Edit tour

Windows Analysis Report
ffplay.exe

Overview

General Information

Sample name:	ffplay.exe
Analysis ID:	1431130
MD5:	b8d6ee0990ecfb0ed14cbe9e15ab7b12
SHA1:	f581eb7366b8331e3f5155b944fbda66969159d1
SHA256:	8397faeead13ab45e9324f42e39af60a80db673410a40c22ac2fb351b843cb13
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Installs a raw input device (often for capturing keystrokes)

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook

Process Tree

System is w10x64

ffplay.exe (PID: 1496 cmdline: "C:\Users\user\Desktop\ffplay.exe" MD5: B8D6EE0990ECFB0ED14CBE9E15AB7B12)

conhost.exe (PID: 3668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: ffplay.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://WWW-Authenticate:Proxy-Authenticate:Content-Encoding:gzip1.3.1Content-Length:
Source: ffplay.exe	String found in binary or memory: http://dashif.org/guidelines/last-segment-number
Source: ffplay.exe	String found in binary or memory: http://dashif.org/guidelines/trickmode
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B963000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://lame.sf.net
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B963000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://lame.sf.net64bits
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://modplug-xmms.sourceforge.net/
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://relaxng.org/ns/structure/1.0datatypeLibrary:/#?includegrammardefinenamestartInternal
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schismtracker.org/
Source: ffplay.exe	String found in binary or memory: http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B60D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.brynosaurus.com/cachedir/
Source: ffplay.exe	String found in binary or memory: http://www.gnu.org/licenses/
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD
Source: ffplay.exe	String found in binary or memory: http://www.smpte-ra.org/schemas/2067-3/2013#standard-markers
Source: ffplay.exe	String found in binary or memory: http://www.smpte-ra.org/schemas/2067-3/2013#standard-markersInvalid
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67BAB3000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.videolan.org/x264.html
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67BAB3000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://x265.org
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://xaimus.com/)
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://bel.fi/alankila/modguide/interpolate.txt
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://coda.s3m.us/)
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/iamgreaser/it2everything/
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/lclevy/unmo3
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/lieff/minimp3/
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nothings/stb/
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/richgel999/miniz
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/ryuhei-mori/tinyfft
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/viiri/st2play
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://joaobapt.com/)
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://kode54.net/)
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://revenant1.net/)
Source: ffplay.exe	String found in binary or memory: https://streams.videolan.org/upload/
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://twitter.com/daniel_collin
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.3eality.com/

Source: ffplay.exe, 00000000.00000000.2124948989.00007FF67D666000.00000008.00000001.01000000.00000003.sdmp

Binary or memory string: GetRawInputData

memstr_a091ca65-2

Source: ffplay.exe

Static PE information: Number of sections : 13 > 10

Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B094000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: WM/OriginalFilename vs ffplay.exe
Source: ffplay.exe, 00000000.00000000.2122428558.00007FF67B094000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: commentID3WM/AlbumArtistalbum_artistWM/AlbumTitlealbumAuthorartistDescriptionWM/ComposercomposerWM/EncodedByencoded_byWM/EncodingSettingsencoderWM/GenregenreWM/LanguagelanguageWM/OriginalFilenamefilenameWM/PartOfSetdiscWM/PublisherpublisherWM/ToolWM/TrackNumbertrackWM/MediaStationCallSignservice_providerWM/MediaStationNameservice_name vs ffplay.exe
Source: ffplay.exe	Binary or memory string: WM/OriginalFilename vs ffplay.exe
Source: ffplay.exe	Binary or memory string: commentID3WM/AlbumArtistalbum_artistWM/AlbumTitlealbumAuthorartistDescriptionWM/ComposercomposerWM/EncodedByencoded_byWM/EncodingSettingsencoderWM/GenregenreWM/LanguagelanguageWM/OriginalFilenamefilenameWM/PartOfSetdiscWM/PublisherpublisherWM/ToolWM/TrackNumbertrackWM/MediaStationCallSignservice_providerWM/MediaStationNameservice_name vs ffplay.exe

Source: classification engine

Classification label: clean3.winEXE@2/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3668:120:WilError_03

