Edit tour

Windows Analysis Report
ffprobe.exe

Overview

General Information

Sample name:	ffprobe.exe
Analysis ID:	1476288
MD5:	cc47fcc83e6f1ea6d9fac3461b7cc95f
SHA1:	40f3b4935e613d3c12df5b9b9194deea127d4f3e
SHA256:	db9ad05b53a2f0d37aa2f0e41b4d0c34e6e38e21255ec7bc88a49af5eea93cf0
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Installs a raw input device (often for capturing keystrokes)

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

ffprobe.exe (PID: 6952 cmdline: "C:\Users\user\Desktop\ffprobe.exe" MD5: CC47FCC83E6F1EA6D9FAC3461B7CC95F)

conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Malware Analysis System Evasion
• Anti Debugging

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: ffprobe.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: ffprobe.exe	String found in binary or memory: http://dashif.org/guidelines/last-segment-number
Source: ffprobe.exe	String found in binary or memory: http://dashif.org/guidelines/trickmode
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604D8A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://lame.sf.net
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604D8A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://lame.sf.net64bits
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://modplug-xmms.sourceforge.net/
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://relaxng.org/ns/structure/1.0datatypeLibrary:/#?includegrammardefinenamestartInternal
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schismtracker.org/
Source: ffprobe.exe	String found in binary or memory: http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604A20000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.brynosaurus.com/cachedir/
Source: ffprobe.exe	String found in binary or memory: http://www.gnu.org/licenses/
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD
Source: ffprobe.exe	String found in binary or memory: http://www.smpte-ra.org/schemas/2067-3/2013#standard-markers
Source: ffprobe.exe	String found in binary or memory: http://www.smpte-ra.org/schemas/2067-3/2013#standard-markersInvalid
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604ED1000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.videolan.org/x264.html
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604ED1000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://x265.org
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://xaimus.com/)
Source: ffprobe.exe	String found in binary or memory: https://aomedia.org/emsg/ID3
Source: ffprobe.exe	String found in binary or memory: https://aomedia.org/emsg/ID3Unexpected
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://bel.fi/alankila/modguide/interpolate.txt
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://coda.s3m.us/)
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/iamgreaser/it2everything/
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/lclevy/unmo3
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/lieff/minimp3/
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nothings/stb/
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/richgel999/miniz
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/ryuhei-mori/tinyfft
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/viiri/st2play
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://joaobapt.com/)
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://kode54.net/)
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://revenant1.net/)
Source: ffprobe.exe	String found in binary or memory: https://streams.videolan.org/upload/
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://twitter.com/daniel_collin
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.3eality.com/

Source: ffprobe.exe, 00000000.00000000.1280146174.00007FF606AA0000.00000008.00000001.01000000.00000003.sdmp

Binary or memory string: GetRawInputData

memstr_4ac1f450-f

Source: ffprobe.exe

Static PE information: Number of sections : 13 > 10

Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF60449B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: WM/OriginalFilename vs ffprobe.exe
Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF60449B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: commentID3WM/AlbumArtistalbum_artistWM/AlbumTitlealbumAuthorartistDescriptionWM/ComposercomposerWM/EncodedByencoded_byWM/EncodingSettingsencoderWM/GenregenreWM/LanguagelanguageWM/OriginalFilenamefilenameWM/PartOfSetdiscWM/PublisherpublisherWM/ToolWM/TrackNumbertrackWM/MediaStationCallSignservice_providerWM/MediaStationNameservice_name> vs ffprobe.exe
Source: ffprobe.exe	Binary or memory string: WM/OriginalFilename vs ffprobe.exe
Source: ffprobe.exe	Binary or memory string: commentID3WM/AlbumArtistalbum_artistWM/AlbumTitlealbumAuthorartistDescriptionWM/ComposercomposerWM/EncodedByencoded_byWM/EncodingSettingsencoderWM/GenregenreWM/LanguagelanguageWM/OriginalFilenamefilenameWM/PartOfSetdiscWM/PublisherpublisherWM/ToolWM/TrackNumbertrackWM/MediaStationCallSignservice_providerWM/MediaStationNameservice_name> vs ffprobe.exe

Source: classification engine

Classification label: clean3.winEXE@2/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_03

