlab.com/flauncher/flauncher/-/releases/0.18.0/downloads/flauncher-0.18.0.apk	tmp9682.bat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://play.google.com/store/apps/details?id=org.xbmc.kodi	tmp9682.bat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://xdaforums.com/t/how-to-prepare-smartwatch-for-advanced-functions.4511103/	tmp9682.bat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://play.google.com/store/apps/details?id=ar.tvplayer.tv	tmp9682.bat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Genymobile/scrcpy	tmp9682.bat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.github.com/repos/Genymobile/scrcpy/releases/latest	tmp9682.bat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/codefaktor/FTVLaunchX/blob/develop/README.md	tmp9682.bat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 0000000B.00000002.2913070316.00000179B4A00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://smarttubeapp.github.io/	tmp9682.bat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Genymobile/scrcpy/releases/download/%ver_scrcpy%/scrcpy-win%arquitectura_windows%	tmp9682.bat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Free-TV/IPTV?tab=readme-ov-file#free-tv	tmp9682.bat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://kutt.it/stn_beta	tmp9682.bat.0.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io	tmp9682.bat.0.dr	false	URL Reputation: safe	unknown
https://play.google.com/store/apps/details?id=com.wiseplay	tmp9682.bat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://xdaforums.com/attachments/google-play-apk.6050959/	tmp9682.bat.0.dr	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://xdaforums.com/c/android-tv.4276/	tmp9682.bat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 0000000B.00000003.1669856236.00000179B49D2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr	false	URL Reputation: safe	unknown
https://apkins.aptoide.com/AptoideTV-5.1.2.apk	tmp9682.bat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://objects.githubusercontent.com:443	svchost.exe, 0000000B.00000002.2913225702.00000179B4A8D000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/K3V1991/ADB-and-FastbootPlusPlus	Android TV Tools v3_EN.exe, 00000000.00000002.2911860916.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp, tmp9682.bat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/iptv-org/iptv?tab=readme-ov-file#playlists	tmp9682.bat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://agrd.io/tvapk	tmp9682.bat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://objects.githubusercontent.com/	svchost.exe, 0000000B.00000002.2913304850.00000179B4AD9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2913225702.00000179B4A8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2913359677.00000179B4AFC000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://mirfatif.github.io/PermissionManagerX/help/en/	tmp9682.bat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/mirfatif/PermissionManagerX/releases/download/%ver_PMX%/PMX_%ver_PMX%.apk	tmp9682.bat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://kutt.it/stn_stable	tmp9682.bat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.199.109.133	objects.githubusercontent.com	Netherlands	54113	FASTLYUS	false
142.250.184.238	google.com	United States	15169	GOOGLEUS	false
140.82.121.3	github.com	United States	36459	GITHUBUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447533
Start date and time:	2024-05-25 20:58:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Android TV Tools v3_EN.exe
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@23/14@3/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 22 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:58:57	API Interceptor	41x Sleep call for process: powershell.exe modified
14:58:58	API Interceptor	2x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.199.109.133	http://pub-fb0561fd3a5e439f9388777913d353d9.r2.dev/ax24.html	Get hash	malicious	Unknown	Browse
	http://nervous-seed-snowplow.glitch.me	Get hash	malicious	Unknown	Browse
	http://selliliar.live	Get hash	malicious	Unknown	Browse
	http://shreya-mjn.github.io/netflixclone	Get hash	malicious	Unknown	Browse
	cuObZRxN0x.exe	Get hash	malicious	Python Stealer, Monster Stealer	Browse
	MicrosoftCorporation.exe	Get hash	malicious	AsyncRAT, PrivateLoader	Browse
	file01 - copia (2).ps1	Get hash	malicious	Xmrig	Browse
	https://github.com/limiteci/WannaCry	Get hash	malicious	Wannacry	Browse
	https://github.com/oLDschollBozz/BF2042Galaxy	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	https://setopsaccom-my.sharepoint.com/:b:/g/personal/mcolchado_setopsac_com/EdegGaEQdopEuWC71vxM2u8BC1AoyqcAfqM5GjJo_9SU8A?e=4%3a15DEva&at=9&xsdata=MDV8MDJ8bmljb2xlLmNhbXBvc0BzZ3MuY29tfDhkNmZiOTRlOTA4ODQ5Y2E3OTE2MDhkYzZmODNmYjM5fGU5NmZhNzJiYzhkNjQ5NTc5NmJkYzdmOGRjMzBjYzg4fDB8MHw2Mzg1MDc4NTk4Mzk4OTM2NjZ8VW5rbm93bnxUV0ZwYkdac2IzZDhleUpXSWpvaU1DNHdMakF3TURBaUxDSlFJam9pVjJsdU16SWlMQ0pCVGlJNklrMWhhV3dpTENKWFZDSTZNbjA9fDB8fHw%3d&sdata=Uk5oNFRzTUVyNXRpVFNuRWZoaEJRdzhySVlGR1p5NnhBVjQ3aWNGM3ZRZz0%3d	Get hash	malicious	Unknown	Browse
140.82.121.3	6glRBXzk6i.exe	Get hash	malicious	RedLine	Browse	github.com/dyrka314/Balumba/releases/download/ver2/encrypted_ImpulseCrypt_5527713376.2.exe
	firefox.lnk	Get hash	malicious	CobaltStrike	Browse	github.com/john-xor/temp/blob/main/index.html?raw=true
	0XzeMRyE1e.exe	Get hash	malicious	Amadey, Vidar	Browse	github.com/neiqops/ajajaj/raw/main/file_22613.exe
	MzRn1YNrbz.exe	Get hash	malicious	Vidar	Browse	github.com/AdobeInstal/Adobe-After-Effects-CC-2022-1.4/releases/download/123/Software.exe
	RfORrHIRNe.doc	Get hash	malicious	Unknown	Browse	github.com/ssbb36/stv/raw/main/5.mp3

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
objects.githubusercontent.com	https://github.com/skeeto/w64devkit/releases/download/v1.23.0/w64devkit-1.23.0.zip	Get hash	malicious	Unknown	Browse	185.199.108.133
	https://io-trezorsuite.com/	Get hash	malicious	Unknown	Browse	185.199.108.133
	https://github.com/ustaxes/UsTaxes/files/15378217/All.2023.Tax.Documents.zip	Get hash	malicious	Unknown	Browse	185.199.108.133
	https://github.com/Edoumou/T-Grant/files/15404347/2023.COMPLETE.TAX.ORGANIZER.pdf.zip	Get hash	malicious	Unknown	Browse	185.199.111.133
	https://github.com/ustaxes/UsTaxes/files/15378217/All.2023.Tax.Documents.zip	Get hash	malicious	Unknown	Browse	185.199.111.133
	SecuriteInfo.com.Win64.DropperX-gen.22747.2720.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	SecuriteInfo.com.Win64.DropperX-gen.22747.2720.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	SecuriteInfo.com.Win64.SpywareX-gen.2363.7900.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	SecuriteInfo.com.Win64.SpywareX-gen.2363.7900.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	https://github.com/jmeubank/tdm-gcc/releases/download/v10.3.0-tdm64-2/tdm64-gcc-10.3.0-2.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
github.com	SecuriteInfo.com.Win32.Malware-gen.11603.24824.exe	Get hash	malicious	Unknown	Browse	140.82.121.10
	SecuriteInfo.com.Win32.Malware-gen.11603.24824.exe	Get hash	malicious	Unknown	Browse	140.82.121.9
	KpPUQs67Wj.jar	Get hash	malicious	STRRAT	Browse	140.82.121.4
	https://github.com/skeeto/w64devkit/releases/download/v1.23.0/w64devkit-1.23.0.zip	Get hash	malicious	Unknown	Browse	140.82.121.4
	Proof of payment.jar	Get hash	malicious	STRRAT	Browse	140.82.121.3
	Proof of payment.jar	Get hash	malicious	STRRAT	Browse	140.82.121.3
	https://io-trezorsuite.com/	Get hash	malicious	Unknown	Browse	140.82.121.3
	https://github.com/ustaxes/UsTaxes/files/15378217/All.2023.Tax.Documents.zip	Get hash	malicious	Unknown	Browse	140.82.121.3
	https://github.com/Edoumou/T-Grant/files/15404347/2023.COMPLETE.TAX.ORGANIZER.pdf.zip	Get hash	malicious	Unknown	Browse	140.82.121.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	https://tryubv01.pages.dev/	Get hash	malicious	Unknown	Browse	151.101.129.16
	http://att-109494-103297.square.site/	Get hash	malicious	Unknown	Browse	151.101.129.46
	http://delicious-decorous-army.glitch.me/public/RRENFCONL0.HTML	Get hash	malicious	HTMLPhisher	Browse	151.101.192.84
	https://uuyy112200.wixsite.com/my-site-2	Get hash	malicious	Unknown	Browse	151.101.194.217
	http://servty467.wixsite.com/csuadmin24	Get hash	malicious	Unknown	Browse	151.101.194.217
	https://lucah141.my-telegram.my.id/	Get hash	malicious	Unknown	Browse	151.101.130.137
	https://bitly.cx/LmuIz	Get hash	malicious	Unknown	Browse	151.101.130.137
	https://steamcomnumitly.com/get/spring/afaFJ4a/50	Get hash	malicious	Unknown	Browse	151.101.130.137
	https://dna-id-xv-news.resmi69.my.id/	Get hash	malicious	Unknown	Browse	151.101.65.229
	https://clientes-entrega.top/gin/billing.php	Get hash	malicious	Unknown	Browse	151.101.1.229
GITHUBUS	SecuriteInfo.com.Win32.Malware-gen.11603.24824.exe	Get hash	malicious	Unknown	Browse	140.82.121.10
	SecuriteInfo.com.Win32.Malware-gen.11603.24824.exe	Get hash	malicious	Unknown	Browse	140.82.121.9
	KpPUQs67Wj.jar	Get hash	malicious	STRRAT	Browse	140.82.121.4
	https://github.com/skeeto/w64devkit/releases/download/v1.23.0/w64devkit-1.23.0.zip	Get hash	malicious	Unknown	Browse	140.82.121.4
	Proof of payment.jar	Get hash	malicious	STRRAT	Browse	140.82.121.4
	Proof of payment.jar	Get hash	malicious	STRRAT	Browse	140.82.121.4
	http://toenpocket.pro/	Get hash	malicious	HTMLPhisher	Browse	140.82.112.21
	https://io-trezorsuite.com/	Get hash	malicious	Unknown	Browse	140.82.121.3
	https://github.com/ustaxes/UsTaxes/files/15378217/All.2023.Tax.Documents.zip	Get hash	malicious	Unknown	Browse	140.82.121.3
	https://github.com/Edoumou/T-Grant/files/15404347/2023.COMPLETE.TAX.ORGANIZER.pdf.zip	Get hash	malicious	Unknown	Browse	140.82.121.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://alsamah.ae/products/&ved=2ahUKEwjF9YHzr6WGAxW4EFkFHSf6BdcQjBB6BAgVEAE&usg=AOvVaw3Td0ZMPQIvFh2L-u6lkLFb	Get hash	malicious	Unknown	Browse	185.199.109.133 140.82.121.3
	RRzU5xqSZH.exe	Get hash	malicious	Unknown	Browse	185.199.109.133 140.82.121.3
	IGHpHq1KPO.exe	Get hash	malicious	Unknown	Browse	185.199.109.133 140.82.121.3
	https://clncapassasetmanement.store/T8lld8	Get hash	malicious	Unknown	Browse	185.199.109.133 140.82.121.3
	http://azuremail.ca/passerelle.php?id_envoi_courriel=5806909&lien=//xenbel.net/checker2	Get hash	malicious	HTMLPhisher	Browse	185.199.109.133 140.82.121.3
	https://forwigjoeeiorjegoeirjhhjeri.azurewebsites.net/	Get hash	malicious	TechSupportScam	Browse	185.199.109.133 140.82.121.3
	https://serviceclient.akomeryemrentals.inovaperf.me/aurelie.--_--boichard%40/bellatrix.l--_--estrange%40/daniell--_--marchand/innocenti.--_--patrick/	Get hash	malicious	Unknown	Browse	185.199.109.133 140.82.121.3
	http://moctle.com/	Get hash	malicious	Unknown	Browse	185.199.109.133 140.82.121.3
	https://rechrgerte.sbs/	Get hash	malicious	Unknown	Browse	185.199.109.133 140.82.121.3
	https://rechrgerte.xyz/	Get hash	malicious	Unknown	Browse	185.199.109.133 140.82.121.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3272696992787443
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrF:KooCEYhgYEL0In
MD5:	F0F44458BB1F63931B258CB6C8C40832
SHA1:	5C464026914A24223AA50F645C87140C464E3CEB
SHA-256:	3BAB738315052DDC64031B18B84122E2FC6C7DAFCA87D05C86C2DF32D80BCE66
SHA-512:	9728D1B04FF171746D0CC942EDAD334F5757B7C51513B2E479BECE80538B207D7701B5DD50FCA4D33542BC08C428B1FAC111536B7874001AC24812315DBD6431
Malicious:	false
Reputation:	low
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x7fce232b, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.42214811027704024
Encrypted:	false
SSDEEP:	1536:ZSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Zaza/vMUM2Uvz7DO
MD5:	EFC6DD0DF6E7F0370154E543EF78DFBA
SHA1:	C88ED7A560F40A95EC6E03870D68951602975A67
SHA-256:	873ACE74D9A2AD445FEE447BB65CA6D8F92F472892B6AB6F9F01C4C5318ED3B8
SHA-512:	FE38146591EC6EDDB3EAE53CD14E32970C5D68E2E2F5A317CCC0FDB37A03E467244C618C09F695F0B5F76824D4AE9DD5D19B82B1211141CEACCC82FBD6340CE3
Malicious:	false
Preview:	..#+... .......A.......X\...;...{......................0.!..........{A.::...\|y.h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{....................................0.::...\|......................::...\|...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07745098261875773
Encrypted:	false
SSDEEP:	3:v/8Yeo565Cjn13a/O5ff8illcVO/lnlZMxZNQl:vUzTk53qO5ffZOewk
MD5:	3A717D38D7EE31E4A9F9E5D8F6E77299
SHA1:	26B933106174D8A481FEEA0C71E08F6E688F1832
SHA-256:	B838E8CDBD4F55EC2F650062CF7EF07A29B60CC37BC1DDB41AADA8540D1D8BA2
SHA-512:	767FE524D940F4877DD1F91F68079D081578106581A58556959A7E973CEC6055F8FBA4A8C81F283D93E735AF70D4B28390F3D81F2F12F4C5DEEFDEEF07E227C2
Malicious:	false
Preview:	........................................;...{..::...\|.......{A..............{A......{A..........{A]....................::...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2036
Entropy (8bit):	5.549976576105704
Encrypted:	false
SSDEEP:	48:jyFWSU4xymI4RfoUeU+mZ9tK8NWR85YdWMUR11XWKmEqD:jmLHxvIIwLEZ2KWmYdWLRbrvqD
MD5:	0D5D5B85156DDBCEC3B69786D958ED0B
SHA1:	CFA061FACD2D71108F409AED3B7D862C0FA53ECA
SHA-256:	5F6912C0757676F32AC9F1E88FE4BAC00AF200D5D65F0817F81FB8F0EAC85FBC
SHA-512:	314407ED10655D9543BAB0E7CCC049D10CABBB4CED0DD4C43F462BF173EEE0EBCA88AC97F5FD43FAF27B936E952F84499BE77E3BCA3798E0968A1F5ECA4C1DF0
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_egiulgnn.r1p.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qoepv1jm.3w0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t4uk5vgg.x3g.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_utelv5le.g33.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\ytmp\tmp5972.exe

