Edit tour

Windows Analysis Report
HandBrake-1.6.1-x86_64-Win_GUI.exe

Overview

General Information

Sample Name:	HandBrake-1.6.1-x86_64-Win_GUI.exe
Analysis ID:	800974
MD5:	aa2240842cb69ca6ce2b7233cbe9e56e
SHA1:	e95b9318b0b9ab8ed5ef0dd9eece88ca55d16680
SHA256:	7b3ab4a232913174b365eb918d7978852a7a36fd38d20d4bb42aa184f113a130
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Compliance

Score:	49
Range:	0 - 100

Signatures

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Drops PE files

Contains functionality to shutdown / reboot the system

PE file contains sections with non-standard names

Detected potential crypto function

Stores files to the Windows start menu directory

PE file contains more sections than normal

Found dropped PE file which has not been started or loaded

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

HandBrake-1.6.1-x86_64-Win_GUI.exe (PID: 4748 cmdline: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe MD5: AA2240842CB69CA6CE2B7233CBE9E56E)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Compliance

Uses 32bit PE files

Source: HandBrake-1.6.1-x86_64-Win_GUI.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Found installer window with terms and condition text

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe

Window detected: < &Back&Next >CancelNullsoft Install System v3.08 Nullsoft Install System v3.08License AgreementPlease review the license terms before installing HandBrake 1.6.1.Press Page Down to see the rest of the agreement. GNU GENERAL PUBLIC LICENSE Version 2 June 1991 Copyright (C) 1989 1991 Free Software Foundation Inc. 51 Franklin Street Fifth Floor Boston MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed. Preamble The licenses for most software are designed to take away yourfreedom to share and change it. By contrast the GNU General PublicLicense is intended to guarantee your freedom to share and change freesoftware--to make sure the software is free for all its users. ThisGeneral Public License applies to most of the Free SoftwareFoundation's software and to any other program whose authors commit tousing it. (Some other Free Software Foundation software is covered bythe GNU Lesser General Public License instead.) You can apply it toyour programs too. When we speak of free software we are referring to freedom notprice. Our General Public Licenses are designed to make sure that youhave the freedom to distribute copies of free software (and charge forthis service if you wish) that you receive source code or can get itif you want it that you can change the software or use pieces of itin new free programs; and that you know you can do these things. To protect your rights we need to make restrictions that forbidanyone to deny you these rights or to ask you to surrender the rights.These restrictions translate to certain responsibilities for you if youdistribute copies of the software or if you modify it. For example if you distribute copies of such a program whethergratis or for a fee you must give the recipients all the rights thatyou have. You must make sure that they too receive or can get thesource code. And you must show them these terms so they know theirrights. We protect your rights with two steps: (1) copyright the software and(2) offer you this license which gives you legal permission to copydistribute and/or modify the software. Also for each author's protection and ours we want to make certainthat everyone understands that there is no warranty for this freesoftware. If the software is modified by someone else and passed on wewant its recipients to know that what they have is not the original sothat any problems introduced by others will not reflect on the originalauthors' reputations. Finally any free program is threatened constantly by softwarepatents. We wish to avoid the danger that redistributors of a freeprogram will individually obtain patent licenses in effect making theprogram proprietary. To prevent this we have made it clear that anypatent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying distribution andmodifi

Creates a directory in C:\Program Files

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Directory created: C:\Program Files\HandBrake	Jump to behavior
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Directory created: C:\Program Files\HandBrake\HandBrake.Worker.exe	Jump to behavior
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Directory created: C:\Program Files\HandBrake\HandBrake.exe	Jump to behavior
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Directory created: C:\Program Files\HandBrake\hb.dll	Jump to behavior
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Directory created: C:\Program Files\HandBrake\portable.ini.template	Jump to behavior
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Directory created: C:\Program Files\HandBrake\doc	Jump to behavior
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Directory created: C:\Program Files\HandBrake\doc\COPYING	Jump to behavior
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Directory created: C:\Program Files\HandBrake\uninst.exe	Jump to behavior

PE / OLE file has a valid certificate

Source: HandBrake-1.6.1-x86_64-Win_GUI.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: HandBrake-1.6.1-x86_64-Win_GUI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: D:\a\ookii-dialogs-wpf\ookii-dialogs-wpf\src\Ookii.Dialogs.Wpf\obj\Release\net6.0-windows\Ookii.Dialogs.Wpf.pdbSHA2563 source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005780000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.CodeDom/Release/net6.0/System.CodeDom.pdb source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005780000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BuildAgent\work\ca4d35d288c24081\win\CS\HandBrake.Interop\obj\Debug\HandBrake.Interop.pdb source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.00000000058F3000.00000004.00000020.00020000.00000000.sdmp, HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.337730879.0000000002774000.00000004.00000020.00020000.00000000.sdmp, HandBrake.Worker.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.337730879.0000000002774000.00000004.00000020.00020000.00000000.sdmp, HandBrake.Worker.exe.0.dr, HandBrake.exe.0.dr
Source:	Binary string: C:\BuildAgent\work\ca4d35d288c24081\win\CS\HandBrakeWPF\obj\Debug\HandBrake.pdbSHA256 source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005944000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbcccGCTL source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.337730879.0000000002774000.00000004.00000020.00020000.00000000.sdmp, HandBrake.Worker.exe.0.dr, HandBrake.exe.0.dr
Source:	Binary string: C:\BuildAgent\work\ca4d35d288c24081\win\CS\HandBrakeWPF\obj\Debug\HandBrake.pdb source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005944000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Microsoft.Toolkit.Uwp.Notifications/obj/Release/net5.0-windows10.0.17763.0/Microsoft.Toolkit.Uwp.Notifications.pdb source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.00000000056CA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Management/Release/net6.0-windows/System.Management.pdb source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005828000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BuildAgent\work\ca4d35d288c24081\win\CS\HandBrake.App.Core\obj\Debug\HandBrake.App.Core.pdb source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.00000000058F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Management/Release/net6.0-windows/System.Management.pdbSHA256$ source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005828000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ookii-dialogs-wpf\ookii-dialogs-wpf\src\Ookii.Dialogs.Wpf\obj\Release\net6.0-windows\Ookii.Dialogs.Wpf.pdb source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005780000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BuildAgent\work\ca4d35d288c24081\win\CS\HandBrake.Worker\obj\Debug\HandBrake.Worker.pdb source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.337730879.00000000027F6000.00000004.00000020.00020000.00000000.sdmp, HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005944000.00000004.00000020.00020000.00000000.sdmp, HandBrake.Worker.exe.0.dr
Source:	Binary string: E:\A\_work\305\s\src\Microsoft.Xaml.Behaviors\obj\Release\netcoreapp3.0\Microsoft.Xaml.Behaviors.pdb source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005729000.00000004.00000020.00020000.00000000.sdmp