Source: ffplay.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ffplay.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ffplay.exe	String found in binary or memory: -help
Source: ffplay.exe	String found in binary or memory: Lshow licensehshow helptopic?help-helpversionshow versionbuildconfshow build configurationformatsshow available formatsmuxersshow available muxersdemuxersshow available demuxersdevicesshow available devicescodecsshow available codecsdecodersshow available decodersencodersshow available encodersbsfsshow available bit stream filtersprotocolsshow available protocolsfiltersshow available filtersshow available pixel formatslayoutsshow standard channel layoutsshow available audio sample formatsdispositionsshow available stream dispositionscolorsshow available color namesloglevelset logging levelvreportgenerate a reportmax_allocset maximum size of a single allocated blockbytescpuflagsforce specific cpu flagscpucountforce specific cpu countcounthide_bannerdo not show program bannersourceslist sources of the input devicedevicesinkslist sinks of the output devicexforce displayed widthwidthyforce displayed heightheightfsforce full screenandisable audiovndisable videosndisable subtitlingastselect desired audio streamstream_specifiervstselect desired video streamsstselect desired subtitle streamssseek to a given position in secondspostplay "duration" seconds of audio/videodurationseek by bytes 0=off 1=on -1=autovalseek_intervalset seek interval for left/right keys, in secondssecondsnodispdisable graphical displaynoborderborderless windowalwaysontopwindow always on topvolumeset startup volume 0=min 100=maxfforce formatfmtstatsshow statusfastnon spec compliant optimizationsgenptsgenerate ptsdrplet decoder reorder pts 0=off 1=on -1=autosyncset audio-video sync. type (type=audio/video/ext)typeautoexitexit at the endexitonkeydownexit on key downexitonmousedownexit on mouse downloopset number of times the playback shall be loopedloop countframedropdrop frames when cpu is too slowinfbufdon't limit the input buffer size (useful with realtime streams)window_titleset window titlewindow titleleftset the x position for the left of the windowx postopset the y position for the top of the windowy posvfset video filtersfilter_graphafset audio filtersrdftspeedrdft speedmsecsshowmodeselect show mode (0 = video, 1 = waves, 2 = RDFT)modeiread specified fileinput_filecodecforce decoderdecoder_nameacodecforce audio decoderscodecforce subtitle decodervcodecforce video decoderautorotateautomatically rotate videofind_stream_inforead and decode the streams to fill missing information with heuristicsfilter_threadsnumber of filter threads per graphenable_vulkanenable vulkan renderervulkan_paramsvulkan configuration using a list of key=value pairs separated by ':'hwacceluse HW accelerated decodingy4D
Source: ffplay.exe	String found in binary or memory: overlap-add
Source: ffplay.exe	String found in binary or memory: windowset window sizewoverlapset window overlapoarorderset autoregression orderathresholdset thresholdthsizeset histogram sizenmethodset overlap methodmaddoverlap-addsaveoverlap-savesh
Source: ffplay.exe	String found in binary or memory: Apply high order Butterworth band-stop filter.
Source: ffplay.exe	String found in binary or memory: @asubcutasupercutasuperpassasuperstopApply high order Butterworth band-stop filter.=
Source: ffplay.exe	String found in binary or memory: #EXT-X-START:
Source: ffplay.exe	String found in binary or memory: #EXT-X-START value isinvalid, it will be ignored
Source: ffplay.exe	String found in binary or memory: #EXT-X-PLAYLIST-TYPE:EVENTVOD#EXT-X-MAP:data:#EXT-X-START:TIME-OFFSET=#EXT-X-START value isinvalid, it will be ignored#EXT-X-ENDLIST#EXTINF:#EXT-X-BYTERANGE:#Skip ('%s')
Source: ffplay.exe	String found in binary or memory: prefer to use #EXT-X-START if it's in playlist instead of live_start_index
Source: ffplay.exe	String found in binary or memory: ;live_start_indexsegment index to start live streams at (negative values are from the end)prefer_x_startprefer to use #EXT-X-START if it's in playlist instead of live_start_indexallowed_extensionsList of file extensions that hls is allowed to access3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wavmax_reloadMaximum number of times a insufficient list is attempted to be reloadedm3u8_hold_countersThe maximum number of times to load m3u8 when it refreshes without new segmentshttp_persistentUse persistent HTTP connectionshttp_multipleUse multiple HTTP connections for fetching segmentshttp_seekableUse HTTP partial requests, 0 = disable, 1 = enable, -1 = autoseg_format_optionsSet options for segment demuxerseg_max_retryMaximum number of times to reload a segment on error.(LHD
Source: ffplay.exe	String found in binary or memory: start/stop audio
Source: ffplay.exe	String found in binary or memory: start/stop audio

Source: unknown	Process created: C:\Users\user\Desktop\ffplay.exe "C:\Users\user\Desktop\ffplay.exe"
Source: C:\Users\user\Desktop\ffplay.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\ffplay.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffplay.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffplay.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffplay.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffplay.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffplay.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffplay.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffplay.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffplay.exe	Section loaded: ntasn1.dll	Jump to behavior

Source: ffplay.exe

Static PE information: More than 235 > 100 exports found

Source: ffplay.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ffplay.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: ffplay.exe

Static file information: File size 85284864 > 1048576

Source: ffplay.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4213000
Source: ffplay.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x12be00
Source: ffplay.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xb90c00
Source: ffplay.exe	Static PE information: Raw size of .xdata is bigger than: 0x100000 < 0x14c800

Source: ffplay.exe

Static PE information: More than 200 imports for msvcrt.dll

Source: ffplay.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: ffplay.exe	Static PE information: section name: .rodata
Source: ffplay.exe	Static PE information: section name: .xdata

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: ffplay.exe	Binary or memory string: vmncVMware Screen Codec / VMware Video
Source: ffplay.exe	Binary or memory string: VMware Screen Codec / VMware Video
Source: ffplay.exe, 00000000.00000002.2126930103.00000250D120C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Process Injection	11 Input Capture	1 Security Software Discovery	Remote Services	11 Input Capture	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ffplay.exe	3%	ReversingLabs