Download File

Process:	C:\Users\user\Desktop\Android TV Tools v3_EN.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	15
Entropy (8bit):	3.3735572622751855
Encrypted:	false
SSDEEP:	3:bO:bO
MD5:	3C52638971EAD82B5929D605C1314EE0
SHA1:	7318148A40FACA203AC402DFF51BBB04E638545C
SHA-256:	5614459EC05FDF6110FA8CE54C34E859671EEFFBA2B7BB4B1AD6C2C6706855AB
SHA-512:	46F85F730E3CA9A57F51416C6AB4D03F868F895568EEE8F7943CD249B2F71D2A3E83C34E7132715C983D3EFAA865A9CB599A4278C911130A0A6948A535C0573B
Malicious:	false
Preview:	RCHELICOPTERFTW

C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat

Download File

Process:	C:\Users\user\Desktop\Android TV Tools v3_EN.exe
File Type:	DOS batch file, ISO-8859 text, with very long lines (309), with CRLF line terminators
Category:	dropped
Size (bytes):	295263
Entropy (8bit):	4.999830876796776
Encrypted:	false
SSDEEP:	1536:Es1zJjo5+su5zJTbfSQQ0XgtozeRPzKqVLeAzpn+EKN5ABdVnfX6Zi/tUT9Iqbzk:EvKNCnKCkz1j54d/u3djG
MD5:	3EF920AF75172A91BD43BD393A85532E
SHA1:	B49F65FA3A5726421EEF5FA13EEADE11B5B7A6EF
SHA-256:	047EA4FD06BD244091ADB10B0AF901F454FBF83FFFE0A2C848FB1B21B8F8397B
SHA-512:	C5B84FB33BCEA17444E02575E9670F29F594532196036FF402F4C4EEF0AC1BC678A16961A23337883BED8376502706C676BE632522EBB1AB1CA319326577422D
Malicious:	true
Preview:	@echo off..set ztmp=C:\Users\user\AppData\Local\Temp\ytmp..set MYFILES=C:\Users\user\AppData\Local\Temp\afolder..set bfcec=tmp5972.exe..set cmdline=..SHIFT /0..@echo off..:: Programado por bernarbernuli..:: Versi.n 3.0..:: 05 de febrero de 2024..::..:: changelog..:: v1.0 (29Dic23) - Versi.n inicial. 3706 lineas..:: v2.0 (05Feb24) - A.adidos nuevos enlaces de consulta. (opc 7.3) // corregido enlace de descarga drivers adb y driver aapt. // Mejorado m.todo de instalaci.n de Projectivy Launcher y FLauncher..:: Ahora siempre descarga la .ltima versi.n disponible de drivers ADB,Universal Android Debloater, scrcpy, SmartTube y Projectivy Launcher..:: a.adido acceso directo de Play Store para que se muestre en tu launcher (opc. 1.9)...:: Arreglado bloqueador de publicidad //A.adida 2. p.gina en opcion 7 (Otras herramientas) // a.adido instalar tiendas alternativas como Aurora Store y Aptoide TV (Opc 7.11)..:: A.adido instal

C:\Users\user\Desktop\Android TV Tools - Aux Files\BIT8DD.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	27136
Entropy (8bit):	5.805931866786917
Encrypted:	false
SSDEEP:	384:8qjyLkmCWzyQFqvf5J0rxzeDhLDooH6wkKmTJrFnO3OgGb+fn:7rSyQYvf5MiDqg6wkKmtlO+gjfn
MD5:	34348DD557468D401AE4BFAE2E850EEE
SHA1:	936CCC900EDFEC3EC50CB8F80669091966F33ECC
SHA-256:	7027C3EAC1C4D4F3724262EBC1FE2443422BCE232F1634C3DE7AEBE9380770E5
SHA-512:	096A1DBA362575BC2A03E59D441B4986F63521E255EC766EEC76D32E8C91601920F4AFB8C682E4CD75AF71CC41F94BFE46524216912DC77F6794C149463CC9F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......R.................D...4......p........`....@.............................................................................<...............................4....................................................................................text....C.......D.................. ..`.rdata..i....`.......H..............@..@.data...."...p.......J..............@....idata..0............\..............@....reloc..2............b..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\Android TV Tools - Aux Files\cmdmax.exe (copy)

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	27136
Entropy (8bit):	5.805931866786917
Encrypted:	false
SSDEEP:	384:8qjyLkmCWzyQFqvf5J0rxzeDhLDooH6wkKmTJrFnO3OgGb+fn:7rSyQYvf5MiDqg6wkKmtlO+gjfn
MD5:	34348DD557468D401AE4BFAE2E850EEE
SHA1:	936CCC900EDFEC3EC50CB8F80669091966F33ECC
SHA-256:	7027C3EAC1C4D4F3724262EBC1FE2443422BCE232F1634C3DE7AEBE9380770E5
SHA-512:	096A1DBA362575BC2A03E59D441B4986F63521E255EC766EEC76D32E8C91601920F4AFB8C682E4CD75AF71CC41F94BFE46524216912DC77F6794C149463CC9F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......R.................D...4......p........`....@.............................................................................<...............................4....................................................................................text....C.......D.................. ..`.rdata..i....`.......H..............@..@.data...."...p.......J..............@....idata..0............\..............@....reloc..2............b..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	5.040273584869553
Encrypted:	false
SSDEEP:	6:Pz3U3nvmWxHLTIBh+isWZLnINcwAFeMmvVOIHJFxMVlmJHaVFtIk3:Pby5pTONs8kDAFSkIrxMVlmJHaVPN
MD5:	ABAE037780C144538CEA36D834B70B66
SHA1:	8CDD20BF0EFF1225050FC055507A40E7A1C5F8F5
SHA-256:	6997D612B30F024959EF423FC18E6457952224D98C5B7724284A61ED6D18F596
SHA-512:	EC0EA785CD1D21EDDB21A88EB5D1531AE5E063AA1D0FE7986A3B62449B630A631E790D01FFB8CC823210E83106A52BF30F93D1DD7A9C77D2798FBA7864B4DA6A
Malicious:	false
Preview:	..Pinging google.com [142.250.184.238] with 32 bytes of data:..Reply from 142.250.184.238: bytes=32 time=6ms TTL=109....Ping statistics for 142.250.184.238:.. Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 6ms, Maximum = 6ms, Average = 6ms..

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.880388405585972
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Android TV Tools v3_EN.exe
File size:	377'128 bytes
MD5:	6d4c50f647700cfcf2f06e137355671d
SHA1:	d7e53c88af4ef48e40262f73dabf3cd30b64e1f1
SHA256:	057b44e12f8052176da2407ecc4d8e2340ff9fe22b499b861b7e3d0d8b103b2e
SHA512:	23cb8d458d72da604c6f157c3ec287866b97bc73ed80075868db8b8acbb60a95604769a4eb16524f41b19453a77287c1d7645e39033b177657535e4e8bd7b246
SSDEEP:	6144:rbY3pmVJLekTbDaMuxyaWUNnZdthDl2Lo526kqOjxlf7b:HY3pmMxQUNPOo526kL
TLSH:	B384175519BA3710E4D728F0819345A64AF8CD1E230FD323EA526253AE3D93BEDB5DE0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... ..oN..oN..oN..sB..oN.`pE..oN..s@..oN..p]..oN..oO..oN.`pD..oN.0iH..oN.Rich.oN.................PE..L....d.S...................

File Icon


Icon Hash:	4005646064656980

Static PE Info

General

Entrypoint:	0x406444
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x53DD6401 [Sat Aug 2 22:19:45 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d247a55625cd61e3f91a266bce0cd371

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0040D120h
push 00408A70h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 10h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0040D034h]
xor edx, edx
mov dl, ah
mov dword ptr [00415ED8h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [00415ED4h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [00415ED0h], ecx
shr eax, 10h
mov dword ptr [00415ECCh], eax
push 00000000h
call 00007F8C98FAF9DFh
pop ecx
test eax, eax
jne 00007F8C98FAD54Ah
push 0000001Ch
call 00007F8C98FAD5DFh
pop ecx
and dword ptr [ebp-04h], 00000000h
call 00007F8C98FAE649h
call dword ptr [0040D030h]
mov dword ptr [00F0EE84h], eax
call 00007F8C98FAF887h
mov dword ptr [00415F14h], eax
call 00007F8C98FAF630h
call 00007F8C98FAF572h
call 00007F8C98FACDF5h
mov eax, dword ptr [00415EE8h]
mov dword ptr [00415EECh], eax
push eax
push dword ptr [00415EE0h]
push dword ptr [00415EDCh]
call 00007F8C98FA804Dh
add esp, 0Ch
mov dword ptr [ebp-1Ch], eax
push eax
call 00007F8C98FACDFAh
mov eax, dword ptr [ebp-14h]
mov ecx, dword ptr [eax]
mov ecx, dword ptr [ecx]

Rich Headers

Programming Language:

[C++] VS98 (6.0) build 8168
[ C ] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd5c0	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0f000	0x3560	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xd000	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xbff6	0xc000	3d664f3f72f1bfbfc0d2510699e922c8	False	0.5731404622395834	data	6.540685415161986	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xd000	0xb60	0x1000	ec6ae981726c690fd83605a870e200cf	False	0.351806640625	data	4.294764655260049	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe000	0xb00e98	0x2000	6bf7c5205870937332494d743b17a8e6	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xb0f000	0x3560	0x4000	780e11dda525dd5af0491d49e6a64bcb	False	0.106201171875	data	4.286815465620729	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xb0f0f0	0x3228	Device independent bitmap graphic, 64 x 128 x 24, image size 0, resolution 3780 x 3780 px/m	English	United States	0.10186915887850467
RT_GROUP_ICON	0xb12318	0x14	data	English	United States	1.3
RT_VERSION	0xb1232c	0x234	data			0.5088652482269503

Imports

DLL

Import

KERNEL32.dll

GetTempPathA, GetModuleFileNameA, GetStdHandle, Sleep, SetConsoleCursorInfo, SetConsoleCursorPosition, SetConsoleTextAttribute, GetTickCount, GetConsoleMode, ExitProcess, TerminateProcess, GetCurrentProcess, GetCommandLineA, GetVersion, GetLastError, GetFileAttributesA, HeapFree, CloseHandle, SetFilePointer, SetHandleCount, GetFileType, GetStartupInfoA, WriteFile, ReadFile, GetProcAddress, GetModuleHandleA, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, RtlUnwind, HeapAlloc, GetExitCodeProcess, WaitForSingleObject, CreateProcessA, VirtualAlloc, HeapReAlloc, SetStdHandle, FlushFileBuffers, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, CreateFileA, GetCPInfo, GetACP, GetOEMCP, LoadLibraryA, CompareStringA, CompareStringW, SetEnvironmentVariableA, SetEndOfFile, LCMapStringA, LCMapStringW, WriteConsoleA, ReadConsoleInputA, SetConsoleMode