Spreading

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Code function: 0_2_0040683D FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Code function: 0_2_0040290B FindFirstFileW,

Networking

Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.000000000521F000.00000004.00000020.00020000.00000000.sdmp, HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.337730879.00000000027F6000.00000004.00000020.00020000.00000000.sdmp, HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005944000.00000004.00000020.00020000.00000000.sdmp, HandBrake.Worker.exe.0.dr	String found in binary or memory: http://127.0.0.1:
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.00000000053E8000.00000004.00000020.00020000.00000000.sdmp, HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005944000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://metro.mahapps.com/winfx/xaml/controls
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.00000000053E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://metro.mahapps.com/winfx/xaml/shared
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.372380388.0000000002777000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.372380388.0000000002777000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://relaxng.org/ns/structure/1.0Memory
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.372380388.0000000002777000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.372380388.0000000002777000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.372380388.0000000002AF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x265.org
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.337730879.0000000002774000.00000004.00000020.00020000.00000000.sdmp, HandBrake.Worker.exe.0.dr, HandBrake.exe.0.dr	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.337730879.0000000002774000.00000004.00000020.00020000.00000000.sdmp, HandBrake.Worker.exe.0.dr, HandBrake.exe.0.dr	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?You
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.337730879.0000000002774000.00000004.00000020.00020000.00000000.sdmp, HandBrake.Worker.exe.0.dr, HandBrake.exe.0.dr	String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.337730879.0000000002774000.00000004.00000020.00020000.00000000.sdmp, HandBrake.Worker.exe.0.dr, HandBrake.exe.0.dr	String found in binary or memory: https://aka.ms/dotnet/app-launch-failed&gui=trueShowing
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.00000000056CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/CommunityToolkit/WindowsCommunityToolkit
Source: HandBrake.Worker.exe.0.dr	String found in binary or memory: https://github.com/HandBrake/HandBrake
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005944000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/HandBrake/HandBrake/issues
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.000000000521F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/HandBrake/HandBrake/issuese/HandBrake;V1.6.1.0;component/views/aboutview.xamlm/Ha
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.00000000058F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/HandBrake/HandBrakeB
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.00000000053E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/MahApps/MahApps.Metro.git
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005828000.00000004.00000020.00020000.00000000.sdmp, HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/runtime
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/ookii-dialogs/ookii-dialogs-wpf.git
Source: HandBrake.exe.0.dr	String found in binary or memory: https://handbrake.fr
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.000000000521F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://handbrake.fr/appcast.x86_64.xml
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.000000000521F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://handbrake.fr/appcast.x86_64.xmlMhttps://handbrake.fr/appcast.arm64.xmlahttps://handbrake.fr/
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.000000000521F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://handbrake.fr/appcast_unstable.arm64.xml
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.000000000521F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://handbrake.fr/appcast_unstable.x86_64.xmlLhttps://handbrake.fr/appcast.arm64.xml
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.000000000521F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://handbrake.fr/docs/en/latest/advanced/audio-subtitle-defaults.html
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.000000000521F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://handbrake.fr/docs/en/latest/advanced/custom-presets.html
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.000000000521F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://handbrake.fr/docsahttps://github.com/HandBrake/HandBrake-snapshots

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe

Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

System Summary

Uses 32bit PE files

Source: HandBrake-1.6.1-x86_64-Win_GUI.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Sample file is different than original file name gathered from version info

Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005729000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Xaml.Behaviors.dllR vs HandBrake-1.6.1-x86_64-Win_GUI.exe
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005828000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Management.dll@ vs HandBrake-1.6.1-x86_64-Win_GUI.exe
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.337730879.00000000027F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHandBrake.Worker.dllB vs HandBrake-1.6.1-x86_64-Win_GUI.exe
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005944000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHandBrake.Worker.dllB vs HandBrake-1.6.1-x86_64-Win_GUI.exe
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005944000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHandBrake.dll4 vs HandBrake-1.6.1-x86_64-Win_GUI.exe
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005780000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOokii.Dialogs.Wpf.dllD vs HandBrake-1.6.1-x86_64-Win_GUI.exe
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005780000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.CodeDom.dll@ vs HandBrake-1.6.1-x86_64-Win_GUI.exe
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.00000000058F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHandBrake.App.Core.dllF vs HandBrake-1.6.1-x86_64-Win_GUI.exe
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.00000000058F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHandBrake.Interop.dllD vs HandBrake-1.6.1-x86_64-Win_GUI.exe
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.337730879.0000000002774000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHandBrake.Worker.dllB vs HandBrake-1.6.1-x86_64-Win_GUI.exe
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.337730879.0000000002774000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHandBrake.Interop.dllD vs HandBrake-1.6.1-x86_64-Win_GUI.exe
Source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.00000000056CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Toolkit.Uwp.Notifications.dllT vs HandBrake-1.6.1-x86_64-Win_GUI.exe

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe

Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Detected potential crypto function

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe

Code function: 0_2_00406BFE

PE file contains more sections than normal

Source: hb.dll.0.dr

Static PE information: Number of sections : 12 > 10

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe

File read: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe

Jump to behavior

Source: HandBrake-1.6.1-x86_64-Win_GUI.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: HandBrake.lnk.0.dr	LNK file: ..\..\..\Program Files\HandBrake\HandBrake.exe
Source: HandBrake.lnk0.0.dr	LNK file: ..\..\..\..\..\..\Program Files\HandBrake\HandBrake.exe
Source: Uninstall.lnk.0.dr	LNK file: ..\..\..\..\..\..\Program Files\HandBrake\uninst.exe

