Edit tour

Windows Analysis Report
https://github.com/frankwick/t/raw/main/tinytask.exe

Overview

General Information

Sample URL:	https://github.com/frankwick/t/raw/main/tinytask.exe
Analysis ID:	1322068
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Queries the volume information (name, serial number etc) of a device

Drops PE files

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Uses code obfuscation techniques (call, push, ret)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality to simulate mouse events

Classification

Process Tree

System is w10x64

cmd.exe (PID: 7272 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/frankwick/t/raw/main/tinytask.exe" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wget.exe (PID: 7324 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/frankwick/t/raw/main/tinytask.exe" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)

tinytask.exe (PID: 7528 cmdline: C:\Users\user\Desktop\download\tinytask.exe MD5: 8FD3551654F0F5281DDBD7E32CB73054)

cleanup

Joe Sandbox Signatures

• AV Detection
• Compliance
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for domain / URL

Source: https://raw.githubusercontent.com/frankwick/t/main/tinytask.exe

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\download\tinytask.exe

Virustotal: Detection: 16%

Perma Link

Source: unknown	HTTPS traffic detected: 192.30.255.113:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: C:\Users\user\Desktop\download\tinytask.exe

Code function: 3_2_00403B09 CreateFileA,GetFileAttributesA,CreateFileA,CloseHandle,FindFirstFileA,FindClose,FindClose,FindNextFileA,FindClose,FindClose,

3_2_00403B09

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: wget.exe, 00000002.00000002.1621595336.0000000000100000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr	String found in binary or memory: https://github.com/frankwick/t/raw/main/tinytask.exe
Source: wget.exe, 00000002.00000002.1621867674.0000000001110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/frankwick/t/raw/main/tinytask.exeROC
Source: wget.exe, 00000002.00000002.1621867674.0000000001110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/frankwick/t/raw/main/tinytask.exeVEW
Source: wget.exe, 00000002.00000002.1621856211.0000000001015000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1621271341.0000000001011000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1621284943.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/frankwick/t/raw/main/tinytask.exey
Source: cmdline.out.0.dr	String found in binary or memory: https://raw.githubusercontent.com/frankwick/t/main/tinytask.exe
Source: wget.exe, 00000002.00000002.1621867674.0000000001115000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/frankwick/t/main/tinytask.exeV
Source: wget.exe, 00000002.00000003.1609715184.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/frankwick/t/main/tinytask.exeZ
Source: wget.exe, 00000002.00000002.1621814188.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1621296179.0000000000FDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/frankwick/t/main/tinytask.exex
Source: wget.exe, 00000002.00000003.1609715184.0000000001011000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1621148867.0000000001011000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.1621856211.0000000001015000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1621271341.0000000001011000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1621284943.0000000001014000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1609715184.0000000001017000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://render.githubusercontent.com
Source: tinytask.exe.2.dr	String found in binary or memory: https://www.tinytask.net

Source: unknown

DNS traffic detected: queries for: github.com

Source: global traffic	HTTP traffic detected: GET /frankwick/t/raw/main/tinytask.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: /Accept-Encoding: identityHost: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /frankwick/t/main/tinytask.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: /Accept-Encoding: identityHost: raw.githubusercontent.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 192.30.255.113:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: C:\Users\user\Desktop\download\tinytask.exe	Code function: 3_2_00401489 DestroyWindow,BeginPaint,CreateCompatibleDC,SelectObject,BitBlt,SelectObject,BitBlt,SelectObject,SelectObject,BitBlt,SelectObject,DeleteDC,EndPaint,GetWindowRect,DestroyCursor,DeleteObject,DeleteObject,DeleteObject,KillTimer,PostQuitMessage,GetModuleHandleA,CreateCursor,PostMessageA,GetCursor,SetCursor,KillTimer,KillTimer,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,Sleep,PostMessageA,GetTickCount,wsprintfA,GetTickCount,wsprintfA,GetWindowTextA,FindWindowExA,FindWindowExA,FindWindowExA,KillTimer,GetClientRect,GetVersion,GetVersion,CreateWindowExA,GetStockObject,SendMessageA,GetWindowLongA,SetWindowLongA,SetWindowLongA,SetWindowLongA,ShowWindow,UpdateWindow,UpdateWindow,InvalidateRect,InvalidateRect,UpdateWindow,InvalidateRect,UpdateWindow,SendMessageA,SetFocus,DeleteFileA,SetWindowTextA,GetModuleHandleA,GetModuleFileNameA,CopyFileA,CreateFileA,GetFileSize,SetFilePointer,ReadFile,wsprintfA,SetFilePointer,WriteFile,CloseHandle,wsprintfA,GetModuleHandleA,MessageBoxIndirectA,SetTimer,MessageBoxA,DefWindowProcA,		3_2_00401489
Source: C:\Users\user\Desktop\download\tinytask.exe	Code function: 3_2_004034C6 GetKeyState,GetKeyState,GetKeyState,GetSystemMetrics,mouse_event,mouse_event,mouse_event,GetSystemMetrics,GetSystemMetrics,mouse_event,SetCursorPos,MapVirtualKeyA,keybd_event,GetSystemMetrics,GetSystemMetrics,mouse_event,SetCursorPos,Sleep,SetTimer,GetDoubleClickTime,Sleep,PostMessageA,		3_2_004034C6

Source: C:\Users\user\Desktop\download\tinytask.exe

Code function: 3_2_00402148 mouse_event,keybd_event,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,MapVirtualKeyA,keybd_event,SetKeyboardState,GetAsyncKeyState,GetKeyState,VkKeyScanA,VkKeyScanA,VkKeyScanA,MapVirtualKeyA,MapVirtualKeyA,keybd_event,MapVirtualKeyA,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,VkKeyScanA,MapVirtualKeyA,keybd_event,Sleep,GetCursorPos,GetKeyState,GetTickCount,SetTimer,KillTimer,GetTickCount,SetWindowTextA,InvalidateRect,DefWindowProcA,

3_2_00402148

Source: C:\Windows\SysWOW64\wget.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/frankwick/t/raw/main/tinytask.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/frankwick/t/raw/main/tinytask.exe"
Source: unknown	Process created: C:\Users\user\Desktop\download\tinytask.exe C:\Users\user\Desktop\download\tinytask.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/frankwick/t/raw/main/tinytask.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\cmdline.out

Jump to behavior

Source: classification engine

Classification label: mal56.win@5/2@2/2

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\wget.exe

Code function: 2_2_00ADA52D push eax; iretd

2_2_00ADA539

Source: C:\Windows\SysWOW64\wget.exe

File created: C:\Users\user\Desktop\download\tinytask.exe

Jump to dropped file

Source: C:\Users\user\Desktop\download\tinytask.exe	Code function: 3_2_00401000 GetModuleHandleA,GetModuleFileNameA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetSystemMetrics,GetSystemMetrics,GetPrivateProfileIntA,GetPrivateProfileIntA,KiUserCallbackDispatcher,SetRect,GetDC,RectVisible,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,LoadIconA,RegisterClassExA,MessageBoxA,CreateWindowExA,ShowWindow,UpdateWindow,GetModuleHandleA,GetModuleFileNameA,PostMessageA,GetMessageA,KiUserCallbackDispatcher,TranslateMessage,DispatchMessageA,	3_2_00401000
Source: C:\Users\user\Desktop\download\tinytask.exe	Code function: 3_2_0040392F GetPrivateProfileIntA,GetPrivateProfileStringA,GetSystemMetrics,LoadImageA,GetObjectA,GetSystemMetrics,MessageBoxA,WritePrivateProfileStringA,DeleteObject,GetModuleHandleA,LoadImageA,DeleteObject,DeleteObject,GetObjectA,KiUserCallbackDispatcher,GetSystemMetrics,GetSystemMetrics,	3_2_0040392F
Source: C:\Users\user\Desktop\download\tinytask.exe	Code function: 3_2_00402D18 GetPrivateProfileStringA,WritePrivateProfileStringA,GetWindowLongA,SetWindowLongA,SetWindowPos,InvalidateRect,UpdateWindow,DefWindowProcA,	3_2_00402D18

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\download\tinytask.exe

Code function: 3_2_00403B09 CreateFileA,GetFileAttributesA,CreateFileA,CloseHandle,FindFirstFileA,FindClose,FindClose,FindNextFileA,FindClose,FindClose,

3_2_00403B09

Source: C:\Users\user\Desktop\download\tinytask.exe

API call chain: ExitProcess graph end node

graph_3-1178

Source: wget.exe	Binary or memory string: Hyper-V RAW
Source: wget.exe, 00000002.00000002.1621744965.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\download\tinytask.exe

Code function: 3_2_0040424C GetProcessHeap,HeapAlloc,

3_2_0040424C

Source: unknown

Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://github.com/frankwick/t/raw/main/tinytask.exe" > cmdline.out 2>&1

Source: C:\Users\user\Desktop\download\tinytask.exe

Code function: 3_2_004034C6 GetKeyState,GetKeyState,GetKeyState,GetSystemMetrics,mouse_event,mouse_event,mouse_event,GetSystemMetrics,GetSystemMetrics,mouse_event,SetCursorPos,MapVirtualKeyA,keybd_event,GetSystemMetrics,GetSystemMetrics,mouse_event,SetCursorPos,Sleep,SetTimer,GetDoubleClickTime,Sleep,PostMessageA,

3_2_004034C6

Source: C:\Users\user\Desktop\download\tinytask.exe

3_2_004034C6

Source: C:\Windows\SysWOW64\wget.exe

Queries volume information: C:\Users\user\Desktop\download VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\download\tinytask.exe

Code function: 3_2_00401489 DestroyWindow,BeginPaint,CreateCompatibleDC,SelectObject,BitBlt,SelectObject,BitBlt,SelectObject,SelectObject,BitBlt,SelectObject,DeleteDC,EndPaint,GetWindowRect,DestroyCursor,DeleteObject,DeleteObject,DeleteObject,KillTimer,PostQuitMessage,GetModuleHandleA,CreateCursor,PostMessageA,GetCursor,SetCursor,KillTimer,KillTimer,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,Sleep,PostMessageA,GetTickCount,wsprintfA,GetTickCount,wsprintfA,GetWindowTextA,FindWindowExA,FindWindowExA,FindWindowExA,KillTimer,GetClientRect,GetVersion,GetVersion,CreateWindowExA,GetStockObject,SendMessageA,GetWindowLongA,SetWindowLongA,SetWindowLongA,SetWindowLongA,ShowWindow,UpdateWindow,UpdateWindow,InvalidateRect,InvalidateRect,UpdateWindow,InvalidateRect,UpdateWindow,SendMessageA,SetFocus,DeleteFileA,SetWindowTextA,GetModuleHandleA,GetModuleFileNameA,CopyFileA,CreateFileA,GetFileSize,SetFilePointer,ReadFile,wsprintfA,SetFilePointer,WriteFile,CloseHandle,wsprintfA,GetModuleHandleA,MessageBoxIndirectA,SetTimer,MessageBoxA,DefWindowProcA,

3_2_00401489

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Command and Scripting Interpreter	Path Interception	1 Process Injection	1 Masquerading	21 Input Capture	111 Security Software Discovery	Remote Services	21 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://github.com/frankwick/t/raw/main/tinytask.exe	0%	Avira URL Cloud	safe
https://github.com/frankwick/t/raw/main/tinytask.exe	1%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\download\tinytask.exe	8%	ReversingLabs
C:\Users\user\Desktop\download\tinytask.exe	17%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
https://raw.githubusercontent.com/frankwick/t/main/tinytask.exe	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/frankwick/t/main/tinytask.exex	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/frankwick/t/main/tinytask.exeZ	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/frankwick/t/main/tinytask.exeV	0%	Avira URL Cloud	safe
https://www.tinytask.net	0%	Avira URL Cloud	safe
https://render.githubusercontent.com	0%	Avira URL Cloud	safe
https://render.githubusercontent.com	0%	Virustotal		Browse
https://www.tinytask.net	1%	Virustotal		Browse
https://raw.githubusercontent.com/frankwick/t/main/tinytask.exe	8%	Virustotal		Browse

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
github.com	192.30.255.113	true	false		high
raw.githubusercontent.com	185.199.110.133	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://raw.githubusercontent.com/frankwick/t/main/tinytask.exe	false	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/frankwick/t/raw/main/tinytask.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://raw.githubusercontent.com/frankwick/t/main/tinytask.exeZ	wget.exe, 00000002.00000003.1609715184.0000000001011000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/frankwick/t/main/tinytask.exex	wget.exe, 00000002.00000002.1621814188.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1621296179.0000000000FDB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://render.githubusercontent.com	wget.exe, 00000002.00000003.1609715184.0000000001011000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1621148867.0000000001011000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.1621856211.0000000001015000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1621271341.0000000001011000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1621284943.0000000001014000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1609715184.0000000001017000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/frankwick/t/raw/main/tinytask.exeVEW	wget.exe, 00000002.00000002.1621867674.0000000001110000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/frankwick/t/main/tinytask.exeV	wget.exe, 00000002.00000002.1621867674.0000000001115000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/frankwick/t/raw/main/tinytask.exey	wget.exe, 00000002.00000002.1621856211.0000000001015000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1621271341.0000000001011000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1621284943.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/frankwick/t/raw/main/tinytask.exeROC	wget.exe, 00000002.00000002.1621867674.0000000001110000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.tinytask.net	tinytask.exe.2.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.30.255.113	github.com	United States		36459	GITHUBUS	false
185.199.110.133	raw.githubusercontent.com	Netherlands		54113	FASTLYUS	false

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1322068
Start date and time:	2023-10-09 11:27:17 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	urldownload.jbs
Sample URL:	https://github.com/frankwick/t/raw/main/tinytask.exe
Analysis system description:	Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.win@5/2@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 25 Number of non-executed functions: 13

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target wget.exe, PID 7324 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1002
Entropy (8bit):	5.1752700239413105
Encrypted:	false
SSDEEP:	24:k8to1xePnSMGhMovkOMGh9MGjMGYvMGjMGG6xePgD/IBbyij2KbyiEv:jSisOs+x6x562bHqKbHG
MD5:	EE186579C7090E381A53BD3D95CC9568
SHA1:	6D6A7A8EE9C90A74BB0E6629DF0A58D11B8013DA
SHA-256:	E5BBACEA3108CE9AF13483D6BD682B4FBEED4587A6FA73A7045066DC43492D6B
SHA-512:	0AF712F72195EDEA679452C567B93F83D3C0ECD9767F4ED8E50D8E40CAFBFD3FB9AB672536883E3FDB49D61B63619F2FAD97AF0A9D2F1AB6315FE39CDDC006C6
Malicious:	false
Reputation:	low
Preview:	--2023-10-09 11:28:01-- https://github.com/frankwick/t/raw/main/tinytask.exe..Resolving github.com (github.com)... 192.30.255.113..Connecting to github.com (github.com)\|192.30.255.113\|:443... connected...HTTP request sent, awaiting response... 302 Found..Location: https://raw.githubusercontent.com/frankwick/t/main/tinytask.exe [following]..--2023-10-09 11:28:02-- https://raw.githubusercontent.com/frankwick/t/main/tinytask.exe..Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.108.133, 185.199.111.133, .....Connecting to raw.githubusercontent.com (raw.githubusercontent.com)\|185.199.110.133\|:443... connected...HTTP request sent, awaiting response... 200 OK..Length: 36352 (36K) [application/octet-stream]..Saving to: 'C:/Users/user/Desktop/download/tinytask.exe'.... 0K .......... .......... .......... ..... 100% 474K=0.07s....2023-10-09 11:28:03 (474 KB/s) - 'C:/Users/user/Desktop/download/tinytask.exe' saved [36352/36352]..