Source: ffprobe.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ffprobe.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ffprobe.exe	String found in binary or memory: -help
Source: ffprobe.exe	String found in binary or memory: Lshow licensehshow helptopic?help-helpshow versionbuildconfshow build configurationformatsshow available formatsmuxersshow available muxersdemuxersshow available demuxersdevicesshow available devicescodecsshow available codecsdecodersshow available decodersencodersshow available encodersbsfsshow available bit stream filtersprotocolsshow available protocolsfiltersshow available filterspix_fmtsshow available pixel formatslayoutsshow standard channel layoutssample_fmtsshow available audio sample formatsdispositionsshow available stream dispositionscolorsshow available color namesloglevelset logging levelvreportgenerate a reportmax_allocset maximum size of a single allocated blockbytescpuflagsforce specific cpu flagscpucountforce specific cpu countcounthide_bannerdo not show program bannersourceslist sources of the input devicedevicesinkslist sinks of the output devicefforce formatshow unit of the displayed valuesuse SI prefixes for the displayed valuesbyte_binary_prefixuse binary prefixes for byte unitssexagesimaluse sexagesimal format HOURS:MM:SS.MICROSECONDS for time unitsprettyprettify the format of displayed values, make it more human readableoutput_formatset the output printing format (available formats are: default, compact, csv, flat, ini, json, xml)print_formatalias for -output_format (deprecated)ofalias for -output_formatselect_streamsselect the specified streamsstream_specifiersectionsprint sections structure and section information, and exitshow_datashow packets datashow_data_hashshow packets data hashshow_errorshow probing errorshow_formatshow format/container infoshow_framesshow frames infoshow_entriesshow a set of specified entriesentry_listshow_logshow logshow_packetsshow packets infoshow_programsshow programs infoshow_stream_groupsshow stream groups infoshow_streamsshow streams infoshow_chaptersshow chapters infocount_framescount the number of frames per streamcount_packetscount the number of packets per streamshow_program_versionshow ffprobe versionshow_library_versionsshow library versionsshow_versionsshow program and library versionsshow_pixel_formatsshow pixel format descriptionsshow optional fieldsshow_private_datashow private datasame as show_private_databitexactforce bitexact outputread_intervalsset read intervalsiread specified fileinput_fileowrite to specified outputoutput_fileprint_filenameoverride the printed input filenameprint_filefind_stream_inforead and decode the streams to fill missing information with heuristics
Source: ffprobe.exe	String found in binary or memory: overlap-add
Source: ffprobe.exe	String found in binary or memory: windowset window sizewoverlapset window overlapoarorderset autoregression orderathresholdset thresholdthsizeset histogram sizenmethodset overlap methodmaddoverlap-addsaveoverlap-saves
Source: ffprobe.exe	String found in binary or memory: Apply high order Butterworth band-stop filter.
Source: ffprobe.exe	String found in binary or memory: @asubcutasupercutasuperpassasuperstopApply high order Butterworth band-stop filter.
Source: ffprobe.exe	String found in binary or memory: #EXT-X-START:
Source: ffprobe.exe	String found in binary or memory: #EXT-X-START value isinvalid, it will be ignored
Source: ffprobe.exe	String found in binary or memory: #EXT-X-PLAYLIST-TYPE:EVENTVOD#EXT-X-MAP:data:#EXT-X-START:TIME-OFFSET=#EXT-X-START value isinvalid, it will be ignored#EXT-X-ENDLIST#EXTINF:#EXT-X-BYTERANGE:#Skip ('%s')
Source: ffprobe.exe	String found in binary or memory: prefer to use #EXT-X-START if it's in playlist instead of live_start_index
Source: ffprobe.exe	String found in binary or memory: ;live_start_indexsegment index to start live streams at (negative values are from the end)prefer_x_startprefer to use #EXT-X-START if it's in playlist instead of live_start_indexallowed_extensionsList of file extensions that hls is allowed to access3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wavmax_reloadMaximum number of times a insufficient list is attempted to be reloadedm3u8_hold_countersThe maximum number of times to load m3u8 when it refreshes without new segmentshttp_persistentUse persistent HTTP connectionshttp_multipleUse multiple HTTP connections for fetching segmentshttp_seekableUse HTTP partial requests, 0 = disable, 1 = enable, -1 = autoseg_format_optionsSet options for segment demuxerseg_max_retryMaximum number of times to reload a segment on error.h
Source: ffprobe.exe	String found in binary or memory: start/stop audio
Source: ffprobe.exe	String found in binary or memory: start/stop audio

Source: unknown	Process created: C:\Users\user\Desktop\ffprobe.exe "C:\Users\user\Desktop\ffprobe.exe"
Source: C:\Users\user\Desktop\ffprobe.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\ffprobe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffprobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffprobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffprobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffprobe.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffprobe.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffprobe.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffprobe.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffprobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffprobe.exe	Section loaded: ntasn1.dll	Jump to behavior

Source: ffprobe.exe

Static PE information: More than 235 > 100 exports found

Source: ffprobe.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ffprobe.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: ffprobe.exe

Static file information: File size 86542848 > 1048576

Source: ffprobe.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4317600
Source: ffprobe.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x12da00
Source: ffprobe.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xbb6400
Source: ffprobe.exe	Static PE information: Raw size of .xdata is bigger than: 0x100000 < 0x151200

Source: ffprobe.exe

Static PE information: More than 200 imports for msvcrt.dll

Source: ffprobe.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: ffprobe.exe	Static PE information: section name: .rodata
Source: ffprobe.exe	Static PE information: section name: .xdata

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: ffprobe.exe, 00000000.00000000.1273368787.00007FF604703000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: vmncVMware Screen Codec / VMware Video
Source: ffprobe.exe, 00000000.00000002.1284789715.00000262AA8DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: ffprobe.exe	Binary or memory string: VMware Screen Codec / VMware Video