Source	Detection	Scanner	Label
http://dashif.org/guidelines/last-segment-number	0%	URL Reputation	safe
http://dashif.org/guidelines/trickmode	0%	URL Reputation	safe
http://relaxng.org/ns/structure/1.0	0%	URL Reputation	safe
https://kode54.net/)	0%	Avira URL Cloud	safe
https://joaobapt.com/)	0%	Avira URL Cloud	safe
http://WWW-Authenticate:Proxy-Authenticate:Content-Encoding:gzip1.3.1Content-Length:	0%	Avira URL Cloud	safe
https://bel.fi/alankila/modguide/interpolate.txt	0%	Avira URL Cloud	safe
http://www.smpte-ra.org/schemas/2067-3/2013#standard-markersInvalid	0%	Avira URL Cloud	safe
http://lame.sf.net64bits	0%	Avira URL Cloud	safe
https://revenant1.net/)	0%	Avira URL Cloud	safe
http://schismtracker.org/	0%	Avira URL Cloud	safe
https://www.3eality.com/	0%	Avira URL Cloud	safe
http://www.smpte-ra.org/schemas/2067-3/2013#standard-markers	0%	Avira URL Cloud	safe
http://relaxng.org/ns/structure/1.0datatypeLibrary:/#?includegrammardefinenamestartInternal	0%	Avira URL Cloud	safe
http://xaimus.com/)	0%	Avira URL Cloud	safe
http://www.brynosaurus.com/cachedir/	0%	Avira URL Cloud	safe
https://coda.s3m.us/)	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		unknown
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://x265.org	ffplay.exe, 00000000.00000000.2122428558.00007FF67BAB3000.00000002.00000001.01000000.00000003.sdmp	false		high
https://kode54.net/)	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://twitter.com/daniel_collin	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/nothings/stb/	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/iamgreaser/it2everything/	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false		high
https://joaobapt.com/)	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://schismtracker.org/	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd	ffplay.exe	false		high
http://lame.sf.net64bits	ffplay.exe, 00000000.00000000.2122428558.00007FF67B963000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false		high
https://bel.fi/alankila/modguide/interpolate.txt	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.3eality.com/	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://dashif.org/guidelines/last-segment-number	ffplay.exe	false	URL Reputation: safe	unknown
http://www.smpte-ra.org/schemas/2067-3/2013#standard-markersInvalid	ffplay.exe	false	Avira URL Cloud: safe	unknown
http://www.smpte-ra.org/schemas/2067-3/2013#standard-markers	ffplay.exe	false	Avira URL Cloud: safe	unknown
http://WWW-Authenticate:Proxy-Authenticate:Content-Encoding:gzip1.3.1Content-Length:	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	low
https://revenant1.net/)	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://lame.sf.net	ffplay.exe, 00000000.00000000.2122428558.00007FF67B963000.00000002.00000001.01000000.00000003.sdmp	false		high
http://relaxng.org/ns/structure/1.0datatypeLibrary:/#?includegrammardefinenamestartInternal	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/viiri/st2play	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false		high
https://streams.videolan.org/upload/	ffplay.exe	false		high
https://coda.s3m.us/)	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/ryuhei-mori/tinyfft	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.videolan.org/x264.html	ffplay.exe, 00000000.00000000.2122428558.00007FF67BAB3000.00000002.00000001.01000000.00000003.sdmp	false		high
http://xaimus.com/)	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://dashif.org/guidelines/trickmode	ffplay.exe	false	URL Reputation: safe	unknown
http://www.brynosaurus.com/cachedir/	ffplay.exe, 00000000.00000000.2122428558.00007FF67B60D000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/lieff/minimp3/	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false		high
http://modplug-xmms.sourceforge.net/	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false		high
http://relaxng.org/ns/structure/1.0	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://github.com/lclevy/unmo3	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/richgel999/miniz	ffplay.exe, 00000000.00000000.2122428558.00007FF67B720000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.gnu.org/licenses/	ffplay.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431130
Start date and time:	2024-04-24 16:08:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ffplay.exe
Detection:	CLEAN
Classification:	clean3.winEXE@2/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 52.165.165.26
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: ffplay.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	https://microloft.net/?r=8e28e856-be8d-4446-a396-cdcd78169ab8&rg=eu	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://colmec.it/category/news	Get hash	malicious	Unknown	Browse	192.229.211.108
	http://gnoticiasimparciais.com	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://insidesales-email.com/l/1/17013047/Y/eus.p01-2019.10.02-460581/1/ab/4K6W-nzk0hr_GKydLIdUc0LK4HrUUeoMK4jMzee40WM?lnk=https://cd14fe4e.2690c0a545a7f22e8ae6844c.workers.dev/?qrc=barbara.rentler@ros.com	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	https://www.linkedin.com/redir/redirect?url=https%3A%2F%2Flookerstudio%2Egoogle%2Ecom%2Fs%2FscrHqwjeA3k&urlhash=dcQj&trk=public_profile-settings_topcard-website	Get hash	malicious	Unknown	Browse	192.229.211.108
	http://p.ksrndkehqnwntyxlhgto.com	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://www.serserijeans.com/kdy9bFe5glari2Px0qak17sdy9nFe5k17	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://colmec.it/category/news	Get hash	malicious	Unknown	Browse	192.229.211.108
	http://ustteam.com/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://2h.ae/HWtB	Get hash	malicious	Unknown	Browse	192.229.211.108
bg.microsoft.map.fastly.net	https://colmec.it/category/news	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://gnoticiasimparciais.com	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://www.linkedin.com/redir/redirect?url=https%3A%2F%2Flookerstudio%2Egoogle%2Ecom%2Fs%2FscrHqwjeA3k&urlhash=dcQj&trk=public_profile-settings_topcard-website	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://p.ksrndkehqnwntyxlhgto.com	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://colmec.it/category/news	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://ustteam.com/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://www.clinical-partners.co.uk	Get hash	malicious	Unknown	Browse	199.232.214.172
	EQxFL1u3m1.exe	Get hash	malicious	Quasar	Browse	199.232.214.172
	https://bafybeialjrwo2ct3n2glolpm3zfawtv73xej3opbbgjsfewkonoew4x5xe.ipfs.cf-ipfs.com/?sourceId=ukcompanyformations@vistra.com	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://stake.libertariancounterpoint.com	Get hash	malicious	Unknown	Browse	199.232.214.172

File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.764360271837844
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	ffplay.exe
File size:	85'284'864 bytes
MD5:	b8d6ee0990ecfb0ed14cbe9e15ab7b12
SHA1:	f581eb7366b8331e3f5155b944fbda66969159d1
SHA256:	8397faeead13ab45e9324f42e39af60a80db673410a40c22ac2fb351b843cb13
SHA512:	10e077b5082319fc19e89b8f85d4c914416b07bd5b5d822d0f20dbeb15eabb1b48208be315843ad7991534b78a0cd7c62532b5de99d8f0fe52d1ad63fefbf3d7
SSDEEP:	1572864:q++HcS1AjhAwdcYS/aEHBt6w5Hnflkg+rkVRJsZRw+cJfagAoCFhjm:q+
TLSH:	D7189E9EE2D350DCD12BD4F043AAF773BA34787D11206A7A26D99A306E22F80575EF14
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...{..f................0!..T...n.............@.........................................`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400013f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x660FA07B [Fri Apr 5 06:55:55 2024 UTC]
TLS Callbacks:	0x41a4b280, 0x1, 0x410d6ee0, 0x1, 0x410d6eb0, 0x1, 0x41448410, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	8466d902df9051ea3276b5545e11dcc8

