Edit tour

Windows Analysis Report
ffmpeg.exe

Overview

General Information

Sample name:	ffmpeg.exe
Analysis ID:	1431131
MD5:	d5db5991390cc69baa848b1ee4400dc2
SHA1:	c5ee37a55272894be2eaf6ffb7a04221cdfd0548
SHA256:	473a53126b95174d1e3b67017df5383bb13bac9c3dc59011a6274bca840e3845
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Installs a raw input device (often for capturing keystrokes)

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook

Process Tree

System is w10x64

ffmpeg.exe (PID: 1540 cmdline: "C:\Users\user\Desktop\ffmpeg.exe" MD5: D5DB5991390CC69BAA848B1EE4400DC2)

conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: ffmpeg.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://WWW-Authenticate:Proxy-Authenticate:Content-Encoding:gzip1.3.1Content-Length:
Source: ffmpeg.exe	String found in binary or memory: http://dashif.org/guidelines/last-segment-number
Source: ffmpeg.exe	String found in binary or memory: http://dashif.org/guidelines/trickmode
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF680744000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://lame.sf.net
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF680744000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://lame.sf.net64bits
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://modplug-xmms.sourceforge.net/
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://relaxng.org/ns/structure/1.0datatypeLibrary:/#?includegrammardefinenamestartInternal
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schismtracker.org/
Source: ffmpeg.exe	String found in binary or memory: http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.brynosaurus.com/cachedir/
Source: ffmpeg.exe	String found in binary or memory: http://www.gnu.org/licenses/
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD
Source: ffmpeg.exe	String found in binary or memory: http://www.smpte-ra.org/schemas/2067-3/2013#standard-markers
Source: ffmpeg.exe	String found in binary or memory: http://www.smpte-ra.org/schemas/2067-3/2013#standard-markersInvalid
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF680894000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.videolan.org/x264.html
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF680894000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://x265.org
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://xaimus.com/)
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://bel.fi/alankila/modguide/interpolate.txt
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://coda.s3m.us/)
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/iamgreaser/it2everything/
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/lclevy/unmo3
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/lieff/minimp3/
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nothings/stb/
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/richgel999/miniz
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/ryuhei-mori/tinyfft
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/viiri/st2play
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://joaobapt.com/)
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://kode54.net/)
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://revenant1.net/)
Source: ffmpeg.exe	String found in binary or memory: https://streams.videolan.org/upload/
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://twitter.com/daniel_collin
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.3eality.com/

Source: ffmpeg.exe, 00000000.00000000.2199222367.00007FF68244A000.00000008.00000001.01000000.00000003.sdmp

Binary or memory string: GetRawInputData

memstr_0a74d6b3-5

Source: ffmpeg.exe

Static PE information: Number of sections : 13 > 10

Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF67FE6B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: WM/OriginalFilename vs ffmpeg.exe
Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF67FE6B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: commentID3WM/AlbumArtistalbum_artistWM/AlbumTitlealbumAuthorartistDescriptionWM/ComposercomposerWM/EncodedByencoded_byWM/EncodingSettingsencoderWM/GenregenreWM/LanguagelanguageWM/OriginalFilenamefilenameWM/PartOfSetdiscWM/PublisherpublisherWM/ToolWM/TrackNumbertrackWM/MediaStationCallSignservice_providerWM/MediaStationNameservice_name vs ffmpeg.exe
Source: ffmpeg.exe	Binary or memory string: WM/OriginalFilename vs ffmpeg.exe
Source: ffmpeg.exe	Binary or memory string: commentID3WM/AlbumArtistalbum_artistWM/AlbumTitlealbumAuthorartistDescriptionWM/ComposercomposerWM/EncodedByencoded_byWM/EncodingSettingsencoderWM/GenregenreWM/LanguagelanguageWM/OriginalFilenamefilenameWM/PartOfSetdiscWM/PublisherpublisherWM/ToolWM/TrackNumbertrackWM/MediaStationCallSignservice_providerWM/MediaStationNameservice_name vs ffmpeg.exe

Source: classification engine

Classification label: clean3.winEXE@2/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03

Source: ffmpeg.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ffmpeg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ffmpeg.exe	String found in binary or memory: -help
Source: ffmpeg.exe	String found in binary or memory: overlap-add
Source: ffmpeg.exe	String found in binary or memory: windowset window sizewoverlapset window overlapoarorderset autoregression orderathresholdset thresholdthsizeset histogram sizenmethodset overlap methodmaddoverlap-addsaveoverlap-saves
Source: ffmpeg.exe	String found in binary or memory: Apply high order Butterworth band-stop filter.
Source: ffmpeg.exe	String found in binary or memory: @asubcutasupercutasuperpassasuperstopApply high order Butterworth band-stop filter.}
Source: ffmpeg.exe	String found in binary or memory: #EXT-X-START:
Source: ffmpeg.exe	String found in binary or memory: #EXT-X-START value isinvalid, it will be ignored
Source: ffmpeg.exe	String found in binary or memory: #EXT-X-PLAYLIST-TYPE:EVENTVOD#EXT-X-MAP:data:#EXT-X-START:TIME-OFFSET=#EXT-X-START value isinvalid, it will be ignored#EXT-X-ENDLIST#EXTINF:#EXT-X-BYTERANGE:#Skip ('%s')
Source: ffmpeg.exe	String found in binary or memory: prefer to use #EXT-X-START if it's in playlist instead of live_start_index
Source: ffmpeg.exe	String found in binary or memory: ;live_start_indexsegment index to start live streams at (negative values are from the end)prefer_x_startprefer to use #EXT-X-START if it's in playlist instead of live_start_indexallowed_extensionsList of file extensions that hls is allowed to access3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wavmax_reloadMaximum number of times a insufficient list is attempted to be reloadedm3u8_hold_countersThe maximum number of times to load m3u8 when it refreshes without new segmentshttp_persistentUse persistent HTTP connectionshttp_multipleUse multiple HTTP connections for fetching segmentshttp_seekableUse HTTP partial requests, 0 = disable, 1 = enable, -1 = autoseg_format_optionsSet options for segment demuxerseg_max_retryMaximum number of times to reload a segment on error.h[KD
Source: ffmpeg.exe	String found in binary or memory: start/stop audio
Source: ffmpeg.exe	String found in binary or memory: start/stop audio