WINMM.dll

timeGetTime

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 25, 2024 20:59:03.100931883 CEST	49733	443	192.168.2.4	140.82.121.3
May 25, 2024 20:59:03.100974083 CEST	443	49733	140.82.121.3	192.168.2.4
May 25, 2024 20:59:03.101063013 CEST	49733	443	192.168.2.4	140.82.121.3
May 25, 2024 20:59:03.102617025 CEST	49733	443	192.168.2.4	140.82.121.3
May 25, 2024 20:59:03.102636099 CEST	443	49733	140.82.121.3	192.168.2.4
May 25, 2024 20:59:03.797698021 CEST	443	49733	140.82.121.3	192.168.2.4
May 25, 2024 20:59:03.797786951 CEST	49733	443	192.168.2.4	140.82.121.3
May 25, 2024 20:59:03.801012039 CEST	49733	443	192.168.2.4	140.82.121.3
May 25, 2024 20:59:03.801024914 CEST	443	49733	140.82.121.3	192.168.2.4
May 25, 2024 20:59:03.801434994 CEST	443	49733	140.82.121.3	192.168.2.4
May 25, 2024 20:59:03.843452930 CEST	49733	443	192.168.2.4	140.82.121.3
May 25, 2024 20:59:03.881689072 CEST	49733	443	192.168.2.4	140.82.121.3
May 25, 2024 20:59:03.922537088 CEST	443	49733	140.82.121.3	192.168.2.4
May 25, 2024 20:59:04.094012976 CEST	443	49733	140.82.121.3	192.168.2.4
May 25, 2024 20:59:04.097961903 CEST	443	49733	140.82.121.3	192.168.2.4
May 25, 2024 20:59:04.098037004 CEST	49733	443	192.168.2.4	140.82.121.3
May 25, 2024 20:59:04.098066092 CEST	443	49733	140.82.121.3	192.168.2.4
May 25, 2024 20:59:04.098107100 CEST	443	49733	140.82.121.3	192.168.2.4
May 25, 2024 20:59:04.098114967 CEST	49733	443	192.168.2.4	140.82.121.3
May 25, 2024 20:59:04.098193884 CEST	49733	443	192.168.2.4	140.82.121.3
May 25, 2024 20:59:04.098213911 CEST	49733	443	192.168.2.4	140.82.121.3
May 25, 2024 20:59:04.098228931 CEST	443	49733	140.82.121.3	192.168.2.4
May 25, 2024 20:59:04.098242044 CEST	49733	443	192.168.2.4	140.82.121.3
May 25, 2024 20:59:04.098248005 CEST	443	49733	140.82.121.3	192.168.2.4
May 25, 2024 20:59:04.153155088 CEST	49734	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:04.153191090 CEST	443	49734	185.199.109.133	192.168.2.4
May 25, 2024 20:59:04.153431892 CEST	49734	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:04.153759956 CEST	49734	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:04.153779030 CEST	443	49734	185.199.109.133	192.168.2.4
May 25, 2024 20:59:04.666728973 CEST	443	49734	185.199.109.133	192.168.2.4
May 25, 2024 20:59:04.666940928 CEST	49734	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:04.669408083 CEST	49734	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:04.669434071 CEST	443	49734	185.199.109.133	192.168.2.4
May 25, 2024 20:59:04.669948101 CEST	443	49734	185.199.109.133	192.168.2.4
May 25, 2024 20:59:04.671967983 CEST	49734	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:04.718498945 CEST	443	49734	185.199.109.133	192.168.2.4
May 25, 2024 20:59:04.864234924 CEST	443	49734	185.199.109.133	192.168.2.4
May 25, 2024 20:59:04.864346027 CEST	443	49734	185.199.109.133	192.168.2.4
May 25, 2024 20:59:04.864553928 CEST	49734	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:04.864595890 CEST	443	49734	185.199.109.133	192.168.2.4
May 25, 2024 20:59:04.864615917 CEST	49734	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:04.864615917 CEST	49734	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:04.864625931 CEST	443	49734	185.199.109.133	192.168.2.4
May 25, 2024 20:59:04.864634037 CEST	443	49734	185.199.109.133	192.168.2.4
May 25, 2024 20:59:04.892781973 CEST	49735	443	192.168.2.4	140.82.121.3
May 25, 2024 20:59:04.892819881 CEST	443	49735	140.82.121.3	192.168.2.4
May 25, 2024 20:59:04.893008947 CEST	49735	443	192.168.2.4	140.82.121.3
May 25, 2024 20:59:04.893224001 CEST	49735	443	192.168.2.4	140.82.121.3
May 25, 2024 20:59:04.893251896 CEST	443	49735	140.82.121.3	192.168.2.4
May 25, 2024 20:59:05.605505943 CEST	443	49735	140.82.121.3	192.168.2.4
May 25, 2024 20:59:05.608406067 CEST	49735	443	192.168.2.4	140.82.121.3
May 25, 2024 20:59:05.608434916 CEST	443	49735	140.82.121.3	192.168.2.4
May 25, 2024 20:59:05.609064102 CEST	49735	443	192.168.2.4	140.82.121.3
May 25, 2024 20:59:05.609071970 CEST	443	49735	140.82.121.3	192.168.2.4
May 25, 2024 20:59:05.922610044 CEST	443	49735	140.82.121.3	192.168.2.4
May 25, 2024 20:59:05.925400019 CEST	443	49735	140.82.121.3	192.168.2.4
May 25, 2024 20:59:05.925543070 CEST	443	49735	140.82.121.3	192.168.2.4
May 25, 2024 20:59:05.925610065 CEST	49735	443	192.168.2.4	140.82.121.3
May 25, 2024 20:59:05.925610065 CEST	49735	443	192.168.2.4	140.82.121.3
May 25, 2024 20:59:05.925926924 CEST	49735	443	192.168.2.4	140.82.121.3
May 25, 2024 20:59:05.925926924 CEST	49735	443	192.168.2.4	140.82.121.3
May 25, 2024 20:59:05.925972939 CEST	443	49735	140.82.121.3	192.168.2.4
May 25, 2024 20:59:05.925988913 CEST	443	49735	140.82.121.3	192.168.2.4
May 25, 2024 20:59:05.927119970 CEST	49736	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:05.927149057 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:05.927220106 CEST	49736	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:05.927376986 CEST	49736	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:05.927381992 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.464834929 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.465681076 CEST	49736	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:06.465692043 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.466402054 CEST	49736	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:06.466407061 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.644663095 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.648305893 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.648426056 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.648475885 CEST	49736	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:06.648494005 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.648559093 CEST	49736	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:06.651299000 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.654814959 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.654881954 CEST	49736	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:06.654891014 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.657229900 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.657295942 CEST	49736	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:06.657304049 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.659600019 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.659667015 CEST	49736	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:06.659674883 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.666948080 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.667001963 CEST	49736	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:06.667010069 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.718466043 CEST	49736	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:06.733319998 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.736787081 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.736912966 CEST	49736	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:06.736922026 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.737941027 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.737993956 CEST	49736	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:06.738002062 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.740799904 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.740856886 CEST	49736	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:06.740864992 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.741003036 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.741059065 CEST	49736	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:06.741102934 CEST	49736	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:06.741116047 CEST	443	49736	185.199.109.133	192.168.2.4
May 25, 2024 20:59:06.741132021 CEST	49736	443	192.168.2.4	185.199.109.133
May 25, 2024 20:59:06.741137981 CEST	443	49736	185.199.109.133	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 25, 2024 20:58:57.035573959 CEST	50897	53	192.168.2.4	1.1.1.1
May 25, 2024 20:58:57.042866945 CEST	53	50897	1.1.1.1	192.168.2.4
May 25, 2024 20:59:03.087138891 CEST	50294	53	192.168.2.4	1.1.1.1
May 25, 2024 20:59:03.100039005 CEST	53	50294	1.1.1.1	192.168.2.4
May 25, 2024 20:59:04.099802017 CEST	53749	53	192.168.2.4	1.1.1.1
May 25, 2024 20:59:04.152160883 CEST	53	53749	1.1.1.1	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 25, 2024 20:58:57.050039053 CEST	192.168.2.4	142.250.184.238	4d5a		Echo
May 25, 2024 20:58:57.056359053 CEST	142.250.184.238	192.168.2.4	555a		Echo Reply

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 25, 2024 20:58:57.035573959 CEST	192.168.2.4	1.1.1.1	0x5bf9	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
May 25, 2024 20:59:03.087138891 CEST	192.168.2.4	1.1.1.1	0xe507	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false
May 25, 2024 20:59:04.099802017 CEST	192.168.2.4	1.1.1.1	0x1e5c	Standard query (0)	objects.githubusercontent.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 25, 2024 20:58:57.042866945 CEST	1.1.1.1	192.168.2.4	0x5bf9	No error (0)	google.com	142.250.184.238	A (IP address)	IN (0x0001)	false
May 25, 2024 20:59:03.100039005 CEST	1.1.1.1	192.168.2.4	0xe507	No error (0)	github.com	140.82.121.3	A (IP address)	IN (0x0001)	false
May 25, 2024 20:59:04.152160883 CEST	1.1.1.1	192.168.2.4	0x1e5c	No error (0)	objects.githubusercontent.com	185.199.109.133	A (IP address)	IN (0x0001)	false
May 25, 2024 20:59:04.152160883 CEST	1.1.1.1	192.168.2.4	0x1e5c	No error (0)	objects.githubusercontent.com	185.199.108.133	A (IP address)	IN (0x0001)	false
May 25, 2024 20:59:04.152160883 CEST	1.1.1.1	192.168.2.4	0x1e5c	No error (0)	objects.githubusercontent.com	185.199.110.133	A (IP address)	IN (0x0001)	false
May 25, 2024 20:59:04.152160883 CEST	1.1.1.1	192.168.2.4	0x1e5c	No error (0)	objects.githubusercontent.com	185.199.111.133	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

github.com

objects.githubusercontent.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	140.82.121.3	443	7076	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 18:59:03 UTC	183	OUT	HEAD /tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: github.com
2024-05-25 18:59:04 UTC	997	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Sat, 25 May 2024 18:59:03 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/50417431/6e51c424-c3ca-11e5-97ed-aaf014dfa1f3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240525%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240525T185903Z&X-Amz-Expires=300&X-Amz-Signature=fff4a0719c293d9eda64204276fdc932c8a5e83c54ec30c201cfc9b24ace8e09&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=50417431&response-content-disposition=attachment%3B%20filename%3Dcmdmax-x86.exe&response-content-type=application%2Foctet-stream Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2024-05-25 18:59:04 UTC	3021	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f 6d 20 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 20 61 70 69 2e 67 69 74 68 75 62 2e Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	185.199.109.133	443	7076	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 18:59:04 UTC	661	OUT	HEAD /github-production-release-asset-2e65be/50417431/6e51c424-c3ca-11e5-97ed-aaf014dfa1f3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240525%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240525T185903Z&X-Amz-Expires=300&X-Amz-Signature=fff4a0719c293d9eda64204276fdc932c8a5e83c54ec30c201cfc9b24ace8e09&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=50417431&response-content-disposition=attachment%3B%20filename%3Dcmdmax-x86.exe&response-content-type=application%2Foctet-stream HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: objects.githubusercontent.com
2024-05-25 18:59:04 UTC	814	IN	HTTP/1.1 200 OK Connection: close Content-Length: 27136 Content-Type: application/octet-stream Content-MD5: NDSN1VdGjUAa5L+uLoUO7g== Last-Modified: Wed, 08 Dec 2021 04:12:16 GMT ETag: "0x8D9BA00EB94CF21" Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0 x-ms-request-id: e755e90b-201e-0070-6ff3-8758a2000000 x-ms-version: 2020-10-02 x-ms-creation-time: Wed, 18 Aug 2021 01:46:03 GMT x-ms-lease-status: unlocked x-ms-lease-state: available x-ms-blob-type: BlockBlob Content-Disposition: attachment; filename=cmdmax-x86.exe x-ms-server-encrypted: true Via: 1.1 varnish, 1.1 varnish Accept-Ranges: bytes Age: 0 Date: Sat, 25 May 2024 18:59:04 GMT X-Served-By: cache-iad-kcgs7200171-IAD, cache-nyc-kteb1890029-NYC X-Cache: HIT, MISS X-Cache-Hits: 9, 0 X-Timer: S1716663545.775077,VS0,VE43