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Process Injection	11 Input Capture	1 Security Software Discovery	Remote Services	11 Input Capture	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ffprobe.exe	3%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://joaobapt.com/)	0%	Avira URL Cloud	safe
http://x265.org	0%	Avira URL Cloud	safe
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd	0%	Avira URL Cloud	safe
http://schismtracker.org/	0%	Avira URL Cloud	safe
http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd	0%	Avira URL Cloud	safe
https://twitter.com/daniel_collin	0%	Avira URL Cloud	safe
https://kode54.net/)	0%	Avira URL Cloud	safe
http://lame.sf.net64bits	0%	Avira URL Cloud	safe
https://github.com/iamgreaser/it2everything/	0%	Avira URL Cloud	safe
https://github.com/nothings/stb/	0%	Avira URL Cloud	safe
http://dashif.org/guidelines/last-segment-number	0%	Avira URL Cloud	safe
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD	0%	Avira URL Cloud	safe
https://bel.fi/alankila/modguide/interpolate.txt	0%	Avira URL Cloud	safe
https://www.3eality.com/	0%	Avira URL Cloud	safe
http://lame.sf.net	0%	Avira URL Cloud	safe
http://relaxng.org/ns/structure/1.0datatypeLibrary:/#?includegrammardefinenamestartInternal	0%	Avira URL Cloud	safe
http://www.smpte-ra.org/schemas/2067-3/2013#standard-markers	0%	Avira URL Cloud	safe
http://www.smpte-ra.org/schemas/2067-3/2013#standard-markersInvalid	0%	Avira URL Cloud	safe
https://revenant1.net/)	0%	Avira URL Cloud	safe
https://github.com/viiri/st2play	0%	Avira URL Cloud	safe
https://streams.videolan.org/upload/	0%	Avira URL Cloud	safe
https://github.com/ryuhei-mori/tinyfft	0%	Avira URL Cloud	safe
https://coda.s3m.us/)	0%	Avira URL Cloud	safe
http://xaimus.com/)	0%	Avira URL Cloud	safe
http://www.videolan.org/x264.html	0%	Avira URL Cloud	safe
http://dashif.org/guidelines/trickmode	0%	Avira URL Cloud	safe
http://www.brynosaurus.com/cachedir/	0%	Avira URL Cloud	safe
https://github.com/lieff/minimp3/	0%	Avira URL Cloud	safe
http://modplug-xmms.sourceforge.net/	0%	Avira URL Cloud	safe
http://relaxng.org/ns/structure/1.0	0%	Avira URL Cloud	safe
https://github.com/lclevy/unmo3	0%	Avira URL Cloud	safe
http://www.gnu.org/licenses/	0%	Avira URL Cloud	safe
https://aomedia.org/emsg/ID3	0%	Avira URL Cloud	safe
https://github.com/richgel999/miniz	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://x265.org	ffprobe.exe, 00000000.00000000.1273368787.00007FF604ED1000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://kode54.net/)	ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://twitter.com/daniel_collin	ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/nothings/stb/	ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/iamgreaser/it2everything/	ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://joaobapt.com/)	ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://schismtracker.org/	ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd	ffprobe.exe	false	Avira URL Cloud: safe	unknown
http://lame.sf.net64bits	ffprobe.exe, 00000000.00000000.1273368787.00007FF604D8A000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd	ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://bel.fi/alankila/modguide/interpolate.txt	ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD	ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.3eality.com/	ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://dashif.org/guidelines/last-segment-number	ffprobe.exe	false	Avira URL Cloud: safe	unknown
http://www.smpte-ra.org/schemas/2067-3/2013#standard-markersInvalid	ffprobe.exe	false	Avira URL Cloud: safe	unknown
http://www.smpte-ra.org/schemas/2067-3/2013#standard-markers	ffprobe.exe	false	Avira URL Cloud: safe	unknown
https://revenant1.net/)	ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://lame.sf.net	ffprobe.exe, 00000000.00000000.1273368787.00007FF604D8A000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://relaxng.org/ns/structure/1.0datatypeLibrary:/#?includegrammardefinenamestartInternal	ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/viiri/st2play	ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://streams.videolan.org/upload/	ffprobe.exe	false	Avira URL Cloud: safe	unknown
https://coda.s3m.us/)	ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/ryuhei-mori/tinyfft	ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.videolan.org/x264.html	ffprobe.exe, 00000000.00000000.1273368787.00007FF604ED1000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://xaimus.com/)	ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://dashif.org/guidelines/trickmode	ffprobe.exe	false	Avira URL Cloud: safe	unknown
http://www.brynosaurus.com/cachedir/	ffprobe.exe, 00000000.00000000.1273368787.00007FF604A20000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/lieff/minimp3/	ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://modplug-xmms.sourceforge.net/	ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://relaxng.org/ns/structure/1.0	ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://aomedia.org/emsg/ID3	ffprobe.exe	false	Avira URL Cloud: safe	unknown
https://github.com/lclevy/unmo3	ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/richgel999/miniz	ffprobe.exe, 00000000.00000000.1273368787.00007FF604B41000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gnu.org/licenses/	ffprobe.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1476288
Start date and time:	2024-07-18 22:58:25 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ffprobe.exe
Detection:	CLEAN
Classification:	clean3.winEXE@2/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: ffprobe.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.761660032526983
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	ffprobe.exe
File size:	86'542'848 bytes
MD5:	cc47fcc83e6f1ea6d9fac3461b7cc95f
SHA1:	40f3b4935e613d3c12df5b9b9194deea127d4f3e
SHA256:	db9ad05b53a2f0d37aa2f0e41b4d0c34e6e38e21255ec7bc88a49af5eea93cf0
SHA512:	d6ef85785dcd1f88a4ee4eaeb292c6f999be982cd31c476da0334ad33ba6d5836d960c31c0f2fa032bbfe3506e25eafca9dfd2904af8c7ddc633b05f4ee8de96
SSDEEP:	1572864:VNRzA6QEwposwdcYS/aEHBt6w5Hnflkg+rkVRJsZRw+cJfagAoCFhJ:VNRUw
TLSH:	65189E9EE2D3509CD12BD4F043AAF773BA34787C11206B7A26D99A306E22F80575EF54
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...V..f...............*.v1...(................@......................................)...`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400013f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6698E656 [Thu Jul 18 09:54:30 2024 UTC]
TLS Callbacks:	0x41abcf60, 0x1, 0x411393c0, 0x1, 0x41139390, 0x1, 0x414b9c30, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	bf0224a39bf8d7e40169130a36e44140