Source: unknown	Process created: C:\Users\user\Desktop\ffmpeg.exe "C:\Users\user\Desktop\ffmpeg.exe"
Source: C:\Users\user\Desktop\ffmpeg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\ffmpeg.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffmpeg.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffmpeg.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffmpeg.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffmpeg.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffmpeg.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffmpeg.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffmpeg.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffmpeg.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffmpeg.exe	Section loaded: ntasn1.dll	Jump to behavior

Source: ffmpeg.exe

Static PE information: More than 235 > 100 exports found

Source: ffmpeg.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ffmpeg.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: ffmpeg.exe

Static file information: File size 85491712 > 1048576

Source: ffmpeg.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4239a00
Source: ffmpeg.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x12be00
Source: ffmpeg.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xb9b200
Source: ffmpeg.exe	Static PE information: Raw size of .xdata is bigger than: 0x100000 < 0x14d200

Source: ffmpeg.exe

Static PE information: More than 200 imports for msvcrt.dll

Source: ffmpeg.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: ffmpeg.exe	Static PE information: section name: .rodata
Source: ffmpeg.exe	Static PE information: section name: .xdata

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: ffmpeg.exe, 00000000.00000000.2196705480.00007FF6800DB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: vmncVMware Screen Codec / VMware Video
Source: ffmpeg.exe	Binary or memory string: VMware Screen Codec / VMware Video
Source: ffmpeg.exe, 00000000.00000002.2202937339.00000236D150C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Process Injection	11 Input Capture	1 Security Software Discovery	Remote Services	11 Input Capture	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ffmpeg.exe	3%	ReversingLabs

Source	Detection	Scanner	Label
http://dashif.org/guidelines/last-segment-number	0%	URL Reputation	safe
http://dashif.org/guidelines/trickmode	0%	URL Reputation	safe
http://relaxng.org/ns/structure/1.0	0%	URL Reputation	safe
https://kode54.net/)	0%	Avira URL Cloud	safe
https://joaobapt.com/)	0%	Avira URL Cloud	safe
https://www.3eality.com/	0%	Avira URL Cloud	safe
http://schismtracker.org/	0%	Avira URL Cloud	safe
http://lame.sf.net64bits	0%	Avira URL Cloud	safe
https://bel.fi/alankila/modguide/interpolate.txt	0%	Avira URL Cloud	safe
http://www.smpte-ra.org/schemas/2067-3/2013#standard-markersInvalid	0%	Avira URL Cloud	safe
http://www.smpte-ra.org/schemas/2067-3/2013#standard-markers	0%	Avira URL Cloud	safe
http://WWW-Authenticate:Proxy-Authenticate:Content-Encoding:gzip1.3.1Content-Length:	0%	Avira URL Cloud	safe
https://revenant1.net/)	0%	Avira URL Cloud	safe
http://relaxng.org/ns/structure/1.0datatypeLibrary:/#?includegrammardefinenamestartInternal	0%	Avira URL Cloud	safe
https://coda.s3m.us/)	0%	Avira URL Cloud	safe
http://www.brynosaurus.com/cachedir/	0%	Avira URL Cloud	safe
http://xaimus.com/)	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://x265.org	ffmpeg.exe, 00000000.00000000.2196705480.00007FF680894000.00000002.00000001.01000000.00000003.sdmp	false		high
https://kode54.net/)	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://twitter.com/daniel_collin	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/nothings/stb/	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/iamgreaser/it2everything/	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://joaobapt.com/)	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://schismtracker.org/	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd	ffmpeg.exe	false		high
http://lame.sf.net64bits	ffmpeg.exe, 00000000.00000000.2196705480.00007FF680744000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://bel.fi/alankila/modguide/interpolate.txt	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.3eality.com/	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://dashif.org/guidelines/last-segment-number	ffmpeg.exe	false	URL Reputation: safe	unknown
http://www.smpte-ra.org/schemas/2067-3/2013#standard-markersInvalid	ffmpeg.exe	false	Avira URL Cloud: safe	unknown
http://www.smpte-ra.org/schemas/2067-3/2013#standard-markers	ffmpeg.exe	false	Avira URL Cloud: safe	unknown
http://WWW-Authenticate:Proxy-Authenticate:Content-Encoding:gzip1.3.1Content-Length:	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	low
https://revenant1.net/)	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://lame.sf.net	ffmpeg.exe, 00000000.00000000.2196705480.00007FF680744000.00000002.00000001.01000000.00000003.sdmp	false		high
http://relaxng.org/ns/structure/1.0datatypeLibrary:/#?includegrammardefinenamestartInternal	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/viiri/st2play	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://streams.videolan.org/upload/	ffmpeg.exe	false		high
https://coda.s3m.us/)	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/ryuhei-mori/tinyfft	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.videolan.org/x264.html	ffmpeg.exe, 00000000.00000000.2196705480.00007FF680894000.00000002.00000001.01000000.00000003.sdmp	false		high
http://xaimus.com/)	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://dashif.org/guidelines/trickmode	ffmpeg.exe	false	URL Reputation: safe	unknown
http://www.brynosaurus.com/cachedir/	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/lieff/minimp3/	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false		high
http://modplug-xmms.sourceforge.net/	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false		high
http://relaxng.org/ns/structure/1.0	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://github.com/lclevy/unmo3	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/richgel999/miniz	ffmpeg.exe, 00000000.00000000.2196705480.00007FF6803EE000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.gnu.org/licenses/	ffmpeg.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431131
Start date and time:	2024-04-24 16:08:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ffmpeg.exe
Detection:	CLEAN
Classification:	clean3.winEXE@2/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: ffmpeg.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	https://microloft.net/?r=8e28e856-be8d-4446-a396-cdcd78169ab8&rg=eu	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://colmec.it/category/news	Get hash	malicious	Unknown	Browse	192.229.211.108
	http://gnoticiasimparciais.com	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://insidesales-email.com/l/1/17013047/Y/eus.p01-2019.10.02-460581/1/ab/4K6W-nzk0hr_GKydLIdUc0LK4HrUUeoMK4jMzee40WM?lnk=https://cd14fe4e.2690c0a545a7f22e8ae6844c.workers.dev/?qrc=barbara.rentler@ros.com	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	https://www.linkedin.com/redir/redirect?url=https%3A%2F%2Flookerstudio%2Egoogle%2Ecom%2Fs%2FscrHqwjeA3k&urlhash=dcQj&trk=public_profile-settings_topcard-website	Get hash	malicious	Unknown	Browse	192.229.211.108
	http://p.ksrndkehqnwntyxlhgto.com	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://www.serserijeans.com/kdy9bFe5glari2Px0qak17sdy9nFe5k17	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://colmec.it/category/news	Get hash	malicious	Unknown	Browse	192.229.211.108
	http://ustteam.com/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://2h.ae/HWtB	Get hash	malicious	Unknown	Browse	192.229.211.108