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49735	140.82.121.3	443	7076	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 18:59:05 UTC	234	OUT	GET /tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Wed, 08 Dec 2021 04:12:16 GMT User-Agent: Microsoft BITS/7.8 Host: github.com
2024-05-25 18:59:05 UTC	997	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Sat, 25 May 2024 18:59:03 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/50417431/6e51c424-c3ca-11e5-97ed-aaf014dfa1f3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240525%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240525T185903Z&X-Amz-Expires=300&X-Amz-Signature=fff4a0719c293d9eda64204276fdc932c8a5e83c54ec30c201cfc9b24ace8e09&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=50417431&response-content-disposition=attachment%3B%20filename%3Dcmdmax-x86.exe&response-content-type=application%2Foctet-stream Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2024-05-25 18:59:05 UTC	3020	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f 6d 20 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 20 61 70 69 2e 67 69 74 68 75 62 2e Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49736	185.199.109.133	443	7076	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 18:59:06 UTC	712	OUT	GET /github-production-release-asset-2e65be/50417431/6e51c424-c3ca-11e5-97ed-aaf014dfa1f3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240525%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240525T185903Z&X-Amz-Expires=300&X-Amz-Signature=fff4a0719c293d9eda64204276fdc932c8a5e83c54ec30c201cfc9b24ace8e09&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=50417431&response-content-disposition=attachment%3B%20filename%3Dcmdmax-x86.exe&response-content-type=application%2Foctet-stream HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Wed, 08 Dec 2021 04:12:16 GMT User-Agent: Microsoft BITS/7.8 Host: objects.githubusercontent.com
2024-05-25 18:59:06 UTC	811	IN	HTTP/1.1 200 OK Connection: close Content-Length: 27136 Content-Type: application/octet-stream Content-MD5: NDSN1VdGjUAa5L+uLoUO7g== Last-Modified: Wed, 08 Dec 2021 04:12:16 GMT ETag: "0x8D9BA00EB94CF21" Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0 x-ms-request-id: e755e90b-201e-0070-6ff3-8758a2000000 x-ms-version: 2020-10-02 x-ms-creation-time: Wed, 18 Aug 2021 01:46:03 GMT x-ms-lease-status: unlocked x-ms-lease-state: available x-ms-blob-type: BlockBlob Content-Disposition: attachment; filename=cmdmax-x86.exe x-ms-server-encrypted: true Via: 1.1 varnish, 1.1 varnish Accept-Ranges: bytes Date: Sat, 25 May 2024 18:59:06 GMT Age: 2263 X-Served-By: cache-iad-kcgs7200171-IAD, cache-ewr18181-EWR X-Cache: HIT, HIT X-Cache-Hits: 164, 1 X-Timer: S1716663547.568013,VS0,VE36
2024-05-25 18:59:06 UTC	1378	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 91 c4 e4 52 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 03 00 00 44 00 00 00 34 00 00 00 00 00 00 70 17 00 00 00 10 00 00 00 60 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 00 00 00 04 00 00 00 00 00 00 03 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELRD4p`@
2024-05-25 18:59:06 UTC	1378	IN	Data Raw: 45 e6 0f bf 45 e4 40 66 89 45 fc 66 c7 45 fe b9 0b e9 19 01 00 00 83 7d 08 07 0f 85 fa 00 00 00 6a 0a 6a 00 8b 45 0c 8b 40 04 50 e8 0e 03 00 00 83 c4 0c 66 89 45 ec 6a 0a 6a 00 8b 45 0c 8b 40 08 50 e8 f7 02 00 00 83 c4 0c 66 89 45 ee 66 c7 45 e0 00 00 66 c7 45 e2 00 00 6a 0a 6a 00 8b 45 0c 8b 40 0c 50 e8 d4 02 00 00 83 c4 0c 66 89 45 e4 6a 0a 6a 00 8b 45 0c 8b 40 10 50 e8 bd 02 00 00 83 c4 0c 66 89 45 e6 6a 0a 6a 00 8b 45 0c 8b 40 14 50 e8 a6 02 00 00 83 c4 0c 40 66 89 45 fc 6a 0a 6a 00 8b 45 0c 8b 40 18 50 e8 8e 02 00 00 83 c4 0c 40 66 89 45 fe 0f bf 45 e4 0f bf 4d fc 3b c1 0f 8e 09 00 00 00 0f bf 45 e4 40 66 89 45 fc 0f bf 45 fe 0f bf 4d e6 3b c1 0f 8d 09 00 00 00 0f bf 45 e6 40 66 89 45 fe 8b 45 0c 8b 40 04 0f be 00 83 f8 6e 0f 85 19 00 00 00 8b 45 0c Data Ascii: EE@fEfE}jjE@PfEjjE@PfEfEfEjjE@PfEjjE@PfEjjE@P@fEjjE@P@fEEM;E@fEEM;E@fEE@nE
2024-05-25 18:59:06 UTC	1378	IN	Data Raw: 00 00 00 80 eb 05 bf ff ff ff 7f 8b 4c 24 1c 85 c9 74 02 89 31 f7 c5 02 00 00 00 74 02 f7 df 8b c7 5d 5f 5e 5b 83 c4 04 c3 8b 4c 24 1c 85 c9 74 06 8b 44 24 18 89 01 33 c0 5d 5f 5e 5b 83 c4 04 c3 cc cc cc cc cc cc cc cc cc cc cc 8b 54 24 0c 8b 4c 24 04 85 d2 74 47 33 c0 8a 44 24 08 57 8b f9 83 fa 04 72 2d f7 d9 83 e1 03 74 08 2b d1 88 07 47 49 75 fa 8b c8 c1 e0 08 03 c1 8b c8 c1 e0 10 03 c1 8b ca 83 e2 03 c1 e9 02 74 06 f3 ab 85 d2 74 06 88 07 47 4a 75 fa 8b 44 24 08 5f c3 8b 44 24 04 c3 cc cc cc cc cc cc cc cc 64 a1 00 00 00 00 55 8b ec 6a ff 68 00 60 40 00 68 90 36 40 00 50 64 89 25 00 00 00 00 83 ec 10 53 56 57 89 65 e8 ff 15 34 a1 40 00 33 d2 8b c8 8a d4 81 e1 ff 00 00 00 c1 e8 10 89 15 94 75 40 00 89 0d 90 75 40 00 a3 88 75 40 00 c1 e1 08 03 ca 89 0d Data Ascii: L$t1t]_^[L$tD$3]_^[T$L$tG3D$Wr-t+GIuttGJuD$_D$dUjh`@h6@Pd%SVWe4@3u@u@u@
2024-05-25 18:59:06 UTC	1378	IN	Data Raw: 8d 44 24 28 8b 8c 24 5c 02 00 00 0f be d3 50 51 52 e8 a4 07 00 00 83 c4 0c 8b 84 24 60 02 00 00 ff 84 24 60 02 00 00 8a 18 84 db 0f 85 e3 fd ff ff 8b 44 24 28 5d 5f 5e 5b 81 c4 48 02 00 00 c3 83 ce 20 eb d4 83 ce 10 eb cf 81 ce 00 08 00 00 eb c7 0f be cb 83 e9 43 83 f9 35 0f 87 ed 04 00 00 33 c0 8a 81 a4 23 40 00 ff 24 85 60 23 40 00 f7 c6 30 08 00 00 75 06 81 ce 00 08 00 00 f7 c6 10 08 00 00 8d 84 24 64 02 00 00 50 0f 84 75 04 00 00 e8 23 08 00 00 83 c4 04 50 8d 44 24 5c 50 e8 45 20 00 00 83 c4 08 8b f8 85 ff 0f 8d 66 04 00 00 c7 44 24 48 01 00 00 00 e9 59 04 00 00 c7 44 24 4c 01 00 00 00 80 c3 20 83 ce 40 8d 44 24 58 83 7c 24 1c 00 89 44 24 18 0f 8d 78 03 00 00 c7 44 24 1c 06 00 00 00 e9 7a 03 00 00 f7 c6 30 08 00 00 75 06 81 ce 00 08 00 00 83 7c 24 1c Data Ascii: D$($\PQR$`$`D$(]_^[H C53#@$`#@0u$dPu#PD$\PE fD$HYD$L @D$X\|$D$xD$z0u\|$
2024-05-25 18:59:06 UTC	1378	IN	Data Raw: c6 00 01 00 00 74 07 c6 44 24 12 2d eb 1c f7 c6 01 00 00 00 74 07 c6 44 24 12 2b eb 0d f7 c6 02 00 00 00 74 0d c6 44 24 12 20 c7 44 24 38 01 00 00 00 8b 44 24 34 2b c7 2b 44 24 38 f7 c6 0c 00 00 00 89 44 24 20 75 1c 8d 44 24 28 8b 8c 24 5c 02 00 00 8b 54 24 20 50 51 52 6a 20 e8 47 02 00 00 83 c4 10 8d 44 24 28 8b 8c 24 5c 02 00 00 8b 54 24 38 50 8d 44 24 16 51 52 50 e8 68 02 00 00 83 c4 10 f7 c6 08 00 00 00 74 24 f7 c6 04 00 00 00 75 1c 8d 44 24 28 8b 8c 24 5c 02 00 00 8b 54 24 20 50 51 52 6a 30 e8 fc 01 00 00 83 c4 10 83 7c 24 3c 00 74 49 85 ff 7e 45 8b 6c 24 18 8d 5f ff 8b c5 8d 4c 24 14 66 8b 00 83 c5 02 50 51 e8 b4 1a 00 00 83 c4 08 85 c0 7e 3f 8d 4c 24 28 8b 94 24 5c 02 00 00 51 52 50 8d 44 24 20 50 e8 f5 01 00 00 83 c4 10 8b cb 4b 85 c9 75 c4 eb 1b Data Ascii: tD$-tD$+tD$ D$8D$4++D$8D$ uD$($\T$ PQRj GD$($\T$8PD$QRPht$uD$($\T$ PQRj0\|$<tI~El$_L$fPQ~?L$($\QRPD$ PKu
2024-05-25 18:59:06 UTC	1378	IN	Data Raw: 40 00 51 8b 4c 24 14 51 6a 01 50 e8 46 1a 00 00 83 c4 1c 85 c0 75 06 b8 ff ff ff 7f c3 83 e8 02 c3 cc cc cc cc cc a1 74 82 40 00 85 c0 74 02 ff d0 68 10 70 40 00 68 08 70 40 00 e8 d6 00 00 00 83 c4 08 68 04 70 40 00 68 00 70 40 00 e8 c4 00 00 00 83 c4 08 c3 8b 44 24 04 6a 00 6a 00 50 e8 32 00 00 00 83 c4 0c c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 44 24 04 6a 00 6a 01 50 e8 12 00 00 00 83 c4 0c c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc c7 05 c0 75 40 00 01 00 00 00 83 7c 24 08 00 53 56 8b 5c 24 14 88 1d bc 75 40 00 75 3f 83 3d 78 82 40 00 00 74 24 8b 35 70 82 40 00 83 ee 04 3b 35 78 82 40 00 72 13 8b 06 85 c0 74 02 ff d0 83 ee 04 3b 35 78 82 40 00 73 ed 68 1c 70 40 00 68 14 70 40 00 e8 27 00 00 00 83 c4 08 68 24 70 40 00 68 20 70 40 00 e8 15 00 Data Ascii: @QL$QjPFut@thp@hp@hp@hp@D$jjP2D$jjPu@\|$SV\$u@u?=x@t$5p@;5x@rt;5x@shp@hp@'h$p@h p@
2024-05-25 18:59:06 UTC	1378	IN	Data Raw: 00 00 a1 74 78 40 00 50 6a 08 ff d2 83 c4 08 89 3d 74 78 40 00 eb 10 c7 40 08 00 00 00 00 8b 40 04 50 ff d2 83 c4 04 b8 ff ff ff ff 5f 89 35 78 78 40 00 5e c3 8b 4c 24 10 51 ff 15 40 a1 40 00 5f 5e c3 cc ba f0 77 40 00 8b 4c 24 04 39 0a 74 16 83 c2 0c a1 70 78 40 00 8d 04 40 8d 04 85 f0 77 40 00 3b c2 77 e6 8b 02 2b c1 83 f8 01 1b c0 23 c2 c3 cc 83 ec 04 8b 15 b8 72 40 00 53 56 57 33 f6 55 80 3a 00 74 1a 80 3a 3d 74 01 46 8b fa b9 ff ff ff ff 2b c0 f2 ae f7 d1 03 d1 80 3a 00 75 e6 8d 04 b5 04 00 00 00 50 e8 a5 11 00 00 a3 a4 75 40 00 83 c4 04 8b d8 85 db 75 0a 6a 09 e8 70 eb ff ff 83 c4 04 8b 2d b8 72 40 00 8b c5 80 7d 00 00 74 5e 8b fd b9 ff ff ff ff 2b c0 f2 ae f7 d1 89 4c 24 10 80 7d 00 3d 74 3d 51 e8 62 11 00 00 83 c4 04 89 03 85 c0 75 0a 6a 09 e8 32 Data Ascii: tx@Pj=tx@@@P_5xx@^L$Q@@_^w@L$9tpx@@w@;w+#r@SVW3U:t:=tF+:uPu@ujp-r@}t^+L$}=t=Qbuj2
2024-05-25 18:59:06 UTC	1378	IN	Data Raw: c4 04 c3 33 c0 5d 5f 5e 5b 83 c4 04 c3 cc cc cc cc cc 8b 44 24 04 83 ec 18 53 56 57 55 50 e8 cf 01 00 00 83 c4 04 8b e8 39 2d 8c 79 40 00 75 0a 33 c0 5d 5f 5e 5b 83 c4 18 c3 85 ed 75 0f e8 5f 02 00 00 33 c0 5d 5f 5e 5b 83 c4 18 c3 c7 44 24 10 00 00 00 00 b8 b0 79 40 00 39 28 0f 84 9b 00 00 00 83 c0 30 ff 44 24 10 3d a0 7a 40 00 72 ea 8d 44 24 14 50 55 ff 15 5c a1 40 00 83 f8 01 0f 85 43 01 00 00 bf 88 78 40 00 33 c0 b9 40 00 00 00 f3 ab aa 83 7c 24 14 01 0f 86 06 01 00 00 8d 74 24 1a 38 44 24 1a 74 2c 8a 4e 01 84 c9 74 25 33 c0 33 d2 8a 06 8a d1 3b d0 72 11 80 88 89 78 40 00 04 40 33 c9 8a 4e 01 3b c8 73 ef 83 c6 02 80 3e 00 75 d4 b8 01 00 00 00 80 88 89 78 40 00 08 40 3d ff 00 00 00 72 f1 55 89 2d 8c 79 40 00 e8 4d 01 00 00 83 c4 04 e9 af 00 00 00 bf 88 Data Ascii: 3]_^[D$SVWUP9-y@u3]_^[u_3]_^[D$y@9(0D$=z@rD$PU\@Cx@3@\|$t$8D$t,Nt%33;rx@@3N;s>ux@@=rU-y@M
2024-05-25 18:59:06 UTC	1378	IN	Data Raw: 89 43 0c ff 54 8f 08 8b 7b 08 8d 0c 76 8b 34 8f eb a1 b8 00 00 00 00 eb 1c b8 01 00 00 00 eb 15 55 8d 6b 10 6a ff 53 e8 3a f3 ff ff 83 c4 08 5d b8 01 00 00 00 5d 5f 5e 5b 8b e5 5d c3 55 8b 4c 24 08 8b 29 8b 41 1c 50 8b 41 18 50 e8 15 f3 ff ff 83 c4 08 5d c2 04 00 cc cc cc cc cc cc cc cc a1 c4 72 40 00 83 f8 01 74 0d 85 c0 75 2e 83 3d c8 72 40 00 01 75 25 68 fc 00 00 00 e8 1f 00 00 00 83 c4 04 a1 98 7d 40 00 85 c0 74 02 ff d0 68 ff 00 00 00 e8 07 00 00 00 83 c4 04 c3 cc cc cc 81 ec a8 01 00 00 33 c0 b9 10 7d 40 00 53 8b 94 24 b0 01 00 00 56 57 55 39 11 74 0c 83 c1 08 40 81 f9 98 7d 40 00 72 f0 39 14 c5 10 7d 40 00 8d 1c c5 00 00 00 00 0f 85 a7 01 00 00 83 3d c4 72 40 00 01 0f 84 5f 01 00 00 83 3d c4 72 40 00 00 75 0d 83 3d c8 72 40 00 01 0f 84 49 01 00 00 Data Ascii: CT{v4UkjS:]]_^[]UL$)APAP]r@tu.=r@u%h}@th3}@S$VWU9t@}@r9}@=r@_=r@u=r@I
2024-05-25 18:59:06 UTC	1378	IN	Data Raw: ff ff 5f c7 05 7c 75 40 00 09 00 00 00 c7 05 80 75 40 00 00 00 00 00 5e 5b c3 cc cc cc cc 56 ff 05 78 75 40 00 8b 74 24 08 68 00 10 00 00 e8 fb 01 00 00 83 c4 04 89 46 08 85 c0 74 0d 83 4e 0c 08 c7 46 18 00 10 00 00 eb 11 83 4e 0c 04 8d 46 14 89 46 08 c7 46 18 02 00 00 00 8b 46 08 89 06 c7 46 04 00 00 00 00 5e c3 cc cc cc cc cc 8b 54 24 04 39 15 68 81 40 00 77 03 33 c0 c3 8b c2 83 e2 1f 83 e0 e7 c1 f8 03 8b 88 70 81 40 00 33 c0 8a 44 d1 04 83 e0 40 c3 cc cc cc cc cc cc 8b 4c 24 04 83 ec 04 85 c9 75 06 33 c0 83 c4 04 c3 83 3d 38 7e 40 00 00 75 2b 66 81 7c 24 0c ff 00 76 13 b8 ff ff ff ff 83 c4 04 c7 05 7c 75 40 00 2a 00 00 00 c3 8a 44 24 0c 88 01 b8 01 00 00 00 83 c4 04 c3 8d 44 24 00 8b 15 d4 77 40 00 c7 44 24 00 00 00 00 00 50 6a 00 52 a1 48 7e 40 00 51 Data Ascii: _\|u@u@^[Vxu@t$hFtNFNFFFFF^T$9h@w3p@3D@L$u3=8~@u+f\|$v\|u@*D$D$w@D$PjRH~@Q