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [04DF1CE5h]
mov dword ptr [eax], 00000000h
call 00007FD234CB4A3Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007FD238C2B8A4h
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007FD234CB4C99h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
xor eax, eax
ret
nop word ptr [eax+eax+00000000h]
nop
dec eax
jmp dword ptr [ecx+08h]
nop word ptr [eax+eax+00000000h]
nop
dec eax
jmp dword ptr [ecx+10h]
nop word ptr [eax+eax+00000000h]
nop
dec eax
jmp dword ptr [ecx+18h]
nop word ptr [eax+eax+00000000h]
nop
dec eax
jmp dword ptr [ecx+20h]
nop word ptr [eax+eax+00000000h]
nop
dec eax
jmp dword ptr [ecx+28h]
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push esi
push ebx
dec eax
sub esp, 38h
dec eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x6914000	0x1a1f	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6916000	0x6f70	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x691f000	0x730	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4ed5000	0xeae10	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6920000	0x40ed0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4828d60	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x69179c8	0x1838	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4212e80	0x4213000	9000c0364ee1a41fc3a3013aba1d0ac1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4214000	0x12bc80	0x12be00	b5b75f4505a8faabcd251dee243b99ee	False	0.15027420279283035	data	4.843661534094306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rodata	0x4340000	0x39cc	0x3a00	a64f76b5697ad7b396a3eb484e6a487a	False	0.26589439655172414	data	5.855705171693117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x4344000	0xb90bc0	0xb90c00	095d0b21c15f080ee330b929076f0a39	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x4ed5000	0xeae10	0xeb000	6d800c663bca80fb6e9cd9e0769545a5	False	0.5446507230718085	data	7.018914384089442	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x4fc0000	0x14c65c	0x14c800	07597ac4e7ab36edf1ec7c1942847ba6	False	0.17957148731203007	data	5.202599389276095	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x510d000	0x1806db0	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x6914000	0x1a1f	0x1c00	21fadb309dc0d788a2e76a2c660454f8	False	0.43345424107142855	data	5.67827569712432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x6916000	0x6f70	0x7000	8174fc83b32e3e1875eab9e7918ccb7c	False	0.27811104910714285	data	5.087812481931378	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x691d000	0x70	0x200	1b54d0a767502278b82a8464411ca680	False	0.091796875	data	0.5019639270558708	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x691e000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x691f000	0x730	0x800	fd4fd89d5e3585cd5ec228f7ae3b227c	False	0.14697265625	data	2.114214149621193	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6920000	0x40ed0	0x41000	e0a936533de5d9af1817e08bac092a60	False	0.21448317307692308	data	5.482484805369971	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x691f058	0x1ef	XML 1.0 document, ASCII text	English	United States	0.498989898989899