C:\Users\user\Desktop\download\tinytask.exe

Download File

Process:	C:\Windows\SysWOW64\wget.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	6.577308655111805
Encrypted:	false
SSDEEP:	768:sAzGzd0LnFjuwY6QlVwvHI1pSgNEl/MYoeAW:5zGzd0wXlVwv0SgNQXoeAW
MD5:	8FD3551654F0F5281DDBD7E32CB73054
SHA1:	9B1C9722847CD57CD11E4DE80CD9E8197C3C34CD
SHA-256:	75E06AC5B7C1ADB01AB994633466685E3DCEF31D635EBA1734FE16C7893FFE12
SHA-512:	A716F535E363FC1225B1665E1C24693E768D13699EA37BDF57EFFE4FEA24B4B30A2181174F66C35E749B9C845B07F82EECBF282EE5972DE0426F847293D46B4B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8% Antivirus: Virustotal, Detection: 17%, Browse
Reputation:	low
Preview:	MZ......................@...................................X...........!..L.!?...$.....PE..L......].................8...Z.......F.......P....@..........................................................................R..x....p...=...........................................................................P...............................text....7.......8.................. ..`.rdata.......P.......:..............@..@.data........`.......F..............@....rsrc....=...p...>...P..............@..@................U...t...SVWj.3.Y3..}..].j..Y.}..]..]..}. ........j?3.Y....... .....j?f..Y3........u..f..].]..]..]...h3..Y.....;.~...P.......u.P.3...8`@.......u....j@...P.p5..Y..j@.S.+..;..j@.Y..a@........m@.........l@.h....VS...P@.P...P@....t.V..2..Y.H....t!...l@....l@...t.;.\|....u.. .3.I..h.a@.V.:3.....P@.YYVj.h.a@.W..@`@..E.P.E.P..'..YYj...pQ@..+.j...E..+.....+.M...pQ@..+.V.u..E..+.h.`@.....+.W.M...V.E..u.h.`@.W..H..E.Q.M.Q.RP.E.QP..tQ@..E.Pj...xQ@.P...P@...u..E.E.E.E.Vj.h.`@

Total Packets: 23
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 9, 2023 11:28:02.295542002 CEST	49738	443	192.168.2.4	192.30.255.113
Oct 9, 2023 11:28:02.295582056 CEST	443	49738	192.30.255.113	192.168.2.4
Oct 9, 2023 11:28:02.295667887 CEST	49738	443	192.168.2.4	192.30.255.113
Oct 9, 2023 11:28:02.303250074 CEST	49738	443	192.168.2.4	192.30.255.113
Oct 9, 2023 11:28:02.303284883 CEST	443	49738	192.30.255.113	192.168.2.4
Oct 9, 2023 11:28:02.714164019 CEST	443	49738	192.30.255.113	192.168.2.4
Oct 9, 2023 11:28:02.714274883 CEST	49738	443	192.168.2.4	192.30.255.113
Oct 9, 2023 11:28:02.716301918 CEST	49738	443	192.168.2.4	192.30.255.113
Oct 9, 2023 11:28:02.716330051 CEST	443	49738	192.30.255.113	192.168.2.4
Oct 9, 2023 11:28:02.716748953 CEST	443	49738	192.30.255.113	192.168.2.4
Oct 9, 2023 11:28:02.717591047 CEST	49738	443	192.168.2.4	192.30.255.113
Oct 9, 2023 11:28:02.758501053 CEST	443	49738	192.30.255.113	192.168.2.4
Oct 9, 2023 11:28:03.226404905 CEST	443	49738	192.30.255.113	192.168.2.4
Oct 9, 2023 11:28:03.226675034 CEST	443	49738	192.30.255.113	192.168.2.4
Oct 9, 2023 11:28:03.226778984 CEST	49738	443	192.168.2.4	192.30.255.113
Oct 9, 2023 11:28:03.226810932 CEST	443	49738	192.30.255.113	192.168.2.4
Oct 9, 2023 11:28:03.226835012 CEST	443	49738	192.30.255.113	192.168.2.4
Oct 9, 2023 11:28:03.226953030 CEST	49738	443	192.168.2.4	192.30.255.113
Oct 9, 2023 11:28:03.233022928 CEST	49738	443	192.168.2.4	192.30.255.113
Oct 9, 2023 11:28:03.233037949 CEST	443	49738	192.30.255.113	192.168.2.4
Oct 9, 2023 11:28:03.406431913 CEST	49739	443	192.168.2.4	185.199.110.133
Oct 9, 2023 11:28:03.406482935 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:03.406569958 CEST	49739	443	192.168.2.4	185.199.110.133
Oct 9, 2023 11:28:03.408310890 CEST	49739	443	192.168.2.4	185.199.110.133
Oct 9, 2023 11:28:03.408332109 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:03.753249884 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:03.753499031 CEST	49739	443	192.168.2.4	185.199.110.133
Oct 9, 2023 11:28:03.754534960 CEST	49739	443	192.168.2.4	185.199.110.133
Oct 9, 2023 11:28:03.754565954 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:03.754992962 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:03.755947113 CEST	49739	443	192.168.2.4	185.199.110.133
Oct 9, 2023 11:28:03.802447081 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.295145988 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.295322895 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.295411110 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.295499086 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.295504093 CEST	49739	443	192.168.2.4	185.199.110.133
Oct 9, 2023 11:28:04.295578003 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.295625925 CEST	49739	443	192.168.2.4	185.199.110.133
Oct 9, 2023 11:28:04.300225019 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.300309896 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.300409079 CEST	49739	443	192.168.2.4	185.199.110.133
Oct 9, 2023 11:28:04.300472975 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.300534010 CEST	49739	443	192.168.2.4	185.199.110.133
Oct 9, 2023 11:28:04.305712938 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.311043024 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.311121941 CEST	49739	443	192.168.2.4	185.199.110.133
Oct 9, 2023 11:28:04.311146975 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.316502094 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.316575050 CEST	49739	443	192.168.2.4	185.199.110.133
Oct 9, 2023 11:28:04.316590071 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.321927071 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.322010040 CEST	49739	443	192.168.2.4	185.199.110.133
Oct 9, 2023 11:28:04.322022915 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.327889919 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.327976942 CEST	49739	443	192.168.2.4	185.199.110.133
Oct 9, 2023 11:28:04.328010082 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.333026886 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.333111048 CEST	49739	443	192.168.2.4	185.199.110.133
Oct 9, 2023 11:28:04.333139896 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.338622093 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.338701010 CEST	49739	443	192.168.2.4	185.199.110.133
Oct 9, 2023 11:28:04.338725090 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.349380970 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.349457026 CEST	49739	443	192.168.2.4	185.199.110.133
Oct 9, 2023 11:28:04.349489927 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.354805946 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.354878902 CEST	49739	443	192.168.2.4	185.199.110.133
Oct 9, 2023 11:28:04.354902029 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.360157013 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.360234022 CEST	49739	443	192.168.2.4	185.199.110.133
Oct 9, 2023 11:28:04.360265970 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.363055944 CEST	443	49739	185.199.110.133	192.168.2.4
Oct 9, 2023 11:28:04.363133907 CEST	49739	443	192.168.2.4	185.199.110.133
Oct 9, 2023 11:28:04.376337051 CEST	49739	443	192.168.2.4	185.199.110.133
Oct 9, 2023 11:28:04.376378059 CEST	443	49739	185.199.110.133	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 9, 2023 11:28:02.124610901 CEST	63348	53	192.168.2.4	1.1.1.1
Oct 9, 2023 11:28:02.287672997 CEST	53	63348	1.1.1.1	192.168.2.4
Oct 9, 2023 11:28:03.240005970 CEST	51773	53	192.168.2.4	1.1.1.1
Oct 9, 2023 11:28:03.403170109 CEST	53	51773	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 9, 2023 11:28:02.124610901 CEST	192.168.2.4	1.1.1.1	0x90d6	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false
Oct 9, 2023 11:28:03.240005970 CEST	192.168.2.4	1.1.1.1	0x6ab8	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 9, 2023 11:28:02.287672997 CEST	1.1.1.1	192.168.2.4	0x90d6	No error (0)	github.com	192.30.255.113	A (IP address)	IN (0x0001)	false
Oct 9, 2023 11:28:03.403170109 CEST	1.1.1.1	192.168.2.4	0x6ab8	No error (0)	raw.githubusercontent.com	185.199.110.133	A (IP address)	IN (0x0001)	false
Oct 9, 2023 11:28:03.403170109 CEST	1.1.1.1	192.168.2.4	0x6ab8	No error (0)	raw.githubusercontent.com	185.199.108.133	A (IP address)	IN (0x0001)	false
Oct 9, 2023 11:28:03.403170109 CEST	1.1.1.1	192.168.2.4	0x6ab8	No error (0)	raw.githubusercontent.com	185.199.111.133	A (IP address)	IN (0x0001)	false
Oct 9, 2023 11:28:03.403170109 CEST	1.1.1.1	192.168.2.4	0x6ab8	No error (0)	raw.githubusercontent.com	185.199.109.133	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

github.com

raw.githubusercontent.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49738	192.30.255.113	443	C:\Windows\SysWOW64\wget.exe

Timestamp	Direction	Data
2023-10-09 09:28:02 UTC	OUT	GET /frankwick/t/raw/main/tinytask.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Accept: / Accept-Encoding: identity Host: github.com Connection: Keep-Alive
2023-10-09 09:28:03 UTC	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Mon, 09 Oct 2023 09:28:03 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Access-Control-Allow-Origin: https://render.githubusercontent.com Location: https://raw.githubusercontent.com/frankwick/t/main/tinytask.exe Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2023-10-09 09:28:03 UTC	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f 6d 20 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 20 61 70 69 2e 67 69 74 68 75 62 63 Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.githubc

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49739	185.199.110.133	443	C:\Windows\SysWOW64\wget.exe