File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.764265766205517
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	ffmpeg.exe
File size:	85'491'712 bytes
MD5:	d5db5991390cc69baa848b1ee4400dc2
SHA1:	c5ee37a55272894be2eaf6ffb7a04221cdfd0548
SHA256:	473a53126b95174d1e3b67017df5383bb13bac9c3dc59011a6274bca840e3845
SHA512:	a6f3c7cdfc705b54c2da7f642ffc575816e99fef9ae3a299d7e40c94d7fbf20f41efe674eec803ee3818e0bba023fc7dd3503ade31ee2115d16c19154a7d9d22
SSDEEP:	1572864:PcSbTs6JjTwdcYS/aEHBt6w5Hnflkg+rkVRJsZRw+cJfagAoCFhjR:PcJ
TLSH:	E2188E9EE2D350DCD12BD4F043AAF773BA34787D11206A7A26D99A306E22F80575EF14
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...{..f...............*..#..\|...n.............@.............................p.......a....`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400013f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x660FA07B [Fri Apr 5 06:55:55 2024 UTC]
TLS Callbacks:	0x41a72100, 0x1, 0x410fdd80, 0x1, 0x410fdd50, 0x1, 0x4146f2b0, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3dd39afad8e7fdad8409b8bac985274b

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [04E22CE5h]
mov dword ptr [eax], 00000000h
call 00007FC45086AD5Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007FC454808BD4h
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007FC45086AFB9h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea eax, dword ptr [ecx+000000D0h]
ret
nop dword ptr [eax+eax+00000000h]
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, edx
dec eax
mov ecx, edx
call 00007FC450D8D325h
dec eax
mov ecx, ebx
dec eax
add esp, 20h
pop ebx
jmp 00007FC4518E0D18h
nop dword ptr [eax]
push ebp
push edi
push esi
push ebx
dec eax
sub esp, 48h
dec eax
mov eax, dword ptr [edx+000000C8h]
dec eax
mov ebx, ecx
dec eax
mov esi, edx
dec eax
mov ecx, dword ptr [eax+08h]
test byte ptr [ebx+60h], 00000001h
je 00007FC45086B10Ah
dec eax
mov eax, dword ptr [ebx+000000A0h]
dec eax
mov eax, dword ptr [eax+000000C8h]
dec eax
test eax, eax
je 00007FC45086B0ACh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x6948000	0x1a1f	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x694a000	0x7004	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6954000	0x730	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4f07000	0xeb6c8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6955000	0x41254	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4859ca0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x694b9e8	0x1858	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4239840	0x4239a00	c1df78e07fc2927ff21d5cd1075ea596	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x423b000	0x12bc80	0x12be00	bcb88f576cba66440670e20d51f75367	False	0.1502644330971238	data	4.841914052442998	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rodata	0x4367000	0x39cc	0x3a00	a64f76b5697ad7b396a3eb484e6a487a	False	0.26589439655172414	data	5.855705171693117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x436b000	0xb9b0b0	0xb9b200	4e786d72ae3db7ce279324c7e5993225	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x4f07000	0xeb6c8	0xeb800	13cef89d5399e8ca1bb07bcb3394fb62	False	0.5443475484341825	data	7.009454804058532	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x4ff3000	0x14d0cc	0x14d200	60c2926626ef4603ce92107b1f3fdf6e	False	0.17951527321763602	data	5.202455756581229	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x5141000	0x1806d30	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x6948000	0x1a1f	0x1c00	0e3244be59131367da2d90cdb62cfeba	False	0.43289620535714285	data	5.7040782481794485	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x694a000	0x7004	0x7200	bc960c95cfede022576dde122e0edc3f	False	0.2748423793859649	data	5.0800551168373485	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x6952000	0x70	0x200	fecbca9ded2667d4ed6b5a35ecaeb4ca	False	0.091796875	data	0.4871042392862215	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x6953000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6954000	0x730	0x800	f20b15ac6e455f9f43836e6e9e67e4a1	False	0.1474609375	data	2.114214149621193	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6955000	0x41254	0x41400	d463dc92d7625efcd530e08da6fb395c	False	0.2149073575191571	data	5.485302111253753	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x6954058	0x1ef	XML 1.0 document, ASCII text	English	United States	0.498989898989899