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [04F1E005h]
mov dword ptr [eax], 00000000h
call 00007EFC9450706Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007EFC985715D4h
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007EFC945072C9h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push edi
push esi
push ebx
dec eax
sub esp, 30h
dec eax
mov esi, dword ptr [04F1E022h]
dec eax
mov dword ptr [esp+58h], edx
dec eax
lea edi, dword ptr [esp+58h]
dec eax
mov ebx, ecx
mov ecx, 00000001h
dec esp
mov dword ptr [esp+60h], eax
dec esp
mov dword ptr [esp+68h], ecx
dec eax
mov dword ptr [esp+20h], edi
dec eax
mov eax, dword ptr [esi]
dec eax
mov dword ptr [esp+28h], eax
xor eax, eax
call dword ptr [04442211h]
dec eax
mov edx, ebx
dec ecx
mov eax, edi
dec eax
mov ecx, eax
call 00007EFC95FC56D8h
dec eax
mov edx, dword ptr [esp+28h]
dec eax
sub edx, dword ptr [esi]
jne 00007EFC945072FAh
dec eax
add esp, 30h
pop ebx
pop esi
pop edi
ret
call 00007EFC95FC4F91h
nop
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x6a4e000	0x1a20	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a50000	0x6fb8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6a59000	0x730	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x5002000	0xeaef4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6a5a000	0x43c68	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x493a780	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6a519d8	0x1848	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x43175c0	0x4317600	f28457f3f6c795a45dd3dd4436ae5b4b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4319000	0x12d960	0x12da00	6987294c19b6433a396b9b6bc9ea45d0	False	0.14991064028180687	firmware 4018 v4544 (revision 16777216) 0 (region 402653184), 16777216 bytes or less, UNKNOWN1 0x18000000, UNKNOWN2 0x1000000, UNKNOWN3 0xa0970040, at 0 0 bytes , at 0xd09e0040 16777216 bytes , at 0x2000000	4.838685485203868	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rodata	0x4447000	0x39cc	0x3a00	a64f76b5697ad7b396a3eb484e6a487a	False	0.26589439655172414	data	5.855705171693117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x444b000	0xbb6380	0xbb6400	7e819f699847138f85f0c00ec522442d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x5002000	0xeaef4	0xeb000	7c6b27f898a235aa4ee253ed310c46c3	False	0.5447109790558511	data	7.07359279614864	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x50ed000	0x151194	0x151200	46bd93d31553068ab180b7b81e5406cf	False	0.18203023614200964	data	5.220048784749478	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x523f000	0x180eef0	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x6a4e000	0x1a20	0x1c00	c28923cc7bcc9d92d471d83adb7499a6	False	0.43275669642857145	data	5.693351465756173	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x6a50000	0x6fb8	0x7000	35ed8af0a312d3faa03c28cbdc6cd658	False	0.27769252232142855	data	4.940238210753338	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x6a57000	0x70	0x200	7f2b3f56c1ea527dd754b3a036d0c349	False	0.091796875	data	0.5034383167085339	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x6a58000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6a59000	0x730	0x800	2d4152e07612cb54f811739fd87d2a95	False	0.14794921875	data	2.114214149621193	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6a5a000	0x43c68	0x43e00	2809ac23327cc1b700c35e35328f0b8f	False	0.20889445211786373	data	5.488703015821316	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x6a59058	0x1ef	XML 1.0 document, ASCII text	English	United States	0.498989898989899