Timestamp	kBytes transferred	Direction	Data
2023-10-09 09:28:03 UTC	3	OUT	GET /frankwick/t/main/tinytask.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Accept: / Accept-Encoding: identity Host: raw.githubusercontent.com Connection: Keep-Alive
2023-10-09 09:28:04 UTC	3	IN	HTTP/1.1 200 OK Connection: close Content-Length: 36352 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: application/octet-stream ETag: "f5125bc3b9a70d854c16fe67bc787cf7fb5771f21f50293d3e1e6821ea25a683" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 2542:04E4:3DAC6A:4E5B38:6523C7A3 Accept-Ranges: bytes Date: Mon, 09 Oct 2023 09:28:04 GMT Via: 1.1 varnish X-Served-By: cache-sna10745-LGB X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1696843684.973439,VS0,VE227 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 20620485bfcaa6975d500183586497c37d3eeffc Expires: Mon, 09 Oct 2023 09:33:04 GMT Source-Age: 0
2023-10-09 09:28:04 UTC	4	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 3f 0d 0d 0a 24 00 00 00 00 00 50 45 00 00 4c 01 04 00 02 00 c0 5d 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 38 00 00 00 5a 00 00 00 00 00 00 80 46 00 00 00 10 00 00 00 50 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 b0 00 00 00 02 00 00 d0 e4 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b8 52 00 00 78 00 00 00 00 70 00 00 e0 3d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@X!L!?$PEL]8ZFP@Rxp=
2023-10-09 09:28:04 UTC	5	IN	Data Raw: 00 00 59 8b f8 eb 02 33 ff 8d 85 8c fe ff ff 85 c0 74 2f 8a 8c 35 8c fe ff ff 8d 84 35 8c fe ff ff 84 c9 74 1d 80 f9 22 75 15 8b cf 2b ce 51 8d 48 01 51 50 e8 fe 2f 00 00 83 c4 0c 4f eb d4 46 eb d1 8d 85 8c fe ff ff 53 50 e8 dd 1b 00 00 e9 94 00 00 00 80 3d 1d 6d 40 00 00 0f 84 87 00 00 00 8d 85 8c fd ff ff 68 ff 00 00 00 50 53 ff 15 a8 50 40 00 50 ff 15 ac 50 40 00 ff 35 10 6a 40 00 8d 85 8c fd ff ff 50 e8 9f 1b 00 00 85 c0 75 07 33 c0 e9 88 00 00 00 b8 4c 60 40 00 8b c8 85 c9 74 07 50 e8 0c 32 00 00 59 0f b6 c0 a3 04 6a 40 00 b8 44 60 40 00 8b c8 85 c9 75 08 89 1d 0c 60 40 00 eb 0c 50 e8 ea 31 00 00 59 a3 0c 60 40 00 53 68 03 80 00 00 68 11 01 00 00 ff 35 e0 69 40 00 ff 15 94 51 40 00 8b 35 98 51 40 00 53 53 8d 45 9c 53 50 ff d6 3b c3 74 22 83 f8 ff 74 Data Ascii: Y3t/55t"u+QHQP/OFSP=m@hPSP@PP@5j@Pu3L`@tP2Yj@D`@u`@P1Y`@Shh5i@Q@5Q@SSESP;t"t
2023-10-09 09:28:04 UTC	7	IN	Data Raw: 40 00 0f 84 39 16 00 00 56 ff 75 08 ff 15 30 51 40 00 56 ff 75 08 e8 e7 1b 00 00 e9 21 16 00 00 3d ed 03 00 00 0f 85 35 02 00 00 38 1d 1b 6d 40 00 8b 3d 1c 51 40 00 be 00 80 00 00 75 24 6a 52 ff d7 66 85 c6 74 1b 6a 11 ff d7 66 85 c6 74 12 6a 10 ff d7 66 85 c6 74 09 6a 12 ff d7 66 85 c6 75 36 80 3d 1b 6d 40 00 01 75 09 6a 2c ff d7 66 85 c6 75 24 80 3d 1b 6d 40 00 08 75 09 6a 77 ff d7 66 85 c6 75 12 80 3d 1b 6d 40 00 0c 75 14 6a 7b ff d7 66 85 c6 74 0b 53 68 02 80 00 00 e9 87 00 00 00 38 1d 1c 6d 40 00 75 24 6a 50 ff d7 66 85 c6 74 1b 6a 11 ff d7 66 85 c6 74 12 6a 10 ff d7 66 85 c6 74 09 6a 12 ff d7 66 85 c6 75 36 80 3d 1c 6d 40 00 01 75 09 6a 2c ff d7 66 85 c6 75 24 80 3d 1c 6d 40 00 08 75 09 6a 77 ff d7 66 85 c6 75 12 80 3d 1c 6d 40 00 0c 75 3c 6a 7b ff Data Ascii: @9Vu0Q@Vu!=58m@=Q@u$jRftjftjftjfu6=m@uj,fu$=m@ujwfu=m@uj{ftSh8m@u$jPftjftjftjfu6=m@uj,fu$=m@ujwfu=m@u<j{
2023-10-09 09:28:04 UTC	8	IN	Data Raw: 40 00 53 53 8d 04 80 c1 e0 02 50 ff 35 f0 69 40 00 53 57 e8 62 20 00 00 6a 5c 57 88 1d 18 6b 40 00 e8 00 27 00 00 83 c4 20 3b c3 74 03 8d 78 01 be 18 6b 40 00 57 56 e8 93 25 00 00 59 59 56 ff 35 e0 69 40 00 ff 15 f4 50 40 00 e9 8f 10 00 00 8d 85 a8 fe ff ff 68 ff 00 00 00 50 53 ff 15 a8 50 40 00 50 ff 15 ac 50 40 00 53 8d 85 a8 fe ff ff 57 50 ff 15 84 50 40 00 85 c0 75 10 68 30 00 01 00 57 68 a8 65 40 00 e9 8a 02 00 00 53 68 80 00 00 00 6a 04 53 6a 03 68 00 00 00 c0 57 ff 15 88 50 40 00 53 50 89 45 fc ff 15 8c 50 40 00 3b c3 89 45 ec 0f 84 3f 01 00 00 05 00 10 00 00 6a 01 50 e8 5f 23 00 00 59 8b f0 59 53 53 53 ff 75 fc ff 15 90 50 40 00 8d 45 ec 53 50 ff 75 ec 56 ff 75 fc ff 15 94 50 40 00 89 5d f0 39 5d f0 6a 05 0f 95 c0 48 83 e0 1c 83 c0 24 0f be c0 50 Data Ascii: @SSP5i@SWb j\Wk@' ;txk@WV%YYV5i@P@hPSP@PP@SWPP@uh0Whe@ShjSjhWP@SPEP@;E?jP_#YYSSSuP@ESPuVuP@]9]jH$P
2023-10-09 09:28:04 UTC	9	IN	Data Raw: 00 ff 75 08 ff 15 30 51 40 00 ff 15 58 50 40 00 2b 05 f8 69 40 00 38 1d 18 6b 40 00 89 1d 08 6a 40 00 a3 fc 69 40 00 b8 18 6b 40 00 75 05 b8 1c 61 40 00 50 ff 75 08 ff 15 f4 50 40 00 a1 f0 69 40 00 3b c3 0f 84 33 0b 00 00 8b 15 f4 69 40 00 8b ca f7 d9 8d 72 ff 1b c9 23 ce 89 4d f0 7e 25 8d 34 89 8b 3c b0 8d 34 b0 3b fb 74 18 81 ff 01 02 00 00 75 08 8b 76 10 3b 75 08 74 08 49 3b cb 89 4d f0 7f db 3b cb 74 08 8b d1 89 15 f4 69 40 00 8b ca 83 c2 03 3b ca 89 4d ec 73 2c eb 05 a1 f0 69 40 00 8d 0c 89 6a 14 53 8d 04 88 50 e8 8f 1e 00 00 8b 4d ec a1 f4 69 40 00 83 c4 0c 41 83 c0 03 89 4d ec 3b c8 72 d6 6a 01 53 ff 75 08 ff 15 fc 50 40 00 e9 a3 0a 00 00 a1 08 6a 40 00 3d 02 80 00 00 0f 84 93 0a 00 00 39 1d f0 69 40 00 75 10 a1 00 6a 40 00 0d 40 00 01 00 50 e9 a9 Data Ascii: u0Q@XP@+i@8k@j@i@k@ua@PuP@i@;3i@r#M~%4<4;tuv;utI;M;ti@;Ms,i@jSPMi@AM;rjSuP@j@=9i@uj@@P
2023-10-09 09:28:04 UTC	11	IN	Data Raw: 40 00 f6 d8 1b c0 68 13 80 00 00 24 f8 83 c0 08 50 ff 75 f8 ff d6 a0 1c 6d 40 00 68 b4 63 40 00 fe c8 68 14 80 00 00 f6 d8 1b c0 24 f8 83 c0 08 50 ff 75 f8 ff d6 a0 1c 6d 40 00 68 b0 63 40 00 2c 08 68 15 80 00 00 f6 d8 1b c0 24 f8 83 c0 08 50 ff 75 f8 ff d6 a0 1c 6d 40 00 68 ac 63 40 00 2c 0c 68 16 80 00 00 f6 d8 1b c0 24 f8 83 c0 08 50 ff 75 f8 ff d6 53 53 57 ff 75 f8 ff d6 68 40 63 40 00 68 0e 80 00 00 6a 02 ff 75 f8 ff d6 53 53 57 ff 75 fc ff d6 a1 00 6a 40 00 68 30 63 40 00 f7 d8 1b c0 68 17 80 00 00 83 e0 08 50 ff 75 fc ff d6 a1 14 6a 40 00 68 20 63 40 00 f7 d8 1b c0 68 18 80 00 00 24 f8 83 c0 08 50 ff 75 fc ff d6 a0 1e 6d 40 00 68 08 63 40 00 f6 d8 1b c0 68 1a 80 00 00 83 e0 08 50 ff 75 fc ff d6 68 f0 62 40 00 68 1b 80 00 00 a0 1e 6d 40 00 f6 d8 1b Data Ascii: @h$Pum@hc@h$Pum@hc@,h$Pum@hc@,h$PuSSWuh@c@hjuSSWuj@h0c@hPuj@h c@h$Pum@hc@hPuhb@hm@
2023-10-09 09:28:04 UTC	12	IN	Data Raw: 50 40 00 56 ff 15 90 51 40 00 e9 aa 00 00 00 6a 01 53 53 68 1c 62 40 00 53 53 ff 15 bc 50 40 00 83 f8 20 0f 87 90 00 00 00 68 30 00 01 00 68 1c 61 40 00 68 f4 61 40 00 e9 fc fc ff ff 8d 85 a8 fe ff ff 68 28 61 40 00 50 e8 5b 15 00 00 59 be eb 03 00 00 59 53 6a 0a 56 ff 75 08 ff 15 d0 50 40 00 6a 09 33 c0 59 8d 7d ac f3 ab 53 c7 45 a8 28 00 00 00 ff 15 a8 50 40 00 89 45 b0 8d 85 a8 fe ff ff 8b 7d 08 89 45 b4 a1 00 6a 40 00 89 7d ac 0d 80 00 01 00 c7 45 b8 80 66 40 00 89 45 bc 8d 45 a8 50 c7 45 c0 a1 0f 00 00 ff 15 f0 50 40 00 56 57 ff 15 30 51 40 00 ff 75 14 ff 75 10 ff 75 0c ff 75 08 ff 15 6c 51 40 00 5f 5e 5b c9 c2 10 00 cc 1c 40 00 1d 1d 40 00 48 21 40 00 62 24 40 00 1d 1d 40 00 e4 26 40 00 94 2a 40 00 a3 2a 40 00 ae 2a 40 00 bd 2a 40 00 cc 2a 40 00 db Data Ascii: P@VQ@jSShb@SSP@ h0ha@ha@h(a@P[YYSjVuP@j3Y}SE(P@E}Ej@}Ef@EEPEP@VW0Q@uuuulQ@_^[@@H!@b$@@&@@@@@*@
2023-10-09 09:28:04 UTC	13	IN	Data Raw: 3c a0 74 4a f6 db 0f b6 f0 1b db 6a 00 81 c3 01 01 00 00 56 89 5d e0 ff 15 e0 50 40 00 8b d8 8b 45 f8 8b fb c1 e7 08 0b fe eb 2c f6 db 1b db 81 c3 02 02 00 00 eb 0a f6 db 1b db 81 c3 05 02 00 00 8b 45 f8 8b 7d f4 89 5d e0 8b d8 eb 09 8b 45 f8 8b 5d e8 8b 7d e4 83 7d e0 00 75 34 8b 4d f4 85 c9 0f 84 99 00 00 00 85 c0 0f 84 91 00 00 00 8d 14 08 3a 15 20 6d 40 00 0f 84 82 00 00 00 8b d8 02 c1 c7 45 e0 00 02 00 00 8b f9 a2 20 6d 40 00 ff 15 54 51 40 00 8b 0d f4 69 40 00 8b 15 f0 69 40 00 8d 0c 89 89 44 8a 10 a1 f4 69 40 00 8b 0d f0 69 40 00 8b 55 e0 8d 04 80 89 14 81 a1 f4 69 40 00 8b 0d f0 69 40 00 8d 04 80 89 7c 81 04 a1 f4 69 40 00 8b 0d f0 69 40 00 8d 04 80 89 5c 81 08 ff 15 58 50 40 00 8b 0d f4 69 40 00 8b 15 f0 69 40 00 8d 0c 89 89 44 8a 0c ff 05 f4 69 Data Ascii: <tJjV]P@E,E}]E]}}u4M: m@E m@TQ@i@i@Di@i@Ui@i@\|i@i@\XP@i@i@Di
2023-10-09 09:28:04 UTC	15	IN	Data Raw: 75 ec ff 75 f8 ff d6 ff 75 fc 8b 35 04 50 40 00 ff d6 ff 75 f8 ff d6 8b 45 e8 5e 5f 5b c9 c3 55 8b ec 81 ec 1c 01 00 00 53 57 33 db 33 c0 8d 7d e8 89 5d e4 ab ab ab ab ab 6a 3f 33 c0 59 8d bd e5 fe ff ff 88 9d e4 fe ff ff 39 5d 08 f3 ab 66 ab aa 0f 84 9d 01 00 00 39 5d 0c 0f 84 94 01 00 00 56 68 18 6c 40 00 8d 85 e4 fe ff ff 68 ff 00 00 00 50 68 20 6e 40 00 bf 1c 61 40 00 68 48 62 40 00 57 ff 15 a0 50 40 00 38 9d e4 fe ff ff 8b 35 70 51 40 00 0f 84 93 00 00 00 68 50 20 00 00 53 53 8d 85 e4 fe ff ff 53 50 53 c6 05 1e 6d 40 00 01 ff 15 60 51 40 00 3b c3 89 45 fc 74 29 8d 4d e4 51 6a 18 50 ff 15 18 50 40 00 83 7d ec 0a 7c 16 8b 45 e8 6a 07 99 59 f7 f9 83 f8 0a 7c 08 53 ff d6 39 45 e8 7e 41 a1 00 6a 40 00 0d 30 20 01 00 50 8d 85 e4 fe ff ff 50 68 34 67 40 00 Data Ascii: uuu5P@uE^_[USW33}]j?3Y9]f9]Vhl@hPh n@a@hHb@WP@85pQ@hP SSSPSm@`Q@;Et)MQjPP@}\|EjY\|S9E~Aj@0 PPh4g@
2023-10-09 09:28:04 UTC	16	IN	Data Raw: 00 00 59 33 f6 ff 75 08 ff 15 9c 50 40 00 8b 45 18 3b c3 74 05 8b 4d fc 89 08 8b c6 eb 0b ff 75 08 ff 15 9c 50 40 00 33 c0 5f 5e 5b c9 c3 55 8b ec 81 ec 10 02 00 00 80 a5 f4 fe ff ff 00 53 56 57 6a 40 33 c0 59 8d bd f5 fe ff ff f3 ab 80 a5 f0 fd ff ff 00 6a 40 66 ab aa 59 33 c0 8d bd f1 fd ff ff 33 f6 f3 ab 66 ab aa 8b 45 08 89 75 fc 3b c6 89 75 f8 0f 84 e6 01 00 00 80 38 00 0f 84 dd 01 00 00 8d 8d f4 fe ff ff 51 50 e8 b5 02 00 00 8d 85 f4 fe ff ff 59 85 c0 59 74 20 80 bd f4 fe ff ff 00 74 17 8d 85 f4 fe ff ff 50 e8 b3 04 00 00 0f be 84 05 f3 fe ff ff 59 eb 02 33 c0 83 f8 5c 75 65 33 ff 80 bd f4 fe ff ff 00 0f 84 c7 01 00 00 81 ff 04 01 00 00 0f 8d bb 01 00 00 80 bc 3d f4 fe ff ff 5c 8d 9c 3d f4 fe ff ff 75 20 83 ff 01 7e 1b 80 bc 3d f3 fe ff ff 3a 74 11 Data Ascii: Y3uP@E;tMuP@3_^[USVWj@3Yj@fY33fEu;u8QPYYt tPY3\ue3=\=u ~=:t
2023-10-09 09:28:04 UTC	17	IN	Data Raw: 5f 5e c3 8b 4c 24 04 85 c9 74 13 80 39 00 74 0e 8d 41 01 8a 10 40 84 d2 75 f9 2b c1 48 c3 33 c0 c3 8b 44 24 04 85 c0 74 1d 8b 4c 24 08 85 c9 74 15 8a 11 56 88 10 8d 70 01 41 84 d2 74 07 8a 11 88 16 46 eb f4 5e c3 57 8b 7c 24 08 85 ff 74 3c 8b 54 24 0c 85 d2 74 34 8b 4c 24 10 85 c9 56 8b f7 74 24 8a 02 88 07 47 42 84 c0 74 03 49 75 f3 85 c9 74 13 49 74 10 8b d1 c1 e9 02 33 c0 f3 ab 8b ca 83 e1 03 f3 aa 8b c6 5e 5f c3 8b c7 5f c3 8b 44 24 04 85 c0 74 21 8b 54 24 08 85 d2 74 19 80 38 00 8b c8 74 06 41 80 39 00 75 fa 53 8a 1a 88 19 41 42 84 db 75 f6 5b c3 56 8b 74 24 08 85 f6 75 0a 8b 44 24 0c f7 d8 1b c0 5e c3 8b 54 24 0c 85 d2 74 21 57 8a 0a 0f b6 06 0f b6 f9 2b c7 75 08 84 c9 74 04 46 42 eb ec 85 c0 5f 7d 05 83 c8 ff 5e c3 7e 03 6a 01 58 5e c3 56 8b 74 24 Data Ascii: _^L$t9tA@u+H3D$tL$tVpAtF^W\|$t<T$t4L$Vt$GBtIutIt3^__D$t!T$t8tA9uSABu[Vt$uD$^T$t!W+utFB_}^~jX^Vt$
2023-10-09 09:28:04 UTC	19	IN	Data Raw: 00 00 dc 59 00 00 ec 59 00 00 f8 59 00 00 06 5a 00 00 16 5a 00 00 22 5a 00 00 2e 5a 00 00 40 5a 00 00 56 5a 00 00 6c 5a 00 00 7c 5a 00 00 f4 57 00 00 e4 57 00 00 d2 57 00 00 be 57 00 00 b4 57 00 00 ac 57 00 00 a0 57 00 00 8c 57 00 00 7e 57 00 00 6c 57 00 00 5e 57 00 00 4e 57 00 00 3e 57 00 00 30 57 00 00 1c 57 00 00 08 57 00 00 5c 58 00 00 00 00 00 00 76 5b 00 00 8a 5b 00 00 00 00 00 00 f9 ff ff ff f0 ff ff ff f0 ff ff ff f0 ff ff ff f0 ff ff ff f0 3f ff ff f0 07 ff ff f0 01 ff ff f0 00 ff ff 10 00 7f ff 00 00 7f ff 00 00 7f ff 80 00 7f ff c0 00 7f ff c0 00 7f ff e0 00 7f ff e0 00 ff ff f0 00 ff ff f0 00 ff ff f8 01 ff ff f8 01 ff ff f8 01 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: YYYZZ"Z.Z@ZVZlZ\|ZWWWWWWWW~WlW^WNW>W0WWW\Xv[[?
2023-10-09 09:28:04 UTC	20	IN	Data Raw: 63 65 73 73 48 65 61 70 00 00 a2 01 48 65 61 70 52 65 41 6c 6c 6f 63 00 9f 01 48 65 61 70 46 72 65 65 00 00 a3 01 48 65 61 70 53 69 7a 65 00 00 7d 00 45 78 69 74 50 72 6f 63 65 73 73 00 50 01 47 65 74 53 74 61 72 74 75 70 49 6e 66 6f 41 00 ca 00 47 65 74 43 6f 6d 6d 61 6e 64 4c 69 6e 65 41 00 4b 45 52 4e 45 4c 33 32 2e 64 6c 6c 00 00 95 00 44 69 73 70 61 74 63 68 4d 65 73 73 61 67 65 41 00 00 82 02 54 72 61 6e 73 6c 61 74 65 4d 65 73 73 61 67 65 00 00 2a 01 47 65 74 4d 65 73 73 61 67 65 41 00 de 01 50 6f 73 74 4d 65 73 73 61 67 65 41 00 00 91 02 55 70 64 61 74 65 57 69 6e 64 6f 77 00 00 6a 02 53 68 6f 77 57 69 6e 64 6f 77 00 00 59 00 43 72 65 61 74 65 57 69 6e 64 6f 77 45 78 41 00 be 01 4d 65 73 73 61 67 65 42 6f 78 41 00 f3 01 52 65 67 69 73 74 65 72 43 Data Ascii: cessHeapHeapReAllocHeapFreeHeapSize}ExitProcessPGetStartupInfoAGetCommandLineAKERNEL32.dllDispatchMessageATranslateMessage*GetMessageAPostMessageAUpdateWindowjShowWindowYCreateWindowExAMessageBoxARegisterC