Target ID:	0
Start time:	14:58:55
Start date:	25/05/2024
Path:	C:\Users\user\Desktop\Android TV Tools v3_EN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Android TV Tools v3_EN.exe"
Imagebase:	0x400000
File size:	377'128 bytes
MD5 hash:	6D4C50F647700CFCF2F06E137355671D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	14:58:56
Start date:	25/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	14:58:56
Start date:	25/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\afolder" mkdir "C:\Users\user\AppData\Local\Temp\afolder"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:58:56
Start date:	25/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\ytmp" mkdir "C:\Users\user\AppData\Local\Temp\ytmp"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:58:56
Start date:	25/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c attrib +h C:\Users\user\AppData\Local\Temp\ytmp
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:58:56
Start date:	25/05/2024
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	attrib +h C:\Users\user\AppData\Local\Temp\ytmp
Imagebase:	0x430000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:58:56
Start date:	25/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c if exist "C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat" del "C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:58:56
Start date:	25/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c if exist "C:\Users\user\AppData\Local\Temp\ytmp\tmp5972.exe" del "C:\Users\user\AppData\Local\Temp\ytmp\tmp5972.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:58:56
Start date:	25/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat "C:\Users\user\Desktop\Android TV Tools v3_EN.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	14:58:56
Start date:	25/05/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping google.com -n 1
Imagebase:	0x4b0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:58:56
Start date:	25/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'"
Imagebase:	0x500000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:58:57
Start date:	25/05/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	14:59:10
Start date:	25/05/2024
Path:	C:\Users\user\Desktop\Android TV Tools - Aux Files\cmdmax.exe
Wow64 process (32bit):	true
Commandline:	"Android TV Tools - Aux Files\cmdmax.exe" 20 234 120 31 120 9999
Imagebase:	0x400000
File size:	27'136 bytes
MD5 hash:	34348DD557468D401AE4BFAE2E850EEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	21.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.6%
Total number of Nodes:	1374
Total number of Limit Nodes:	25

Executed Functions

Function 00404D37 Relevance: 5.2, APIs: 3, Instructions: 661
timesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

timeGetTime.WINMM ref: 0040552B
Sleep.KERNELBASE(00000003), ref: 00405585
timeGetTime.WINMM ref: 0040558F

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: Timetime$Sleep
String ID:
API String ID: 4176159691-0
Opcode ID: 34695182426c4961b278ce684a6b6519380ca38d5c9cabf86c5f4d6901f888cf
Instruction ID: b751e6467f139353cb55b9ffbe826672e87d8d943d97ab80e4bb7b2c357d5605
Opcode Fuzzy Hash: 34695182426c4961b278ce684a6b6519380ca38d5c9cabf86c5f4d6901f888cf
Instruction Fuzzy Hash: E3120FE7C4020476F7106AA17C4BF9B752C5B2131EF48097EB90D751C3F97AA3684AAB

Function 004036D1 Relevance: 4.5, APIs: 3, Instructions: 42
timesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

timeGetTime.WINMM ref: 004036E5
Sleep.KERNELBASE(00000003), ref: 0040373F
timeGetTime.WINMM ref: 00403749

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: Timetime$Sleep
String ID:
API String ID: 4176159691-0
Opcode ID: cc85ca76a26f2f31c0325530f9469c6ef665bb5aae36b1bad800a382faa1d765
Instruction ID: eae6611afc9ea53c4c174798e7303799e140014dd54562b74f488a96469025fd
Opcode Fuzzy Hash: cc85ca76a26f2f31c0325530f9469c6ef665bb5aae36b1bad800a382faa1d765
Instruction Fuzzy Hash: FC01EDB1C00208EBDB04DF94C94579D7FB4EF0030DF20C0A9E90A6B241D735AB959B99

Function 00406444 Relevance: 3.1, APIs: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 0040646A

Part of subcall function 0040893C: HeapCreate.KERNELBASE(00000000,00001000,00000000,004064A2,00000000), ref: 0040894D
Part of subcall function 0040893C: HeapDestroy.KERNEL32 ref: 0040896B

GetCommandLineA.KERNEL32 ref: 004064B8

Part of subcall function 00406548: ExitProcess.KERNEL32 ref: 00406565

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitLineProcessVersion
String ID:
API String ID: 1387771204-0
Opcode ID: 8f64078e7c1048c80ea45f85acce868f71707771f6b24207ebeb838d2c4f3778
Instruction ID: 011fcb3a6802012f724db4fd9d8ba721985a1d622206a0a919988acb22e904e2
Opcode Fuzzy Hash: 8f64078e7c1048c80ea45f85acce868f71707771f6b24207ebeb838d2c4f3778
Instruction Fuzzy Hash: FE11A2B1D00B01EFD708AF66DD06BB93B64EB84308F10803FF505A62E1DA7849008F6D

Function 00401000 Relevance: 60.5, APIs: 3, Strings: 31, Instructions: 1032
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F5), ref: 00401223
GetModuleFileNameA.KERNEL32(00000000,00413298,00000104), ref: 0040123A
GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\), ref: 00401455

Strings

SativaSmok, xrefs: 004012E4, 004012FC, 00401314, 0040132C, 00401344, 0040135C, 00401374, 0040138C, 004013A4, 004013BC, 004013F6
C:\Users\user\AppData\Local\Temp\ytmp, xrefs: 004015E4, 0040161F, 0040167B, 004016B8, 004016FA, 00401767, 004019A0
%s%s%s%s%s, xrefs: 00401BD2
%s%s%s%s%s%s%s%s, xrefs: 004014D5
if not exist , xrefs: 004015F1
C:\Users\user\AppData\Local\Temp\ytmp\tmp5972.exe, xrefs: 00401771
@echo off, xrefs: 00401E21
%s%s%s%s%s, xrefs: 004015DF
if not exist , xrefs: 004014E7
%s%s, xrefs: 004019AC
C:\Users\user\AppData\Local\Temp\, xrefs: 0040142A, 0040144B, 00401468, 00401476, 004014D0, 004015DA
%s%s%s%s, xrefs: 004016FF
%s%s, xrefs: 004016C2
C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat "C:\Users\user\Desktop\Android TV Tools v3_EN.exe", xrefs: 00401704, 00401711, 00401B62, 00401BCD, 00401BD7, 00401D51, 00401D63, 00401E3D
%s%s%s%s%s, xrefs: 00401B93
%s%s, xrefs: 00401747
377128, xrefs: 004012C7
%s%s%s, xrefs: 0040176C
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00401E26
%s%s, xrefs: 004019CC
C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat, xrefs: 00401716
%s%s%s%s%s%s%s%s, xrefs: 00401B4E
.exe, xrefs: 00401737
.bat, xrefs: 004016E5
C:\Users\user\AppData\Local\Temp\afolder, xrefs: 004014DA, 00401515, 00401571, 004019C0
attrib +h , xrefs: 004016BD
377128, xrefs: 004012CC
mkdir , xrefs: 00401543
mkdir , xrefs: 0040164D
set cmdline=, xrefs: 00401DA8
, xrefs: 00401C8D

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: FileHandleModuleNamePathTemp
String ID: $ 377128$ 377128$ mkdir $ mkdir $%s%s$%s%s$%s%s$%s%s$%s%s%s$%s%s%s%s$%s%s%s%s%s$%s%s%s%s%s$%s%s%s%s%s$%s%s%s%s%s%s%s%s$%s%s%s%s%s%s%s%s$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$.bat$.exe$@echo off$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\afolder$C:\Users\user\AppData\Local\Temp\ytmp$C:\Users\user\AppData\Local\Temp\ytmp\tmp5972.exe$C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat$C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat "C:\Users\user\Desktop\Android TV Tools v3_EN.exe"$SativaSmok$attrib +h $if not exist $if not exist $set cmdline=
API String ID: 582120069-2232961405
Opcode ID: 463d37616fd5927b5e3275e9d21ef53b86b473988ab558a244dd7b08ceaf7d10
Instruction ID: 1f264d1c5fa84f41fc915c775896d5a35dae581fe8400ea8a73f093551c495cf
Opcode Fuzzy Hash: 463d37616fd5927b5e3275e9d21ef53b86b473988ab558a244dd7b08ceaf7d10
Instruction Fuzzy Hash: FB72C7F2D4061476E7106BA1AC07F9B362D9B2131DF4404BAF90D712C2F9BB57684EAB

