Windows Analysis Report
ffplay.exe

Overview

General Information

Sample name: ffplay.exe
Analysis ID: 1431130
MD5: b8d6ee0990ecfb0ed14cbe9e15ab7b12
SHA1: f581eb7366b8331e3f5155b944fbda66969159d1
SHA256: 8397faeead13ab45e9324f42e39af60a80db673410a40c22ac2fb351b843cb13
Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Installs a raw input device (often for capturing keystrokes)
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

Source: ffplay.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: ffplay.exe, 00000000.00000000.2124948989.00007FF67D666000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: GetRawInputData memstr_a091ca65-2
Source: ffplay.exe Static PE information: Number of sections : 13 > 10
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B094000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: WM/OriginalFilename vs ffplay.exe
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B094000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: commentID3WM/AlbumArtistalbum_artistWM/AlbumTitlealbumAuthorartistDescriptionWM/ComposercomposerWM/EncodedByencoded_byWM/EncodingSettingsencoderWM/GenregenreWM/LanguagelanguageWM/OriginalFilenamefilenameWM/PartOfSetdiscWM/PublisherpublisherWM/ToolWM/TrackNumbertrackWM/MediaStationCallSignservice_providerWM/MediaStationNameservice_name vs ffplay.exe
Source: ffplay.exe Binary or memory string: WM/OriginalFilename vs ffplay.exe
Source: ffplay.exe Binary or memory string: commentID3WM/AlbumArtistalbum_artistWM/AlbumTitlealbumAuthorartistDescriptionWM/ComposercomposerWM/EncodedByencoded_byWM/EncodingSettingsencoderWM/GenregenreWM/LanguagelanguageWM/OriginalFilenamefilenameWM/PartOfSetdiscWM/PublisherpublisherWM/ToolWM/TrackNumbertrackWM/MediaStationCallSignservice_providerWM/MediaStationNameservice_name vs ffplay.exe
Source: classification engine Classification label: clean3.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3668:120:WilError_03
Source: ffplay.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ffplay.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ffplay.exe String found in binary or memory: -help
Source: ffplay.exe String found in binary or memory: Lshow licensehshow helptopic?help-helpversionshow versionbuildconfshow build configurationformatsshow available formatsmuxersshow available muxersdemuxersshow available demuxersdevicesshow available devicescodecsshow available codecsdecodersshow available decodersencodersshow available encodersbsfsshow available bit stream filtersprotocolsshow available protocolsfiltersshow available filtersshow available pixel formatslayoutsshow standard channel layoutsshow available audio sample formatsdispositionsshow available stream dispositionscolorsshow available color namesloglevelset logging levelvreportgenerate a reportmax_allocset maximum size of a single allocated blockbytescpuflagsforce specific cpu flagscpucountforce specific cpu countcounthide_bannerdo not show program bannersourceslist sources of the input devicedevicesinkslist sinks of the output devicexforce displayed widthwidthyforce displayed heightheightfsforce full screenandisable audiovndisable videosndisable subtitlingastselect desired audio streamstream_specifiervstselect desired video streamsstselect desired subtitle streamssseek to a given position in secondspostplay "duration" seconds of audio/videodurationseek by bytes 0=off 1=on -1=autovalseek_intervalset seek interval for left/right keys, in secondssecondsnodispdisable graphical displaynoborderborderless windowalwaysontopwindow always on topvolumeset startup volume 0=min 100=maxfforce formatfmtstatsshow statusfastnon spec compliant optimizationsgenptsgenerate ptsdrplet decoder reorder pts 0=off 1=on -1=autosyncset audio-video sync. 
type (type=audio/video/ext)typeautoexitexit at the endexitonkeydownexit on key downexitonmousedownexit on mouse downloopset number of times the playback shall be loopedloop countframedropdrop frames when cpu is too slowinfbufdon't limit the input buffer size (useful with realtime streams)window_titleset window titlewindow titleleftset the x position for the left of the windowx postopset the y position for the top of the windowy posvfset video filtersfilter_graphafset audio filtersrdftspeedrdft speedmsecsshowmodeselect show mode (0 = video, 1 = waves, 2 = RDFT)modeiread specified fileinput_filecodecforce decoderdecoder_nameacodecforce audio decoderscodecforce subtitle decodervcodecforce video decoderautorotateautomatically rotate videofind_stream_inforead and decode the streams to fill missing information with heuristicsfilter_threadsnumber of filter threads per graphenable_vulkanenable vulkan renderervulkan_paramsvulkan configuration using a list of key=value pairs separated by ':'hwacceluse HW accelerated decodingy4D