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextW, CryptCreateHash, CryptDecrypt, CryptDestroyHash, CryptGenRandom, CryptGetHashParam, CryptGetProvParam, CryptReleaseContext, CryptSetHashParam, CryptSetProvParam, CryptSignHashA, DeregisterEventSource, GetUserNameA, InitializeSecurityDescriptor, RegCloseKey, RegEnumKeyExW, RegEnumValueW, RegOpenKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RegisterEventSourceW, ReportEventW, SetSecurityDescriptorDacl, SystemFunction036
bcrypt.dll	BCryptCloseAlgorithmProvider, BCryptGenRandom, BCryptOpenAlgorithmProvider
CRYPT32.dll	CertCloseStore, CertDeleteCertificateFromStore, CertEnumCRLsInStore, CertEnumCertificatesInStore, CertFindCertificateInStore, CertFreeCertificateContext, CertGetCertificateContextProperty, CertOpenStore, CertOpenSystemStoreW, PFXImportCertStore
GDI32.dll	BitBlt, ChoosePixelFormat, CombineRgn, CreateBitmap, CreateCompatibleBitmap, CreateCompatibleDC, CreateDCW, CreateDIBSection, CreateFontIndirectW, CreateFontW, CreatePen, CreateRectRgn, CreateSolidBrush, DeleteDC, DeleteObject, DescribePixelFormat, EnumFontFamiliesW, ExtTextOutW, GetDIBColorTable, GetDIBits, GetDeviceCaps, GetDeviceGammaRamp, GetICMProfileW, GetObjectA, GetPixelFormat, GetStockObject, GetTextExtentPoint32A, GetTextExtentPoint32W, GetTextFaceW, GetTextMetricsW, Rectangle, SelectObject, SetBkMode, SetDeviceGammaRamp, SetPixelFormat, SetTextColor, SwapBuffers
IMM32.dll	ImmAssociateContext, ImmGetCandidateListW, ImmGetCompositionStringW, ImmGetContext, ImmGetIMEFileNameA, ImmNotifyIME, ImmReleaseContext, ImmSetCandidateWindow, ImmSetCompositionStringW, ImmSetCompositionWindow
IPHLPAPI.DLL	GetAdaptersAddresses, if_indextoname, if_nametoindex
KERNEL32.dll	AcquireSRWLockExclusive, AcquireSRWLockShared, AreFileApisANSI, CancelIo, CancelIoEx, CloseHandle, CompareStringA, ConvertFiberToThread, ConvertThreadToFiberEx, CreateDirectoryW, CreateEventA, CreateEventW, CreateFiberEx, CreateFileA, CreateFileMappingA, CreateFileW, CreateMutexA, CreateSemaphoreA, CreateSemaphoreW, CreateThread, DeleteCriticalSection, DeleteFiber, DeviceIoControl, DuplicateHandle, EnterCriticalSection, ExitProcess, FileTimeToSystemTime, FindClose, FindFirstFileA, FindFirstFileExW, FindFirstFileW, FindNextFileW, FormatMessageA, FormatMessageW, FreeLibrary, GetACP, GetCommandLineW, GetComputerNameA, GetConsoleMode, GetConsoleScreenBufferInfo, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentVariableA, GetEnvironmentVariableW, GetExitCodeThread, GetFileAttributesA, GetFileAttributesExA, GetFileAttributesW, GetFileInformationByHandle, GetFileSize, GetFileSizeEx, GetFileTime, GetFileType, GetFinalPathNameByHandleA, GetFullPathNameA, GetFullPathNameW, GetHandleInformation, GetLastError, GetLocaleInfoA, GetLongPathNameA, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExA, GetModuleHandleExW, GetModuleHandleW, GetNumaHighestNodeNumber, GetNumaNodeProcessorMaskEx, GetOverlappedResult, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetProcessTimes, GetStdHandle, GetSystemDirectoryA, GetSystemDirectoryW, GetSystemInfo, GetSystemPowerStatus, GetSystemTime, GetSystemTimeAdjustment, GetSystemTimeAsFileTime, GetTempPathA, GetThreadContext, GetThreadPriority, GetThreadTimes, GetTickCount, GetTimeZoneInformation, GetVersion, GetWindowsDirectoryA, GlobalAlloc, GlobalLock, GlobalMemoryStatusEx, GlobalUnlock, HeapAlloc, HeapFree, HeapReAlloc, InitOnceBeginInitialize, InitOnceComplete, InitializeConditionVariable, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSRWLock, IsDBCSLeadByteEx, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, K32GetProcessMemoryInfo, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadLibraryExW, LoadLibraryW, LocalFree, MapViewOfFile, MoveFileExA, MoveFileExW, MulDiv, MultiByteToWideChar, OpenFileMappingA, OpenProcess, OutputDebugStringA, OutputDebugStringW, PeekNamedPipe, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadConsoleA, ReadConsoleW, ReadFile, RegisterWaitForSingleObject, ReleaseMutex, ReleaseSRWLockExclusive, ReleaseSRWLockShared, ReleaseSemaphore, ResetEvent, ResumeThread, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetConsoleCtrlHandler, SetConsoleMode, SetConsoleTextAttribute, SetDllDirectoryA, SetEnvironmentVariableA, SetErrorMode, SetEvent, SetFilePointer, SetFilePointerEx, SetHandleInformation, SetLastError, SetProcessAffinityMask, SetSystemTime, SetThreadContext, SetThreadErrorMode, SetThreadExecutionState, SetThreadGroupAffinity, SetThreadPriority, SetUnhandledExceptionFilter, SignalObjectAndWait, Sleep, SleepConditionVariableCS, SuspendThread, SwitchToFiber, SwitchToThread, SystemTimeToFileTime, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnmapViewOfFile, UnregisterWait, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualFree, VirtualLock, VirtualProtect, VirtualQuery, VirtualUnlock, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler, lstrcmpiW
msvcrt.dll	___lc_codepage_func, ___mb_cur_max_func, __argv, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _access, _access, _aligned_free, _aligned_malloc, _aligned_realloc, _amsg_exit, _assert, _beginthreadex, _cexit, _chmod, _close, _commode, _close, _dup, _dup2, _endthreadex, _environ, _errno, _exit, _fdopen, _filelengthi64, _fileno, _findclose, _fileno, _findfirst64, _findnext64, _fmode, _fstat64, _ftime64, _fullpath, _get_osfhandle, _getch, _getcwd, _getmaxstdio, _getpid, _gmtime64, _hypot, _i64toa, _initterm, _isatty, _isctype, _itoa, _kbhit, _localtime64, _lock, _locking, _lseeki64, _ltoa, _mbsrchr, _mkdir, _mkdir, _mktime64, _onexit, _open, _open, _open_osfhandle, _read, _rmdir, _rmdir, _nextafter, _setjmp, _setmaxstdio, _setmode, _setmode, _sopen, _stat64, _strdup, _strdup, _stricmp, _strlwr, _strnicmp, _strrev, _strtoi64, _strtoui64, _strtoui64, _strupr, _time64, _timezone, _ui64toa, _ultoa, _unlink, _unlink, _unlock, _vscprintf, _vsnprintf, _vsnwprintf, _waccess, _wassert, _wcsdup, _wcsicmp, _wcsnicmp, _wfindfirst64, _wfindnext64, _wfopen, _wfullpath, _wgetenv, _wmkdir, _wopen, _wrename, _write, _wrmdir, _wsopen, _wstat64, _wunlink, abort, acos, asin, atan, atof, atoi, bsearch, calloc, clock, cosh, div, exit, fclose, feof, ferror, fflush, fgetc, fgetpos, fgets, fopen, fopen_s, fprintf, fputc, fputs, fread, free, fsetpos, fseek, ftell, fwrite, getc, getchar, getenv, getwc, isalnum, isalpha, iscntrl, isgraph, islower, isprint, ispunct, isspace, isupper, iswctype, isxdigit, localeconv, log10, longjmp, malloc, mbstowcs, memchr, memcmp, memcpy, memmove, memset, perror, printf, putc, putwc, qsort, raise, rand, realloc, rename, rewind, setlocale, setvbuf, signal, sinh, sprintf, srand, strcat, strchr, strcmp, strcoll, strcpy, strcpy_s, strcspn, strerror, strftime, strlen, strncat, strncmp, strncpy, strncpy_s, strpbrk, strrchr, strspn, strstr, strtok, strtok_s, strtol, strtoul, strxfrm, tan, tanh, tolower, toupper, towlower, towupper, ungetwc, ungetc, vfprintf, wcscat, wcscmp, wcscoll, wcscpy, wcscpy_s, wcsftime, wcslen, wcsncmp, wcsrchr, wcsstr, wcstombs, wcstombs_s, wcstoul, wcsxfrm
ncrypt.dll	NCryptDecrypt, NCryptDeleteKey, NCryptFreeObject, NCryptGetProperty, NCryptOpenKey, NCryptOpenStorageProvider, NCryptSignHash
ole32.dll	CLSIDFromString, CoCreateInstance, CoGetMalloc, CoInitialize, CoInitializeEx, CoTaskMemAlloc, CoTaskMemFree, CoUninitialize, CreateBindCtx, OleLoadFromStream, OleSaveToStream, PropVariantClear, StringFromGUID2
OLEAUT32.dll	OleCreatePropertyFrame, SysFreeString