Function 0040B7EC Relevance: 13.7, APIs: 9, Instructions: 221
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CompareStringW.KERNEL32(00000000,00000000,0040D514,00000001,0040D514,00000001,00000000,012C0DEC,?,00000000,?,00406910,00000000,?,00000000,?), ref: 0040B82A
CompareStringA.KERNEL32(00000000,00000000,0040D510,00000001,0040D510,00000001,?,00406910,00000000,?,00000000,?), ref: 0040B847
CompareStringA.KERNEL32(?,004055BA,00000000,?,?,00000000,00000000,012C0DEC,?,00000000,?,00406910,00000000,?,00000000,?), ref: 0040B8A5
GetCPInfo.KERNEL32(?,00000000,00000000,012C0DEC,?,00000000,?,00406910,00000000,?,00000000,?), ref: 0040B8F6
MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,00000000,00000000,?,00406910,00000000,?,00000000,?), ref: 0040B975
MultiByteToWideChar.KERNEL32(?,00000001,00000000,00000000,00000000,00000000,?,00406910,00000000,?,00000000,?), ref: 0040B9D6
MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,00000000,?,00406910,00000000,?,00000000,?), ref: 0040B9E9
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,?,00000000,?,00406910,00000000,?,00000000,?), ref: 0040BA35
CompareStringW.KERNEL32(?,004055BA,00000000,00000000,?,00000000,?,00000000,?,00406910,00000000,?,00000000,?), ref: 0040BA4D

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID:
API String ID: 1651298574-0
Opcode ID: 1febd849295bec1ab59561060e3b41c03fe70713722d6c16647b5fdedf78774c
Instruction ID: 8202621e738749456c253d6a474982a5d9dbd0abdc63befaa9d84c019e8fc6d1
Opcode Fuzzy Hash: 1febd849295bec1ab59561060e3b41c03fe70713722d6c16647b5fdedf78774c
Instruction Fuzzy Hash: CB71AD72A00249AFCF21AF948C45AEF7BB9EB05314F14803BF955B22A0D3398D55DB9D

Function 0040A78C Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 230
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000001,80000000,00000040,0000000C,00000001,00000080,00000000,00000041,?,00000000), ref: 0040A938
GetFileType.KERNELBASE(00000000), ref: 0040A945
CloseHandle.KERNEL32(00000000), ref: 0040A950
GetLastError.KERNEL32 ref: 0040A956

Strings

H, xrefs: 0040A9A5
@, xrefs: 0040A96F

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastType
String ID: @$H
API String ID: 1809617866-104103126
Opcode ID: b2e6a79cf8b840c5e042042894f39d002ec681136d129e220ea756b77ed9d5fc
Instruction ID: adf26b6370af484567565b22fdbdb287164912d56f4e7350506426c4a6c7ea82
Opcode Fuzzy Hash: b2e6a79cf8b840c5e042042894f39d002ec681136d129e220ea756b77ed9d5fc
Instruction Fuzzy Hash: 73811672E043459AEF249B6889447EE7B60AB01368F14C13BE9517B3C1D3BC8966DB4B

Function 00408E8F Relevance: 10.7, APIs: 7, Instructions: 180
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(004067F3,004067F3,00000000,00000000,00000001,000000FF,0040D108,00000000,?,?,0040D108,00000000,0040E414), ref: 00408FEC
GetLastError.KERNEL32 ref: 00408FF4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00409031
GetExitCodeProcess.KERNELBASE(?,?), ref: 0040903E
CloseHandle.KERNEL32(?), ref: 00409047
CloseHandle.KERNEL32(?), ref: 00409054
CloseHandle.KERNEL32(0040684F), ref: 00409064

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: CloseHandle$Process$CodeCreateErrorExitLastObjectSingleWait
String ID:
API String ID: 966596688-0
Opcode ID: c5a49d4fad8cc15bb5dc8a8dd04d4969f40e02af60581ae3535133ee7cc71e77
Instruction ID: f038399a60921c0561f0a6f99f2b11a9d98f7d6fd060fb6637cb1a89438f4955
Opcode Fuzzy Hash: c5a49d4fad8cc15bb5dc8a8dd04d4969f40e02af60581ae3535133ee7cc71e77
Instruction Fuzzy Hash: 63511030D042099FDB218F64CD44AEEBBB5EB85314F10847FE4A5BB2D2CB799806CB58

Function 004075BC Relevance: 7.6, APIs: 5, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32(?), ref: 00407615
GetFileType.KERNEL32(00000800), ref: 004076BB
GetStdHandle.KERNEL32(-000000F6), ref: 00407714
GetFileType.KERNELBASE(00000000), ref: 00407722
SetHandleCount.KERNEL32 ref: 00407759

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 94766c67cce12e496a6129a5d9d2d5104d7cb2a8cdf1c8256d655f198b1c79a6
Instruction ID: dd20ea5e2ad15785f978a9490fc45cc3bf13d48b7b8c0b4060476bf1d8323b67
Opcode Fuzzy Hash: 94766c67cce12e496a6129a5d9d2d5104d7cb2a8cdf1c8256d655f198b1c79a6
Instruction Fuzzy Hash: 50512331D086058BD7208B2CCD487663B90BB12374F194E3AE4A6AB3E1D779F849D75A

Function 00407A37 Relevance: 6.2, APIs: 4, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000100,00000000), ref: 00407ABB
GetLastError.KERNEL32 ref: 00407AC5
ReadFile.KERNEL32(?,?,00000001,00000000,00000000), ref: 00407B8C
GetLastError.KERNEL32 ref: 00407B96

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 0d5067df5a756ab654c47183697cafa53bf190f3cee5e65e26fac1f14512f9f4
Instruction ID: 3c71f4a4c914093daa4e111219e29098325ab7dc149a3d367288bca257ac33ee
Opcode Fuzzy Hash: 0d5067df5a756ab654c47183697cafa53bf190f3cee5e65e26fac1f14512f9f4
Instruction Fuzzy Hash: FD619F30E0C2899FDB118F58C844BAA7BB0BB12308F1444ABE451AB3D1D379B946CB5B

Function 00407767 Relevance: 6.1, APIs: 4, Instructions: 139
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,?,?), ref: 0040783F

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: aff254ac8d8d06b1c375933265a01826a9e1b8ea15b91dc9473dc59729e29b07
Instruction ID: c19b3d791ab711fa8c5ef569e7948fa19eb36375cf462a63fb87303f5cca5c05
Opcode Fuzzy Hash: aff254ac8d8d06b1c375933265a01826a9e1b8ea15b91dc9473dc59729e29b07
Instruction Fuzzy Hash: 9251E571D04208EFDB11DF68C888ADE7BB0FB41340F2085BAE815AB2D0D334EA44CB5A

Function 00409EB2 Relevance: 5.1, APIs: 4, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapReAlloc.KERNEL32(00000000,00000060,?,00000000,00409C7A,?,?,?,00000100), ref: 00409EDA
HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00409C7A,?,?,?,00000100), ref: 00409F0E
VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004,?,00000000,00409C7A,?,?,?,00000100), ref: 00409F28
HeapFree.KERNEL32(00000000,?,?,00000000,00409C7A,?,?,?,00000100), ref: 00409F3F

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 0d56ca5cad879738d64fea35e25317797a88da85582025049e091cafbee42b77
Instruction ID: 16a10c85fc288a3fd0697e0b5d36225c66a208a9a462dcf54f8a75511906bb86
Opcode Fuzzy Hash: 0d56ca5cad879738d64fea35e25317797a88da85582025049e091cafbee42b77
Instruction Fuzzy Hash: 1E115E30201209DFC720DF99ED45E22BBB6FB84724B10492AF256E75F1D7709846EF04

Function 00407337 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000100,00000000,?,00000000,0040AA21,00000000), ref: 0040739C
GetLastError.KERNEL32(?,00000000,0040AA21,00000000), ref: 004073A6

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: f1965d678b67d3615b11a71d6e08b8914040d033c00d52028fdbc15ec9fa0c97
Instruction ID: b84c0215f91ab881d8f446bb9404d36fe1e38b0d3790a2a0251880d5805ce127
Opcode Fuzzy Hash: f1965d678b67d3615b11a71d6e08b8914040d033c00d52028fdbc15ec9fa0c97
Instruction Fuzzy Hash: 41113A32E083089BF6105765AD49B2B3358AB42769F11457FEC04B62D2DBFCF844E11B

Function 00407522 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,004077C5,00000000,?,00000000,?,?,004077C5,?,00000000,00000002,00000001,?,?), ref: 00407571
GetLastError.KERNEL32 ref: 0040757E

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: d79cffe0eace2165adb95f6e1714898f50e239d9efe542db10b5d1d8fd5a1575
Instruction ID: 43fb3ff8955d71c7df25f22854cb706fbbd21b76865ed93209a7189df02148de
Opcode Fuzzy Hash: d79cffe0eace2165adb95f6e1714898f50e239d9efe542db10b5d1d8fd5a1575
Instruction Fuzzy Hash: 61110831D08701ABC700CBB8DD48A9537A4AB41379F204B7EF525E76D2E7B8E945D70A

Function 0040893C Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,004064A2,00000000), ref: 0040894D

Part of subcall function 00409815: HeapAlloc.KERNEL32(00000000,00000140,00408961), ref: 00409822

HeapDestroy.KERNEL32 ref: 0040896B

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: e8bba990ccffa2263e0e2a483a6bb437c4793ec73d8d994b3a1b54e875279d9f
Instruction ID: 2aac7c1394e53d3f3e241b4ce236eb09025fc4cfcb4860e37ea7bfaf2a03933a
Opcode Fuzzy Hash: e8bba990ccffa2263e0e2a483a6bb437c4793ec73d8d994b3a1b54e875279d9f
Instruction Fuzzy Hash: 76E05B757553019BEB102B709E49B7635D5BB8478AF00443AF988D81E5EB74C444A505

Function 00406869 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(0040E414,004067CD,?,00000000,00000000,0040E414,?,?,?,0040D108,0040D108), ref: 0040686D
GetLastError.KERNEL32(?,?,?,0040D108,0040D108), ref: 00406878

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: cc82ef407f6d86054e7289c396e8563b88531115bb3fcb10dbfc04f215eba6d2
Instruction ID: 190a03a2e6e8e0156cf8b8d81b12f4a57a4c620664e03452b76d7cf4d8f2981d
Opcode Fuzzy Hash: cc82ef407f6d86054e7289c396e8563b88531115bb3fcb10dbfc04f215eba6d2
Instruction Fuzzy Hash: 9BE08631406700D9DF0427749D0C75B3A606F8136DF55CB7AE866A01F0C77D88559609

Function 00408DE6 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,00408DCA,000000E0,00408DB7,?,004075CD,00000100), ref: 00408E14

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3204e1776a58b5f8538dd2b3008e8bd4b1f4afee07a9b8d4f3e541a377c3b46d
Instruction ID: 87bc941ac8621733d738759247a0ee1dbd76439509efa145d36000547ea8371e
Opcode Fuzzy Hash: 3204e1776a58b5f8538dd2b3008e8bd4b1f4afee07a9b8d4f3e541a377c3b46d
Instruction Fuzzy Hash: 61E0C232802131A7DA206614BE007DB3724BF10370F060136FC84BB2E19B342C5155CC

Non-executed Functions

Function 0040C1E5 Relevance: 26.7, Strings: 21, Instructions: 417COMMON

Download Yara Rule

Strings

e, xrefs: 0040C2DD
-, xrefs: 0040C3E3
0, xrefs: 0040C453
9, xrefs: 0040C254
1, xrefs: 0040C45D
0, xrefs: 0040C2C1
c, xrefs: 0040C2D4
1, xrefs: 0040C42A
E, xrefs: 0040C2CF
+, xrefs: 0040C2B7
C, xrefs: 0040C2C6
0, xrefs: 0040C484
0, xrefs: 0040C30F
0, xrefs: 0040C386
+, xrefs: 0040C3DA
-, xrefs: 0040C2BC
9, xrefs: 0040C432
9, xrefs: 0040C2FA
9, xrefs: 0040C476
9, xrefs: 0040C2A6
9, xrefs: 0040C466

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID:
String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
API String ID: 0-1157002505
Opcode ID: 91c198814475ad20b00baa46edb7cd0f32e5d43a7861d63c3a379bfb68159c14
Instruction ID: 2579d61e5318648577aea87276846eeb8dacae63ee80e8af8a22806d5028b4ca
Opcode Fuzzy Hash: 91c198814475ad20b00baa46edb7cd0f32e5d43a7861d63c3a379bfb68159c14
Instruction Fuzzy Hash: ADE1F131D55219DEEB248FA4C9957BE7BB1BB00300F28467BD401B62C2D37C9982DB5E