2023-10-09 09:28:04 UTC	21	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 01 00 00 00 1e 00 00 00 1c 00 00 00 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 36 33 35 32 00 23 00 05 00 00 00 40 40 40 40 40 00 00 00 24 24 24 24 24 00 00 00 53 74 61 72 74 75 70 20 46 61 69 6c 75 72 65 3a 20 43 72 65 61 74 65 57 69 6e 64 6f 77 00 00 00 53 74 61 72 74 75 70 20 46 61 69 6c 75 72 65 3a 20 52 65 67 69 73 74 65 72 43 6c 61 73 73 00 00 54 69 6e 79 54 61 73 6b 43 6c 61 73 73 00 00 00 70 6c 61 79 5f 6b 65 79 00 00 00 00 72 65 63 6f 72 64 5f 6b 65 79 00 00 68 69 64 65 5f 63 61 70 74 69 6f 6e 73 00 00 00 74 6f 70 6d 6f 73 74 00 73 70 65 65 64 5f 63 75 73 74 6f 6d 00 00 00 00 73 70 65 65 64 00 00 00 77 69 6e 64 6f 77 5f 79 00 00 00 00 77 Data Ascii: 136352#@@@@@$$$$$Startup Failure: CreateWindowStartup Failure: RegisterClassTinyTaskClassplay_keyrecord_keyhide_captionstopmostspeed_customspeedwindow_yw
2023-10-09 09:28:04 UTC	23	IN	Data Raw: 53 70 65 65 64 3a 09 20 25 64 25 73 78 0a 20 20 52 65 70 65 61 74 20 4c 6f 6f 70 73 3a 09 20 25 64 00 00 00 4b 42 00 00 20 4d 42 00 2f 32 00 00 20 20 43 6f 6d 70 69 6c 65 20 45 72 72 6f 72 0a 0a 00 00 00 25 30 35 64 00 00 00 00 55 6e 61 62 6c 65 20 74 6f 20 77 72 69 74 65 20 66 69 6c 65 00 00 00 00 2e 65 78 65 00 00 00 00 50 72 6f 67 72 61 6d 20 46 69 6c 65 73 20 28 2a 2e 65 78 65 29 00 2a 2e 65 78 65 00 41 6c 6c 20 46 69 6c 65 73 20 28 2a 2e 2a 29 00 2a 2e 2a 00 00 00 00 00 2e 72 65 63 00 00 00 00 52 65 63 6f 72 64 69 6e 67 20 46 69 6c 65 73 20 28 2a 2e 72 65 63 29 00 2a 2e 72 65 63 00 41 6c 6c 20 46 69 6c 65 73 20 28 2a 2e 2a 29 00 2a 2e 2a 00 00 00 53 54 41 54 49 43 00 00 74 69 6e 79 74 61 73 6b 2e 6e 65 74 00 00 00 00 45 44 49 54 00 00 00 00 53 65 74 Data Ascii: Speed: %d%sx Repeat Loops: %dKB MB/2 Compile Error%05dUnable to write file.exeProgram Files (.exe).exeAll Files (.)..recRecording Files (.rec).recAll Files (.).STATICtinytask.netEDITSet
2023-10-09 09:28:04 UTC	24	IN	Data Raw: 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 68 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 88 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 98 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 a8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 b8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 04 00 00 c8 01 00 00 c8 8e 00 00 72 19 00 00 00 00 00 00 00 00 00 00 e0 71 00 00 a8 0e 00 00 00 00 00 00 00 00 00 00 88 80 00 00 a8 08 00 00 00 00 00 00 00 00 00 00 30 89 00 00 68 05 00 00 00 00 00 00 00 00 00 00 98 8e 00 00 30 00 00 00 00 00 00 00 00 00 00 00 40 a8 00 00 70 Data Ascii: hxrq0h0@p
2023-10-09 09:28:04 UTC	25	IN	Data Raw: 1c 1a 1d 1c 1c 1d 1c 1d 1c 1d 1c 1c 1c 1c 1b 1e 1c 27 ae 00 00 00 00 00 00 00 00 00 00 2c 03 04 06 05 05 06 05 05 06 05 06 09 09 06 09 09 0b 09 0b 0a 0b 0b 0b 0b 0b 0b 0b 0b 0b 0e 0e 0e 0e 0e 0d 0c 07 1b 00 00 00 00 00 00 00 00 69 04 17 65 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6a 6b 6a 6b 6a 6b 6a 6b 6a 6b 6a 6b 6a 6b 6a 6b 6a 6b 6b 6a 6b 6a 6a 21 15 07 26 00 00 00 00 00 00 d2 01 1f 6b 66 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6a 6a 6a 15 08 bd 00 00 00 00 00 a2 12 6b a8 6b 6b 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6b a6 6d 23 08 33 00 00 00 00 00 19 16 6d b7 a8 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d 6d Data Ascii: ',iekkkkkkkkjkjkjkjkjkjkjkjkjkjkkjkjj!&kfkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkjjjkkkmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmkm#3mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
2023-10-09 09:28:04 UTC	27	IN	Data Raw: ec ec ea ec ea c2 bc a9 39 53 72 78 7b 7f 7f 7f 7e 78 74 59 49 50 ba c7 d8 ec ea ec ea ec ea ec ec e5 0e 1d 00 00 00 00 00 13 a2 ed ec eb eb eb ea eb eb ea ea c5 c0 90 37 52 5b 7e 84 84 84 84 84 80 74 57 45 50 ad c8 de ea ea ea ea ea ea eb ec e6 0b 1e 00 00 00 00 00 12 a5 ed eb e8 ea eb ea e8 eb ea e8 c7 ca 8f 37 49 75 88 89 89 89 89 89 88 81 56 39 51 b4 c8 e4 ea e8 ea ea ea e8 e7 ec e8 0e 1d 00 00 00 00 00 13 a5 ee e8 e5 e8 e8 e8 e8 e8 e8 e8 d8 de a3 3c 38 85 8b 8d 8d 8d 8d 8d 8c 8a 52 36 67 c7 c9 e7 e8 e8 e8 e8 e8 e8 e4 ed ea 0e 1d 00 00 00 00 00 12 a5 f0 e7 e4 e6 e6 e7 e6 e7 e6 e6 e1 c9 c5 63 35 60 97 99 9a 9a 9a 9a 98 93 43 3a 8e de cb e6 e6 e6 e7 e6 e7 e7 e0 ee ea 0e 1e 00 00 00 00 00 13 a5 f2 e5 e4 e6 e6 e6 e6 e6 e6 e6 e5 cb df ab 4f 47 94 9e 9e 9e Data Ascii: 9Srx{~xtYIP7R[~tWEP7IuV9Q<8R6gc5`C:OG
2023-10-09 09:28:04 UTC	28	IN	Data Raw: 65 59 59 00 60 5c 5c 00 64 5e 5e 00 6a 58 58 00 68 5d 5d 00 6f 5d 5d 00 60 61 61 00 64 61 61 00 61 64 64 00 64 64 64 00 68 62 62 00 66 69 69 00 78 61 61 00 79 67 67 00 77 68 68 00 77 6c 6c 00 7b 69 69 00 7b 6c 6c 00 7e 74 74 00 77 78 78 00 7d 7d 7d 00 b1 1a 03 00 b6 20 06 00 bd 25 07 00 bf 2c 01 00 a9 28 17 00 9c 36 29 00 9b 3b 2a 00 a9 3d 30 00 cb 2b 03 00 c6 28 0f 00 c8 34 02 00 c5 32 0f 00 c4 3b 26 00 bc 53 2f 00 a3 40 35 00 ac 42 32 00 a5 4e 33 00 aa 4e 33 00 dd 58 05 00 d4 56 0d 00 d4 49 1a 00 d3 5a 10 00 cf 62 04 00 d1 66 04 00 d6 6e 05 00 d9 6b 05 00 dd 74 06 00 d7 78 05 00 d8 7d 08 00 de 66 16 00 e0 75 19 00 d4 5e 25 00 cf 52 3e 00 db 5c 32 00 e0 67 28 00 86 53 46 00 9e 53 44 00 b7 5c 49 00 97 61 4d 00 88 65 58 00 a3 65 5d 00 ba 6e 58 00 9c 6e 63 Data Ascii: eYY`\\d^^jXXh]]o]]`aadaaadddddhbbfiixaayggwhhwll{ii{ll~ttwxx}}} %,(6);*=0+(42;&S/@5B2N3N3XVIZbfnktx}fu^%R>\2g(SFSD\IaMeXe]nXnc
2023-10-09 09:28:04 UTC	29	IN	Data Raw: f6 f6 f6 f6 f8 ea a7 16 00 00 00 0a d0 f3 f5 f5 f5 f5 f5 f5 f5 f4 eb b5 8d 21 8b a5 e1 f4 f5 f5 f5 f5 f5 f5 f6 eb a7 16 00 00 00 0a d6 f3 f4 f4 f4 f4 f4 f4 f4 ce 21 8b bd cb c5 9c 20 a7 f2 f4 f4 f4 f4 f4 f5 eb b3 14 00 00 00 08 db f2 f3 f3 f3 f3 f3 f3 cf 8b b6 d4 79 7b 7a 7c c7 8f a6 f2 f3 f3 f3 f3 f4 eb b4 14 00 00 00 08 dc f1 f1 f1 f1 f1 f1 ea 92 bc 42 61 80 83 82 70 36 c2 91 d3 f1 f1 f1 f1 f3 ed b5 14 00 00 00 08 df f0 f0 f0 f0 f0 f0 cb a4 5a 34 67 6b 6d 6b 66 5d 2e b9 a7 f0 f0 f0 f0 f1 ed b7 14 00 00 00 08 e1 ee ee ee ee ee ee be b2 2b 3c 62 65 69 69 63 5e 2a a9 a5 eb ee ee ee ef ed be 14 00 00 00 08 e4 ed ed ed ed ed ed c5 b0 24 3a 5f 63 65 63 5f 5b 2c 4e ba e4 ed ed ed ed ed bf 14 00 00 00 08 e6 ec eb eb eb eb eb ce 9d 23 38 6a 6f 6f 6f 6e 3e 25 4d Data Ascii: !! y{z\|Bap6Z4gkmkf].+<beiic^*$:_cec_[,N#8jooon>%M
2023-10-09 09:28:04 UTC	31	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2023-10-09 09:28:04 UTC	32	IN	Data Raw: 8b 00 a0 b7 8f 00 af a0 94 00 bb a7 96 00 a4 bb 96 00 8b 8c a2 00 8f 90 a4 00 98 98 a6 00 86 88 b5 00 92 92 bc 00 a6 85 a2 00 b5 8e a0 00 b5 93 a4 00 b8 94 a4 00 ba 9b aa 00 9f a2 a0 00 a6 a6 a7 00 b9 ae a3 00 bd b0 a1 00 bd b4 aa 00 ab ac b6 00 be a3 b0 00 b6 b6 b6 00 c6 9e 81 00 fb 9f 87 00 c7 a0 83 00 ca a4 85 00 c8 a4 88 00 ce aa 8c 00 d1 aa 8c 00 cb ac 96 00 ce b1 9b 00 d5 b7 9d 00 eb ab 81 00 f8 a3 8b 00 eb b2 86 00 f0 b6 8a 00 c0 9b ab 00 c4 a0 af 00 cb b9 a7 00 d2 ba a6 00 c7 ab b7 00 d0 ad ba 00 c9 b6 bc 00 9c c0 8e 00 a4 c7 99 00 ad c4 a2 00 b5 c6 ab 00 ac d0 a3 00 b4 d7 ae 00 bf cd b7 00 b9 dc b5 00 bc e0 b9 00 e8 c4 9e 00 f0 c3 9d 00 fe eb 9e 00 d4 c0 af 00 c3 cc b9 00 d4 c2 b2 00 c5 d1 bd 00 e2 cd bb 00 fb c3 bb 00 ff d3 b2 00 ff e4 b0 00 88 Data Ascii:
2023-10-09 09:28:04 UTC	33	IN	Data Raw: 00 05 24 e9 fb e9 fb fb 10 fb 04 11 00 13 83 ed fb fb 11 fb fb ed fb fb f5 11 fb e0 8a fb 83 e3 fb 11 11 fb 01 01 03 fb 01 02 02 fb 00 07 78 02 7b fb fb 01 fb fb 02 fb 01 02 10 fb 04 00 00 0a 02 e2 fb fb 00 ed fb fb 01 fb 02 fb 01 02 02 fb 01 00 02 fb 00 06 02 03 d7 f5 e3 fb 0e fb 05 5f 00 06 67 f2 fb fb 61 fb 02 fb 01 65 02 fb 00 05 63 f2 fb f2 fb fb 07 fb 02 00 00 00 05 fb 00 03 01 e3 fb 23 02 fb 00 18 dc 02 fb fb 00 03 dc 7b 7b fb fb 03 9c df 7a 7b fb fb 00 78 dc 96 00 fb 0a fb 00 1a 03 78 96 dc fb e3 fb fb 02 95 df 78 01 fb 78 96 fb 95 7a fb 03 9c df 7a 7b fb 10 fb 01 0a 03 fb 00 11 eb a2 9d fb fb a1 dd e7 a5 a6 fb fb a1 a5 ae 25 fb dc 10 fb 01 11 02 fb 00 14 ed 85 84 fb fb 11 fb fb 28 b5 e3 8a 28 fb b4 c1 fb b5 b5 fb 11 fb 00 12 03 9c df 7a 7b fb dc Data Ascii: $x{_gaec#{{z{xxxxzz{%((z{
2023-10-09 09:28:04 UTC	35	IN	Data Raw: 6e d1 6e 65 fb fb 0a fb 00 03 c6 f4 fe 02 17 fe 00 03 f4 c6 fb e2 04 fb 02 00 00 00 05 fb 0b 23 02 e1 00 06 0a aa 0a e1 e1 23 09 23 0b fb 01 71 02 ec 01 23 12 ff 01 23 02 ec 01 71 0b fb 01 a0 1a fc 01 a0 0c fb 01 11 03 ba 00 04 28 83 f8 fb 09 fb 00 09 11 b9 28 b7 ba b2 29 f8 fb 02 17 fb 02 a5 16 fb 01 93 02 d9 00 04 7f 74 d9 ec 02 ec 00 04 e4 7f e3 fb 04 fb 00 0c ce 5f 6e d1 6e 5f 6e d1 6e 5f f1 fb 0a fb 01 c6 1a fe 01 c6 05 fb 02 00 00 00 05 fb 01 23 0c ff 00 04 0a aa 0a ff 0a ff 01 23 0b fb 01 71 02 ec 01 23 12 ff 01 23 02 ec 01 71 0b fb 01 a2 0a fc 01 dc 04 02 01 dc 0a fc 01 a2 0c fb 01 11 03 ba 00 04 b9 27 b4 fb 09 fb 00 09 11 27 83 28 ba ba 28 c1 fb fb 16 fb 01 a5 02 22 01 a5 15 fb 00 04 e3 7f e4 ec 06 ec 00 04 e4 7f e3 fb 02 fb 00 0c d3 5f 6e d1 6e Data Ascii: nne###q##q(()t_nn_nn_##q##q''(("_nn
2023-10-09 09:28:04 UTC	36	IN	Data Raw: 01 a2 05 fc 00 11 9a 86 05 14 15 17 19 1d 1d 19 17 15 14 05 86 9c fc fb 04 fc 01 a2 0a fb 00 06 27 b7 ba 27 ed fb 11 fb 00 06 ed 27 ba b7 13 fb 15 fb 01 0a 02 aa 01 0a 1d fb 00 04 e3 7f d9 ec 04 ec 00 0c e6 91 7f b0 e6 ea e6 d9 80 94 fa fb 0b fb 01 cf 05 fe 00 11 95 8c 44 57 5c 6a 6f 70 70 6f 6a 5b 58 42 8b 95 fe fb 04 fe 01 cf 05 fb 02 00 00 00 05 fb 01 23 0c ff 00 04 fd 38 fd ff 0a ff 01 23 0b fb 01 71 18 ec 01 71 0b fb 01 a2 05 fc 00 07 9a a5 05 06 18 20 3d fc 03 3d 00 07 20 18 06 05 89 9c fc 27 04 fc 01 a2 0a fb 00 06 29 b6 ba 2a b8 fb 11 fb 01 b8 03 11 01 29 16 fb 01 0a 02 aa 01 0a 1e fb 00 04 b1 72 d9 ec 02 ec 00 04 e4 74 af ec 05 ec 00 04 ea 91 b1 fb 0b fb 01 cf 05 fe 00 06 9a 8d 45 56 68 76 05 76 00 06 68 56 44 8d 9a fe 04 fe 01 cf 05 fb 02 00 00 Data Ascii: '''DW\joppoj[XB#8#qq == ')*)rtEVhvvhVD
2023-10-09 09:28:04 UTC	37	IN	Data Raw: 00 04 98 dd 98 23 05 23 0f fc 02 23 0b fb 01 71 04 ec 02 da 01 0c 07 fc 02 23 02 fc 00 05 0c e6 80 af fb ea 0d fb 00 03 dd a6 fc fb 17 fc 00 03 a6 dd fb 8c 0a fb 01 b4 07 11 02 fb 01 11 07 ba 00 08 b6 28 29 ed fb b4 11 fb 17 fb 01 0a 02 aa 01 0a 15 fb 00 03 99 26 be ff 03 be 00 03 26 dc fb 71 04 fb 00 09 de 7f e6 ec ec e6 7f d6 fb a5 11 fb 00 03 f1 d0 fe 3d 17 fe 00 03 d0 f1 fb 9c 04 fb 02 00 00 00 05 fb 1c 23 0b fb 01 71 04 ec 02 da 01 0c 0b fc 00 04 0c 80 af fb 0f fb 00 03 a4 c2 fc 04 15 fc 00 03 c2 a4 fb 04 15 fb 00 0c 11 b7 b9 b9 b7 b6 84 27 28 c1 f8 fb 02 fb 01 b4 18 fb 01 0a 02 aa 01 0a 15 fb 00 09 7c 7d be be 89 23 7e f9 fb fb 05 fb 00 09 af 80 e4 ec ec e6 7f d6 fb fb 11 fb 00 03 c9 d5 fe fb 15 fe 00 03 d5 c9 fb c0 05 fb 02 00 00 00 05 fb 1c 23 0b Data Ascii: ###q#()&&q=#q'(\|}#~#
2023-10-09 09:28:04 UTC	39	IN	Data Raw: 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 3e 0d 0a 3c 61 73 73 65 6d 62 6c 79 49 64 65 6e 74 69 74 79 0d 0a 09 6e 61 6d 65 3d 22 54 69 6e 79 54 61 73 6b 2e 65 78 65 22 0d 0a 09 76 65 72 73 69 6f 6e 3d 22 35 2e 31 2e 30 2e 30 22 0d 0a 09 70 72 6f 63 65 73 73 6f 72 41 72 63 68 69 74 65 63 74 75 72 65 3d 22 78 38 36 22 0d 0a 09 74 79 70 65 3d 22 77 69 6e 33 32 22 2f 3e 0d 0a 3c 64 65 73 63 72 69 70 74 69 6f 6e 3e 57 69 6e 64 6f 77 73 20 53 68 65 6c 6c 3c 2f 64 65 73 63 72 69 70 74 69 6f 6e 3e 0d 0a 3c 64 65 70 65 6e 64 65 6e 63 79 3e 0d 0a 09 3c 64 65 70 65 6e 64 65 6e 74 41 73 73 65 6d 62 6c 79 3e 0d 0a 09 09 3c 61 73 Data Ascii: mlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentityname="TinyTask.exe"version="5.1.0.0"processorArchitecture="x86"type="win32"/><description>Windows Shell</description><dependency><dependentAssembly><as