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextW, CryptCreateHash, CryptDecrypt, CryptDestroyHash, CryptGenRandom, CryptGetHashParam, CryptGetProvParam, CryptReleaseContext, CryptSetHashParam, CryptSetProvParam, CryptSignHashA, DeregisterEventSource, GetUserNameA, InitializeSecurityDescriptor, RegCloseKey, RegEnumKeyExW, RegEnumValueW, RegOpenKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RegisterEventSourceW, ReportEventW, SetSecurityDescriptorDacl, SystemFunction036
bcrypt.dll	BCryptCloseAlgorithmProvider, BCryptGenRandom, BCryptOpenAlgorithmProvider
CRYPT32.dll	CertCloseStore, CertDeleteCertificateFromStore, CertEnumCRLsInStore, CertEnumCertificatesInStore, CertFindCertificateInStore, CertFreeCertificateContext, CertGetCertificateContextProperty, CertOpenStore, CertOpenSystemStoreW, PFXImportCertStore
GDI32.dll	BitBlt, ChoosePixelFormat, CombineRgn, CreateBitmap, CreateCompatibleBitmap, CreateCompatibleDC, CreateDCW, CreateDIBSection, CreateFontIndirectW, CreateFontW, CreatePen, CreateRectRgn, CreateSolidBrush, DeleteDC, DeleteObject, DescribePixelFormat, EnumFontFamiliesW, ExtTextOutW, GetDIBColorTable, GetDIBits, GetDeviceCaps, GetDeviceGammaRamp, GetICMProfileW, GetObjectA, GetPixelFormat, GetStockObject, GetTextExtentPoint32A, GetTextExtentPoint32W, GetTextFaceW, GetTextMetricsW, Rectangle, SelectObject, SetBkMode, SetDeviceGammaRamp, SetPixelFormat, SetTextColor, SwapBuffers
IMM32.dll	ImmAssociateContext, ImmGetCandidateListW, ImmGetCompositionStringW, ImmGetContext, ImmGetIMEFileNameA, ImmNotifyIME, ImmReleaseContext, ImmSetCandidateWindow, ImmSetCompositionStringW, ImmSetCompositionWindow
IPHLPAPI.DLL	GetAdaptersAddresses, if_indextoname, if_nametoindex
KERNEL32.dll	AcquireSRWLockExclusive, AcquireSRWLockShared, AreFileApisANSI, CancelIo, CancelIoEx, CloseHandle, CompareStringA, ConvertFiberToThread, ConvertThreadToFiberEx, CreateDirectoryW, CreateEventA, CreateEventW, CreateFiberEx, CreateFileA, CreateFileMappingA, CreateFileW, CreateMutexA, CreateSemaphoreA, CreateSemaphoreW, CreateThread, DeleteCriticalSection, DeleteFiber, DeviceIoControl, DuplicateHandle, EnterCriticalSection, EnumResourceNamesW, ExitProcess, FileTimeToSystemTime, FindClose, FindFirstFileA, FindFirstFileExW, FindFirstFileW, FindNextFileW, FormatMessageA, FormatMessageW, FreeLibrary, GetACP, GetCommandLineW, GetComputerNameA, GetConsoleMode, GetConsoleScreenBufferInfo, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentVariableA, GetEnvironmentVariableW, GetExitCodeThread, GetFileAttributesA, GetFileAttributesExA, GetFileAttributesW, GetFileInformationByHandle, GetFileSize, GetFileSizeEx, GetFileTime, GetFileType, GetFinalPathNameByHandleA, GetFullPathNameA, GetFullPathNameW, GetHandleInformation, GetLastError, GetLocaleInfoA, GetLongPathNameA, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExA, GetModuleHandleExW, GetModuleHandleW, GetNumaHighestNodeNumber, GetNumaNodeProcessorMaskEx, GetOverlappedResult, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetProcessTimes, GetStdHandle, GetSystemDirectoryA, GetSystemDirectoryW, GetSystemInfo, GetSystemPowerStatus, GetSystemTime, GetSystemTimeAdjustment, GetSystemTimeAsFileTime, GetTempPathA, GetThreadContext, GetThreadPriority, GetThreadTimes, GetTickCount, GetTimeZoneInformation, GetVersion, GetWindowsDirectoryA, GlobalAlloc, GlobalLock, GlobalMemoryStatusEx, GlobalUnlock, HeapAlloc, HeapFree, HeapReAlloc, InitOnceBeginInitialize, InitOnceComplete, InitializeConditionVariable, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSRWLock, IsDBCSLeadByteEx, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadLibraryExW, LoadLibraryW, LocalFree, MapViewOfFile, MoveFileExA, MoveFileExW, MulDiv, MultiByteToWideChar, OpenFileMappingA, OpenProcess, OutputDebugStringA, OutputDebugStringW, PeekNamedPipe, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadConsoleA, ReadConsoleW, ReadFile, RegisterWaitForSingleObject, ReleaseMutex, ReleaseSRWLockExclusive, ReleaseSRWLockShared, ReleaseSemaphore, ResetEvent, ResumeThread, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetConsoleMode, SetConsoleTextAttribute, SetDllDirectoryA, SetEnvironmentVariableA, SetErrorMode, SetEvent, SetFilePointer, SetFilePointerEx, SetHandleInformation, SetLastError, SetProcessAffinityMask, SetSystemTime, SetThreadContext, SetThreadErrorMode, SetThreadExecutionState, SetThreadGroupAffinity, SetThreadPriority, SetUnhandledExceptionFilter, SignalObjectAndWait, Sleep, SleepConditionVariableCS, SuspendThread, SwitchToFiber, SwitchToThread, SystemTimeToFileTime, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnmapViewOfFile, UnregisterWait, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualFree, VirtualLock, VirtualProtect, VirtualQuery, VirtualUnlock, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler, lstrcmpiW