Function 0040B641 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00408CA5,?,Microsoft Visual C++ Runtime Library,00012010,?,0040D484,?,0040D4D4,?,?,?,Runtime Error!Program: ), ref: 0040B653
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040B66B
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0040B67C
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0040B689

Strings

GetLastActivePopup, xrefs: 0040B67E
user32.dll, xrefs: 0040B64E
GetActiveWindow, xrefs: 0040B676
MessageBoxA, xrefs: 0040B665

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 867288824564334f3619757082f0dbebd42382dfb6261171ba2e325262ccdaa6
Instruction ID: de74ab1525ea14d435eb6cc6dd20cd1ff6ab2bca9f2c39baf57a699a0f35d6ad
Opcode Fuzzy Hash: 867288824564334f3619757082f0dbebd42382dfb6261171ba2e325262ccdaa6
Instruction Fuzzy Hash: C8017531B40201AFCB11DFF59C80A677EE9DA58744301483BB609E31A0D779D8159BAE

Function 0040A05E Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: 2d158c1009ae456f37a5d11eca89f62052bc5679d8e3b992de952646bde8a11f
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: 79B16C3590030ADFDB15CF04C5D0AA9BBA1BB58318F14C1AED81A6F382D735EA52CB94

Function 00408B81 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00408BEE
GetStdHandle.KERNEL32(000000F4,0040D484,00000000,?,00000000,00000000), ref: 00408CC4
WriteFile.KERNEL32(00000000), ref: 00408CCB

Strings

Microsoft Visual C++ Runtime Library, xrefs: 00408C9A
<program name unknown>, xrefs: 00408BFE
Runtime Error!Program: , xrefs: 00408C54
..., xrefs: 00408C40
x@, xrefs: 00408B8F

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $x@
API String ID: 3784150691-2704448551
Opcode ID: df2143502b701b13a0ead86e14fd4dc7c5c6fe193ade6b65076ebd06141f7b20
Instruction ID: 38fcf710f914df7c8948c21a669aeb727ca3293119fd2f73b68b07cef56c78a5
Opcode Fuzzy Hash: df2143502b701b13a0ead86e14fd4dc7c5c6fe193ade6b65076ebd06141f7b20
Instruction Fuzzy Hash: DC31C772A012086EEB20AB61CD49F9B777CEB45314F50047BF584F61C0DA78A9958F6D

Function 0040BE20 Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,0040D514,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0040BE62
LCMapStringA.KERNEL32(00000000,00000100,0040D510,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0040BE7E
LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0040BEC7
MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0040BEFF
MultiByteToWideChar.KERNEL32(00000000,00000001,00000020,00000001,00000100,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0040BF57
LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0040BF6D
LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0040BFA0
LCMapStringW.KERNEL32(?,00000100,00000100,00000100,?,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0040C008

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: eae2aa2bde7858584f9a91431d64d86d5fae59c2fa5213f05ca84d6fd01fc824
Instruction ID: caf144f6782c282f1fb5cc2b4170338e13de84eb125e1eeb8fe7c591b5a57659
Opcode Fuzzy Hash: eae2aa2bde7858584f9a91431d64d86d5fae59c2fa5213f05ca84d6fd01fc824
Instruction Fuzzy Hash: B9513A71900209EFCF228F94CD45ADB7FB9FB48754F20412AF915B22A0D3398965DFA9

Function 0040880A Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,004064C8), ref: 00408825
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,004064C8), ref: 00408839
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,004064C8), ref: 00408865
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,004064C8), ref: 0040889D
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,004064C8), ref: 004088BF
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,?,004064C8), ref: 004088D8
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,004064C8), ref: 004088EB
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00408929

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 2128200c2dec99112e6e3d97e987e26460640e4f1291a272db4ce0cace52e8e4
Instruction ID: eb6923129fc198a291aa4392daaae0253ef6126e5f38dd87825d6eb0f0d04450
Opcode Fuzzy Hash: 2128200c2dec99112e6e3d97e987e26460640e4f1291a272db4ce0cace52e8e4
Instruction Fuzzy Hash: 893137B38042155FD7203BB56E8483B769CEA49348B51453FF5C1F3381EE388C42926E

Function 0040A643 Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0040D514,00000001,00000000,?,00000100,00000000,0040B53F,00000001,00000020,00000100,?,00000000), ref: 0040A682
GetStringTypeA.KERNEL32(00000000,00000001,0040D510,00000001,00000000,?,00000100,00000000,0040B53F,00000001,00000020,00000100,?,00000000), ref: 0040A69C
GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,0040B53F,00000001,00000020,00000100,?,00000000), ref: 0040A6D0
MultiByteToWideChar.KERNEL32(0040B53F,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,0040B53F,00000001,00000020,00000100,?,00000000), ref: 0040A708
MultiByteToWideChar.KERNEL32(0040B53F,00000001,00000100,00000020,?,00000100,?,00000100,00000000,0040B53F,00000001,00000020,00000100,?), ref: 0040A75E
GetStringTypeW.KERNEL32(?,?,00000000,00000001,?,00000100,?,00000100,00000000,0040B53F,00000001,00000020,00000100,?), ref: 0040A770

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 2eecb771c646a8312660574022f2fa4698ce1d4a762b91853752a18b02e08ce0
Instruction ID: d8b8f3ae18008e25f8c65a2e95e7f3221f58a96c8a8c78502c253b54901eb93f
Opcode Fuzzy Hash: 2eecb771c646a8312660574022f2fa4698ce1d4a762b91853752a18b02e08ce0
Instruction Fuzzy Hash: E4416071900209AFCF209F94CC85EEF7FB9EB08754F108536F915A2290C339C9659BAA

Function 0040CDFA Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f6300edd1b72ee42fb2a2c78bbbcfa209d2ba629295c382778fc1eb378479e2
Instruction ID: e457cf3dc0a161c47f043460bd6a0560b05df537884281ffeb8cb34ae73c9f8f
Opcode Fuzzy Hash: 4f6300edd1b72ee42fb2a2c78bbbcfa209d2ba629295c382778fc1eb378479e2
Instruction Fuzzy Hash: 3121B33A900105EACF21DB94DE81AAF37B9EB44314F1002BBF511F22E0E3358949DBAC

Function 00404D05 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 17sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00404D10
GetTickCount.KERNEL32 ref: 00404D19
Sleep.KERNEL32(00000001,?,?,00404A76), ref: 00404D2B

Strings

vJ@, xrefs: 00404D1F

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: CountTick$Sleep
String ID: vJ@
API String ID: 4250438611-3547802607
Opcode ID: 28b246be3bc00e080162425e568454d690fb55889d731836eae1020fd3b864f0
Instruction ID: 49849d38280906807e8ee4edd28df9028b76a086347d3e99f882293cb68a1183
Opcode Fuzzy Hash: 28b246be3bc00e080162425e568454d690fb55889d731836eae1020fd3b864f0
Instruction Fuzzy Hash: 89E0E6B494410CEBD7009FD4E61965CBB74AF44305F1041A6E90DA2150C7759605966D

Function 00407F1C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00405EFC), ref: 00407F21
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00407F31

Strings

IsProcessorFeaturePresent, xrefs: 00407F2B
KERNEL32, xrefs: 00407F1C

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 801503ef7e27cf9a43a024029164bff861d2c6805bca75d3ab28725c527fc555
Instruction ID: e56adbcfc5baa1e8a41b4ee712c6b816f41ba93bc4bb42817cd1dab545e2ce80
Opcode Fuzzy Hash: 801503ef7e27cf9a43a024029164bff861d2c6805bca75d3ab28725c527fc555
Instruction Fuzzy Hash: 5CC01230FCC30267DA202BF24D09B1628081B40B42F2040F6A209F60D4CE78E80A802E

Function 0040B9A7 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000001,00000000,00000000,00000000,00000000,?,00406910,00000000,?,00000000,?), ref: 0040B9D6
MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,00000000,?,00406910,00000000,?,00000000,?), ref: 0040B9E9
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,?,00000000,?,00406910,00000000,?,00000000,?), ref: 0040BA35
CompareStringW.KERNEL32(?,004055BA,00000000,00000000,?,00000000,?,00000000,?,00406910,00000000,?,00000000,?), ref: 0040BA4D

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: ByteCharMultiWide$CompareString
String ID:
API String ID: 376665442-0
Opcode ID: e230329e4d0f1b617e8e9b9b07688b33fe91b266f24df33c89f9663b5fb6963c
Instruction ID: 70f0504ceda5a75237d31f75ca127f3a46736c60405e54fa0e2596185df07c21
Opcode Fuzzy Hash: e230329e4d0f1b617e8e9b9b07688b33fe91b266f24df33c89f9663b5fb6963c
Instruction Fuzzy Hash: 8A21E632D00249ABCF219F848D45ADE7FB5FB48360F10812AFA14721A0D3369A619B98

Function 0040B4A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 0040B4B4

Strings

, xrefs: 0040B4FD
, xrefs: 0040B4D9

Memory Dump Source

Source File: 00000000.00000002.2911287583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2911273452.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911304833.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000415000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000584000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911321953.0000000000F0D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2911768623.0000000000F0F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_EN.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: b27c5241f401bb9353d1679f267d54306c1b93cc1f0b37af77394cc5f842b60e
Instruction ID: 3ed02c847eb8ff4f8ce161b6e6d196eebb5d09d3f5d5ded90353173e0599949d
Opcode Fuzzy Hash: b27c5241f401bb9353d1679f267d54306c1b93cc1f0b37af77394cc5f842b60e
Instruction Fuzzy Hash: 90415A3100425C2AEB128794DD9ABF77F99EB05708F1808F6D545E62D2C3794904EBFE

Analysis Process: cmdmax.exePID: 7136, Parent PID: 7144COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	436
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401091 Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 213
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 004010EB
GetProcAddress.KERNEL32(00000000), ref: 004010F2
GetStdHandle.KERNEL32(000000F5), ref: 00401116
GetLargestConsoleWindowSize.KERNEL32(00000001), ref: 0040112D
ExitProcess.KERNEL32 ref: 0040128B
GetConsoleWindow.KERNELBASE(00000000,?,?,00000000,00000000,00000001), ref: 004012EF
SetWindowPos.USER32(00000000), ref: 004012F6
SetConsoleScreenBufferSize.KERNELBASE(00000007,02270D28), ref: 00401304
SetConsoleWindowInfo.KERNELBASE(00000007,00000001,00000000), ref: 00401314
SetConsoleScreenBufferSize.KERNELBASE(00000007,02270D28), ref: 00401322
SetConsoleWindowInfo.KERNELBASE(00000007,00000001,00000000), ref: 00401332

Strings

kernel32.dll, xrefs: 004010E6
Usage: cmdmax [<pos_x> <pos_y> <win_w> <win_h> <buf_w> <buf_h>] pos_x, pos_y are in pixels win_w, win_h, buf_w, buf_h are in characters buf_w, buf_h must be greater or equal to win_w, win_h if both pos_x, pos_y are set to letter 'n', xrefs: 0040127C
%d %d %d %d %d %d, xrefs: 004012C6
CMDMAX_DEBUG, xrefs: 00401291
GetConsoleWindow, xrefs: 004010E1

Memory Dump Source

Source File: 0000000D.00000002.1790176789.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1790164665.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.0000000000407000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790215371.000000000040B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_cmdmax.jbxd

Similarity

API ID: Console$Window$Size$BufferHandleInfoScreen$AddressExitLargestModuleProcProcess
String ID: %d %d %d %d %d %d$CMDMAX_DEBUG$GetConsoleWindow$Usage: cmdmax [<pos_x> <pos_y> <win_w> <win_h> <buf_w> <buf_h>] pos_x, pos_y are in pixels win_w, win_h, buf_w, buf_h are in characters buf_w, buf_h must be greater or equal to win_w, win_h if both pos_x, pos_y are set to letter 'n'$kernel32.dll
API String ID: 3954929148-2401392774
Opcode ID: 51c1bba1868696b56766017a525fd275070f8669f06dd8a5ee0a9d837f02c277
Instruction ID: 8c665b8b8e7dd296a86b3b68ad36f009cdc48b0ece15f37bffc1b1e9df652cec
Opcode Fuzzy Hash: 51c1bba1868696b56766017a525fd275070f8669f06dd8a5ee0a9d837f02c277
Instruction Fuzzy Hash: 5F815275D00208AADB00DFE4D98AFBF77B8AF08715F104066F904FB2A1E7789A55C75A

Function 00404140 Relevance: 13.8, APIs: 9, Instructions: 307
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CompareStringA.KERNELBASE(00000000,00000000,00407E20,00000001,00407E20,00000001,02270D28,?,?,FFFFFFFE,?,FFFFFFFE), ref: 00404162
CompareStringW.KERNEL32(00000000,00000000,00407E24,00000001,00407E24,00000001,?,?,?,?,0040129B,CMDMAX_DEBUG), ref: 004041A2
CompareStringA.KERNEL32(?,?,?,?,?,?,02270D28,?,?,FFFFFFFE,?,FFFFFFFE), ref: 004041FB

Memory Dump Source

Source File: 0000000D.00000002.1790176789.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1790164665.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.0000000000407000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790215371.000000000040B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_cmdmax.jbxd