Statistics

CPU Usage

• cmd.exe
• conhost.exe
• wget.exe
• tinytask.exe

Click to jump to process

Memory Usage

• cmd.exe
• conhost.exe
• wget.exe
• tinytask.exe

Click to jump to process

High Level Behavior Distribution

• File
• Network

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	11:28:01
Start date:	09/10/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/frankwick/t/raw/main/tinytask.exe" > cmdline.out 2>&1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:28:01
Start date:	09/10/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:28:01
Start date:	09/10/2023
Path:	C:\Windows\SysWOW64\wget.exe
Wow64 process (32bit):	true
Commandline:	wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/frankwick/t/raw/main/tinytask.exe"
Imagebase:	0x400000
File size:	3'895'184 bytes
MD5 hash:	3DADB6E2ECE9C4B3E1E322E617658B60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:28:04
Start date:	09/10/2023
Path:	C:\Users\user\Desktop\download\tinytask.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\download\tinytask.exe
Imagebase:	0x400000
File size:	36'352 bytes
MD5 hash:	8FD3551654F0F5281DDBD7E32CB73054
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 8%, ReversingLabs Detection: 17%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	16.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	55.2%
Total number of Nodes:	469
Total number of Limit Nodes:	15

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401489 Relevance: 202.3, APIs: 84, Strings: 31, Instructions: 1033windowtimeCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 00401525
BeginPaint.USER32(?,?), ref: 0040153A
CreateCompatibleDC.GDI32(?), ref: 00401546
SelectObject.GDI32(?), ref: 00401567
BitBlt.GDI32(?,00000002,?,00000026,-004069E8,00000002,00000002,00000000,008800C6), ref: 004015C4
SelectObject.GDI32(00000002,?), ref: 004015CC
SelectObject.GDI32(00000002), ref: 004015D7
BitBlt.GDI32(?,00000002,?,00000026,-004069E8,00000002,00000002,00000000,00EE0086), ref: 00401634
SelectObject.GDI32(00000002,?), ref: 0040163C
DeleteDC.GDI32(00000006), ref: 0040164E
EndPaint.USER32(?,?,?,00000026,-004069E8,00000002,00000002,00000000,00EE0086,?,00000026,-004069E8,00000002,00000002,00000000,008800C6), ref: 0040165E
GetWindowRect.USER32(?,?), ref: 0040167C
DestroyCursor.USER32(00020479), ref: 00401766
DeleteObject.GDI32(31050E64), ref: 00401782
DeleteObject.GDI32(13050E58), ref: 00401794
KillTimer.USER32(?,000003ED), ref: 004017A4
GetModuleHandleA.KERNEL32(00000000,00000005,00000000,00000020,00000020,004051B8,00405238), ref: 004017CA
CreateCursor.USER32(00000000), ref: 004017D1
PostMessageA.USER32(?,00000111,?,00000000), ref: 004017FD
GetCursor.USER32 ref: 00401873
SetCursor.USER32(00020479), ref: 00401888
SetTimer.USER32(?,000003ED,00000032,00000000), ref: 0040269D
DefWindowProcA.USER32(?,?,?,?), ref: 00402F11

Strings

play_key, xrefs: 004016F3
TinyTask, xrefs: 00401685, 004016A5, 004016B8, 004016CB, 004016E3, 004016F8, 00401711, 00401724, 0040173C, 0040210E, 00402133, 004026D6, 004026DB
Nothing RecordedPress the blue button to start a new recording, xrefs: 00402138
tinytask.net, xrefs: 00401BF6
speed_custom, xrefs: 004016C6
Compile successful "%s" (%d %s)Program attributes:---------------------------------- Execution Speed: %d%sx Repeat Loops: %d, xrefs: 004020CB
Unable to write file, xrefs: 00401EA9
O, xrefs: 004017E9
REC %02d:%02d, xrefs: 00401A38
EDIT, xrefs: 00401BC2
toolbar_padding, xrefs: 00401737
Set Playback Loops, xrefs: 00401B42, 00401B4D
n@, xrefs: 00401A8E
%02d:%02d (%d/%d%s), xrefs: 00401AB5
hide_captions, xrefs: 0040171F
.exe, xrefs: 00401DD4
%05d, xrefs: 00401F95
window_y, xrefs: 004016A0
record_key, xrefs: 004016DE
Compile Error, xrefs: 00402053
window_x, xrefs: 00401690
C:\Users\user\Desktop\download\tinytask.ini, xrefs: 0040168A, 00401696, 004016A6, 004016B9, 004016CC, 004016E4, 004016F9, 00401712, 00401725, 0040173D
Program Files (*.exe), xrefs: 00401D97, 00401DA5
Set Custom Speed, xrefs: 00401B5A
About TinyTask, xrefs: 00401B3B
speed, xrefs: 004016B3
.rec, xrefs: 00401D6A, 00401DDE, 00401DE3, 00401E06, 00401E0B
Recording Files (*.rec), xrefs: 00401CE0, 00401D9E
MB, xrefs: 0040209C, 004020C2
topmost, xrefs: 0040170C
STATIC, xrefs: 00401BFB

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: Object$CursorSelect$DeleteWindow$CreateDestroyPaintTimer$BeginCompatibleHandleKillMessageModulePostProcRect
String ID: Compile Error$ Compile successful "%s" (%d %s)Program attributes:---------------------------------- Execution Speed: %d%sx Repeat Loops: %d$ MB$ n@$%02d:%02d (%d/%d%s)$%05d$.exe$.rec$About TinyTask$C:\Users\user\Desktop\download\tinytask.ini$EDIT$Nothing RecordedPress the blue button to start a new recording$O$Program Files (*.exe)$REC %02d:%02d$Recording Files (*.rec)$STATIC$Set Custom Speed$Set Playback Loops$TinyTask$Unable to write file$hide_captions$play_key$record_key$speed$speed_custom$tinytask.net$toolbar_padding$topmost$window_x$window_y
API String ID: 3974302151-1615398099
Opcode ID: 3328e2d432b1d7fda1f29fb1e81baa9d243d82a702f79ae110f6decac78090d2
Instruction ID: f722533ecfca98a017aa9ff3a069563f491adbaca09d2f8958cd1ec79fb6b22f
Opcode Fuzzy Hash: 3328e2d432b1d7fda1f29fb1e81baa9d243d82a702f79ae110f6decac78090d2
Instruction Fuzzy Hash: 8B7292B1900209BBDF209F64DD49EAF7B79EB44344F11413AF606B62E1DB788E509F68

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 80.9, APIs: 28, Strings: 18, Instructions: 408
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,C:\Users\user\Desktop\download\tinytask.ini,000000FF,?,00000000), ref: 004010DB
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 004010E2
GetPrivateProfileIntA.KERNEL32(TinyTask,toolbar_padding,00000005,C:\Users\user\Desktop\download\tinytask.ini), ref: 0040113B
GetSystemMetrics.USER32(00000000), ref: 00401153
GetSystemMetrics.USER32(00000001), ref: 0040116F
GetPrivateProfileIntA.KERNEL32(TinyTask,window_x,?,C:\Users\user\Desktop\download\tinytask.ini), ref: 00401193
GetPrivateProfileIntA.KERNEL32(TinyTask,window_y,?,C:\Users\user\Desktop\download\tinytask.ini), ref: 004011A2
SetRect.USER32(?,00404702,00000000,00404703,00000001), ref: 004011B8
GetDC.USER32(00000000), ref: 004011C4
RectVisible.GDI32(00000000), ref: 004011CB
GetPrivateProfileIntA.KERNEL32(TinyTask,speed,00000000,C:\Users\user\Desktop\download\tinytask.ini), ref: 004011EA
GetPrivateProfileIntA.KERNEL32(TinyTask,speed_custom,00000008,C:\Users\user\Desktop\download\tinytask.ini), ref: 004011FA
GetPrivateProfileIntA.KERNEL32(TinyTask,topmost,00000000,C:\Users\user\Desktop\download\tinytask.ini), ref: 0040120A
GetPrivateProfileIntA.KERNEL32(TinyTask,hide_captions,00000000,C:\Users\user\Desktop\download\tinytask.ini), ref: 00401223
GetPrivateProfileIntA.KERNEL32(TinyTask,record_key,00000000,C:\Users\user\Desktop\download\tinytask.ini), ref: 00401236
GetPrivateProfileIntA.KERNEL32(TinyTask,play_key,00000000,C:\Users\user\Desktop\download\tinytask.ini), ref: 00401246
LoadIconA.USER32(00000000,00000FA1), ref: 0040127C
RegisterClassExA.USER32(?), ref: 0040129E
MessageBoxA.USER32(00000000,Startup Failure: CreateWindow,TinyTask,00012030), ref: 004012B5
CreateWindowExA.USER32(00000000,TinyTaskClass,TinyTask,00000000,00404702,?,000000E0,?,00000000,00000000,000000E0,00000000), ref: 004012FE
ShowWindow.USER32(00000000,-00000005,?,?,?,?,00000000), ref: 0040132C
UpdateWindow.USER32 ref: 00401338
GetModuleHandleA.KERNEL32(00000000,?,000000FF,?,?,?,?,00000000), ref: 004013D0
GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,00000000), ref: 004013D7

Part of subcall function 00402F8E: wsprintfA.USER32 ref: 00402FD3
Part of subcall function 00402F8E: MessageBoxA.USER32(00000000,Memory allocation error!,TinyTask,00000000), ref: 00402FF4

PostMessageA.USER32(00000111,00008003,00000000,?), ref: 00401444
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00401457
TranslateMessage.USER32(?), ref: 00401466
DispatchMessageA.USER32(?), ref: 00401470

Strings

play_key, xrefs: 0040123B
TinyTask, xrefs: 004010BA, 0040113A, 0040118F, 004011A1, 004011E9, 004011F4, 00401204, 0040121D, 00401230, 00401240, 004012AE, 004012F3, 00401312
hide_captions, xrefs: 00401218
speed_custom, xrefs: 004011EF
TinyTaskClass, xrefs: 00401288, 004012F7
window_y, xrefs: 0040119C
record_key, xrefs: 0040122B
window_x, xrefs: 00401184
C:\Users\user\Desktop\download\tinytask.ini, xrefs: 004010CF, 004010D9, 004010EE, 00401124, 00401132, 00401178, 00401195, 004011E1, 004011EC, 004011FC, 00401210, 00401228, 00401238
toolbar_padding, xrefs: 00401135
speed, xrefs: 004011E4
Startup Failure: RegisterClass, xrefs: 004012AF
Startup Failure: CreateWindow, xrefs: 00401313
@@@@@, xrefs: 00401414, 00401427
36352, xrefs: 0040108B, 004010A1
topmost, xrefs: 004011FF
$$$$$, xrefs: 004013FA, 00401405
.ini, xrefs: 0040111F

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: PrivateProfile$Message$Module$Window$FileHandleMetricsNameRectSystem$CallbackClassCreateDispatchDispatcherIconLoadPostRegisterShowTranslateUpdateUserVisiblewsprintf
String ID: $$$$$$.ini$36352$@@@@@$C:\Users\user\Desktop\download\tinytask.ini$Startup Failure: CreateWindow$Startup Failure: RegisterClass$TinyTask$TinyTaskClass$hide_captions$play_key$record_key$speed$speed_custom$toolbar_padding$topmost$window_x$window_y
API String ID: 1572435291-2735791562
Opcode ID: 50be05e214897b5b73ae53f9ff58a90aeaef851f329f47b29bb95abc320a3051
Instruction ID: d9edc85bb2d409bc0d29e18e2679463e6c24fd010db42a333d5d0c6795cbaa8e
Opcode Fuzzy Hash: 50be05e214897b5b73ae53f9ff58a90aeaef851f329f47b29bb95abc320a3051
Instruction Fuzzy Hash: 14D18071A00209AFEB10DFB4DD49BAF7BB8EB44304F10453AF606FA1E1D77999548B68

Uniqueness

Uniqueness Score: -1.00%

Function 00402148 Relevance: 54.5, APIs: 30, Strings: 1, Instructions: 293
keyboardtimesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mouse_event.USER32(00000004), ref: 0040214E
GetAsyncKeyState.USER32(00000000), ref: 00402172
GetKeyState.USER32(00000000), ref: 0040218D
GetAsyncKeyState.USER32(00000000), ref: 00402196
MapVirtualKeyA.USER32(00000000), ref: 004021D1
keybd_event.USER32(00000000,00000000,?,00000001), ref: 004021D9
SetKeyboardState.USER32(?), ref: 0040221A
GetAsyncKeyState.USER32(00000000), ref: 00402223
GetKeyState.USER32(00000091), ref: 00402237
VkKeyScanA.USER32(00000091), ref: 0040224D
VkKeyScanA.USER32(00000091), ref: 00402254
MapVirtualKeyA.USER32(00000010), ref: 00402269
keybd_event.USER32(00000010,00000000), ref: 0040226E
MapVirtualKeyA.USER32(?), ref: 004022A4
keybd_event.USER32(?,00000000,?,00000001), ref: 004022AA
MapVirtualKeyA.USER32(?), ref: 004022D6
keybd_event.USER32(?,00000000,?,00000001), ref: 004022DC
VkKeyScanA.USER32(00000091), ref: 004022E0
MapVirtualKeyA.USER32(00000010), ref: 004022F4
keybd_event.USER32(00000010,00000000,?,00000002), ref: 004022F9
Sleep.KERNEL32(00000001), ref: 004022FF
GetCursorPos.USER32(?), ref: 00402337
GetKeyState.USER32(00000001), ref: 0040234E
GetTickCount.KERNEL32 ref: 00402363
SetTimer.USER32(?,000003E9,0000000A), ref: 00402379
KillTimer.USER32(?,000003E9), ref: 0040238C
GetTickCount.KERNEL32 ref: 00402392
SetWindowTextA.USER32(?,00406B18), ref: 004023BF
InvalidateRect.USER32(?,?,00000001), ref: 00402457
DefWindowProcA.USER32(?,?,?,?), ref: 00402F11