SETUPAPI.dll	CM_Get_Device_IDA, CM_Get_Parent, CM_Locate_DevNodeA, SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiEnumDeviceInterfaces, SetupDiGetClassDevsA, SetupDiGetDeviceInterfaceDetailA, SetupDiGetDeviceRegistryPropertyA
SHELL32.dll	CommandLineToArgvW, DragAcceptFiles, DragFinish, DragQueryFileW, ExtractIconExW, SHGetFolderPathW, SHGetSpecialFolderPathA, ShellExecuteW
SHLWAPI.dll	SHCreateStreamOnFileA
USER32.dll	AdjustWindowRectEx, AttachThreadInput, BeginPaint, CallNextHookEx, CallWindowProcW, ChangeDisplaySettingsExW, ClientToScreen, ClipCursor, CloseClipboard, CopyIcon, CopyImage, CreateIconFromResource, CreateIconIndirect, CreateWindowExA, CreateWindowExW, DefWindowProcA, DefWindowProcW, DestroyCursor, DestroyIcon, DestroyWindow, DialogBoxIndirectParamW, DispatchMessageA, DispatchMessageW, DrawIcon, DrawTextW, EmptyClipboard, EndDialog, EndPaint, EnumDisplayDevicesW, EnumDisplayMonitors, EnumDisplaySettingsW, FillRect, FindWindowW, FlashWindowEx, FrameRect, GetAsyncKeyState, GetClassInfoExW, GetClientRect, GetClipCursor, GetClipboardData, GetClipboardSequenceNumber, GetCursorInfo, GetCursorPos, GetDC, GetDesktopWindow, GetDlgItem, GetDoubleClickTime, GetFocus, GetForegroundWindow, GetIconInfo, GetKeyState, GetKeyboardLayout, GetKeyboardState, GetMenu, GetMessageExtraInfo, GetMessageW, GetMonitorInfoW, GetParent, GetProcessWindowStation, GetPropW, GetRawInputData, GetRawInputDeviceInfoA, GetRawInputDeviceList, GetSystemMetrics, GetUpdateRect, GetUserObjectInformationW, GetWindowLongPtrA, GetWindowLongPtrW, GetWindowLongW, GetWindowRect, GetWindowTextLengthW, GetWindowTextW, GetWindowThreadProcessId, IntersectRect, InvalidateRect, IsClipboardFormatAvailable, IsIconic, KillTimer, LoadCursorA, LoadCursorW, LoadIconW, MapVirtualKeyW, MessageBoxA, MessageBoxW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow, MsgWaitForMultipleObjects, OpenClipboard, PeekMessageA, PeekMessageW, PostMessageW, PostThreadMessageW, PtInRect, RegisterClassExA, RegisterClassExW, RegisterClassW, RegisterDeviceNotificationW, RegisterRawInputDevices, RegisterWindowMessageA, ReleaseCapture, ReleaseDC, RemovePropW, ScreenToClient, SendMessageA, SendMessageW, SetActiveWindow, SetCapture, SetClipboardData, SetCursor, SetCursorPos, SetFocus, SetForegroundWindow, SetLayeredWindowAttributes, SetPropW, SetTimer, SetWindowLongPtrA, SetWindowLongPtrW, SetWindowLongW, SetWindowPos, SetWindowRgn, SetWindowTextW, SetWindowsHookExW, ShowWindow, SystemParametersInfoA, SystemParametersInfoW, ToUnicode, TrackMouseEvent, TranslateMessage, UnhookWindowsHookEx, UnregisterClassA, UnregisterClassW, UnregisterDeviceNotification, ValidateRect
VERSION.dll	GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
AVICAP32.dll	capCreateCaptureWindowA, capGetDriverDescriptionA
WINMM.dll	timeBeginPeriod, timeEndPeriod, waveInAddBuffer, waveInClose, waveInGetDevCapsW, waveInGetNumDevs, waveInOpen, waveInPrepareHeader, waveInReset, waveInStart, waveInUnprepareHeader, waveOutClose, waveOutGetDevCapsW, waveOutGetErrorTextW, waveOutGetNumDevs, waveOutOpen, waveOutPrepareHeader, waveOutReset, waveOutUnprepareHeader, waveOutWrite
WS2_32.dll	WSACleanup, WSACloseEvent, WSACreateEvent, WSAEventSelect, WSAGetLastError, WSAGetOverlappedResult, WSAIoctl, WSARecvFrom, WSAResetEvent, WSASendTo, WSASetLastError, WSASocketA, WSAStartup, WSAStringToAddressA, WSAWaitForMultipleEvents, __WSAFDIsSet, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, gethostbyaddr, gethostbyname, gethostname, getnameinfo, getpeername, getservbyname, getservbyport, getsockname, getsockopt, htonl, htons, inet_addr, inet_ntoa, inet_ntop, inet_pton, ioctlsocket, listen, ntohl, ntohs, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket

Exports

Name	Ordinal	Address
FT_Activate_Size	1	0x1412b1ac0
FT_Add_Default_Modules	2	0x1412ba620
FT_Add_Module	3	0x1412b66f0
FT_Angle_Diff	4	0x1412b5e50
FT_Atan2	5	0x1412b5940
FT_Attach_File	6	0x1412b61c0
FT_Attach_Stream	7	0x1412b60d0
FT_Bitmap_Blend	8	0x1413185a0
FT_Bitmap_Convert	9	0x141317940
FT_Bitmap_Copy	10	0x141317750
FT_Bitmap_Done	11	0x141318df0
FT_Bitmap_Embolden	12	0x141317eb0
FT_Bitmap_Init	13	0x141317710
FT_Bitmap_New	14	0x141317730
FT_CeilFix	15	0x1412ae910
FT_Cos	16	0x1412b57c0
FT_DivFix	17	0x1412aea50
FT_Done_Face	18	0x1412b0230
FT_Done_FreeType	19	0x1412ba8b0
FT_Done_Glyph	20	0x141319bf0
FT_Done_Library	21	0x1412b21a0
FT_Done_MM_Var	22	0x141319f60
FT_Done_Size	23	0x1412b02f0
FT_Error_String	24	0x1412af550
FT_Face_GetCharVariantIndex	25	0x1412b1a50
FT_Face_GetCharVariantIsDefault	26	0x1412b1a00
FT_Face_GetCharsOfVariant	27	0x1412b1910
FT_Face_GetVariantSelectors	28	0x1412b19b0
FT_Face_GetVariantsOfChar	29	0x1412b1960
FT_Face_Properties	30	0x1412b1270
FT_FloorFix	31	0x1412ae920
FT_Get_Advance	32	0x1412b7920
FT_Get_Advances	33	0x1412b76c0
FT_Get_BDF_Charset_ID	34	0x1413ee6a0
FT_Get_BDF_Property	35	0x1413ee760
FT_Get_CMap_Format	36	0x1412b17a0
FT_Get_CMap_Language_ID	37	0x1412b1720
FT_Get_Char_Index	38	0x1412b1110
FT_Get_Charmap_Index	39	0x1412b10d0
FT_Get_Color_Glyph_ClipBox	40	0x1412b2490
FT_Get_Color_Glyph_Layer	41	0x1412b2400
FT_Get_Color_Glyph_Paint	42	0x1412b2450
FT_Get_Colorline_Stops	43	0x1412b2560
FT_Get_Default_Named_Instance	44	0x14131a8b0
FT_Get_First_Char	45	0x1412b11e0
FT_Get_Font_Format	46	0x1412af560
FT_Get_Glyph	47	0x1413196d0
FT_Get_Glyph_Name	48	0x1412b13f0
FT_Get_Kerning	49	0x1412b0df0
FT_Get_MM_Blend_Coordinates	50	0x14131a5a0
FT_Get_MM_Var	51	0x141319e80
FT_Get_MM_WeightVector	52	0x14131a110
FT_Get_Module	53	0x1412b1cd0
FT_Get_Multi_Master	54	0x141319da0
FT_Get_Name_Index	55	0x1412b1340
FT_Get_Next_Char	56	0x1412b1140
FT_Get_PS_Font_Info	57	0x1413ee7e0
FT_Get_PS_Font_Private	58	0x1413ee8a0
FT_Get_PS_Font_Value	59	0x1413ee910
FT_Get_Paint	60	0x1412b2510
FT_Get_Paint_Layers	61	0x1412b24d0
FT_Get_Postscript_Name	62	0x1412b1500
FT_Get_Renderer	63	0x1412b1b60
FT_Get_Sfnt_LangTag	64	0x1412b42f0
FT_Get_Sfnt_Name	65	0x1412b41d0
FT_Get_Sfnt_Name_Count	66	0x1412b3fc0
FT_Get_Sfnt_Table	67	0x1412b15a0
FT_Get_SubGlyph_Info	68	0x1412b2370
FT_Get_Track_Kerning	69	0x1412b0fb0
FT_Get_Transform	70	0x1412b01e0
FT_Get_TrueType_Engine_Type	71	0x1412b2320
FT_Get_Var_Axis_Flags	72	0x14131a760
FT_Get_Var_Blend_Coordinates	73	0x14131a680
FT_Get_Var_Design_Coordinates	74	0x14131a350
FT_Get_X11_Font_Format	75	0x1412af590
FT_GlyphSlot_Own_Bitmap	76	0x141318d40
FT_Glyph_Copy	77	0x1413194d0
FT_Glyph_Get_CBox	78	0x141319840
FT_Glyph_Stroke	79	0x14131d270
FT_Glyph_StrokeBorder	80	0x14131d3c0
FT_Glyph_To_Bitmap	81	0x1413198f0
FT_Glyph_Transform	82	0x1413197e0
FT_Has_PS_Glyph_Names	83	0x1413ee850
FT_Init_FreeType	84	0x1412ba820
FT_Library_SetLcdFilter	85	0x1412afc40
FT_Library_SetLcdFilterWeights	86	0x1412afc30
FT_Library_SetLcdGeometry	87	0x1412afc50
FT_Library_Version	88	0x1412b2160
FT_List_Add	89	0x1412ba460
FT_List_Finalize	90	0x1412ba5b0
FT_List_Find	91	0x1412ba430
FT_List_Insert	92	0x1412ba4a0
FT_List_Iterate	93	0x1412ba560
FT_List_Remove	94	0x1412ba4d0
FT_List_Up	95	0x1412ba510
FT_Load_Char	96	0x1412b7a80
FT_Load_Glyph	97	0x1412b6ec0
FT_Load_Sfnt_Table	98	0x1412b1600
FT_Matrix_Invert	99	0x1412aec00
FT_Matrix_Multiply	100	0x1412aeac0
FT_MulDiv	101	0x1412ae930
FT_MulFix	102	0x1412aea30
FT_New_Face	103	0x1412b8600
FT_New_Glyph	104	0x1413195e0
FT_New_Library	105	0x1412b20c0
FT_New_Memory_Face	106	0x1412b94b0
FT_New_Size	107	0x1412b6530
FT_Open_Face	108	0x1412b9530
FT_Outline_Check	109	0x1412b2a30
FT_Outline_Copy	110	0x1412b2ab0
FT_Outline_Decompose	111	0x1412b25a0
FT_Outline_Done	112	0x1412b2b60
FT_Outline_Embolden	113	0x1412b3b80
FT_Outline_EmboldenXY	114	0x1412b3670
FT_Outline_GetInsideBorder	115	0x14131c5a0
FT_Outline_GetOutsideBorder	116	0x14131c5c0
FT_Outline_Get_Bitmap	117	0x1412b32b0
FT_Outline_Get_CBox	118	0x1412b2c20
FT_Outline_Get_Orientation	119	0x1412b3490
FT_Outline_New	120	0x1412b9fd0
FT_Outline_Render	121	0x1412b3130
FT_Outline_Reverse	122	0x1412b3080
FT_Outline_Transform	123	0x1412b33c0
FT_Outline_Translate	124	0x1412b3030
FT_Palette_Data_Get	125	0x1412af430
FT_Palette_Select	126	0x1412af4b0
FT_Palette_Set_Foreground_Color	127	0x1412af520
FT_Property_Get	128	0x1412b2060
FT_Property_Set	129	0x1412b2040
FT_Reference_Face	130	0x1412b0210