msvcrt.dll	___lc_codepage_func, ___mb_cur_max_func, __argv, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _access, _access, _aligned_free, _aligned_malloc, _aligned_realloc, _amsg_exit, _assert, _beginthreadex, _cexit, _chmod, _close, _close, _commode, _dup2, _dup, _endthreadex, _environ, _errno, _exit, _filelengthi64, _fileno, _fileno, _fdopen, _findclose, _findfirst64, _findnext64, _fmode, _fstat64, _ftime64, _fullpath, _get_osfhandle, _getcwd, _getmaxstdio, _getpid, _gmtime64, _hypot, _i64toa, _initterm, _isctype, _isatty, _itoa, _localtime64, _lock, _locking, _lseeki64, _ltoa, _mbsrchr, _mkdir, _mkdir, _mktime64, _onexit, _open, _open_osfhandle, _nextafter, _open, _read, _rmdir, _rmdir, _setjmp, _setmaxstdio, _setmode, _setmode, _sopen, _stat64, _strdup, _stricmp, _strlwr, _strnicmp, _strrev, _strtoi64, _strtoui64, _strtoui64, _strdup, _strupr, _time64, _timezone, _ui64toa, _ultoa, _unlink, _unlink, _unlock, _vscprintf, _vsnprintf, _vsnwprintf, _waccess, _wassert, _wcsdup, _wcsicmp, _wcsnicmp, _wfindfirst64, _wfindnext64, _wfopen, _wfullpath, _wgetenv, _wmkdir, _wopen, _wrename, _wrmdir, _write, _wsopen, _wstat64, _wunlink, abort, acos, asin, atan, atof, atoi, bsearch, calloc, clock, cosh, div, exit, fclose, feof, ferror, fflush, fgetc, fgetpos, fgets, fopen, fopen_s, fprintf, fputc, fputs, fread, free, fseek, fsetpos, ftell, fwrite, getc, getchar, getenv, getwc, isalnum, isalpha, iscntrl, isgraph, islower, isprint, ispunct, isspace, isupper, iswctype, isxdigit, localeconv, log10, longjmp, malloc, mbstowcs, memchr, memcmp, memcpy, memmove, memset, perror, printf, putc, putwc, qsort, raise, rand, realloc, rename, rewind, setlocale, setvbuf, signal, sinh, sprintf, srand, strcat, strchr, strcmp, strcoll, strcpy, strcpy_s, strcspn, strerror, strftime, strlen, strncat, strncmp, strncpy, strncpy_s, strpbrk, strrchr, strspn, strstr, strtok, strtok_s, strtol, strtoul, strxfrm, tan, tanh, tolower, toupper, towlower, towupper, ungetc, ungetwc, vfprintf, wcscat, wcscmp, wcscoll, wcscpy, wcscpy_s, wcsftime, wcslen, wcsncmp, wcsncpy, wcsrchr, wcsstr, wcstombs, wcstombs_s, wcstoul, wcsxfrm
ncrypt.dll	NCryptDecrypt, NCryptDeleteKey, NCryptFreeObject, NCryptGetProperty, NCryptOpenKey, NCryptOpenStorageProvider, NCryptSignHash
ole32.dll	CLSIDFromString, CoCreateInstance, CoGetMalloc, CoInitialize, CoInitializeEx, CoTaskMemAlloc, CoTaskMemFree, CoUninitialize, CreateBindCtx, OleLoadFromStream, OleSaveToStream, PropVariantClear, StringFromGUID2
OLEAUT32.dll	OleCreatePropertyFrame, SysFreeString
SETUPAPI.dll	CM_Get_Device_IDA, CM_Get_Parent, CM_Locate_DevNodeA, SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiEnumDeviceInterfaces, SetupDiGetClassDevsA, SetupDiGetDeviceInterfaceDetailA, SetupDiGetDeviceRegistryPropertyA
SHELL32.dll	CommandLineToArgvW, DragAcceptFiles, DragFinish, DragQueryFileW, SHGetFolderPathW, SHGetSpecialFolderPathA, ShellExecuteW
SHLWAPI.dll	SHCreateStreamOnFileA
USER32.dll	AdjustWindowRectEx, AttachThreadInput, BeginPaint, CallNextHookEx, CallWindowProcW, ChangeDisplaySettingsExW, ClientToScreen, ClipCursor, CloseClipboard, CopyIcon, CopyImage, CreateIconFromResource, CreateIconIndirect, CreateWindowExA, CreateWindowExW, DefWindowProcA, DefWindowProcW, DestroyCursor, DestroyIcon, DestroyWindow, DialogBoxIndirectParamW, DispatchMessageA, DispatchMessageW, DrawIcon, DrawTextW, EmptyClipboard, EndDialog, EndPaint, EnumDisplayDevicesW, EnumDisplayMonitors, EnumDisplaySettingsW, FillRect, FindWindowW, FlashWindowEx, FrameRect, GetAsyncKeyState, GetClassInfoExW, GetClientRect, GetClipCursor, GetClipboardData, GetClipboardSequenceNumber, GetCursorInfo, GetCursorPos, GetDC, GetDesktopWindow, GetDlgItem, GetDoubleClickTime, GetFocus, GetForegroundWindow, GetIconInfo, GetKeyState, GetKeyboardLayout, GetKeyboardState, GetMenu, GetMessageExtraInfo, GetMessageTime, GetMessageW, GetMonitorInfoW, GetParent, GetProcessWindowStation, GetPropW, GetRawInputData, GetRawInputDeviceInfoA, GetRawInputDeviceList, GetSystemMetrics, GetUpdateRect, GetUserObjectInformationW, GetWindowLongPtrA, GetWindowLongPtrW, GetWindowLongW, GetWindowRect, GetWindowTextLengthW, GetWindowTextW, GetWindowThreadProcessId, IntersectRect, InvalidateRect, IsClipboardFormatAvailable, IsIconic, KillTimer, LoadCursorA, LoadCursorW, LoadIconW, MapVirtualKeyW, MessageBoxA, MessageBoxW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow, MsgWaitForMultipleObjects, OpenClipboard, PeekMessageA, PeekMessageW, PostMessageW, PostThreadMessageW, PtInRect, RegisterClassExA, RegisterClassExW, RegisterClassW, RegisterDeviceNotificationW, RegisterRawInputDevices, RegisterWindowMessageA, ReleaseCapture, ReleaseDC, RemovePropW, ScreenToClient, SendMessageA, SendMessageW, SetActiveWindow, SetCapture, SetClipboardData, SetCursor, SetCursorPos, SetFocus, SetForegroundWindow, SetLayeredWindowAttributes, SetPropW, SetTimer, SetWindowLongPtrA, SetWindowLongPtrW, SetWindowLongW, SetWindowPos, SetWindowRgn, SetWindowTextW, SetWindowsHookExW, ShowWindow, SystemParametersInfoA, SystemParametersInfoW, ToUnicode, TrackMouseEvent, TranslateMessage, UnhookWindowsHookEx, UnregisterClassA, UnregisterClassW, UnregisterDeviceNotification, ValidateRect
VERSION.dll	GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
AVICAP32.dll	capCreateCaptureWindowA, capGetDriverDescriptionA
WINMM.dll	timeBeginPeriod, timeEndPeriod, waveInAddBuffer, waveInClose, waveInGetDevCapsW, waveInGetNumDevs, waveInOpen, waveInPrepareHeader, waveInReset, waveInStart, waveInUnprepareHeader, waveOutClose, waveOutGetDevCapsW, waveOutGetErrorTextW, waveOutGetNumDevs, waveOutOpen, waveOutPrepareHeader, waveOutReset, waveOutUnprepareHeader, waveOutWrite
WS2_32.dll	WSACleanup, WSACloseEvent, WSACreateEvent, WSAEventSelect, WSAGetLastError, WSAGetOverlappedResult, WSAIoctl, WSARecvFrom, WSAResetEvent, WSASendTo, WSASetLastError, WSASocketA, WSAStartup, WSAStringToAddressA, WSAWaitForMultipleEvents, __WSAFDIsSet, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, gethostbyaddr, gethostbyname, gethostname, getnameinfo, getpeername, getservbyname, getservbyport, getsockname, getsockopt, htonl, htons, inet_addr, inet_ntoa, inet_ntop, inet_pton, ioctlsocket, listen, ntohl, ntohs, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket

Exports

Name	Ordinal	Address
FT_Activate_Size	1	0x1412f5440
FT_Add_Default_Modules	2	0x1412fdfa0
FT_Add_Module	3	0x1412fa070
FT_Angle_Diff	4	0x1412f97d0
FT_Atan2	5	0x1412f92c0
FT_Attach_File	6	0x1412f9b40
FT_Attach_Stream	7	0x1412f9a50
FT_Bitmap_Blend	8	0x14135bf20
FT_Bitmap_Convert	9	0x14135b2c0
FT_Bitmap_Copy	10	0x14135b0d0
FT_Bitmap_Done	11	0x14135c770
FT_Bitmap_Embolden	12	0x14135b830
FT_Bitmap_Init	13	0x14135b090
FT_Bitmap_New	14	0x14135b0b0
FT_CeilFix	15	0x1412f2290
FT_Cos	16	0x1412f9140
FT_DivFix	17	0x1412f23d0
FT_Done_Face	18	0x1412f3bb0
FT_Done_FreeType	19	0x1412fe230
FT_Done_Glyph	20	0x14135d570
FT_Done_Library	21	0x1412f5b20
FT_Done_MM_Var	22	0x14135d8e0
FT_Done_Size	23	0x1412f3c70
FT_Error_String	24	0x1412f2ed0
FT_Face_GetCharVariantIndex	25	0x1412f53d0
FT_Face_GetCharVariantIsDefault	26	0x1412f5380
FT_Face_GetCharsOfVariant	27	0x1412f5290
FT_Face_GetVariantSelectors	28	0x1412f5330
FT_Face_GetVariantsOfChar	29	0x1412f52e0
FT_Face_Properties	30	0x1412f4bf0
FT_FloorFix	31	0x1412f22a0
FT_Get_Advance	32	0x1412fb2a0
FT_Get_Advances	33	0x1412fb040
FT_Get_BDF_Charset_ID	34	0x141434d10
FT_Get_BDF_Property	35	0x141434dd0
FT_Get_CMap_Format	36	0x1412f5120
FT_Get_CMap_Language_ID	37	0x1412f50a0
FT_Get_Char_Index	38	0x1412f4a90
FT_Get_Charmap_Index	39	0x1412f4a50
FT_Get_Color_Glyph_ClipBox	40	0x1412f5e10
FT_Get_Color_Glyph_Layer	41	0x1412f5d80
FT_Get_Color_Glyph_Paint	42	0x1412f5dd0
FT_Get_Colorline_Stops	43	0x1412f5ee0
FT_Get_Default_Named_Instance	44	0x14135e230
FT_Get_First_Char	45	0x1412f4b60
FT_Get_Font_Format	46	0x1412f2ee0
FT_Get_Glyph	47	0x14135d050
FT_Get_Glyph_Name	48	0x1412f4d70
FT_Get_Kerning	49	0x1412f4770
FT_Get_MM_Blend_Coordinates	50	0x14135df20
FT_Get_MM_Var	51	0x14135d800
FT_Get_MM_WeightVector	52	0x14135da90
FT_Get_Module	53	0x1412f5650
FT_Get_Multi_Master	54	0x14135d720
FT_Get_Name_Index	55	0x1412f4cc0
FT_Get_Next_Char	56	0x1412f4ac0
FT_Get_PS_Font_Info	57	0x141434e50
FT_Get_PS_Font_Private	58	0x141434f10
FT_Get_PS_Font_Value	59	0x141434f80
FT_Get_Paint	60	0x1412f5e90
FT_Get_Paint_Layers	61	0x1412f5e50
FT_Get_Postscript_Name	62	0x1412f4e80
FT_Get_Renderer	63	0x1412f54e0
FT_Get_Sfnt_LangTag	64	0x1412f7c70
FT_Get_Sfnt_Name	65	0x1412f7b50
FT_Get_Sfnt_Name_Count	66	0x1412f7940
FT_Get_Sfnt_Table	67	0x1412f4f20
FT_Get_SubGlyph_Info	68	0x1412f5cf0
FT_Get_Track_Kerning	69	0x1412f4930
FT_Get_Transform	70	0x1412f3b60
FT_Get_TrueType_Engine_Type	71	0x1412f5ca0
FT_Get_Var_Axis_Flags	72	0x14135e0e0
FT_Get_Var_Blend_Coordinates	73	0x14135e000
FT_Get_Var_Design_Coordinates	74	0x14135dcd0
FT_Get_X11_Font_Format	75	0x1412f2f10
FT_GlyphSlot_Own_Bitmap	76	0x14135c6c0
FT_Glyph_Copy	77	0x14135ce50
FT_Glyph_Get_CBox	78	0x14135d1c0
FT_Glyph_Stroke	79	0x141360bf0
FT_Glyph_StrokeBorder	80	0x141360d40
FT_Glyph_To_Bitmap	81	0x14135d270
FT_Glyph_Transform	82	0x14135d160
FT_Has_PS_Glyph_Names	83	0x141434ec0
FT_Init_FreeType	84	0x1412fe1a0
FT_Library_SetLcdFilter	85	0x1412f35c0
FT_Library_SetLcdFilterWeights	86	0x1412f35b0
FT_Library_SetLcdGeometry	87	0x1412f35d0
FT_Library_Version	88	0x1412f5ae0
FT_List_Add	89	0x1412fdde0
FT_List_Finalize	90	0x1412fdf30
FT_List_Find	91	0x1412fddb0
FT_List_Insert	92	0x1412fde20
FT_List_Iterate	93	0x1412fdee0
FT_List_Remove	94	0x1412fde50
FT_List_Up	95	0x1412fde90
FT_Load_Char	96	0x1412fb400
FT_Load_Glyph	97	0x1412fa840
FT_Load_Sfnt_Table	98	0x1412f4f80
FT_Matrix_Invert	99	0x1412f2580
FT_Matrix_Multiply	100	0x1412f2440
FT_MulDiv	101	0x1412f22b0
FT_MulFix	102	0x1412f23b0
FT_New_Face	103	0x1412fbf80
FT_New_Glyph	104	0x14135cf60
FT_New_Library	105	0x1412f5a40
FT_New_Memory_Face	106	0x1412fce30
FT_New_Size	107	0x1412f9eb0
FT_Open_Face	108	0x1412fceb0
FT_Outline_Check	109	0x1412f63b0
FT_Outline_Copy	110	0x1412f6430
FT_Outline_Decompose	111	0x1412f5f20
FT_Outline_Done	112	0x1412f64e0
FT_Outline_Embolden	113	0x1412f7500
FT_Outline_EmboldenXY	114	0x1412f6ff0
FT_Outline_GetInsideBorder	115	0x14135ff20
FT_Outline_GetOutsideBorder	116	0x14135ff40
FT_Outline_Get_Bitmap	117	0x1412f6c30
FT_Outline_Get_CBox	118	0x1412f65a0
FT_Outline_Get_Orientation	119	0x1412f6e10
FT_Outline_New	120	0x1412fd950
FT_Outline_Render	121	0x1412f6ab0
FT_Outline_Reverse	122	0x1412f6a00
FT_Outline_Transform	123	0x1412f6d40
FT_Outline_Translate	124	0x1412f69b0
FT_Palette_Data_Get	125	0x1412f2db0
FT_Palette_Select	126	0x1412f2e30
FT_Palette_Set_Foreground_Color	127	0x1412f2ea0
FT_Property_Get	128	0x1412f59e0
FT_Property_Set	129	0x1412f59c0
FT_Reference_Face	130	0x1412f3b90
FT_Reference_Library	131	0x1412f5a20
FT_Remove_Module	132	0x1412f5780
FT_Render_Glyph	133	0x1412fa800
FT_Request_Size	134	0x1412f44f0