Strings

TinyTask, xrefs: 004023B6

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: State$Virtualkeybd_event$AsyncScan$CountTickTimerWindow$CursorInvalidateKeyboardKillProcRectSleepTextmouse_event
String ID: TinyTask
API String ID: 1390587733-3209981168
Opcode ID: 8820bf5f8dcef25e83e4578008bcf2b881564eada030580c280cd71e28e169f8
Instruction ID: 031df1eed1d18bf0559545632a0af1d58a23b815c6d10fae845eb6c15e90b205
Opcode Fuzzy Hash: 8820bf5f8dcef25e83e4578008bcf2b881564eada030580c280cd71e28e169f8
Instruction Fuzzy Hash: AC913D71900108AFDF255B98DE8CABF3B29E745344F11417BF502BA2E1C7B84D829B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040392F Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 159
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPrivateProfileStringA.KERNEL32(TinyTask,toolbar_image,00406E20,?,000000FF,C:\Users\user\Desktop\download\tinytask.ini), ref: 00403993
LoadImageA.USER32(00000000,?,00000000,00000000,00000000,00002050), ref: 004039C2
GetObjectA.GDI32(00000000,00000018,?), ref: 004039D6
GetSystemMetrics.USER32(00000000), ref: 004039F1
MessageBoxA.USER32(00000000,Invalid toolbar BMP (too small or big)Reverting to stock toolbar,?,00000000), ref: 00403A10
WritePrivateProfileStringA.KERNEL32(TinyTask,toolbar_image,00000000,C:\Users\user\Desktop\download\tinytask.ini), ref: 00403A22
DeleteObject.GDI32(?), ref: 00403A30
GetModuleHandleA.KERNEL32(00000000,00000FA2,00000000,00000000,00000000,00000000), ref: 00403A4E
LoadImageA.USER32(00000000), ref: 00403A55
DeleteObject.GDI32(31050E64), ref: 00403A68
DeleteObject.GDI32(13050E58), ref: 00403A80
GetObjectA.GDI32(00000018,?), ref: 00403AA5
KiUserCallbackDispatcher.NTDLL(00000007), ref: 00403AC2
GetSystemMetrics.USER32(00000004), ref: 00403AD1
GetSystemMetrics.USER32(00000007), ref: 00403AEC

Strings

toolbar_image, xrefs: 0040398D, 00403A1C
TinyTask, xrefs: 00403939, 00403988, 00403992, 00403A21
Invalid toolbar BMP (too small or big)Reverting to stock toolbar, xrefs: 00403A0A
C:\Users\user\Desktop\download\tinytask.ini, xrefs: 00403971, 00403972, 00403A16

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: Object$DeleteMetricsSystem$ImageLoadPrivateProfileString$CallbackDispatcherHandleMessageModuleUserWrite
String ID: C:\Users\user\Desktop\download\tinytask.ini$Invalid toolbar BMP (too small or big)Reverting to stock toolbar$TinyTask$toolbar_image
API String ID: 2380985136-3306592053
Opcode ID: 0eaf2a901312c42ad07fa65ed292ab6aac60d7d04abb012af14190a0e9e0cee0
Instruction ID: 6cafae0cf05febae9f13d51d9b0e4cd575cb5ae2a350ff58d1696014d4f6fbac
Opcode Fuzzy Hash: 0eaf2a901312c42ad07fa65ed292ab6aac60d7d04abb012af14190a0e9e0cee0
Instruction Fuzzy Hash: 3F5196B1A40208AFDB10DF64DE85AAF7BBDEB44301F11407AF602F6291D6749E50CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00402D18 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPrivateProfileStringA.KERNEL32(TinyTask,toolbar_image,C:\Users\user\Desktop\download\tinytask.ini,?,000000FF,C:\Users\user\Desktop\download\tinytask.ini), ref: 00402D42
WritePrivateProfileStringA.KERNEL32(TinyTask,toolbar_image,?,C:\Users\user\Desktop\download\tinytask.ini), ref: 00402DE9
GetWindowLongA.USER32(?,000000F0), ref: 00402E0B
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00402E2D
SetWindowPos.USER32(?,?,?,?,?,?,00000436), ref: 00402E3F
InvalidateRect.USER32(?,?,00000001,?,?,?,?,?,00000436), ref: 00402E49
UpdateWindow.USER32(?), ref: 00402E50
DefWindowProcA.USER32(?,?,?,?), ref: 00402F11

Strings

toolbar_image, xrefs: 00402D3C, 00402DC8, 00402DDF
TinyTask, xrefs: 00402D37, 00402D41, 00402DCD, 00402DE4
*.bmp, xrefs: 00402DA7
\*.bmp, xrefs: 00402D94
C:\Users\user\Desktop\download\tinytask.ini, xrefs: 00402D24, 00402D2F, 00402D36, 00402DCE, 00402DD9

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: Window$LongPrivateProfileString$InvalidateProcRectUpdateWrite
String ID: *.bmp$C:\Users\user\Desktop\download\tinytask.ini$TinyTask$\*.bmp$toolbar_image
API String ID: 2213434243-436503657
Opcode ID: abe048f652dd5fe8341e8e39fb0ee4763a0a815dd417b95274aa3134a3a5f971
Instruction ID: 3329009130effa698441a7dd3716a60a1eb201f56e1adaa016a922858c527409
Opcode Fuzzy Hash: abe048f652dd5fe8341e8e39fb0ee4763a0a815dd417b95274aa3134a3a5f971
Instruction Fuzzy Hash: 9831BA32840519AADB10AB90DD4DFEF3768EF45301F10007BFA02B91D1DBB98A848FA9

Uniqueness

Uniqueness Score: -1.00%

Function 004026E5 Relevance: 105.3, APIs: 41, Strings: 19, Instructions: 332
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePopupMenu.USER32 ref: 004026F0
AppendMenuA.USER32(00000000,-00000009,00008006,0040649C), ref: 0040271C
AppendMenuA.USER32(00000000,-00000008,00008007,Play Speed: &1x), ref: 00402738
AppendMenuA.USER32(00000000,00000000,00008008,Play Speed: &2x), ref: 00402756
AppendMenuA.USER32(00000000,00000000,0000800A,Play Speed: 100x), ref: 00402774
wsprintfA.USER32 ref: 00402788
AppendMenuA.USER32(?,00000000,00008009,?), ref: 004027C0
AppendMenuA.USER32(?,?,00008019,&Set Custom Speed...), ref: 004027D0
AppendMenuA.USER32(?,00000800), ref: 004027DD
AppendMenuA.USER32(?,00000000,0000800B,&Continuous Playback), ref: 004027F9
wsprintfA.USER32 ref: 00402815
AppendMenuA.USER32(?,?,0000800C,?), ref: 0040282E
AppendMenuA.USER32(?,00000800), ref: 00402836
CreatePopupMenu.USER32 ref: 00402838
AppendMenuA.USER32(?,00000010,00000000,Recording &Hotkey), ref: 0040284C
AppendMenuA.USER32(?,-00000008,0000800F,Control + Shift + Alt + R), ref: 0040286A
AppendMenuA.USER32(?,-00000009,00008010,Print Screen), ref: 0040288A
AppendMenuA.USER32(?,-00000010,00008011,004063B0), ref: 004028AA
AppendMenuA.USER32(?,-00000014,00008012,F12), ref: 004028CA
CreatePopupMenu.USER32 ref: 004028CC
AppendMenuA.USER32(?,00000010,00000000,Playback Hot&key), ref: 004028E0
AppendMenuA.USER32(?,-00000008,00008013,Control + Shift + Alt + P), ref: 004028FE
AppendMenuA.USER32(?,-00000009,00008014,Print Screen), ref: 0040291E
AppendMenuA.USER32(?,-00000010,00008015,004063B0), ref: 0040293E
AppendMenuA.USER32(?,-00000014,00008016,F12), ref: 0040295E
AppendMenuA.USER32(?,00000800), ref: 00402966
AppendMenuA.USER32(?,00000002,0000800E,00406340), ref: 00402977
AppendMenuA.USER32(?,00000800), ref: 0040297F
AppendMenuA.USER32(?,00000000,00008017,Always on &Top), ref: 0040299B
AppendMenuA.USER32(?,-00000008,00008018,Show Captions), ref: 004029B9
AppendMenuA.USER32(?,00000000,0000801A,Use Custom Tool&bar...), ref: 004029D5
AppendMenuA.USER32(?,-00000008,0000801B,Use &Default Toolbar), ref: 004029F3
AppendMenuA.USER32(?,00000800), ref: 004029FB
AppendMenuA.USER32(?,?,0000800D,TinyTask &Website), ref: 00402A0B
AppendMenuA.USER32(?,?,0000800E,&About TinyTask 1.77), ref: 00402A1B
GetCursorPos.USER32(?), ref: 00402A21
GetWindowRect.USER32(?,?), ref: 00402A2E
PtInRect.USER32(?,?,?), ref: 00402A3E
TrackPopupMenu.USER32(?,?,?,?,?,?), ref: 00402A80
DestroyMenu.USER32(?,?,?,?,?,?,?,?,0000800E,&About TinyTask 1.77,?,0000800D,TinyTask &Website), ref: 00402A89
DefWindowProcA.USER32(?,?,?,?), ref: 00402F11

Strings

&About TinyTask 1.77, xrefs: 00402A0D
F12, xrefs: 004028B1, 00402945
&Play Custom Speed: %dx, xrefs: 00402782
Show Captions, xrefs: 004029A2
Control + Shift + Alt + R, xrefs: 00402853
Always on &Top, xrefs: 00402986
&Continuous Playback, xrefs: 004027E4
Use Custom Tool&bar..., xrefs: 004029C0
&Set Custom Speed..., xrefs: 004027C2
Use &Default Toolbar, xrefs: 004029D7
Play Speed: &1x, xrefs: 00402723
Recording &Hotkey, xrefs: 0040283E
TinyTask &Website, xrefs: 004029FD
Playback Hot&key, xrefs: 004028D2
&Set Playback Loops... (%d), xrefs: 0040280F
Play Speed: &2x, xrefs: 0040274A
Print Screen, xrefs: 00402871, 00402905
Play Speed: 100x, xrefs: 00402768
Control + Shift + Alt + P, xrefs: 004028E7

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: Menu$Append$Popup$Create$RectWindowwsprintf$CursorDestroyProcTrack
String ID: &About TinyTask 1.77$&Continuous Playback$&Play Custom Speed: %dx$&Set Custom Speed...$&Set Playback Loops... (%d)$Always on &Top$Control + Shift + Alt + P$Control + Shift + Alt + R$F12$Play Speed: &1x$Play Speed: &2x$Play Speed: 100x$Playback Hot&key$Print Screen$Recording &Hotkey$Show Captions$TinyTask &Website$Use &Default Toolbar$Use Custom Tool&bar...
API String ID: 2447434608-185408970
Opcode ID: 00e0cd7c2f8d0a2240b16037cad9c0e4e1d4a63e466c398367af8b119feccc65
Instruction ID: 233a727705327858f4e8fa9ae9d20dfb6b3e24b65606c47886e521afb20f630d
Opcode Fuzzy Hash: 00e0cd7c2f8d0a2240b16037cad9c0e4e1d4a63e466c398367af8b119feccc65
Instruction Fuzzy Hash: 3CA1B472A90108BEEF015B64CD46EAE3F78EB55711F114072F901F51E0CBB94E25AFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402462 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 239
keyboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mouse_event.USER32(00000004), ref: 004024AC
GetAsyncKeyState.USER32(00000000), ref: 004024D0
GetKeyState.USER32(00000000), ref: 004024EB
MapVirtualKeyA.USER32(00000000), ref: 0040252F
keybd_event.USER32(00000000,00000000,?,00000001), ref: 00402537
SetKeyboardState.USER32(?), ref: 00402578
GetAsyncKeyState.USER32(00000000), ref: 00402581
GetKeyState.USER32(00000091), ref: 00402595
VkKeyScanA.USER32(00000091), ref: 004025AB
VkKeyScanA.USER32(00000091), ref: 004025B2
DefWindowProcA.USER32(?,?,?,?), ref: 00402F11

Strings

TinyTask, xrefs: 004026D6, 004026DB

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: State$AsyncScan$KeyboardProcVirtualWindowkeybd_eventmouse_event
String ID: TinyTask
API String ID: 801333285-3209981168
Opcode ID: f1f4182ec40601e63d52bb47d4b08b04969c3d51b8bc583a8958c1f1ff03cc10
Instruction ID: bb46857cf83aba4c565f9cc198f0e7855127890a34379818f33f59448c70a07a
Opcode Fuzzy Hash: f1f4182ec40601e63d52bb47d4b08b04969c3d51b8bc583a8958c1f1ff03cc10
Instruction Fuzzy Hash: 527108B16401087EEB211B589E9CBBF3B69F786344F554437F142BA2E0C6F94C829E6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403842 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 100
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateCompatibleDC.GDI32(00000000), ref: 0040386D
CreateCompatibleDC.GDI32(00000000), ref: 00403875
SelectObject.GDI32(00000000,00403A92), ref: 00403884
GetObjectA.GDI32(00403A92,00000018,?), ref: 00403892
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 004038AB
SelectObject.GDI32(00000000,00000000), ref: 004038B8
GetPixel.GDI32(00000000,00000000,00000000), ref: 004038C7
SetBkColor.GDI32(00000000,?), ref: 004038CF
BitBlt.GDI32(00000000,00000000,00000000,?,00403A92,00000000,00000000,00000000,00CC0020), ref: 004038EE
BitBlt.GDI32(00403A92,00000000,00000000,?,00403A92,00000000,00000000,00000000,00660046), ref: 00403905
SelectObject.GDI32(00000000,?), ref: 0040390D
SelectObject.GDI32(00403A92,?), ref: 00403915
DeleteDC.GDI32(00000000), ref: 00403920
DeleteDC.GDI32(00403A92), ref: 00403925

Strings

TinyTask, xrefs: 00403849

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: Object$Select$Create$CompatibleDelete$BitmapColorPixel
String ID: TinyTask
API String ID: 3609928720-3209981168
Opcode ID: f6d5c19c81ab99803db9995f6808d320c536e3f9aeec94918fbeefb216f6cd80
Instruction ID: 1b1e5c078316e08315fd16e6f57f33d2520814cf5a905d192c79994689ac12e0
Opcode Fuzzy Hash: f6d5c19c81ab99803db9995f6808d320c536e3f9aeec94918fbeefb216f6cd80
Instruction Fuzzy Hash: 8431C1B6910118BEEB119FA4DD84DAFBFB9EB48354B108066FA04B2260C7715E50AFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402B94 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 90
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetTimer.USER32 ref: 00402BAA
wsprintfA.USER32 ref: 00402BD2
MessageBoxA.USER32(?, Set the number of playback loops:,Set Playback Loops,00010021), ref: 00402BED
wsprintfA.USER32 ref: 00402C30
MessageBoxA.USER32(?, Playback speed multiplier (1-100):,Set Custom Speed,00010021), ref: 00402C4B
KillTimer.USER32(?,000003EC), ref: 00402EFF
DefWindowProcA.USER32(?,?,?,?), ref: 00402F11

Strings

Set Custom Speed, xrefs: 00402C3E
Set Playback Loops, xrefs: 00402BE0
Set the number of playback loops:, xrefs: 00402BE5
Playback speed multiplier (1-100):, xrefs: 00402C43

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: MessageTimerwsprintf$KillProcWindow
String ID: Playback speed multiplier (1-100):$ Set the number of playback loops:$Set Custom Speed$Set Playback Loops
API String ID: 3989924489-1524273833
Opcode ID: e7ffaa49d74b84dc2369fc79c70f2ae1da0aa485e2a3b75b1d1baa620c31fdd4
Instruction ID: 98f9ab5bfff6e17949900cb984dcc1791b2a47caea78b96665d2514b30861601
Opcode Fuzzy Hash: e7ffaa49d74b84dc2369fc79c70f2ae1da0aa485e2a3b75b1d1baa620c31fdd4
Instruction Fuzzy Hash: 7D310A31680500ABEF12AF04EE49A5E3B61FB85304B15803BF906FA1E1D3F949A19F5C