FT_Reference_Library	131	0x1412b20a0
FT_Remove_Module	132	0x1412b1e00
FT_Render_Glyph	133	0x1412b6e80
FT_Request_Size	134	0x1412b0b70
FT_RoundFix	135	0x1412ae8f0
FT_Select_Charmap	136	0x1412b1040
FT_Select_Size	137	0x1412b0b00
FT_Set_Char_Size	138	0x1412b0ca0
FT_Set_Charmap	139	0x1412b1820
FT_Set_Debug_Hook	140	0x1412b22f0
FT_Set_Default_Log_Handler	141	0x14131d9a0
FT_Set_Default_Properties	142	0x1412ba660
FT_Set_Log_Handler	143	0x14131d990
FT_Set_MM_Blend_Coordinates	144	0x14131a430
FT_Set_MM_Design_Coordinates	145	0x141319f90
FT_Set_MM_WeightVector	146	0x14131a050
FT_Set_Named_Instance	147	0x14131a780
FT_Set_Pixel_Sizes	148	0x1412b0d50
FT_Set_Renderer	149	0x1412b1ba0
FT_Set_Transform	150	0x1412b0150
FT_Set_Var_Blend_Coordinates	151	0x14131a590
FT_Set_Var_Design_Coordinates	152	0x14131a1f0
FT_Sfnt_Table_Info	153	0x1412b1690
FT_Sin	154	0x1412b5810
FT_Stream_OpenLZW	155	0x14130a4a0
FT_Stroker_BeginSubPath	156	0x14131c9f0
FT_Stroker_ConicTo	157	0x14131c990
FT_Stroker_CubicTo	158	0x14131c9c0
FT_Stroker_Done	159	0x14131c740
FT_Stroker_EndSubPath	160	0x14131ca50
FT_Stroker_Export	161	0x14131ce10
FT_Stroker_ExportBorder	162	0x14131cde0
FT_Stroker_GetBorderCounts	163	0x14131cca0
FT_Stroker_GetCounts	164	0x14131cd30
FT_Stroker_LineTo	165	0x14131c820
FT_Stroker_New	166	0x14131c5e0
FT_Stroker_ParseOutline	167	0x14131ce60
FT_Stroker_Rewind	168	0x14131c710
FT_Stroker_Set	169	0x14131c6c0
FT_Tan	170	0x1412b5860
FT_Trace_Set_Default_Level	171	0x14131d980
FT_Trace_Set_Level	172	0x14131d970
FT_Vector_From_Polar	173	0x1412b5e20
FT_Vector_Length	174	0x1412b5b90
FT_Vector_Polarize	175	0x1412b5d10
FT_Vector_Rotate	176	0x1412b5a00
FT_Vector_Transform	177	0x1412b3320
FT_Vector_Unit	178	0x1412b59c0
TT_New_Context	179	0x1412c8fd0
TT_RunIns	180	0x1412c5f10
gme_ay_type	181	0x144a5afa0
gme_clear_playlist	182	0x141694ab0
gme_delete	183	0x141694750
gme_enable_accuracy	184	0x141694a80
gme_equalizer	185	0x141694b50
gme_free_info	186	0x141694940
gme_gbs_type	187	0x144a5b138
gme_gym_type	188	0x144a5b2b0
gme_hes_type	189	0x144a5b4e0
gme_identify_extension	190	0x1416941e0
gme_identify_file	191	0x141694b90
gme_identify_header	192	0x1416940e0
gme_ignore_silence	193	0x141694a40
gme_kss_type	194	0x144a5b658
gme_load_custom	195	0x141694720
gme_load_data	196	0x141694dc0
gme_load_file	197	0x141694710
gme_multi_channel	198	0x141694ad0
gme_mute_voice	199	0x141694a60
gme_mute_voices	200	0x141694a70
gme_new_emu	201	0x141694460
gme_new_emu_multi_channel	202	0x1416945b0
gme_nsf_type	203	0x144a5bae8
gme_nsfe_type	204	0x144a5bc00
gme_open_data	205	0x141694e10
gme_open_file	206	0x141694c60
gme_play	207	0x1416949c0
gme_sap_type	208	0x144a5bd90
gme_seek	209	0x141694a10
gme_seek_samples	210	0x141694a20
gme_set_autoload_playback_limit	211	0x1416942d0
gme_set_equalizer	212	0x141694af0
gme_set_fade	213	0x1416949d0
gme_set_stereo_depth	214	0x141694960
gme_set_tempo	215	0x141694a50
gme_set_user_cleanup	216	0x1416949a0
gme_set_user_data	217	0x141694990
gme_spc_type	218	0x144a5bf60
gme_start_track	219	0x1416949b0
gme_tell	220	0x1416949f0
gme_tell_samples	221	0x141694a00
gme_track_count	222	0x141694790
gme_track_ended	223	0x1416949e0
gme_track_info	224	0x1416947a0
gme_type	225	0x141694770
gme_type_extension	226	0x1416942b0
gme_type_list	227	0x141693fd0
gme_type_multitrack	228	0x141694ac0
gme_type_system	229	0x141694b80
gme_user_data	230	0x141694980
gme_vgm_type	231	0x144a5c230
gme_vgz_type	232	0x144a5c1e0
gme_voice_count	233	0x141694a30
gme_voice_name	234	0x141694b70
gme_warning	235	0x141694780
gme_wrong_file_type	236	0x144a5adf0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 16:09:24.225728989 CEST	1.1.1.1	192.168.2.6	0x6577	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 16:09:24.225728989 CEST	1.1.1.1	192.168.2.6	0x6577	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	16:09:13
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\ffmpeg.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ffmpeg.exe"
Imagebase:	0x7ff67bb00000
File size:	85'491'712 bytes
MD5 hash:	D5DB5991390CC69BAA848B1EE4400DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:09:13
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ffmpeg.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: ffmpeg.exePID: 1540, Parent PID: 4004

General

Chronological Activities

Analysis Process: conhost.exePID: 6368, Parent PID: 1540

General

Chronological Activities

Disassembly

Windows Analysis Report
ffmpeg.exe