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe

Mutant created: \Sessions\1\BaseNamedObjects\m

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe

File created: C:\Program Files\HandBrake

Jump to behavior

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe

File created: C:\Users\Public\Desktop\HandBrake.lnk

Jump to behavior

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe

File created: C:\Users\user\AppData\Local\Temp\nsvB029.tmp

Jump to behavior

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe

File written: C:\Users\user\AppData\Local\Temp\nskB087.tmp\ioSpecial.ini

Jump to behavior

Source: classification engine

Classification label: clean3.winEXE@1/13@0/0

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe

Code function: 0_2_004021AA CoCreateInstance,

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe

Code function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHAutoComplete,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

Found GUI installer (many successful clicks)

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Automated click: Next >
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Automated click: Next >
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Automated click: Install

Found installer window with terms and condition text

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe

Submission file is bigger than most known malware samples

Source: HandBrake-1.6.1-x86_64-Win_GUI.exe

Static file information: File size 23066024 > 1048576

Creates a directory in C:\Program Files

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Directory created: C:\Program Files\HandBrake	Jump to behavior
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Directory created: C:\Program Files\HandBrake\HandBrake.Worker.exe	Jump to behavior
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Directory created: C:\Program Files\HandBrake\HandBrake.exe	Jump to behavior
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Directory created: C:\Program Files\HandBrake\hb.dll	Jump to behavior
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Directory created: C:\Program Files\HandBrake\portable.ini.template	Jump to behavior
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Directory created: C:\Program Files\HandBrake\doc	Jump to behavior
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Directory created: C:\Program Files\HandBrake\doc\COPYING	Jump to behavior
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Directory created: C:\Program Files\HandBrake\uninst.exe	Jump to behavior

PE / OLE file has a valid certificate

Source: HandBrake-1.6.1-x86_64-Win_GUI.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: HandBrake-1.6.1-x86_64-Win_GUI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: D:\a\ookii-dialogs-wpf\ookii-dialogs-wpf\src\Ookii.Dialogs.Wpf\obj\Release\net6.0-windows\Ookii.Dialogs.Wpf.pdbSHA2563 source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005780000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.CodeDom/Release/net6.0/System.CodeDom.pdb source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005780000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BuildAgent\work\ca4d35d288c24081\win\CS\HandBrake.Interop\obj\Debug\HandBrake.Interop.pdb source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.00000000058F3000.00000004.00000020.00020000.00000000.sdmp, HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.337730879.0000000002774000.00000004.00000020.00020000.00000000.sdmp, HandBrake.Worker.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.337730879.0000000002774000.00000004.00000020.00020000.00000000.sdmp, HandBrake.Worker.exe.0.dr, HandBrake.exe.0.dr
Source:	Binary string: C:\BuildAgent\work\ca4d35d288c24081\win\CS\HandBrakeWPF\obj\Debug\HandBrake.pdbSHA256 source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005944000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbcccGCTL source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.337730879.0000000002774000.00000004.00000020.00020000.00000000.sdmp, HandBrake.Worker.exe.0.dr, HandBrake.exe.0.dr
Source:	Binary string: C:\BuildAgent\work\ca4d35d288c24081\win\CS\HandBrakeWPF\obj\Debug\HandBrake.pdb source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005944000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Microsoft.Toolkit.Uwp.Notifications/obj/Release/net5.0-windows10.0.17763.0/Microsoft.Toolkit.Uwp.Notifications.pdb source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.00000000056CA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Management/Release/net6.0-windows/System.Management.pdb source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005828000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BuildAgent\work\ca4d35d288c24081\win\CS\HandBrake.App.Core\obj\Debug\HandBrake.App.Core.pdb source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.00000000058F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Management/Release/net6.0-windows/System.Management.pdbSHA256$ source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005828000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ookii-dialogs-wpf\ookii-dialogs-wpf\src\Ookii.Dialogs.Wpf\obj\Release\net6.0-windows\Ookii.Dialogs.Wpf.pdb source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005780000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BuildAgent\work\ca4d35d288c24081\win\CS\HandBrake.Worker\obj\Debug\HandBrake.Worker.pdb source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.337730879.00000000027F6000.00000004.00000020.00020000.00000000.sdmp, HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005944000.00000004.00000020.00020000.00000000.sdmp, HandBrake.Worker.exe.0.dr
Source:	Binary string: E:\A\_work\305\s\src\Microsoft.Xaml.Behaviors\obj\Release\netcoreapp3.0\Microsoft.Xaml.Behaviors.pdb source: HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005729000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

PE file contains an invalid checksum

Source: HandBrake.Worker.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0xbc94d
Source: uninst.exe.0.dr	Static PE information: real checksum: 0x1607686 should be: 0x28905
Source: System.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x3d68
Source: InstallOptions.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x7de9

PE file contains sections with non-standard names

Source: HandBrake.Worker.exe.0.dr	Static PE information: section name: _RDATA
Source: HandBrake.exe.0.dr	Static PE information: section name: _RDATA
Source: hb.dll.0.dr	Static PE information: section name: .rodata
Source: hb.dll.0.dr	Static PE information: section name: .xdata

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	File created: C:\Users\user\AppData\Local\Temp\nskB087.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	File created: C:\Program Files\HandBrake\HandBrake.Worker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	File created: C:\Program Files\HandBrake\HandBrake.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	File created: C:\Program Files\HandBrake\hb.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	File created: C:\Program Files\HandBrake\uninst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	File created: C:\Users\user\AppData\Local\Temp\nskB087.tmp\System.dll	Jump to dropped file

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HandBrake	Jump to behavior
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HandBrake\HandBrake.lnk	Jump to behavior
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HandBrake\Uninstall.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Dropped PE file which has not been started: C:\Program Files\HandBrake\HandBrake.Worker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Dropped PE file which has not been started: C:\Program Files\HandBrake\hb.dll	Jump to dropped file
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Dropped PE file which has not been started: C:\Program Files\HandBrake\uninst.exe	Jump to dropped file

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Code function: 0_2_0040683D FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Code function: 0_2_0040290B FindFirstFileW,

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	File Volume queried: C:\Program Files FullSizeInformation
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	File Volume queried: C:\Program Files FullSizeInformation

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	3 Masquerading	OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HandBrake-1.6.1-x86_64-Win_GUI.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files\HandBrake\HandBrake.Worker.exe	0%	ReversingLabs
C:\Program Files\HandBrake\HandBrake.exe	0%	ReversingLabs
C:\Program Files\HandBrake\hb.dll	3%	ReversingLabs
C:\Program Files\HandBrake\uninst.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nskB087.tmp\InstallOptions.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nskB087.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.3.HandBrake-1.6.1-x86_64-Win_GUI.exe.5972020.10.unpack	100%	Avira	HEUR/AGEN.1253898	Download File
0.3.HandBrake-1.6.1-x86_64-Win_GUI.exe.572d020.8.unpack	100%	Avira	HEUR/AGEN.1253898	Download File
0.3.HandBrake-1.6.1-x86_64-Win_GUI.exe.582c020.2.unpack	100%	Avira	HEUR/AGEN.1253898	Download File
0.3.HandBrake-1.6.1-x86_64-Win_GUI.exe.5785020.5.unpack	100%	Avira	HEUR/AGEN.1253898	Download File
0.3.HandBrake-1.6.1-x86_64-Win_GUI.exe.57b7020.4.unpack	100%	Avira	HEUR/AGEN.1253898	Download File
0.3.HandBrake-1.6.1-x86_64-Win_GUI.exe.5947020.7.unpack	100%	Avira	HEUR/AGEN.1253898	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://relaxng.org/ns/structure/1.0	0%	URL Reputation	safe
http://127.0.0.1:	0%	Avira URL Cloud	safe
http://metro.mahapps.com/winfx/xaml/controls	0%	Avira URL Cloud	safe
http://relaxng.org/ns/structure/1.0Memory	0%	Avira URL Cloud	safe
http://metro.mahapps.com/winfx/xaml/shared	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://handbrake.fr/appcast_unstable.arm64.xml	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.000000000521F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x265.org	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.372380388.0000000002AF3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/dotnet-core-applaunch?You	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.337730879.0000000002774000.00000004.00000020.00020000.00000000.sdmp, HandBrake.Worker.exe.0.dr, HandBrake.exe.0.dr	false		high
https://handbrake.fr/appcast.x86_64.xmlMhttps://handbrake.fr/appcast.arm64.xmlahttps://handbrake.fr/	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.000000000521F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/CommunityToolkit/WindowsCommunityToolkit	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.00000000056CA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/dotnet/app-launch-failed	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.337730879.0000000002774000.00000004.00000020.00020000.00000000.sdmp, HandBrake.Worker.exe.0.dr, HandBrake.exe.0.dr	false		high
https://handbrake.fr/appcast_unstable.x86_64.xmlLhttps://handbrake.fr/appcast.arm64.xml	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.000000000521F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	HandBrake-1.6.1-x86_64-Win_GUI.exe	false		high
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.372380388.0000000002777000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/dotnet/app-launch-failed&gui=trueShowing	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.337730879.0000000002774000.00000004.00000020.00020000.00000000.sdmp, HandBrake.Worker.exe.0.dr, HandBrake.exe.0.dr	false		high
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.372380388.0000000002777000.00000004.00000020.00020000.00000000.sdmp	false		high
http://metro.mahapps.com/winfx/xaml/controls	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.00000000053E8000.00000004.00000020.00020000.00000000.sdmp, HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005944000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://handbrake.fr/docs/en/latest/advanced/custom-presets.html	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.000000000521F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/dotnet-core-applaunch?	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.337730879.0000000002774000.00000004.00000020.00020000.00000000.sdmp, HandBrake.Worker.exe.0.dr, HandBrake.exe.0.dr	false		high
https://github.com/HandBrake/HandBrakeB	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.00000000058F3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/dotnet/runtime	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005828000.00000004.00000020.00020000.00000000.sdmp, HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005780000.00000004.00000020.00020000.00000000.sdmp	false		high
https://handbrake.fr/appcast.x86_64.xml	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.000000000521F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://handbrake.fr/docs/en/latest/advanced/audio-subtitle-defaults.html	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.000000000521F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/HandBrake/HandBrake/issuese/HandBrake;V1.6.1.0;component/views/aboutview.xamlm/Ha	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.000000000521F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.000000000521F000.00000004.00000020.00020000.00000000.sdmp, HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.337730879.00000000027F6000.00000004.00000020.00020000.00000000.sdmp, HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005944000.00000004.00000020.00020000.00000000.sdmp, HandBrake.Worker.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://metro.mahapps.com/winfx/xaml/shared	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.00000000053E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/MahApps/MahApps.Metro.git	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.00000000053E8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://relaxng.org/ns/structure/1.0Memory	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.372380388.0000000002777000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://relaxng.org/ns/structure/1.0	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.372380388.0000000002777000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://handbrake.fr/docsahttps://github.com/HandBrake/HandBrake-snapshots	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.000000000521F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/HandBrake/HandBrake	HandBrake.Worker.exe.0.dr	false		high
https://github.com/ookii-dialogs/ookii-dialogs-wpf.git	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005780000.00000004.00000020.00020000.00000000.sdmp	false		high
https://handbrake.fr	HandBrake.exe.0.dr	false		high
https://github.com/HandBrake/HandBrake/issues	HandBrake-1.6.1-x86_64-Win_GUI.exe, 00000000.00000003.352125616.0000000005944000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	800974
Start date and time:	2023-02-07 22:55:14 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 14s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	HandBrake-1.6.1-x86_64-Win_GUI.exe
Detection:	CLEAN
Classification:	clean3.winEXE@1/13@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 97.2%) Quality average: 85.4% Quality standard deviation: 23.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: HandBrake-1.6.1-x86_64-Win_GUI.exe

Process:	C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	720675
Entropy (8bit):	6.964072404458636
Encrypted:	false
SSDEEP:	12288:JLXxQY5MkvpEBTXGrPiyI+Wvu8KDzxv0juKKXjVTLIwvgY5MkvpEio0l3/:FSiyBTXByI+K7uXgiyio0p
MD5:	D6962D915695E41228871017830AB03A
SHA1:	817504863B83EE348253F3934342A20A8A6A6EDF
SHA-256:	D41D2C559E628EF57EFF765217AFB6FC37943EADC053472850EAD79E281ADA14
SHA-512:	9580FC9DC209C643CE6967B61B58FA6C4C9790AB819B1BC7AFAEC65B1729922AA3DB8371F70F0E3AAC7DC30465C91B4DA7F41D9E522D5707A68B913E11B7B5A5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."?.}f^..f^..f^..4+./j^..4+./l^..4+./+^..o&a.v^...,./o^..f^...^...+./l^...+./g^..Richf^..........................PE..d...x.Uc.........."......~..........P7.........@.............................p............`.................................................<................P..(............`..........T.......................(.......8............................................text....\|.......~.................. ..`.rdata.............................@..@.data........0......................@....pdata..(....P....... ..............@..@_RDATA.......p.......6..............@..@.rsrc................8..............@..@.reloc.......`......................@..B........................................................................................................................................................................................................................