FT_RoundFix	135	0x1412f2270
FT_Select_Charmap	136	0x1412f49c0
FT_Select_Size	137	0x1412f4480
FT_Set_Char_Size	138	0x1412f4620
FT_Set_Charmap	139	0x1412f51a0
FT_Set_Debug_Hook	140	0x1412f5c70
FT_Set_Default_Log_Handler	141	0x141361320
FT_Set_Default_Properties	142	0x1412fdfe0
FT_Set_Log_Handler	143	0x141361310
FT_Set_MM_Blend_Coordinates	144	0x14135ddb0
FT_Set_MM_Design_Coordinates	145	0x14135d910
FT_Set_MM_WeightVector	146	0x14135d9d0
FT_Set_Named_Instance	147	0x14135e100
FT_Set_Pixel_Sizes	148	0x1412f46d0
FT_Set_Renderer	149	0x1412f5520
FT_Set_Transform	150	0x1412f3ad0
FT_Set_Var_Blend_Coordinates	151	0x14135df10
FT_Set_Var_Design_Coordinates	152	0x14135db70
FT_Sfnt_Table_Info	153	0x1412f5010
FT_Sin	154	0x1412f9190
FT_Stream_OpenLZW	155	0x14134de20
FT_Stroker_BeginSubPath	156	0x141360370
FT_Stroker_ConicTo	157	0x141360310
FT_Stroker_CubicTo	158	0x141360340
FT_Stroker_Done	159	0x1413600c0
FT_Stroker_EndSubPath	160	0x1413603d0
FT_Stroker_Export	161	0x141360790
FT_Stroker_ExportBorder	162	0x141360760
FT_Stroker_GetBorderCounts	163	0x141360620
FT_Stroker_GetCounts	164	0x1413606b0
FT_Stroker_LineTo	165	0x1413601a0
FT_Stroker_New	166	0x14135ff60
FT_Stroker_ParseOutline	167	0x1413607e0
FT_Stroker_Rewind	168	0x141360090
FT_Stroker_Set	169	0x141360040
FT_Tan	170	0x1412f91e0
FT_Trace_Set_Default_Level	171	0x141361300
FT_Trace_Set_Level	172	0x1413612f0
FT_Vector_From_Polar	173	0x1412f97a0
FT_Vector_Length	174	0x1412f9510
FT_Vector_Polarize	175	0x1412f9690
FT_Vector_Rotate	176	0x1412f9380
FT_Vector_Transform	177	0x1412f6ca0
FT_Vector_Unit	178	0x1412f9340
TT_New_Context	179	0x14130c950
TT_RunIns	180	0x141309890
gme_ay_type	181	0x144b49e40
gme_clear_playlist	182	0x1416c5860
gme_delete	183	0x1416c5500
gme_enable_accuracy	184	0x1416c5830
gme_equalizer	185	0x1416c5900
gme_free_info	186	0x1416c56f0
gme_gbs_type	187	0x144b49fd8
gme_gym_type	188	0x144b4a150
gme_hes_type	189	0x144b4a380
gme_identify_extension	190	0x1416c4f90
gme_identify_file	191	0x1416c5940
gme_identify_header	192	0x1416c4e90
gme_ignore_silence	193	0x1416c57f0
gme_kss_type	194	0x144b4a4f8
gme_load_custom	195	0x1416c54d0
gme_load_data	196	0x1416c5b70
gme_load_file	197	0x1416c54c0
gme_multi_channel	198	0x1416c5880
gme_mute_voice	199	0x1416c5810
gme_mute_voices	200	0x1416c5820
gme_new_emu	201	0x1416c5210
gme_new_emu_multi_channel	202	0x1416c5360
gme_nsf_type	203	0x144b4a988
gme_nsfe_type	204	0x144b4aaa0
gme_open_data	205	0x1416c5bc0
gme_open_file	206	0x1416c5a10
gme_play	207	0x1416c5770
gme_sap_type	208	0x144b4ac30
gme_seek	209	0x1416c57c0
gme_seek_samples	210	0x1416c57d0
gme_set_autoload_playback_limit	211	0x1416c5080
gme_set_equalizer	212	0x1416c58a0
gme_set_fade	213	0x1416c5780
gme_set_stereo_depth	214	0x1416c5710
gme_set_tempo	215	0x1416c5800
gme_set_user_cleanup	216	0x1416c5750
gme_set_user_data	217	0x1416c5740
gme_spc_type	218	0x144b4ae00
gme_start_track	219	0x1416c5760
gme_tell	220	0x1416c57a0
gme_tell_samples	221	0x1416c57b0
gme_track_count	222	0x1416c5540
gme_track_ended	223	0x1416c5790
gme_track_info	224	0x1416c5550
gme_type	225	0x1416c5520
gme_type_extension	226	0x1416c5060
gme_type_list	227	0x1416c4d80
gme_type_multitrack	228	0x1416c5870
gme_type_system	229	0x1416c5930
gme_user_data	230	0x1416c5730
gme_vgm_type	231	0x144b4b0d0
gme_vgz_type	232	0x144b4b080
gme_voice_count	233	0x1416c57e0
gme_voice_name	234	0x1416c5920
gme_warning	235	0x1416c5530
gme_wrong_file_type	236	0x144b49c90

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

Click to jump to process

Memory Usage

• ffprobe.exe
• conhost.exe

Click to jump to process

Behavior

• ffprobe.exe
• conhost.exe

Click to jump to process

System Behavior

Analysis Process: ffprobe.exePID: 6952, Parent PID: 4056

Function Logs

General

Target ID:	0
Start time:	16:59:26
Start date:	18/07/2024
Path:	C:\Users\user\Desktop\ffprobe.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ffprobe.exe"
Imagebase:	0x7ff600050000
File size:	86'542'848 bytes
MD5 hash:	CC47FCC83E6F1EA6D9FAC3461B7CC95F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

File Opened

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Queried

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6620, Parent PID: 6952

Function Logs

General

Target ID:	10
Start time:	16:59:28
Start date:	18/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ffprobe.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: ffprobe.exePID: 6952, Parent PID: 4056

General

File Activities

File Opened

File Created

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Registry Activities

Windows Analysis Report
ffprobe.exe