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextW, CryptCreateHash, CryptDecrypt, CryptDestroyHash, CryptGenRandom, CryptGetHashParam, CryptGetProvParam, CryptReleaseContext, CryptSetHashParam, CryptSetProvParam, CryptSignHashA, DeregisterEventSource, GetUserNameA, InitializeSecurityDescriptor, RegCloseKey, RegEnumKeyExW, RegEnumValueW, RegOpenKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RegisterEventSourceW, ReportEventW, SetSecurityDescriptorDacl, SystemFunction036
bcrypt.dll	BCryptCloseAlgorithmProvider, BCryptGenRandom, BCryptOpenAlgorithmProvider
CRYPT32.dll	CertCloseStore, CertDeleteCertificateFromStore, CertEnumCRLsInStore, CertEnumCertificatesInStore, CertFindCertificateInStore, CertFreeCertificateContext, CertGetCertificateContextProperty, CertOpenStore, CertOpenSystemStoreW, PFXImportCertStore
GDI32.dll	BitBlt, ChoosePixelFormat, CombineRgn, CreateBitmap, CreateCompatibleBitmap, CreateCompatibleDC, CreateDCW, CreateDIBSection, CreateFontIndirectW, CreateFontW, CreatePen, CreateRectRgn, CreateSolidBrush, DeleteDC, DeleteObject, DescribePixelFormat, EnumFontFamiliesW, ExtTextOutW, GetDIBColorTable, GetDIBits, GetDeviceCaps, GetDeviceGammaRamp, GetICMProfileW, GetObjectA, GetPixelFormat, GetStockObject, GetTextExtentPoint32A, GetTextExtentPoint32W, GetTextFaceW, GetTextMetricsW, Rectangle, SelectObject, SetBkMode, SetDeviceGammaRamp, SetPixelFormat, SetTextColor, SwapBuffers
IMM32.dll	ImmAssociateContext, ImmGetCandidateListW, ImmGetCompositionStringW, ImmGetContext, ImmGetIMEFileNameA, ImmNotifyIME, ImmReleaseContext, ImmSetCandidateWindow, ImmSetCompositionStringW, ImmSetCompositionWindow
IPHLPAPI.DLL	GetAdaptersAddresses, if_indextoname, if_nametoindex
KERNEL32.dll	AcquireSRWLockExclusive, AcquireSRWLockShared, AreFileApisANSI, CancelIo, CancelIoEx, CloseHandle, CompareStringA, ConvertFiberToThread, ConvertThreadToFiberEx, CreateDirectoryW, CreateEventA, CreateEventW, CreateFiberEx, CreateFileA, CreateFileMappingA, CreateFileW, CreateMutexA, CreateSemaphoreA, CreateSemaphoreW, CreateThread, DeleteCriticalSection, DeleteFiber, DeviceIoControl, DuplicateHandle, EnterCriticalSection, ExitProcess, FileTimeToSystemTime, FindClose, FindFirstFileA, FindFirstFileExW, FindFirstFileW, FindNextFileW, FormatMessageA, FormatMessageW, FreeLibrary, GetACP, GetCommandLineW, GetComputerNameA, GetConsoleMode, GetConsoleScreenBufferInfo, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentVariableA, GetEnvironmentVariableW, GetExitCodeThread, GetFileAttributesA, GetFileAttributesExA, GetFileAttributesW, GetFileInformationByHandle, GetFileSize, GetFileSizeEx, GetFileTime, GetFileType, GetFinalPathNameByHandleA, GetFullPathNameA, GetFullPathNameW, GetHandleInformation, GetLastError, GetLocaleInfoA, GetLongPathNameA, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExA, GetModuleHandleExW, GetModuleHandleW, GetNumaHighestNodeNumber, GetNumaNodeProcessorMaskEx, GetOverlappedResult, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetProcessTimes, GetStdHandle, GetSystemDirectoryA, GetSystemDirectoryW, GetSystemInfo, GetSystemPowerStatus, GetSystemTime, GetSystemTimeAdjustment, GetSystemTimeAsFileTime, GetTempPathA, GetThreadContext, GetThreadPriority, GetThreadTimes, GetTickCount, GetTimeZoneInformation, GetVersion, GetWindowsDirectoryA, GlobalAlloc, GlobalLock, GlobalMemoryStatusEx, GlobalUnlock, HeapAlloc, HeapFree, HeapReAlloc, InitOnceBeginInitialize, InitOnceComplete, InitializeConditionVariable, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSRWLock, IsDBCSLeadByteEx, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadLibraryExW, LoadLibraryW, LocalFree, MapViewOfFile, MoveFileExA, MoveFileExW, MulDiv, MultiByteToWideChar, OpenFileMappingA, OpenProcess, OutputDebugStringA, OutputDebugStringW, PeekNamedPipe, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadConsoleA, ReadConsoleW, ReadFile, RegisterWaitForSingleObject, ReleaseMutex, ReleaseSRWLockExclusive, ReleaseSRWLockShared, ReleaseSemaphore, ResetEvent, ResumeThread, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetConsoleMode, SetConsoleTextAttribute, SetDllDirectoryA, SetEnvironmentVariableA, SetErrorMode, SetEvent, SetFilePointer, SetFilePointerEx, SetHandleInformation, SetLastError, SetProcessAffinityMask, SetSystemTime, SetThreadContext, SetThreadErrorMode, SetThreadExecutionState, SetThreadGroupAffinity, SetThreadPriority, SetUnhandledExceptionFilter, SignalObjectAndWait, Sleep, SleepConditionVariableCS, SuspendThread, SwitchToFiber, SwitchToThread, SystemTimeToFileTime, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnmapViewOfFile, UnregisterWait, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualFree, VirtualLock, VirtualProtect, VirtualQuery, VirtualUnlock, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler, lstrcmpiW