C:\Program Files\HandBrake\HandBrake.exe

Download File

Process:	C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35518831
Entropy (8bit):	6.445434823453785
Encrypted:	false
SSDEEP:	196608:Urjj8WVKZCxwJ39xFFHQB7oNzLDMsFa6vA4hqCE0N8DUNcehipdlI26KESpDD:oUhCkhLDM4hqqN8DUNcewdlI26KESp/
MD5:	92B1F2E7F12C0A5DDB367157CBC53B7B
SHA1:	1E81C47FC8D3F7B38E2AEA95B78F23158B18888B
SHA-256:	BF9A1FA3E2240548B55D0FFAFA7607192242EAE4338B86EBC7779D74C7785E66
SHA-512:	6CE56265B873BA419DFF243CEB203466279B14C13CE473C6CFC94894F5AAF546E9952192B3691B202E5B7AA560829783FC7989B86CCAB26C5BFCE6DA7694E837
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."?.}f^..f^..f^..4+./j^..4+./l^..4+./+^..o&a.v^...,./o^..f^...^...+./l^...+./g^..Richf^..........................PE..d...x.Uc.........."......~..........P7.........@..........................................`.................................................<................P..(............p..........T.......................(.......8............................................text....\|.......~.................. ..`.rdata.............................@..@.data........0......................@....pdata..(....P....... ..............@..@_RDATA.......p.......6..............@..@.rsrc................8..............@..@.reloc.......p......................@..B........................................................................................................................................................................................................................

C:\Program Files\HandBrake\doc\COPYING

Download File

Process:	C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	18091
Entropy (8bit):	4.666505406573476
Encrypted:	false
SSDEEP:	384:ghUwi5rpL676yV12rPd34ZomzM2FR+dWF7jU2:gmFWixMFzMdm7jU2
MD5:	39BBA7D2CF0BA1036F2A6E2BE52FE3F0
SHA1:	1D8C93712CBC9117A9E55A7FF86CEBD066C8BFD8
SHA-256:	F9C375A1BE4A41F7B70301DD83C91CB89E41567478859B77EEF375A52D782505
SHA-512:	C36527C31BC2BC5A919DF62DE75C8EEB73234A8A9854CF6C2F5730D6994BAEC616B99EB54027B3D9D3F597C146F2CB1F42C7C23E1224F739B234CBAF780F73FB
Malicious:	false
Reputation:	low
Preview:	GNU GENERAL PUBLIC LICENSE. Version 2, June 1991.. Copyright (C) 1989, 1991 Free Software Foundation, Inc.,. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed... Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.License is intended to guarantee your freedom to share and change free.software--to make sure the software is free for all its users. This.General Public License applies to most of the Free Software.Foundation's software and to any other program whose authors commit to.using it. (Some other Free Software Foundation software is covered by.the GNU Lesser General Public License instead.) You can apply it to.your programs, too... When we speak of free software, we are referring to freedom, no

C:\Program Files\HandBrake\hb.dll

Download File

Process:	C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	69259776
Entropy (8bit):	6.813882923928218
Encrypted:	false
SSDEEP:	393216:WbYS70D9v3BV2PcRUUDnl2jwtS7els/uCSPGcT/RyNaTIPbBJrB8U2uRpOd9L+M5:WuI7w+eitmRQ24bfXpOdQM
MD5:	49CE7245800D675ABAC436A49512F763
SHA1:	B039A13AFCF964B344656398436D7D4D4E058D57
SHA-256:	2C5E330D4B6BD07971F8637860840C748E1D873FCF5432CE0A7615355D7EA5C1
SHA-512:	8B21F5CAB520DE705B752BBAF18AF6B02C1D6B067F2183256612C86E5EF117CF0236777884C5A58915C1C8FE6DD7578D7F048EBABE1C132C29B4CA08F02BF70E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...#..C... ..z..P.........0o....................................L !....... ......................................`..5<......4...........p..H...............,............................:..(....................................................text.....C.......C.................`.``.rodata.0.....C.......C.............`.P`.data........C.......C.............@.`..rdata.......E.....\E.............@..@.pdata..H....p.......H..............@.0@.xdata..4...........................@.0@.bss.....x............................p..edata..5<..`...>.................@.0@.idata...4.......6..................@.0..CRT....`............&..............@.@..tls.................(..............@.@..reloc..,..........................@.0B................................................................................................................................

C:\Program Files\HandBrake\portable.ini.template

Download File

Process:	C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe
File Type:	Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	1653
Entropy (8bit):	4.609172811541226
Encrypted:	false
SSDEEP:	48:tQM464JjZ+QlvZdcG+UQGuP5osDuJbaeuLKuA:tgnyUKP5pDuJGeP
MD5:	A55A14ACDB96D6F87B3C5E906FD338A8
SHA1:	E51CD75065E0F53AF1E96F532569F3B7B9508771
SHA-256:	81D2A215AF90F34439F598B02E330654D5D71C7667106F97A143CB319BF9B5E0
SHA-512:	F5403E9C53C930E9BB111A79D6A098037CD48B0B44E29B21021E0FD623977BD2BFAFA1B0EC8BE804FB23ED798132005D426F8E0B2A7B6B581CB810460C3B7B00
Malicious:	false
Reputation:	low
Preview:	.#################################.# HandBrake Portable.#################################.# Notes:.# - Rename this file to portable.ini to activate feature..#.# - storage.dir => Stores Presets, Settings and Log Files. (See Note 1).# - tmp.dir => Temporary files only. i.e Preview images (See Note 1).# - update.check => true \| false (false disables the update check preference and disables update checking completely. true enables user-choice.).# - hardware.enabled => true \| false (Enables the hardware encoders such as QSV, NVENC or VCE).# - process.isolation.enabled => true \| false (See Note 2).# - software.render => true \| false (Only set to true if you are experiencing UI corruption or glitches).# - theme.enabled => true \| false (default true, false disables dark and light themes and uses stock framework appearence.).#.# Note 1:.# Set to 'cwd' to use the current applications directory. It will automat