Uniqueness

Uniqueness Score: -1.00%

Function 00402E89 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 46
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetTimer.USER32(?,000003EB,0000000A), ref: 00402EA8
GetModuleHandleA.KERNEL32 ref: 00402EC0
MessageBoxIndirectA.USER32(00000028), ref: 00402EF7
KillTimer.USER32(?,000003EC), ref: 00402EFF
DefWindowProcA.USER32(?,?,?,?), ref: 00402F11

Strings

About TinyTask, xrefs: 00402EE2
(, xrefs: 00402EB9

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: Timer$HandleIndirectKillMessageModuleProcWindow
String ID: ($About TinyTask
API String ID: 3870110939-1252103192
Opcode ID: e83f3aa0858c5e14254542d91e5834d56f995870de52a3935aa7cfd91853c17b
Instruction ID: c4cc1150962328f141a0f7d524584cdf901ae76d1360cf4fe4c19e88c3ba64ab
Opcode Fuzzy Hash: e83f3aa0858c5e14254542d91e5834d56f995870de52a3935aa7cfd91853c17b
Instruction Fuzzy Hash: E2111772900248EFDB119FD4ED48ACEBFB4FF48311F10802AF50ABA291DB7499559F94

Uniqueness

Uniqueness Score: -1.00%

Function 00402E5B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteA.SHELL32(?,?,https://www.tinytask.net,?,?,00000001), ref: 00402E66
DefWindowProcA.USER32(?,?,?,?), ref: 00402F11

Strings

Unable to connect to "www.tinytask.net", xrefs: 00402E7F
TinyTask, xrefs: 00402E7A
https://www.tinytask.net, xrefs: 00402E5F

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: ExecuteProcShellWindow
String ID: TinyTask$Unable to connect to "www.tinytask.net"$https://www.tinytask.net
API String ID: 2703536495-3181287508
Opcode ID: 3d602f3fbfa1e5880e405f0eeb587e2e12831d0e917ecc208f88e54ea70cc833
Instruction ID: e57aebe4d560980069bf53ad68e793c256def7a74ebca440632c5ae19307b00a
Opcode Fuzzy Hash: 3d602f3fbfa1e5880e405f0eeb587e2e12831d0e917ecc208f88e54ea70cc833
Instruction Fuzzy Hash: B8E04F32280109BBDB025F809D89E9F3A29E758794B114432F602780E382FA8C60AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00402CD3 Relevance: 7.5, APIs: 5, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowRect.USER32(?,?), ref: 00402CDB
SetWindowPos.USER32(?,?,?,?,?,?,00000436), ref: 00402E3F
InvalidateRect.USER32(?,?,00000001,?,?,?,?,?,00000436), ref: 00402E49
UpdateWindow.USER32(?), ref: 00402E50
DefWindowProcA.USER32(?,?,?,?), ref: 00402F11

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: Window$Rect$InvalidateProcUpdate
String ID:
API String ID: 1941023138-0
Opcode ID: 4443bda74050e4ae344e654af5d647cde18fc5b7e8a1387029c7b0ce7eace35f
Instruction ID: ebc20ac15df2b3a033a049e14aee733a7be54cc25288c47d4679b2143e786a71
Opcode Fuzzy Hash: 4443bda74050e4ae344e654af5d647cde18fc5b7e8a1387029c7b0ce7eace35f
Instruction Fuzzy Hash: D601E572900519EFDB01DFA8EE88EDE7BB8FB0D355B008025F202B90A0C37489519F69

Uniqueness

Uniqueness Score: -1.00%

Function 00402B44 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(Nothing RecordedPress the blue button to start a new recording,TinyTask,00010040), ref: 00402B88
DefWindowProcA.USER32(?,?,?,?), ref: 00402F11

Strings

TinyTask, xrefs: 00402B7B
Hotkey Conflict, xrefs: 00402B80

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: MessageProcWindow
String ID: Hotkey Conflict$TinyTask
API String ID: 55716251-592453694
Opcode ID: 5f45addc77de9b1d8dde8881f0f2cbc6f417d1746466e49ee9f71366abb45294
Instruction ID: 599ff71e88f3259926025764a5c9631bbfbbda2681fd87f6eac9559d92110fad
Opcode Fuzzy Hash: 5f45addc77de9b1d8dde8881f0f2cbc6f417d1746466e49ee9f71366abb45294
Instruction Fuzzy Hash: 2FF03A32204144ABCB028F54DD45A893F30EF45344B158077B642BD0E2E2BA8465AF49

Uniqueness

Uniqueness Score: -1.00%

Function 00402AFA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(Nothing RecordedPress the blue button to start a new recording,TinyTask,00010040), ref: 00402B88
DefWindowProcA.USER32(?,?,?,?), ref: 00402F11

Strings

TinyTask, xrefs: 00402B7B
Hotkey Conflict, xrefs: 00402B80

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: MessageProcWindow
String ID: Hotkey Conflict$TinyTask
API String ID: 55716251-592453694
Opcode ID: 5e14ce3f539c26937f294e9b539925d11bb4764aa3815faedec1e29479b2037f
Instruction ID: 405f95ffa23c4f12f33a13628f3863b3da9e1d49951f4cd871cec430e4bbf7e2
Opcode Fuzzy Hash: 5e14ce3f539c26937f294e9b539925d11bb4764aa3815faedec1e29479b2037f
Instruction Fuzzy Hash: 2AF0FE32244205BBCB025F50DD4579A3F60FB55358F258437F542BC1E1D3F98565AF49

Uniqueness

Uniqueness Score: -1.00%

Function 00404680 Relevance: 6.1, APIs: 4, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 00404687
GetStartupInfoA.KERNEL32(?), ref: 004046C5
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0000000A), ref: 004046F6
ExitProcess.KERNEL32 ref: 0040470A

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: a7ed023600afec79d4f681889d2eeb0e48ad05c58f346c18591c58b2a9374090
Instruction ID: b1a91a6e2b74f3548383683b1100c06c5c8b3f701606ca986021071b17346c6a
Opcode Fuzzy Hash: a7ed023600afec79d4f681889d2eeb0e48ad05c58f346c18591c58b2a9374090
Instruction Fuzzy Hash: B3010CA18447445AEB315B60490ABAF3B948F43314F240837EBC1B62C6E67D48C38ADD

Uniqueness

Uniqueness Score: -1.00%

Function 00402C9C Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,-00000002,?,?,0000000A,0000000A,00000003), ref: 00402CC8
DefWindowProcA.USER32(?,?,?,?), ref: 00402F11

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: Window$Proc
String ID:
API String ID: 583982625-0
Opcode ID: bf50f914c3e7ffc7f72fd60cb14414feea4da27e6706329e48f34e591025e4dc
Instruction ID: 260cddc338231076bd6f7550de8ef022c34cc5639db7ca6125be32ef3a330ba9
Opcode Fuzzy Hash: bf50f914c3e7ffc7f72fd60cb14414feea4da27e6706329e48f34e591025e4dc
Instruction Fuzzy Hash: EAF03972240509BBEB015F60ED45FAA3B25E705355F058021FA02E80E0C3758D61AB18

Uniqueness

Uniqueness Score: -1.00%

Function 00402B6E Relevance: 3.0, APIs: 2, Instructions: 21windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(Nothing RecordedPress the blue button to start a new recording,TinyTask,00010040), ref: 00402B88
DefWindowProcA.USER32(?,?,?,?), ref: 00402F11

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: MessageProcWindow
String ID:
API String ID: 55716251-0
Opcode ID: a42d041ec2682aa28cf26d035ca2d3a9aa8c19b91d2e26691f4e7c91f5bbff14
Instruction ID: 4e047d06cda0e92a50df56047ec463d335d9b87dbc63accd3b7a24bd0d4fc026
Opcode Fuzzy Hash: a42d041ec2682aa28cf26d035ca2d3a9aa8c19b91d2e26691f4e7c91f5bbff14
Instruction Fuzzy Hash: 0BE04F33104045EFCF028F94ED4899D3F61FB46360715846AF652A90B2C7B6C522EF45

Uniqueness

Uniqueness Score: -1.00%

Function 00402ACD Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00402F11

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: ProcWindow
String ID:
API String ID: 181713994-0
Opcode ID: 70b16e7ca6862fe2dc6e6a46f6e39ca03ff5cd1690ebb784e637bf76d84b71ea
Instruction ID: e97300cb53c6eb48d1b9a5d246905f662cdbcf5ef80795e73b08e6251088e78e
Opcode Fuzzy Hash: 70b16e7ca6862fe2dc6e6a46f6e39ca03ff5cd1690ebb784e637bf76d84b71ea
Instruction Fuzzy Hash: 07E086332081C5AFCB030FA4AD294993F20EF4A354B0A8873E682A50A2C27A8531EB15

Uniqueness

Uniqueness Score: -1.00%

Function 00402B24 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00402F11

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: ProcWindow
String ID:
API String ID: 181713994-0
Opcode ID: c8fe5e5a417713b1918d64d43014f5a3ba21fedd02b36326661cc03a9e0cd5f3
Instruction ID: 65ac05b22f25992b11684c2fb74066950c4aff75a3b85d7e71cd45dd1ea13c32
Opcode Fuzzy Hash: c8fe5e5a417713b1918d64d43014f5a3ba21fedd02b36326661cc03a9e0cd5f3
Instruction Fuzzy Hash: 58D05E32200004EADF024F84ED44A8E7F21EB89354F208433F602A80A0D3B68631AF55

Uniqueness

Uniqueness Score: -1.00%

Function 00402A95 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00402F11

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: ProcWindow
String ID:
API String ID: 181713994-0
Opcode ID: db0e4a61445f15e2861bafb611833fdb84c48873c7a7478ed89a330e4fb05f5c
Instruction ID: dbffba37966f872ab556a82dd5bb47bd046feb1fa9b94650fbb76d6d0e3c5481
Opcode Fuzzy Hash: db0e4a61445f15e2861bafb611833fdb84c48873c7a7478ed89a330e4fb05f5c
Instruction Fuzzy Hash: 0FD09E33104145EFCB025F94ED0559D3F61FB4A365B058472F642A50A1D37A8821AF65

Uniqueness

Uniqueness Score: -1.00%

Function 00402AAF Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00402F11

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: ProcWindow
String ID:
API String ID: 181713994-0
Opcode ID: 6f356dd7719f01ef5de09063c3e6e9bc8acf3e5a03031ae99a79323d5556a068
Instruction ID: bbcc8d1024c7b2ad99e94aa0aed6deed2e7d6b03234c1db6f6ad748cd76164e8
Opcode Fuzzy Hash: 6f356dd7719f01ef5de09063c3e6e9bc8acf3e5a03031ae99a79323d5556a068
Instruction Fuzzy Hash: D9D09E33104185AFCB025F94ED4559D3F61EF4A355B058462F642A50A1D3768431AB55

Uniqueness

Uniqueness Score: -1.00%

Function 00402ABD Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00402F11

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: ProcWindow
String ID:
API String ID: 181713994-0
Opcode ID: 060b37bd04cde0ce69d3709c2b5eabfd3b999a65c960a375cf823c41a5babb3e
Instruction ID: 1c940054b3db183b45bed1325efca524ee869a9c084e3552099c3281fe396897
Opcode Fuzzy Hash: 060b37bd04cde0ce69d3709c2b5eabfd3b999a65c960a375cf823c41a5babb3e
Instruction Fuzzy Hash: 62D09236200109EBCF029F94EE4488A3B61FB493A5B018432FA46A5060D3728831AF58

Uniqueness

Uniqueness Score: -1.00%

Function 00402AEF Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00402F11

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: ProcWindow
String ID:
API String ID: 181713994-0
Opcode ID: 9c049fca779ecfa29e4486dc828377b5fe2e857290d7ce2e0307e7ebe878b782
Instruction ID: d40f789e0b04d5827db2e0a9a9f70a1ef8da32f3033334284138e3e7127ca9ff
Opcode Fuzzy Hash: 9c049fca779ecfa29e4486dc828377b5fe2e857290d7ce2e0307e7ebe878b782
Instruction Fuzzy Hash: 14C0E937204009ABCF025F94ED4499E7B21EB59355B158833FA56A40A193B68531AF55

Uniqueness

Uniqueness Score: -1.00%

Function 00402AA4 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00402F11

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: ProcWindow
String ID:
API String ID: 181713994-0
Opcode ID: d0a8537e2fdd292149ebae67b7172adad485f5276b1f593e093a06924addc3d2
Instruction ID: ade3f5859509854e221db11ecb9d65a665a9e99d13c315de4784c91dea249606
Opcode Fuzzy Hash: d0a8537e2fdd292149ebae67b7172adad485f5276b1f593e093a06924addc3d2
Instruction Fuzzy Hash: 28C0C933200009EBCF025F84ED0488E3B21FB49355B008432F602A40A093768831AF55

Uniqueness

Uniqueness Score: -1.00%

Function 00402B39 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00402F11

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: ProcWindow
String ID:
API String ID: 181713994-0
Opcode ID: b1eea099679d21919ab5308ca50c3f5b4a83b4faaaa72bec43b9357ddef92ffc
Instruction ID: fff3afe805b17c878276525cb6678e382136fbb4a72424296e83aa6735b8d0f2
Opcode Fuzzy Hash: b1eea099679d21919ab5308ca50c3f5b4a83b4faaaa72bec43b9357ddef92ffc
Instruction Fuzzy Hash: E0C0C933200009ABCF024F84ED0488E3B21EB48355B108432FA02A40A093B68431AF55

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004034C6 Relevance: 28.8, APIs: 19, Instructions: 277keyboardsleeptimeCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000013), ref: 004034DA
GetKeyState.USER32(00000091), ref: 004034E6
mouse_event.USER32(-00000011,00000000,00000000,00000000,00000000), ref: 00403598
mouse_event.USER32(-00000005,00000000,00000000,00000000,00000000), ref: 004035DB
GetSystemMetrics.USER32(00000001), ref: 004035F4
GetSystemMetrics.USER32(00000000), ref: 00403616
mouse_event.USER32(00008001,?,?,00000000), ref: 0040363C
SetCursorPos.USER32(?,?,?,00000000,?,?,004018DF,?,000003EA), ref: 00403656
GetSystemMetrics.USER32(00000001), ref: 0040374A
GetSystemMetrics.USER32(00000000), ref: 0040376C
mouse_event.USER32(00008001,?,?,?,004018DF), ref: 00403792
SetCursorPos.USER32(?,?,?,?,004018DF,?,000003EA), ref: 004037AC
Sleep.KERNEL32(00000001,?,?,004018DF,?,000003EA), ref: 004037B4
SetTimer.USER32(00000000,00000000,?,00000000), ref: 004037E7
PostMessageA.USER32(00000000,00000111,00000000,00000000), ref: 00403833

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: MetricsSystemmouse_event$CursorState$MessagePostSleepTimer
String ID:
API String ID: 203055827-0
Opcode ID: d3f8d64b5e7190012166dfd82cf50fc04a1379ee699abd62a7b768a1f457340b
Instruction ID: 21240027269b291347ce267e244152a0a87117dcadd7f2a7bfe16b9bf36c52a4
Opcode Fuzzy Hash: d3f8d64b5e7190012166dfd82cf50fc04a1379ee699abd62a7b768a1f457340b
Instruction Fuzzy Hash: 94A106B0200106AFE724DF18DD94E763B9DF785304F12817BE102AB6E2D67A9D619F98

Uniqueness

Uniqueness Score: -1.00%

Function 00403B09 Relevance: 12.1, APIs: 8, Instructions: 130fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004041B8: ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000103,00000000,00403CBD,004010B3,?), ref: 004041E0