msvcrt.dll	___lc_codepage_func, ___mb_cur_max_func, __argv, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _access, _access, _aligned_free, _aligned_malloc, _aligned_realloc, _amsg_exit, _assert, _beginthreadex, _cexit, _chmod, _close, _commode, _close, _dup, _dup2, _endthreadex, _environ, _errno, _exit, _fdopen, _filelengthi64, _fileno, _findclose, _fileno, _findfirst64, _findnext64, _fmode, _fstat64, _ftime64, _fullpath, _get_osfhandle, _getcwd, _getmaxstdio, _getpid, _gmtime64, _hypot, _i64toa, _initterm, _isatty, _isctype, _itoa, _localtime64, _lock, _locking, _lseeki64, _ltoa, _mbsrchr, _mkdir, _mkdir, _mktime64, _onexit, _open, _open, _open_osfhandle, _read, _rmdir, _rmdir, _nextafter, _setjmp, _setmaxstdio, _setmode, _setmode, _sopen, _stat64, _strdup, _strdup, _stricmp, _strlwr, _strnicmp, _strrev, _strtoi64, _strtoui64, _strtoui64, _strupr, _time64, _timezone, _ui64toa, _ultoa, _unlink, _unlink, _unlock, _vscprintf, _vsnprintf, _vsnwprintf, _waccess, _wassert, _wcsdup, _wcsicmp, _wcsnicmp, _wfindfirst64, _wfindnext64, _wfopen, _wfullpath, _wgetenv, _wmkdir, _wopen, _wrename, _write, _wrmdir, _wsopen, _wstat64, _wunlink, abort, acos, asin, atan, atof, atoi, bsearch, calloc, clock, cosh, div, exit, fclose, feof, ferror, fflush, fgetc, fgetpos, fgets, fopen, fopen_s, fprintf, fputc, fputs, fread, free, fsetpos, fseek, ftell, fwrite, getc, getchar, getenv, getwc, isalnum, isalpha, iscntrl, isgraph, islower, isprint, ispunct, isspace, isupper, iswctype, isxdigit, localeconv, log10, longjmp, malloc, mbstowcs, memchr, memcmp, memcpy, memmove, memset, perror, printf, putc, putwc, qsort, raise, rand, realloc, rename, rewind, setlocale, setvbuf, signal, sinh, sprintf, srand, strcat, strchr, strcmp, strcoll, strcpy, strcpy_s, strcspn, strerror, strftime, strlen, strncat, strncmp, strncpy, strncpy_s, strpbrk, strrchr, strspn, strstr, strtok, strtok_s, strtol, strtoul, strxfrm, tan, tanh, tolower, toupper, towlower, towupper, ungetwc, ungetc, vfprintf, wcscat, wcscmp, wcscoll, wcscpy, wcscpy_s, wcsftime, wcslen, wcsncmp, wcsrchr, wcsstr, wcstombs, wcstombs_s, wcstoul, wcsxfrm
ncrypt.dll	NCryptDecrypt, NCryptDeleteKey, NCryptFreeObject, NCryptGetProperty, NCryptOpenKey, NCryptOpenStorageProvider, NCryptSignHash
ole32.dll	CLSIDFromString, CoCreateInstance, CoGetMalloc, CoInitialize, CoInitializeEx, CoTaskMemAlloc, CoTaskMemFree, CoUninitialize, CreateBindCtx, OleLoadFromStream, OleSaveToStream, PropVariantClear, StringFromGUID2
OLEAUT32.dll	OleCreatePropertyFrame, SysFreeString
SETUPAPI.dll	CM_Get_Device_IDA, CM_Get_Parent, CM_Locate_DevNodeA, SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiEnumDeviceInterfaces, SetupDiGetClassDevsA, SetupDiGetDeviceInterfaceDetailA, SetupDiGetDeviceRegistryPropertyA
SHELL32.dll	CommandLineToArgvW, DragAcceptFiles, DragFinish, DragQueryFileW, ExtractIconExW, SHGetFolderPathW, SHGetSpecialFolderPathA, ShellExecuteW
SHLWAPI.dll	SHCreateStreamOnFileA
USER32.dll	AdjustWindowRectEx, AttachThreadInput, BeginPaint, CallNextHookEx, CallWindowProcW, ChangeDisplaySettingsExW, ClientToScreen, ClipCursor, CloseClipboard, CopyIcon, CopyImage, CreateIconFromResource, CreateIconIndirect, CreateWindowExA, CreateWindowExW, DefWindowProcA, DefWindowProcW, DestroyCursor, DestroyIcon, DestroyWindow, DialogBoxIndirectParamW, DispatchMessageA, DispatchMessageW, DrawIcon, DrawTextW, EmptyClipboard, EndDialog, EndPaint, EnumDisplayDevicesW, EnumDisplayMonitors, EnumDisplaySettingsW, FillRect, FindWindowW, FlashWindowEx, FrameRect, GetAsyncKeyState, GetClassInfoExW, GetClientRect, GetClipCursor, GetClipboardData, GetClipboardSequenceNumber, GetCursorInfo, GetCursorPos, GetDC, GetDesktopWindow, GetDlgItem, GetDoubleClickTime, GetFocus, GetForegroundWindow, GetIconInfo, GetKeyState, GetKeyboardLayout, GetKeyboardState, GetMenu, GetMessageExtraInfo, GetMessageW, GetMonitorInfoW, GetParent, GetProcessWindowStation, GetPropW, GetRawInputData, GetRawInputDeviceInfoA, GetRawInputDeviceList, GetSystemMetrics, GetUpdateRect, GetUserObjectInformationW, GetWindowLongPtrA, GetWindowLongPtrW, GetWindowLongW, GetWindowRect, GetWindowTextLengthW, GetWindowTextW, GetWindowThreadProcessId, IntersectRect, InvalidateRect, IsClipboardFormatAvailable, IsIconic, KillTimer, LoadCursorA, LoadCursorW, LoadIconW, MapVirtualKeyW, MessageBoxA, MessageBoxW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow, MsgWaitForMultipleObjects, OpenClipboard, PeekMessageA, PeekMessageW, PostMessageW, PostThreadMessageW, PtInRect, RegisterClassExA, RegisterClassExW, RegisterClassW, RegisterDeviceNotificationW, RegisterRawInputDevices, RegisterWindowMessageA, ReleaseCapture, ReleaseDC, RemovePropW, ScreenToClient, SendMessageA, SendMessageW, SetActiveWindow, SetCapture, SetClipboardData, SetCursor, SetCursorPos, SetFocus, SetForegroundWindow, SetLayeredWindowAttributes, SetPropW, SetTimer, SetWindowLongPtrA, SetWindowLongPtrW, SetWindowLongW, SetWindowPos, SetWindowRgn, SetWindowTextW, SetWindowsHookExW, ShowWindow, SystemParametersInfoA, SystemParametersInfoW, ToUnicode, TrackMouseEvent, TranslateMessage, UnhookWindowsHookEx, UnregisterClassA, UnregisterClassW, UnregisterDeviceNotification, ValidateRect
VERSION.dll	GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
AVICAP32.dll	capCreateCaptureWindowA, capGetDriverDescriptionA
WINMM.dll	timeBeginPeriod, timeEndPeriod, waveInAddBuffer, waveInClose, waveInGetDevCapsW, waveInGetNumDevs, waveInOpen, waveInPrepareHeader, waveInReset, waveInStart, waveInUnprepareHeader, waveOutClose, waveOutGetDevCapsW, waveOutGetErrorTextW, waveOutGetNumDevs, waveOutOpen, waveOutPrepareHeader, waveOutReset, waveOutUnprepareHeader, waveOutWrite
WS2_32.dll	WSACleanup, WSACloseEvent, WSACreateEvent, WSAEventSelect, WSAGetLastError, WSAGetOverlappedResult, WSAIoctl, WSARecvFrom, WSAResetEvent, WSASendTo, WSASetLastError, WSASocketA, WSAStartup, WSAStringToAddressA, WSAWaitForMultipleEvents, __WSAFDIsSet, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, gethostbyaddr, gethostbyname, gethostname, getnameinfo, getpeername, getservbyname, getservbyport, getsockname, getsockopt, htonl, htons, inet_addr, inet_ntoa, inet_ntop, inet_pton, ioctlsocket, listen, ntohl, ntohs, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket

Exports

Name	Ordinal	Address
FT_Activate_Size	1	0x14128ac20
FT_Add_Default_Modules	2	0x141293780
FT_Add_Module	3	0x14128f850
FT_Angle_Diff	4	0x14128efb0
FT_Atan2	5	0x14128eaa0
FT_Attach_File	6	0x14128f320
FT_Attach_Stream	7	0x14128f230
FT_Bitmap_Blend	8	0x1412f1700
FT_Bitmap_Convert	9	0x1412f0aa0
FT_Bitmap_Copy	10	0x1412f08b0
FT_Bitmap_Done	11	0x1412f1f50
FT_Bitmap_Embolden	12	0x1412f1010
FT_Bitmap_Init	13	0x1412f0870
FT_Bitmap_New	14	0x1412f0890
FT_CeilFix	15	0x141287a70
FT_Cos	16	0x14128e920
FT_DivFix	17	0x141287bb0
FT_Done_Face	18	0x141289390
FT_Done_FreeType	19	0x141293a10
FT_Done_Glyph	20	0x1412f2d50
FT_Done_Library	21	0x14128b300
FT_Done_MM_Var	22	0x1412f30c0
FT_Done_Size	23	0x141289450
FT_Error_String	24	0x1412886b0
FT_Face_GetCharVariantIndex	25	0x14128abb0
FT_Face_GetCharVariantIsDefault	26	0x14128ab60
FT_Face_GetCharsOfVariant	27	0x14128aa70
FT_Face_GetVariantSelectors	28	0x14128ab10
FT_Face_GetVariantsOfChar	29	0x14128aac0
FT_Face_Properties	30	0x14128a3d0
FT_FloorFix	31	0x141287a80
FT_Get_Advance	32	0x141290a80
FT_Get_Advances	33	0x141290820
FT_Get_BDF_Charset_ID	34	0x1413c7800
FT_Get_BDF_Property	35	0x1413c78c0
FT_Get_CMap_Format	36	0x14128a900
FT_Get_CMap_Language_ID	37	0x14128a880
FT_Get_Char_Index	38	0x14128a270
FT_Get_Charmap_Index	39	0x14128a230
FT_Get_Color_Glyph_ClipBox	40	0x14128b5f0
FT_Get_Color_Glyph_Layer	41	0x14128b560
FT_Get_Color_Glyph_Paint	42	0x14128b5b0
FT_Get_Colorline_Stops	43	0x14128b6c0
FT_Get_Default_Named_Instance	44	0x1412f3a10
FT_Get_First_Char	45	0x14128a340
FT_Get_Font_Format	46	0x1412886c0
FT_Get_Glyph	47	0x1412f2830
FT_Get_Glyph_Name	48	0x14128a550
FT_Get_Kerning	49	0x141289f50
FT_Get_MM_Blend_Coordinates	50	0x1412f3700
FT_Get_MM_Var	51	0x1412f2fe0
FT_Get_MM_WeightVector	52	0x1412f3270
FT_Get_Module	53	0x14128ae30
FT_Get_Multi_Master	54	0x1412f2f00
FT_Get_Name_Index	55	0x14128a4a0
FT_Get_Next_Char	56	0x14128a2a0
FT_Get_PS_Font_Info	57	0x1413c7940
FT_Get_PS_Font_Private	58	0x1413c7a00
FT_Get_PS_Font_Value	59	0x1413c7a70
FT_Get_Paint	60	0x14128b670
FT_Get_Paint_Layers	61	0x14128b630
FT_Get_Postscript_Name	62	0x14128a660
FT_Get_Renderer	63	0x14128acc0
FT_Get_Sfnt_LangTag	64	0x14128d450
FT_Get_Sfnt_Name	65	0x14128d330
FT_Get_Sfnt_Name_Count	66	0x14128d120
FT_Get_Sfnt_Table	67	0x14128a700
FT_Get_SubGlyph_Info	68	0x14128b4d0
FT_Get_Track_Kerning	69	0x14128a110
FT_Get_Transform	70	0x141289340
FT_Get_TrueType_Engine_Type	71	0x14128b480
FT_Get_Var_Axis_Flags	72	0x1412f38c0
FT_Get_Var_Blend_Coordinates	73	0x1412f37e0
FT_Get_Var_Design_Coordinates	74	0x1412f34b0
FT_Get_X11_Font_Format	75	0x1412886f0
FT_GlyphSlot_Own_Bitmap	76	0x1412f1ea0
FT_Glyph_Copy	77	0x1412f2630
FT_Glyph_Get_CBox	78	0x1412f29a0
FT_Glyph_Stroke	79	0x1412f63d0
FT_Glyph_StrokeBorder	80	0x1412f6520
FT_Glyph_To_Bitmap	81	0x1412f2a50
FT_Glyph_Transform	82	0x1412f2940
FT_Has_PS_Glyph_Names	83	0x1413c79b0
FT_Init_FreeType	84	0x141293980
FT_Library_SetLcdFilter	85	0x141288da0
FT_Library_SetLcdFilterWeights	86	0x141288d90
FT_Library_SetLcdGeometry	87	0x141288db0
FT_Library_Version	88	0x14128b2c0
FT_List_Add	89	0x1412935c0
FT_List_Finalize	90	0x141293710
FT_List_Find	91	0x141293590
FT_List_Insert	92	0x141293600
FT_List_Iterate	93	0x1412936c0
FT_List_Remove	94	0x141293630
FT_List_Up	95	0x141293670
FT_Load_Char	96	0x141290be0
FT_Load_Glyph	97	0x141290020
FT_Load_Sfnt_Table	98	0x14128a760
FT_Matrix_Invert	99	0x141287d60
FT_Matrix_Multiply	100	0x141287c20
FT_MulDiv	101	0x141287a90
FT_MulFix	102	0x141287b90
FT_New_Face	103	0x141291760
FT_New_Glyph	104	0x1412f2740
FT_New_Library	105	0x14128b220
FT_New_Memory_Face	106	0x141292610
FT_New_Size	107	0x14128f690
FT_Open_Face	108	0x141292690
FT_Outline_Check	109	0x14128bb90
FT_Outline_Copy	110	0x14128bc10
FT_Outline_Decompose	111	0x14128b700
FT_Outline_Done	112	0x14128bcc0
FT_Outline_Embolden	113	0x14128cce0
FT_Outline_EmboldenXY	114	0x14128c7d0
FT_Outline_GetInsideBorder	115	0x1412f5700
FT_Outline_GetOutsideBorder	116	0x1412f5720
FT_Outline_Get_Bitmap	117	0x14128c410
FT_Outline_Get_CBox	118	0x14128bd80
FT_Outline_Get_Orientation	119	0x14128c5f0
FT_Outline_New	120	0x141293130
FT_Outline_Render	121	0x14128c290
FT_Outline_Reverse	122	0x14128c1e0
FT_Outline_Transform	123	0x14128c520
FT_Outline_Translate	124	0x14128c190
FT_Palette_Data_Get	125	0x141288590
FT_Palette_Select	126	0x141288610
FT_Palette_Set_Foreground_Color	127	0x141288680
FT_Property_Get	128	0x14128b1c0
FT_Property_Set	129	0x14128b1a0
FT_Reference_Face	130	0x141289370
FT_Reference_Library	131	0x14128b200
FT_Remove_Module	132	0x14128af60
FT_Render_Glyph	133	0x14128ffe0