C:\Program Files\HandBrake\uninst.exe

Download File

Process:	C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	158498
Entropy (8bit):	7.51063935941415
Encrypted:	false
SSDEEP:	3072:A1NjcVVnLpPuAQKLWn0Mri32JEUkRUJ5Or1Zipg2wtxNwMvWoQIOZEtOqu:UNeZ8wCJ5Mk8SpD6t7NcDqu
MD5:	3778B3739192AD84DE5EAFDFA7E3B3A1
SHA1:	7A62DAC5BA9AD668C3B8840725E5757010B7F245
SHA-256:	9A27E9FAD80D3B2AF55CB8707EFF85C47893D94184B450C3A94A3FC0EF61D606
SHA-512:	7E13399DF3B746D9FE8182E6436E97B459B58E03E064BAE8A2CE2D10FAC1788D33E10C3AFC0B53DC0303AB7C11D2F77B750372B958B27FB026E9B0325F626D98
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L....Oa.................f...*.......4............@..................................v`...@.........................................................H._.`'...........................................................................................text....e.......f.................. ..`.rdata...............j..............@..@.data...8............~..............@....ndata... ...............................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HandBrake\HandBrake.lnk

Download File

Process:	C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Jan 23 17:33:22 2023, mtime=Tue Feb 7 20:56:26 2023, atime=Mon Jan 23 17:33:22 2023, length=35518831, window=hide
Category:	dropped
Size (bytes):	891
Entropy (8bit):	4.571428713600112
Encrypted:	false
SSDEEP:	12:8meew620YXRhtc8cdpF4wXokYdhsmrk8IgOjAkRkbdpZtbdpOeeueeMBm:8mAwdMkDmrk8IgyAqwdRdreheMBm
MD5:	20FFDEF6027CBE2D4D47E0E6286D999C
SHA1:	1768BA4B76EF28E584FCF0B47519225865094E65
SHA-256:	CA356E392A0E65BDFC6696917A4F9E0BBE75C75FAC859A54888FB830947B7CAC
SHA-512:	7E0269BD9404CADB7640AD8C9E96B90EC0DC4528A71F77CB38AB0605B4E5EA6FBCEED48F00DC3E0B4042890F39E8C7B5772C14259EA045A7E36A4846B847DABA
Malicious:	false
Reputation:	low
Preview:	L..................F.... ......+Y/..E...?;.....+Y/..o............................P.O. .:i.....+00.../C:\.....................1.....GV....PROGRA~1..t......L.GV......E...............J........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....\.1.....GV....HANDBR~1..D......GV..GV......}[........................H.a.n.d.B.r.a.k.e.....h.2.o...7V+. .HANDBR~2.EXE..L......7V+.GV.......[........................H.a.n.d.B.r.a.k.e...e.x.e.......W...............-.......V....................C:\Program Files\HandBrake\HandBrake.exe..7.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.H.a.n.d.B.r.a.k.e.\.H.a.n.d.B.r.a.k.e...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.H.a.n.d.B.r.a.k.e.\.d.o.c.`.......X.......216041...........!a..%.H.VZAj...o"r.h............!a..%.H.VZAj...o"r.h...........E.......9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HandBrake\Uninstall.lnk

Download File

Process:	C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	589
Entropy (8bit):	2.8296129697018704
Encrypted:	false
SSDEEP:	6:4xtCl01vMl//A9LY/dlrtw/vNUMy0fK1KRSAt+bdlrFCRSAztbdlrF6S:8wl0ZkXXdpWvJK42bdpgRtbdpt
MD5:	F560D717E8BD6754EC81E895C2EF65F8
SHA1:	F8DB4E809743C3D1462A3B969FFCE71645EE579E
SHA-256:	FB1B101FABA4194D51E31A6020D0CD2A32323D6A3DA64644D1E9727E21169FAD
SHA-512:	5AED86AFA13FCD740B181587368F0DEA291C7391C16FAA23FE11963CC7C64B44C040C60BB0AE16FEA272F1F715DB9A7C5E807E7151AFB7C2720D10AF846D32C9
Malicious:	false
Reputation:	low
Preview:	L..................F........................................................S....P.O. .:i.....+00.../C:\...................h.1...........Program Files.L............................................P.r.o.g.r.a.m. .F.i.l.e.s.....\.1...........HandBrake.D............................................H.a.n.d.B.r.a.k.e.....`.2...........uninst.exe..F............................................u.n.i.n.s.t...e.x.e.......4.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.H.a.n.d.B.r.a.k.e.\.u.n.i.n.s.t...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.H.a.n.d.B.r.a.k.e.\.d.o.c.....