GetFileAttributesA.KERNEL32(?,C0000000,74DF3130,00000080), ref: 00403B67
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00403BB1
CloseHandle.KERNEL32(00000000), ref: 00403BC1
FindFirstFileA.KERNEL32(?,?), ref: 00403BDD
FindClose.KERNEL32(00000000), ref: 00403C00
FindNextFileA.KERNEL32(00000000,?), ref: 00403C4B
FindClose.KERNEL32(00000000), ref: 00403C56
FindClose.KERNEL32(00000000), ref: 00403C63

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: Find$CloseFile$AttributesCreateEnvironmentExpandFirstHandleNextStrings
String ID:
API String ID: 4171416902-0
Opcode ID: 846ae757fb93dd96231631fb0bd60a5ac06f77789042b534643d51bdc34c2352
Instruction ID: e1ac57afb29f337bbfc01b4c37a33415eab2da7915a8ac3ffd06022a65d69b60
Opcode Fuzzy Hash: 846ae757fb93dd96231631fb0bd60a5ac06f77789042b534643d51bdc34c2352
Instruction Fuzzy Hash: CA4125B39002196AEB209A749CC8BEF3B7CDB54726F1000BBF344F20C1DA789F814A58

Uniqueness

Uniqueness Score: -1.00%

Function 0040424C Relevance: 2.5, APIs: 2, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,004046D0,0040473D,00000020,00000004,004046D0), ref: 00404258
HeapAlloc.KERNEL32(00000000), ref: 0040425F

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: f99d22f5a8df0d0e8d007fcd5727663fa01546c3604a1ab640b57c0ff2247634
Instruction ID: a4965471384d461b3c446fe3d87201e807eabb61d08fa2ce669204f1d343d336
Opcode Fuzzy Hash: f99d22f5a8df0d0e8d007fcd5727663fa01546c3604a1ab640b57c0ff2247634
Instruction Fuzzy Hash: 33C04C71544601ABDA009BA4DF4DA1F7BA8FB94701F048414B145E5060C63098008F65

Uniqueness

Uniqueness Score: -1.00%

Function 00403108 Relevance: 30.1, APIs: 20, Instructions: 147windowCOMMON

Download Yara Rule

APIs

SetCursor.USER32 ref: 00403165
DefWindowProcA.USER32(?,?,?,?), ref: 00403175
GetWindowLongA.USER32(?,000000F4), ref: 00403190
PostMessageA.USER32(00000111,?), ref: 004031A5
BeginPaint.USER32(?,?), ref: 004031BB
GetClientRect.USER32(?,?), ref: 004031C6
SetBkMode.GDI32(?,00000001), ref: 004031D1
SetTextColor.GDI32(?,00D78D07), ref: 004031DF
GetStockObject.GDI32(00000011), ref: 004031ED
SelectObject.GDI32(?,00000000), ref: 004031F9
GetStockObject.GDI32(00000011), ref: 00403206
GetObjectA.GDI32(00000000), ref: 00403209
CreateFontIndirectA.GDI32(?), ref: 00403224
SelectObject.GDI32(?,00000000), ref: 00403230
GetWindowTextA.USER32(?,?,0000003F), ref: 0040323C
IsWindow.USER32(?), ref: 00403247
GetWindowLongA.USER32(?,000000F0), ref: 00403254
DrawTextA.USER32(?,?,00000000,?,00000000), ref: 0040328E
EndPaint.USER32(?,?), ref: 00403299
DeleteObject.GDI32(00000000), ref: 004032A5

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: Object$Window$Text$LongPaintSelectStock$BeginClientColorCreateCursorDeleteDrawFontIndirectMessageModePostProcRect
String ID:
API String ID: 1323531340-0
Opcode ID: 80f6b17f92aeb9e0d79c0b838b47aa74e400cc66309a368cd808f196d33da438
Instruction ID: f6a75a345252a565a7efb7e4d5d8ae1a11078984608b2f9e6db09855e2cd8f16
Opcode Fuzzy Hash: 80f6b17f92aeb9e0d79c0b838b47aa74e400cc66309a368cd808f196d33da438
Instruction Fuzzy Hash: 2C414C72900519ABEF109FA4DD48FAF7B7CFB08311F004576F605FA1A1CAB09A549FA4

Uniqueness

Uniqueness Score: -1.00%

Function 00403EA0 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 197fileCOMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00406A18,.exe), ref: 00403F79
CreateFileA.KERNEL32(00000000,C0000000,00000003,00000000,00000004,00000080,00000000,00406A18,.exe), ref: 00403FBA
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040402B
CreateFileA.KERNEL32(00000000,C0000000,00000003,00000000,00000004,00000080,00000000), ref: 00404064
GetFileSize.KERNEL32(00000000,00000000), ref: 004040AF
SetFilePointer.KERNEL32(00000000,?,00000000,00000000), ref: 004040BF
CloseHandle.KERNEL32(00000000), ref: 004040CD
WriteFile.KERNEL32(00000000,00000000,?,000000FF,00000000), ref: 004040E7
CloseHandle.KERNEL32(00000000), ref: 00404106

Part of subcall function 004041B8: ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000103,00000000,00403CBD,004010B3,?), ref: 004041E0

Strings

.exe, xrefs: 00403EB1
\, xrefs: 00404009
:, xrefs: 00404018

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: File$Create$CloseDirectoryHandle$EnvironmentExpandPointerSizeStringsWrite
String ID: .exe$:$\
API String ID: 3910135208-1936334728
Opcode ID: 07c6cc2da5fd7bc73eee36edc06d27bd476b09bc8f69930adcfd62b545753e8c
Instruction ID: 8da40a83878325327a48a3c8ed4d5288776f62350ec6bc98e64e3549844fff20
Opcode Fuzzy Hash: 07c6cc2da5fd7bc73eee36edc06d27bd476b09bc8f69930adcfd62b545753e8c
Instruction Fuzzy Hash: B271A5B0900258AAEF20CF64CC48BDE7BA8AB55350F1085B6EB44B61C0D3B89EC58F95

Uniqueness

Uniqueness Score: -1.00%

Function 00402F8E Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 133windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00403C71: GetFileAttributesExA.KERNEL32(?,00000000,?), ref: 00403CE7

wsprintfA.USER32 ref: 00402FD3

Part of subcall function 00403D51: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,004013EF,00000000,00000000), ref: 00403DB9
Part of subcall function 00403D51: SetFilePointer.KERNEL32(00000000,?,?,00000000), ref: 00403DF9
Part of subcall function 00403D51: CloseHandle.KERNEL32(?), ref: 00403E93

MessageBoxA.USER32(00000000,Memory allocation error!,TinyTask,00000000), ref: 00402FF4
MessageBoxA.USER32(00000000,This file does not appear to be a valid recording.Load anyway?,004013EF,00000000), ref: 00403088
SetWindowTextA.USER32(00406B18), ref: 004030F8

Strings

Memory allocation error!, xrefs: 0040303E
TinyTask, xrefs: 00402F99, 00402FED, 00403039
This file does not appear to be a valid recording.Load anyway?, xrefs: 00403082
TinyTaskClass, xrefs: 00402F98
Unable to read file "%s", xrefs: 00402FCD

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: File$Message$AttributesCloseCreateHandlePointerTextWindowwsprintf
String ID: Memory allocation error!$This file does not appear to be a valid recording.Load anyway?$TinyTask$TinyTaskClass$Unable to read file "%s"
API String ID: 344658048-2912620699
Opcode ID: 5fcaffc6a2ab7b823241455dc34ed20f4e8bcb65c2bbef984b7f86e285a76b6a
Instruction ID: c9cd6a8f688574f1fc342cda05c0a042cae3b483400ee2c9893451d3259a965f
Opcode Fuzzy Hash: 5fcaffc6a2ab7b823241455dc34ed20f4e8bcb65c2bbef984b7f86e285a76b6a
Instruction Fuzzy Hash: 324103F2A01100BFD7109F64ED86EAB3BADF791340B11043FF502F61D2DA799A509A6C

Uniqueness

Uniqueness Score: -1.00%

Function 004032FD Relevance: 9.1, APIs: 6, Instructions: 147keyboardtimeCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(00000001), ref: 00403369
GetCursorPos.USER32(?), ref: 00403399
MapVirtualKeyA.USER32(00000001,00000000), ref: 004033C5
GetForegroundWindow.USER32 ref: 0040343F
GetTickCount.KERNEL32 ref: 00403490
SetTimer.USER32(?,?,0000000A,00000000), ref: 004034B9

Part of subcall function 004042AF: GetProcessHeap.KERNEL32(00000000,004030B8,004030B8,?,?,?,?,TinyTask,TinyTaskClass,00000000), ref: 004042BC
Part of subcall function 004042AF: HeapSize.KERNEL32(00000000,?,?,?,?,TinyTask,TinyTaskClass,00000000), ref: 004042C3

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: Heap$AsyncCountCursorForegroundProcessSizeStateTickTimerVirtualWindow
String ID:
API String ID: 175720748-0
Opcode ID: e83bb533e0d08fd17107e67ad3e5ed6471b9c8e4360c5cc6a7ac0e2136a3821c
Instruction ID: 3917149623daab9b3b11a6181ed47ccfb7e0b51bffcb73df27bb2f5f6ecbd573
Opcode Fuzzy Hash: e83bb533e0d08fd17107e67ad3e5ed6471b9c8e4360c5cc6a7ac0e2136a3821c
Instruction Fuzzy Hash: 905104B5A042099FDB04CF98D994AAE7BB9FB49300F06017ED902B7392C7799916CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00403D51 Relevance: 9.1, APIs: 6, Instructions: 129fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004041B8: ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000103,00000000,00403CBD,004010B3,?), ref: 004041E0

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,004013EF,00000000,00000000), ref: 00403DB9
SetFilePointer.KERNEL32(00000000,?,?,00000000), ref: 00403DF9
GetFileSize.KERNEL32(00000000,?), ref: 00403E19

Part of subcall function 00404294: GetProcessHeap.KERNEL32(00000000,00000000,00403E74), ref: 004042A1
Part of subcall function 00404294: HeapFree.KERNEL32(00000000), ref: 004042A8

ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00403E53
CloseHandle.KERNEL32(?), ref: 00403E7A
CloseHandle.KERNEL32(?), ref: 00403E93

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: File$CloseHandleHeap$CreateEnvironmentExpandFreePointerProcessReadSizeStrings
String ID:
API String ID: 1816096457-0
Opcode ID: b3fd22435e9b329dc351627aeae7242ca4276a9562244ad96ff470530f814aa4
Instruction ID: b5f316e1afa3e22c7f331fb2ff24944f916168b3e433f6b7ad5bbaf1a6fc231f
Opcode Fuzzy Hash: b3fd22435e9b329dc351627aeae7242ca4276a9562244ad96ff470530f814aa4
Instruction Fuzzy Hash: DB418E72900109AFDB219FA4D8859AF7BADEB44355F10427FFA15B72C0D7349E80CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00403C71 Relevance: 9.1, APIs: 6, Instructions: 87fileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,?,00000103,?,00000000,00000000), ref: 00403CCE
GetModuleFileNameA.KERNEL32(00000000), ref: 00403CD5
GetFileAttributesExA.KERNEL32(?,00000000,?), ref: 00403CE7
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00403D12

Part of subcall function 004041B8: ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000103,00000000,00403CBD,004010B3,?), ref: 004041E0

GetFileSize.KERNEL32(00000000,00000000), ref: 00403D28
CloseHandle.KERNEL32(00000000), ref: 00403D31

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: File$HandleModule$AttributesCloseCreateEnvironmentExpandNameSizeStrings
String ID:
API String ID: 2999226569-0
Opcode ID: 75a960e8d0d3512e1e86c0eb56eb0a42eb14ca122255a11b3d137bc1e1748b50
Instruction ID: b3cbe73655d71a56831554f143beb0ef12ce0f354b1f59c7bfe5d60ee1a6bebe
Opcode Fuzzy Hash: 75a960e8d0d3512e1e86c0eb56eb0a42eb14ca122255a11b3d137bc1e1748b50
Instruction Fuzzy Hash: D5217F72904208AFEB109FB4DC44ADF7BADEB49721F204176E641F72C0DA749F448BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404111 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00404141
GetForegroundWindow.USER32(?,00000111), ref: 00404150
GetOpenFileNameA.COMDLG32(0000004C), ref: 0040418F
GetSaveFileNameA.COMDLG32(0000004C), ref: 00404196

Strings

L, xrefs: 00404135

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: FileNameWindow$ForegroundOpenSave
String ID: L
API String ID: 1547633837-2909332022
Opcode ID: 203642403992c7d13a1b2299c4655860ac4c6e1cce9b2d6c3c2558c3381d5d98
Instruction ID: 40dd501beb27032aec853ef34f8e98dddd641efa0bbcaaadc1f3ee6cc5052ac7
Opcode Fuzzy Hash: 203642403992c7d13a1b2299c4655860ac4c6e1cce9b2d6c3c2558c3381d5d98
Instruction Fuzzy Hash: 1C1166B1D142189BDB509FA4D8097DE7BF4EF98310F14403AEA11F63C1D77894458B95

Uniqueness

Uniqueness Score: -1.00%

Function 004032B3 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004032BE
GetWindowTextA.USER32(?,00406018,0000001F), ref: 004032D4
CallWindowProcA.USER32(00000000,?,?,?,?), ref: 004032E9
DefWindowProcA.USER32(?,?,?,?), ref: 004032F1

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: Window$Proc$CallLongText
String ID:
API String ID: 408388722-0
Opcode ID: e70d1203840c1e1d028c4dcc924a8ca89febfb83c76f6fd1708ded4e57a71940
Instruction ID: 364614a2716f17ddbf5b69f50aeda33f382634b64e25361f72de28a693adc4e4
Opcode Fuzzy Hash: e70d1203840c1e1d028c4dcc924a8ca89febfb83c76f6fd1708ded4e57a71940
Instruction Fuzzy Hash: 77E0A032100518FBCB115F509D0DE9F3B2DEB8A762B004035F60179191C7744910AFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004041F6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00404242

Strings

TinyTask, xrefs: 004041FC
C:\Users\user\Desktop\download\tinytask.ini, xrefs: 004041FD

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: C:\Users\user\Desktop\download\tinytask.ini$TinyTask
API String ID: 390214022-3021016186
Opcode ID: 2ac02feb6d68e60994b3cece93c09fb20cfaa564e9d84518809362d8d2158a58
Instruction ID: bc95696e4e7e7b96e5794030eb7730004083230367b0ef7d8b0c896e9a36f2f2
Opcode Fuzzy Hash: 2ac02feb6d68e60994b3cece93c09fb20cfaa564e9d84518809362d8d2158a58
Instruction Fuzzy Hash: C0F0AF76904259BADF219E55EC01DEF3F79EB89380F04417AFA0076180D375991486E6

Uniqueness

Uniqueness Score: -1.00%

Function 00404266 Relevance: 5.0, APIs: 4, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000003E9,000003E9,00403359,-00004E20,?,000003E9,00000000,?,?,004018B2,?,000003E9), ref: 00404277
HeapReAlloc.KERNEL32(00000000,?,?,004018B2,?,000003E9), ref: 0040427E
GetProcessHeap.KERNEL32(00000000,000003E9,00403359,-00004E20,?,000003E9,00000000,?,?,004018B2,?,000003E9), ref: 00404286
HeapAlloc.KERNEL32(00000000,?,?,004018B2,?,000003E9), ref: 0040428D

Memory Dump Source

Source File: 00000003.00000002.2847129277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2847116913.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847143638.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847157554.0000000000406000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2847171739.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_tinytask.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 25923d58f9ba744ef32945f6f7028fa29fe1bb2476332cf68c41ec0cf0e94e74
Instruction ID: 7a16b1018b14c468b32ef241bb36a15b07f1f7d4bad3af964a1caa484586cb57
Opcode Fuzzy Hash: 25923d58f9ba744ef32945f6f7028fa29fe1bb2476332cf68c41ec0cf0e94e74
Instruction Fuzzy Hash: 62D067B1904701ABCF006BB0DE0C91F7AA9FB88342B488868B146E1020DA348040DF65

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://github.com/frankwick/t/raw/main/tinytask.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\cmdline.out

C:\Users\user\Desktop\download\tinytask.exe

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: cmd.exePID: 7272, Parent PID: 2640

General

File Activities

File Opened

Windows Analysis Report
https://github.com/frankwick/t/raw/main/tinytask.exe