Windows Analysis Report
ffmpeg.exe

Overview

General Information

Sample name: ffmpeg.exe
Analysis ID: 1431131
MD5: d5db5991390cc69baa848b1ee4400dc2
SHA1: c5ee37a55272894be2eaf6ffb7a04221cdfd0548
SHA256: 473a53126b95174d1e3b67017df5383bb13bac9c3dc59011a6274bca840e3845

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Installs a raw input device (often for capturing keystrokes)
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

Source: ffmpeg.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://WWW-Authenticate:Proxy-Authenticate:Content-Encoding:gzip1.3.1Content-Length:
Source: ffmpeg.exe String found in binary or memory: http://dashif.org/guidelines/last-segment-number
Source: ffmpeg.exe String found in binary or memory: http://dashif.org/guidelines/trickmode
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF680744000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://lame.sf.net
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF680744000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://lame.sf.net64bits
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://modplug-xmms.sourceforge.net/
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://relaxng.org/ns/structure/1.0datatypeLibrary:/#?includegrammardefinenamestartInternal
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://schismtracker.org/
Source: ffmpeg.exe String found in binary or memory: http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.brynosaurus.com/cachedir/
Source: ffmpeg.exe String found in binary or memory: http://www.gnu.org/licenses/
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD
Source: ffmpeg.exe String found in binary or memory: http://www.smpte-ra.org/schemas/2067-3/2013#standard-markers
Source: ffmpeg.exe String found in binary or memory: http://www.smpte-ra.org/schemas/2067-3/2013#standard-markersInvalid
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF680894000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.videolan.org/x264.html
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF680894000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://x265.org
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://xaimus.com/)
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://bel.fi/alankila/modguide/interpolate.txt
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://coda.s3m.us/)
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/iamgreaser/it2everything/
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/lclevy/unmo3
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/lieff/minimp3/
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nothings/stb/
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/richgel999/miniz
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/ryuhei-mori/tinyfft
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/viiri/st2play
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://joaobapt.com/)
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://kode54.net/)
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://revenant1.net/)
Source: ffmpeg.exe String found in binary or memory: https://streams.videolan.org/upload/
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://twitter.com/daniel_collin
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.3eality.com/
Source: ffmpeg.exe, 00000000.00000000.2199222367.00007FF68244A000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: GetRawInputData memstr_0a74d6b3-5
Source: ffmpeg.exe Static PE information: Number of sections : 13 > 10
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF67FE6B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: WM/OriginalFilename vs ffmpeg.exe
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF67FE6B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: commentID3WM/AlbumArtistalbum_artistWM/AlbumTitlealbumAuthorartistDescriptionWM/ComposercomposerWM/EncodedByencoded_byWM/EncodingSettingsencoderWM/GenregenreWM/LanguagelanguageWM/OriginalFilenamefilenameWM/PartOfSetdiscWM/PublisherpublisherWM/ToolWM/TrackNumbertrackWM/MediaStationCallSignservice_providerWM/MediaStationNameservice_name vs ffmpeg.exe
Source: ffmpeg.exe Binary or memory string: WM/OriginalFilename vs ffmpeg.exe
Source: ffmpeg.exe Binary or memory string: commentID3WM/AlbumArtistalbum_artistWM/AlbumTitlealbumAuthorartistDescriptionWM/ComposercomposerWM/EncodedByencoded_byWM/EncodingSettingsencoderWM/GenregenreWM/LanguagelanguageWM/OriginalFilenamefilenameWM/PartOfSetdiscWM/PublisherpublisherWM/ToolWM/TrackNumbertrackWM/MediaStationCallSignservice_providerWM/MediaStationNameservice_name vs ffmpeg.exe
Source: classification engine Classification label: clean3.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
Source: ffmpeg.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ffmpeg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ffmpeg.exe String found in binary or memory: -help
Source: ffmpeg.exe String found in binary or memory: overlap-add
Source: ffmpeg.exe String found in binary or memory: windowset window sizewoverlapset window overlapoarorderset autoregression orderathresholdset thresholdthsizeset histogram sizenmethodset overlap methodmaddoverlap-addsaveoverlap-saves
Source: ffmpeg.exe String found in binary or memory: Apply high order Butterworth band-stop filter.
Source: ffmpeg.exe String found in binary or memory: @asubcutasupercutasuperpassasuperstopApply high order Butterworth band-stop filter.}
Source: ffmpeg.exe String found in binary or memory: #EXT-X-START:
Source: ffmpeg.exe String found in binary or memory: #EXT-X-START value isinvalid, it will be ignored
Source: ffmpeg.exe String found in binary or memory: #EXT-X-PLAYLIST-TYPE:EVENTVOD#EXT-X-MAP:data:#EXT-X-START:TIME-OFFSET=#EXT-X-START value isinvalid, it will be ignored#EXT-X-ENDLIST#EXTINF:#EXT-X-BYTERANGE:#Skip ('%s')
Source: ffmpeg.exe String found in binary or memory: prefer to use #EXT-X-START if it's in playlist instead of live_start_index
Source: ffmpeg.exe String found in binary or memory: ;live_start_indexsegment index to start live streams at (negative values are from the end)prefer_x_startprefer to use #EXT-X-START if it's in playlist instead of live_start_indexallowed_extensionsList of file extensions that hls is allowed to access3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wavmax_reloadMaximum number of times a insufficient list is attempted to be reloadedm3u8_hold_countersThe maximum number of times to load m3u8 when it refreshes without new segmentshttp_persistentUse persistent HTTP connectionshttp_multipleUse multiple HTTP connections for fetching segmentshttp_seekableUse HTTP partial requests, 0 = disable, 1 = enable, -1 = autoseg_format_optionsSet options for segment demuxerseg_max_retryMaximum number of times to reload a segment on error.h[KD
Source: ffmpeg.exe String found in binary or memory: start/stop audio
Source: unknown Process created: C:\Users\user\Desktop\ffmpeg.exe "C:\Users\user\Desktop\ffmpeg.exe"
Source: C:\Users\user\Desktop\ffmpeg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ffmpeg.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ffmpeg.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ffmpeg.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\ffmpeg.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ffmpeg.exe Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\ffmpeg.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ffmpeg.exe Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\ffmpeg.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ffmpeg.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ffmpeg.exe Section loaded: ntasn1.dll
Source: ffmpeg.exe Static PE information: More than 235 > 100 exports found
Source: ffmpeg.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: ffmpeg.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: ffmpeg.exe Static file information: File size 85491712 > 1048576
Source: ffmpeg.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4239a00
Source: ffmpeg.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x12be00
Source: ffmpeg.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xb9b200
Source: ffmpeg.exe Static PE information: Raw size of .xdata is bigger than: 0x100000 < 0x14d200
Source: ffmpeg.exe Static PE information: More than 200 imports for msvcrt.dll
Source: ffmpeg.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: ffmpeg.exe Static PE information: section name: .rodata
Source: ffmpeg.exe Static PE information: section name: .xdata
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6800DB000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: vmncVMware Screen Codec / VMware Video
Source: ffmpeg.exe Binary or memory string: VMware Screen Codec / VMware Video
Source: ffmpeg.exe, 00000000.00000002.2202937339.00000236D150C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
No contacted IP infos