C:\Users\Public\Desktop\HandBrake.lnk

Download File

Process:	C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Jan 23 17:33:22 2023, mtime=Tue Feb 7 20:56:45 2023, atime=Mon Jan 23 17:33:22 2023, length=35518831, window=hide
Category:	dropped
Size (bytes):	873
Entropy (8bit):	4.589397036696035
Encrypted:	false
SSDEEP:	12:8mAw620YXRhtc8cdpF4wXokYdhsmrk8IgOjA8bdpZtbdpOeeueeMBm:8mJwdMkDmrk8IgyAIdRdreheMBm
MD5:	A0AFE6A1B3A73A8A3724051D9E271E22
SHA1:	3442F8321CB01419250DB61FBCD8EA6AC31B0278
SHA-256:	443CFBD2CC9F93A285B685C4ADF8CF22158BF71DAE5B6CF2A1B5111C437B2A8E
SHA-512:	304C588B47D83A8D5E11469AD7AC802B71E26394039800BD9354C29558D73D688FF75E1C09DC878C92FE50BEC620C55CB56EF36FF367EBB5DD3EE31BB15BCDD9
Malicious:	false
Preview:	L..................F.... ......+Y/...Q..?;.....+Y/..o............................P.O. .:i.....+00.../C:\.....................1.....GV....PROGRA~1..t......L.GV......E...............J........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....\.1.....GV....HANDBR~1..D......GV..GV......}[........................H.a.n.d.B.r.a.k.e.....h.2.o...7V+. .HANDBR~2.EXE..L......7V+.GV.......[........................H.a.n.d.B.r.a.k.e...e.x.e.......W...............-.......V....................C:\Program Files\HandBrake\HandBrake.exe........\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.H.a.n.d.B.r.a.k.e.\.H.a.n.d.B.r.a.k.e...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.H.a.n.d.B.r.a.k.e.\.d.o.c.`.......X.......216041...........!a..%.H.VZAj...o"r.h............!a..%.H.VZAj...o"r.h...........E.......9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Users\user\AppData\Local\Temp\nskB087.tmp\InstallOptions.dll

Download File

Process:	C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.471852540236525
Encrypted:	false
SSDEEP:	384:EXsC43tPegZ3eBaRwCPOYY7nNYXC06/Yosa:EXJTgZ3eBTCmrnNA5p
MD5:	ECE25721125D55AA26CDFE019C871476
SHA1:	B87685AE482553823BF95E73E790DE48DC0C11BA
SHA-256:	C7FEF6457989D97FECC0616A69947927DA9D8C493F7905DC8475C748F044F3CF
SHA-512:	4E384735D03C943F5EB3396BB3A9CB42C9D8A5479FE2871DE5B8BC18DB4BBD6E2C5F8FD71B6840512A7249E12A1C63E0E760417E4BAA3DC30F51375588410480
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N.px.q.+.q.+.q.+.q.+[q.+.~C+.q.+^R.+.q.+^R/+.q.+.w.+.q.+.Q.+.q.+Rich.q.+........PE..L....Oa...........!.........`.......+.......0............................................@..........................8......X1..................................X....................................................0..X............................text............................... ..`.rdata..G....0......."..............@..@.data...DL...@.......,..............@....rsrc................6..............@..@.reloc..x............8..............@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nskB087.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.814115788739565
Encrypted:	false
SSDEEP:	192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5:	CFF85C549D536F651D4FB8387F1976F2
SHA1:	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:	531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nskB087.tmp\ioSpecial.ini

Download File

Process:	C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1348
Entropy (8bit):	3.691037369231454
Encrypted:	false
SSDEEP:	24:Q+sxvtSSAD5ylSjqWCs7y6J9aY9nO6k8lezCxGYjCk6CJYpnaH6hCPNXoUC+nc49:rsx9AQSjqQz9aD8l3pka6UXAG
MD5:	B9BCB36846AC89906B0A6BF49D8A2687
SHA1:	FFD33DD4E2D8AAD2AC5B91D2203817A9FEEBA935
SHA-256:	5DC837B855147822C97D87147C9089723285299B90BD1FB4C40B5ECE3F7345B3
SHA-512:	E95D30BA38DD710AC6D15C7530473862828A5512FA48D00D1E51475BBB87904A084982DF21F2A217A7BE03116A448ADC1541E1A7F03747D29E988A72A3E2A174
Malicious:	false
Preview:	..[.S.e.t.t.i.n.g.s.].....R.e.c.t.=.1.0.4.4.....N.u.m.F.i.e.l.d.s.=.4.....R.T.L.=.0.....N.e.x.t.B.u.t.t.o.n.T.e.x.t.=.&.F.i.n.i.s.h.....C.a.n.c.e.l.E.n.a.b.l.e.d.=.....S.t.a.t.e.=.0.....[.F.i.e.l.d. .1.].....T.y.p.e.=.b.i.t.m.a.p.....L.e.f.t.=.0.....R.i.g.h.t.=.1.0.9.....T.o.p.=.0.....B.o.t.t.o.m.=.1.9.3.....F.l.a.g.s.=.R.E.S.I.Z.E.T.O.F.I.T.....T.e.x.t.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.n.s.k.B.0.8.7...t.m.p.\.m.o.d.e.r.n.-.w.i.z.a.r.d...b.m.p.....H.W.N.D.=.1.9.7.6.1.0.....[.F.i.e.l.d. .2.].....T.y.p.e.=.l.a.b.e.l.....L.e.f.t.=.1.2.0.....R.i.g.h.t.=.3.1.5.....T.o.p.=.1.0.....T.e.x.t.=.C.o.m.p.l.e.t.i.n.g. .H.a.n.d.B.r.a.k.e. .1...6...1. .S.e.t.u.p.....B.o.t.t.o.m.=.3.8.....H.W.N.D.=.3.2.8.2.8.4.....[.F.i.e.l.d. .3.].....T.y.p.e.=.l.a.b.e.l.....L.e.f.t.=.1.2.0.....R.i.g.h.t.=.3.1.5.....T.o.p.=.4.5.....B.o.t.t.o.m.=.8.5.....T.e.x.t.=.H.a.n.d.B.r.a.k.e. .1...6...1. .h.a.s. .b.e.e.n. .i.n.s.t.a.l.l.e.d. .o.n. .y.o.u.r. .c.o.m.p.u.t.e.r...\.r.\.n.\.r.\.n.