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: 1ff1008ee3a4a55d8727752ad5fe31d2fa36966b366071291e4c568b1e8beb1f
Instruction ID: e767498d96deb41678ceb7339b19bbc0015ffd8f8e65b5060bc0486a620b20b8
Opcode Fuzzy Hash: 1ff1008ee3a4a55d8727752ad5fe31d2fa36966b366071291e4c568b1e8beb1f
Instruction Fuzzy Hash: FA912BB27043006BD7209B95EC85B6BB7A8D7C5365F44047FFB40E6280D27EE94987A7

Function 00403490 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32(?), ref: 004034F8
GetFileType.KERNEL32(00000000), ref: 004035A6
GetStdHandle.KERNEL32(FFFFFFF6), ref: 0040360E
GetFileType.KERNELBASE(00000000), ref: 00403618
SetHandleCount.KERNEL32(00000020), ref: 00403655

Strings

@, xrefs: 0040363F

Memory Dump Source

Source File: 0000000D.00000002.1790176789.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1790164665.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.0000000000407000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790215371.000000000040B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_cmdmax.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID: @
API String ID: 1710529072-2766056989
Opcode ID: 63df62efcc3922071b0c15ba09ff141fc4bde9c6b434e268c60b1111de638fc9
Instruction ID: 372a2bf32b0bdc82c37bf4d41fc824613e188a480a206bcbb4d6fa6d6a21597a
Opcode Fuzzy Hash: 63df62efcc3922071b0c15ba09ff141fc4bde9c6b434e268c60b1111de638fc9
Instruction Fuzzy Hash: 595122719042449BD7318F38CE8471A7FA8AB02325F18467ED895AB3E1D738D946C79A

Function 00401770 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 00401796

Part of subcall function 00403670: HeapCreate.KERNELBASE(00000001,00001000,00000000,004017CC), ref: 00403679

Part of subcall function 00403490: GetStartupInfoA.KERNEL32(?), ref: 004034F8
Part of subcall function 00403490: GetFileType.KERNEL32(00000000), ref: 004035A6

GetCommandLineA.KERNEL32 ref: 004017DD

Part of subcall function 00403020: GetEnvironmentStringsW.KERNEL32 ref: 00403036
Part of subcall function 00403020: GetEnvironmentStringsW.KERNEL32 ref: 0040308F

Memory Dump Source

Source File: 0000000D.00000002.1790176789.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1790164665.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.0000000000407000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790215371.000000000040B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_cmdmax.jbxd

Similarity

API ID: EnvironmentStrings$CommandCreateFileHeapInfoLineStartupTypeVersion
String ID:
API String ID: 796813354-0
Opcode ID: f6e6d59e7de11bbe1f9c79c4729ef30da786d8d204601ce81188c11fc54d5798
Instruction ID: bae357295b154c56a0da60b6029cb3d48fad92364151424cd4935dcd8c5fbeea
Opcode Fuzzy Hash: f6e6d59e7de11bbe1f9c79c4729ef30da786d8d204601ce81188c11fc54d5798
Instruction Fuzzy Hash: CB2163B1D04644AFD710EF69AE0675A7BA8EB04315F10063FF419B37E2E77C65008B6A

Function 00402780 Relevance: 1.5, APIs: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 004027F7

Memory Dump Source

Source File: 0000000D.00000002.1790176789.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1790164665.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.0000000000407000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790215371.000000000040B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_cmdmax.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 54e3e19046fbf29639bf15c34da984302160871c38c6a1032c6c2c714584590b
Instruction ID: 801cb8b31a74135f60e5dde2dc570042dc3b1dfd1c2c9a6f8921881583090a25
Opcode Fuzzy Hash: 54e3e19046fbf29639bf15c34da984302160871c38c6a1032c6c2c714584590b
Instruction Fuzzy Hash: 9CF0AF769042009AEF20AB79EF8DB6677A0A750705F10457FF880731E1D6B8BC448A7F

Function 00403670 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000001,00001000,00000000,004017CC), ref: 00403679

Memory Dump Source

Source File: 0000000D.00000002.1790176789.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1790164665.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.0000000000407000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790215371.000000000040B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_cmdmax.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 07373dfd54a1dc70f1ee3f471f143bd0286662016e5a5ba00e92ec479078b4e4
Instruction ID: 5d6950380f6a30326c0bb27adfbe44092808890bba6650e2d3bb44798f57916f
Opcode Fuzzy Hash: 07373dfd54a1dc70f1ee3f471f143bd0286662016e5a5ba00e92ec479078b4e4
Instruction Fuzzy Hash: 10B012702813009EE3100B305F06F4435206708B42F100024B2807C1E4CAF01051850D

Non-executed Functions

Function 00404790 Relevance: 15.2, APIs: 10, Instructions: 222
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringA.KERNEL32(00000000,00000100,00407E20,00000001,00000000,00000000,?,00000000,0000000B,?,00402961,00000000,00000200,?,00000001,?), ref: 004047B5
LCMapStringW.KERNEL32(00000000,00000100,00407E24,00000001,00000000,00000000,?,?,?,?,?,0000000A), ref: 004047D4
LCMapStringA.KERNEL32(00000001,00000001,00000001,?,00000200,00000000,?,00000000,0000000B,?,00402961,00000000,00000200,?,00000001,?), ref: 00404838
MultiByteToWideChar.KERNEL32(?,00000009,00000001,?,00000000,00000000,?,00000000,0000000B,?,00402961,00000000,00000200,?,00000001,?), ref: 0040486F
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,?,?,0000000A), ref: 004048AE
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,0000000A), ref: 004048C8
LCMapStringW.KERNEL32(?,?,00000000,00000000,?,?), ref: 004048FD

Memory Dump Source

Source File: 0000000D.00000002.1790176789.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1790164665.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.0000000000407000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790215371.000000000040B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_cmdmax.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 91689ef6a8061157262080b5655910052be4cc0885f97463720962df06819704
Instruction ID: 2c29ff3f2fb97a1670f5a264d2ad8a999c8045613722e7b8bdd10dfdb192a7e9
Opcode Fuzzy Hash: 91689ef6a8061157262080b5655910052be4cc0885f97463720962df06819704
Instruction Fuzzy Hash: AD517CF67043006BE210EBA5AC41F6B7798DBC9755F14043AF744E72D0DA79EC018BAA

Function 00403020 Relevance: 15.2, APIs: 10, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00403036
GetEnvironmentStrings.KERNEL32 ref: 0040304E
GetEnvironmentStringsW.KERNEL32 ref: 0040308F
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004030CF
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004030F6
FreeEnvironmentStringsW.KERNEL32(?), ref: 0040310C
FreeEnvironmentStringsW.KERNEL32(?), ref: 0040311D

Memory Dump Source

Source File: 0000000D.00000002.1790176789.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1790164665.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.0000000000407000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790215371.000000000040B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_cmdmax.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 33bbc3f1baf684cecbe4868c8c978916208efd2582274dfbb109430b9d872f4c
Instruction ID: 4005c8ad7f123dcd08d34e7d596d0a2ed273d4a167ce10c24e384bddb9be3eea
Opcode Fuzzy Hash: 33bbc3f1baf684cecbe4868c8c978916208efd2582274dfbb109430b9d872f4c
Instruction Fuzzy Hash: AF412576B403045BE7206F64BC497673B98E784333F54003BED05A6381E77EA90CC29A

Function 00404B40 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 55
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(user32.dll,?,?,?,0040394A,?,Microsoft Visual C++ Runtime Library,00012010,?,?,00000000), ref: 00404B52
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00404B6A
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00404B7B
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00404B88

Strings

GetActiveWindow, xrefs: 00404B75
MessageBoxA, xrefs: 00404B5E
user32.dll, xrefs: 00404B4D
GetLastActivePopup, xrefs: 00404B7D

Memory Dump Source

Source File: 0000000D.00000002.1790176789.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1790164665.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.0000000000407000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790215371.000000000040B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_cmdmax.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 4a9723a7828e76fe50fc032433e0afbaf72be46e8f0aae19df462a7516b8695a
Instruction ID: bd30521effc3bf44185d56dacefefe439e8c1685cf67d71c121490aaf00fd7e0
Opcode Fuzzy Hash: 4a9723a7828e76fe50fc032433e0afbaf72be46e8f0aae19df462a7516b8695a
Instruction Fuzzy Hash: CD0184B1A063565BD310AFA5DD84F2B77E8DBC4B5271401B6E900F2290C7B8EC44CBEA

Function 004037B0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 159
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000000), ref: 00403830
GetStdHandle.KERNEL32(000000F4,?,?,00000000), ref: 00403967
WriteFile.KERNEL32(?,?,FFFFFFFE,00000000,00000000,?,?,00000000), ref: 0040398D

Strings

Microsoft Visual C++ Runtime Library, xrefs: 00403939
..., xrefs: 00403882
Runtime Error!Program: , xrefs: 00403890
<program name unknown>, xrefs: 00403836

Memory Dump Source

Source File: 0000000D.00000002.1790176789.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1790164665.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.0000000000407000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790215371.000000000040B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_cmdmax.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: a436efcfc72d5c591da5e93a6fc445f4f5db0aa4265214052baa93e641a77d96
Instruction ID: 9c3b1f96b856c350f621c52e0a91f0f66bf3b15c1bfcf1076c0cd6de472e1383
Opcode Fuzzy Hash: a436efcfc72d5c591da5e93a6fc445f4f5db0aa4265214052baa93e641a77d96
Instruction Fuzzy Hash: 974113367046050BD728DA389A1477E7BD6EFC4321F50473EFA26B76D0CAB9AE048256

Function 004049F0 Relevance: 9.1, APIs: 6, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStringTypeA.KERNEL32(00000000,00000001,00407E20,00000001,?,?,00000000,0000000B,?,?,00000002,?,?,?,0000000A), ref: 00404A16
GetStringTypeW.KERNEL32(00000001,00407E24,00000001,?,?,?,?,0000000A), ref: 00404A31
GetStringTypeA.KERNEL32(?,?,?,?,?,?,00000000,0000000B,?,?,00000002,?,?,?,0000000A), ref: 00404A7F
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,00000000,0000000B,?,?,00000002,?,?,?,0000000A), ref: 00404AB6
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,?,?,?,?,?,?,0000000A), ref: 00404AE2
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,0000000A), ref: 00404AF8

Memory Dump Source

Source File: 0000000D.00000002.1790176789.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1790164665.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.0000000000407000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790215371.000000000040B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_cmdmax.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 9088a58cb0110ca152e68b03d436b7ab7cd9faafc8e28d45a1373a8a13234b3e
Instruction ID: 871e9140d8e42ba65fb42cff073d1d9aef57c38841bfaff7c614589857a5e468
Opcode Fuzzy Hash: 9088a58cb0110ca152e68b03d436b7ab7cd9faafc8e28d45a1373a8a13234b3e
Instruction Fuzzy Hash: 803190B27452006BE210DB65EC85F3B73A9E7C9715F04013AFB44B7280D6B9FC058BAA

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 0040101D
SetConsoleTitleA.KERNEL32(?), ref: 00401044
Sleep.KERNEL32(00000064), ref: 00401052
FindWindowA.USER32(00000000,?), ref: 00401061

Strings

CMDMAX:%d, xrefs: 00401024

Memory Dump Source

Source File: 0000000D.00000002.1790176789.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.1790164665.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.0000000000407000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790190291.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.1790215371.000000000040B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_cmdmax.jbxd

Similarity

API ID: ConsoleCurrentFindProcessSleepTitleWindow
String ID: CMDMAX:%d
API String ID: 960006182-1358362588
Opcode ID: 48520546924323c45bbdf36bac6515e9c5ea32c08305208bdbf8af8f6b11a226
Instruction ID: 5a933a1f5bc0470be587deae832df0d0f7ca835772c44b334be0bbb2aee9f6c3
Opcode Fuzzy Hash: 48520546924323c45bbdf36bac6515e9c5ea32c08305208bdbf8af8f6b11a226
Instruction Fuzzy Hash: 9C018171900218EBEB50AB94DE49B99B77CFB00306F1080A6F685F6091DBB45A888F66

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM).BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
Tactics:	Defense Evasion, Persistence
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, Service: Service Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Android TV Tools v3_EN.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_egiulgnn.r1p.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qoepv1jm.3w0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t4uk5vgg.x3g.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_utelv5le.g33.psm1

C:\Users\user\AppData\Local\Temp\ytmp\tmp5972.exe

C:\Users\user\AppData\Local\Temp\ytmp\tmp9682.bat

C:\Users\user\Desktop\Android TV Tools - Aux Files\BIT8DD.tmp

C:\Users\user\Desktop\Android TV Tools - Aux Files\cmdmax.exe (copy)

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
Android TV Tools v3_EN.exe

Function 00404D37 Relevance: 5.2, APIs: 3, Instructions: 661
timesleepCOMMON

Function 004036D1 Relevance: 4.5, APIs: 3, Instructions: 42
timesleepCOMMON

Function 00406444 Relevance: 3.1, APIs: 2, Instructions: 62
COMMON