FT_Request_Size	134	0x141289cd0
FT_RoundFix	135	0x141287a50
FT_Select_Charmap	136	0x14128a1a0
FT_Select_Size	137	0x141289c60
FT_Set_Char_Size	138	0x141289e00
FT_Set_Charmap	139	0x14128a980
FT_Set_Debug_Hook	140	0x14128b450
FT_Set_Default_Log_Handler	141	0x1412f6b00
FT_Set_Default_Properties	142	0x1412937c0
FT_Set_Log_Handler	143	0x1412f6af0
FT_Set_MM_Blend_Coordinates	144	0x1412f3590
FT_Set_MM_Design_Coordinates	145	0x1412f30f0
FT_Set_MM_WeightVector	146	0x1412f31b0
FT_Set_Named_Instance	147	0x1412f38e0
FT_Set_Pixel_Sizes	148	0x141289eb0
FT_Set_Renderer	149	0x14128ad00
FT_Set_Transform	150	0x1412892b0
FT_Set_Var_Blend_Coordinates	151	0x1412f36f0
FT_Set_Var_Design_Coordinates	152	0x1412f3350
FT_Sfnt_Table_Info	153	0x14128a7f0
FT_Sin	154	0x14128e970
FT_Stream_OpenLZW	155	0x1412e3600
FT_Stroker_BeginSubPath	156	0x1412f5b50
FT_Stroker_ConicTo	157	0x1412f5af0
FT_Stroker_CubicTo	158	0x1412f5b20
FT_Stroker_Done	159	0x1412f58a0
FT_Stroker_EndSubPath	160	0x1412f5bb0
FT_Stroker_Export	161	0x1412f5f70
FT_Stroker_ExportBorder	162	0x1412f5f40
FT_Stroker_GetBorderCounts	163	0x1412f5e00
FT_Stroker_GetCounts	164	0x1412f5e90
FT_Stroker_LineTo	165	0x1412f5980
FT_Stroker_New	166	0x1412f5740
FT_Stroker_ParseOutline	167	0x1412f5fc0
FT_Stroker_Rewind	168	0x1412f5870
FT_Stroker_Set	169	0x1412f5820
FT_Tan	170	0x14128e9c0
FT_Trace_Set_Default_Level	171	0x1412f6ae0
FT_Trace_Set_Level	172	0x1412f6ad0
FT_Vector_From_Polar	173	0x14128ef80
FT_Vector_Length	174	0x14128ecf0
FT_Vector_Polarize	175	0x14128ee70
FT_Vector_Rotate	176	0x14128eb60
FT_Vector_Transform	177	0x14128c480
FT_Vector_Unit	178	0x14128eb20
TT_New_Context	179	0x1412a2130
TT_RunIns	180	0x14129f070
gme_ay_type	181	0x144a2a060
gme_clear_playlist	182	0x14166dc10
gme_delete	183	0x14166d8b0
gme_enable_accuracy	184	0x14166dbe0
gme_equalizer	185	0x14166dcb0
gme_free_info	186	0x14166daa0
gme_gbs_type	187	0x144a2a1f8
gme_gym_type	188	0x144a2a370
gme_hes_type	189	0x144a2a5a0
gme_identify_extension	190	0x14166d340
gme_identify_file	191	0x14166dcf0
gme_identify_header	192	0x14166d240
gme_ignore_silence	193	0x14166dba0
gme_kss_type	194	0x144a2a718
gme_load_custom	195	0x14166d880
gme_load_data	196	0x14166df20
gme_load_file	197	0x14166d870
gme_multi_channel	198	0x14166dc30
gme_mute_voice	199	0x14166dbc0
gme_mute_voices	200	0x14166dbd0
gme_new_emu	201	0x14166d5c0
gme_new_emu_multi_channel	202	0x14166d710
gme_nsf_type	203	0x144a2aba8
gme_nsfe_type	204	0x144a2acc0
gme_open_data	205	0x14166df70
gme_open_file	206	0x14166ddc0
gme_play	207	0x14166db20
gme_sap_type	208	0x144a2ae50
gme_seek	209	0x14166db70
gme_seek_samples	210	0x14166db80
gme_set_autoload_playback_limit	211	0x14166d430
gme_set_equalizer	212	0x14166dc50
gme_set_fade	213	0x14166db30
gme_set_stereo_depth	214	0x14166dac0
gme_set_tempo	215	0x14166dbb0
gme_set_user_cleanup	216	0x14166db00
gme_set_user_data	217	0x14166daf0
gme_spc_type	218	0x144a2b020
gme_start_track	219	0x14166db10
gme_tell	220	0x14166db50
gme_tell_samples	221	0x14166db60
gme_track_count	222	0x14166d8f0
gme_track_ended	223	0x14166db40
gme_track_info	224	0x14166d900
gme_type	225	0x14166d8d0
gme_type_extension	226	0x14166d410
gme_type_list	227	0x14166d130
gme_type_multitrack	228	0x14166dc20
gme_type_system	229	0x14166dce0
gme_user_data	230	0x14166dae0
gme_vgm_type	231	0x144a2b2f0
gme_vgz_type	232	0x144a2b2a0
gme_voice_count	233	0x14166db90
gme_voice_name	234	0x14166dcd0
gme_warning	235	0x14166d8e0
gme_wrong_file_type	236	0x144a29eb0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 16:09:21.889329910 CEST	1.1.1.1	192.168.2.5	0x1262	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 24, 2024 16:09:21.889329910 CEST	1.1.1.1	192.168.2.5	0x1262	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 24, 2024 16:09:22.412235975 CEST	1.1.1.1	192.168.2.5	0xf502	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 16:09:22.412235975 CEST	1.1.1.1	192.168.2.5	0xf502	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	16:09:09
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\ffplay.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ffplay.exe"
Imagebase:	0x7ff676d50000
File size:	85'284'864 bytes
MD5 hash:	B8D6EE0990ECFB0ED14CBE9E15AB7B12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:09:10
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ffplay.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: ffplay.exePID: 1496, Parent PID: 1028

General

Chronological Activities

Analysis Process: conhost.exePID: 3668, Parent PID: 1496

General

Chronological Activities

Disassembly

Windows Analysis Report
ffplay.exe