C:\Users\user\AppData\Local\Temp\nskB087.tmp\modern-wizard.bmp

Download File

Process:	C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe
File Type:	PC bitmap, Windows 3.x format, 164 x 314 x 8, resolution 2834 x 2834 px/m, 256 important colors, cbSize 52574, bits offset 1078
Category:	dropped
Size (bytes):	52574
Entropy (8bit):	2.732433364316799
Encrypted:	false
SSDEEP:	384:LQoRR6jym4ExifyxL9OpN095ZXUoYY/NGFwcpU:Ey+y+QyV9U85ZXUoYY1khpU
MD5:	FE27AF40D69D1F2A72076894E0E6892A
SHA1:	949BA274D2B6122918BB70E557C0D4E573478088
SHA-256:	E668F52179D72316CE77862E42708927C5DEEE34E37CE83AD883CD0E0B3D44EF
SHA-512:	23DBAE163948992D1A34CCF6BF9CDCF1B5387E9D6ABB2B42056C88528738411E53E73AFF0D8D8B5BA3C302D858F74C6803F7D70471318E684D29229FA90FB271
Malicious:	false
Preview:	BM^.......6...(.......:....................................6....%..'5.146.r.5.z-/..N...f...U(.'Z9..f(..d,..t)..v%..h6..g:..v8..w7.5k9...O.<.B..7K.$<I...r..1n.00k.\|.I.w7J.W.{.d.y..DZ.&HY..vE.3sP..Qn.#Wr..br.(c{.LQR.tZT.EnV.GXb.uKq.Tml.wxy.......... ....+..1../B..MO..PO..Kj..ce..po...........;...$.$.,...........+.-.6...". .,...G...H...K...O...Q...S...U...Z.+.V...\.;.B...h.5.d.).f.;.k...c.5.t.K.W.E.K.G.h.W.l.A.k.\.s.G.r.V.x.j.w.B.x.Y.x.e.{.9.B...r.L.S.m.t._.h.i.p......$..&.......&..2..^...h...x....]..!]...o..'l...N..6F...w..,{..OR..oP..Jy..qu..NS..Wd..km..........-7...Q..-Q...p..1i...Y.."Z...c..k..QV..Vf..nr..Hs.......8...\...K...q...x.......-...4...#...B..._...e...L...`...{......-...6.......2.......'...N...r...R...p...N...i...X...m...e..z...k..w..b.......7.......<...K...}...G...q...K...k...D.......-.......3.......\...i...t...J...o..............................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.999881256314488
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	HandBrake-1.6.1-x86_64-Win_GUI.exe
File size:	23066024
MD5:	aa2240842cb69ca6ce2b7233cbe9e56e
SHA1:	e95b9318b0b9ab8ed5ef0dd9eece88ca55d16680
SHA256:	7b3ab4a232913174b365eb918d7978852a7a36fd38d20d4bb42aa184f113a130
SHA512:	b04ded4ce89a553bb1e2974aa96397a4712b6208ac41c07a53e7b24a533d81f682b3bd0bd8e692432bbdaf926278d0933ee09d894fa7648df7f4aba0b8f7ba9e
SSDEEP:	393216:k48sP5H9Oy1fwLI8rj2K1OHIGiz1LytF5pRgP6YF5y7Drh3rNn/oAWAh:kKPN9X1fcI2VERRC6YF5y73FN/jWAh
TLSH:	4E3733571749FD20D922C9779B81623826B6BB951FF0A3A1F57F03821B0B4E9C235EB1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................f...*.....

File Icon


Icon Hash:	cadaccd2caeccc1c

Static PE Info

General

Entrypoint:	0x4034f7
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9AE5 [Sat Sep 25 21:55:49 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56a78d55f3f7af51443e58e0ce2fb5f6

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Certum Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	9/22/2022 9:05:10 AM 9/22/2023 9:05:09 AM
Subject Chain	E=sr55.hb@outlook.com, CN="Open Source Developer, Scott Rae", O=Open Source Developer, L=Livingston, C=GB
Version:	3
Thumbprint MD5:	452147403A342C828C4B7F2EB3AC08BD
Thumbprint SHA-1:	E559ACCC032F1DC7539F8465272756E35F323231
Thumbprint SHA-256:	B9E486847177BDCAE328EA9F38DC523972BC85D40A64245E51F4081503D71D30
Serial:	781399CCF05A0B8F8AB7FA5FA24DE387

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007F57A54BFADAh
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007F57A54BFAAAh
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [0042A2D8h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3d000	0x1e010	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x15fce48	0x2760
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6515	0x6600	False	0.6615349264705882	data	6.439707948554623	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x139a	0x1400	False	0.45	data	5.145774564074664	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20338	0x600	False	0.4993489583333333	data	4.013698650446401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x12000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3d000	0x1e010	0x1e200	False	0.9129765300829875	data	7.669332014530444	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3d280	0x18c1c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x55ea0	0x2d28	Device independent bitmap graphic, 48 x 96 x 32, image size 11520	English	United States
RT_ICON	0x58bc8	0x1428	Device independent bitmap graphic, 32 x 64 x 32, image size 5120	English	United States
RT_ICON	0x59ff0	0x528	Device independent bitmap graphic, 16 x 32 x 32, image size 1280	English	United States
RT_DIALOG	0x5a518	0xb4	data	English	United States
RT_DIALOG	0x5a5d0	0x120	data	English	United States
RT_DIALOG	0x5a6f0	0x202	data	English	United States
RT_DIALOG	0x5a8f8	0xf8	data	English	United States
RT_DIALOG	0x5a9f0	0xee	data	English	United States
RT_GROUP_ICON	0x5aae0	0x3e	data	English	United States
RT_MANIFEST	0x5ab20	0x4ec	XML 1.0 document, ASCII text, with very long lines (1260), with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	22:56:13
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\HandBrake-1.6.1-x86_64-Win_GUI.exe
Imagebase:	0x400000
File size:	23066024 bytes
MD5 hash:	AA2240842CB69CA6CE2B7233CBE9E56E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HandBrake-1.6.1-x86_64-Win_GUI.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\HandBrake\HandBrake.Worker.exe

C:\Program Files\HandBrake\HandBrake.exe

C:\Program Files\HandBrake\doc\COPYING

C:\Program Files\HandBrake\hb.dll

C:\Program Files\HandBrake\portable.ini.template

C:\Program Files\HandBrake\uninst.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HandBrake\HandBrake.lnk

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HandBrake\Uninstall.lnk

C:\Users\Public\Desktop\HandBrake.lnk

C:\Users\user\AppData\Local\Temp\nskB087.tmp\InstallOptions.dll

C:\Users\user\AppData\Local\Temp\nskB087.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nskB087.tmp\ioSpecial.ini

C:\Users\user\AppData\Local\Temp\nskB087.tmp\modern-wizard.bmp

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
HandBrake-1.6.1-x86_64-Win_GUI.exe