Source: ffplay.exe String found in binary or memory: overlap-add
Source: ffplay.exe String found in binary or memory: windowset window sizewoverlapset window overlapoarorderset autoregression orderathresholdset thresholdthsizeset histogram sizenmethodset overlap methodmaddoverlap-addsaveoverlap-savesh
Source: ffplay.exe String found in binary or memory: Apply high order Butterworth band-stop filter.
Source: ffplay.exe String found in binary or memory: @asubcutasupercutasuperpassasuperstopApply high order Butterworth band-stop filter.=
Source: ffplay.exe String found in binary or memory: #EXT-X-START:
Source: ffplay.exe String found in binary or memory: #EXT-X-START value isinvalid, it will be ignored
Source: ffplay.exe String found in binary or memory: #EXT-X-PLAYLIST-TYPE:EVENTVOD#EXT-X-MAP:data:#EXT-X-START:TIME-OFFSET=#EXT-X-START value isinvalid, it will be ignored#EXT-X-ENDLIST#EXTINF:#EXT-X-BYTERANGE:#Skip ('%s')
Source: ffplay.exe String found in binary or memory: prefer to use #EXT-X-START if it's in playlist instead of live_start_index
Source: ffplay.exe String found in binary or memory: ;live_start_indexsegment index to start live streams at (negative values are from the end)prefer_x_startprefer to use #EXT-X-START if it's in playlist instead of live_start_indexallowed_extensionsList of file extensions that hls is allowed to access3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wavmax_reloadMaximum number of times a insufficient list is attempted to be reloadedm3u8_hold_countersThe maximum number of times to load m3u8 when it refreshes without new segmentshttp_persistentUse persistent HTTP connectionshttp_multipleUse multiple HTTP connections for fetching segmentshttp_seekableUse HTTP partial requests, 0 = disable, 1 = enable, -1 = autoseg_format_optionsSet options for segment demuxerseg_max_retryMaximum number of times to reload a segment on error.(LHD
Source: ffplay.exe String found in binary or memory: start/stop audio
Source: unknown Process created: C:\Users\user\Desktop\ffplay.exe "C:\Users\user\Desktop\ffplay.exe"
Source: C:\Users\user\Desktop\ffplay.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ffplay.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ffplay.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ffplay.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\ffplay.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ffplay.exe Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\ffplay.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ffplay.exe Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\ffplay.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ffplay.exe Section loaded: ntasn1.dll
Source: ffplay.exe Static PE information: More than 235 > 100 exports found
Source: ffplay.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: ffplay.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: ffplay.exe Static file information: File size 85284864 > 1048576
Source: ffplay.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4213000
Source: ffplay.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x12be00
Source: ffplay.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xb90c00
Source: ffplay.exe Static PE information: Raw size of .xdata is bigger than: 0x100000 < 0x14c800
Source: ffplay.exe Static PE information: More than 200 imports for msvcrt.dll
Source: ffplay.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: ffplay.exe Static PE information: section name: .rodata
Source: ffplay.exe Static PE information: section name: .xdata
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: ffplay.exe Binary or memory string: vmncVMware Screen Codec / VMware Video
Source: ffplay.exe Binary or memory string: VMware Screen Codec / VMware Video
Source: ffplay.exe, 00000000.00000002.2126930103.00000250D120C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
No contacted IP infos