Windows Analysis Report
ffprobe.exe

Overview

General Information

Sample name: ffprobe.exe
Analysis ID: 1431132
MD5: f541b1e02ad904057651a9457b7bc199
SHA1: 91feeb7b66e537f054d6b6b58aac2b3d046875a4
SHA256: 72c01f83221e3da073ab2659416c59f96266679044f39b7a58cfa783731efaf2

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Installs a raw input device (often for capturing keystrokes)
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

Source: ffprobe.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://WWW-Authenticate:Proxy-Authenticate:Content-Encoding:gzip1.3.1Content-Length:
Source: ffprobe.exe String found in binary or memory: http://dashif.org/guidelines/last-segment-number
Source: ffprobe.exe String found in binary or memory: http://dashif.org/guidelines/trickmode
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AAD5E000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://lame.sf.net
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AAD5E000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://lame.sf.net64bits
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://modplug-xmms.sourceforge.net/
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://relaxng.org/ns/structure/1.0datatypeLibrary:/#?includegrammardefinenamestartInternal
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://schismtracker.org/
Source: ffprobe.exe String found in binary or memory: http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.brynosaurus.com/cachedir/
Source: ffprobe.exe String found in binary or memory: http://www.gnu.org/licenses/
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD
Source: ffprobe.exe String found in binary or memory: http://www.smpte-ra.org/schemas/2067-3/2013#standard-markers
Source: ffprobe.exe String found in binary or memory: http://www.smpte-ra.org/schemas/2067-3/2013#standard-markersInvalid
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AAE47000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.videolan.org/x264.html
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AAE47000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://x265.org
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://xaimus.com/)
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://bel.fi/alankila/modguide/interpolate.txt
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://coda.s3m.us/)
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/iamgreaser/it2everything/
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/lclevy/unmo3
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/lieff/minimp3/
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nothings/stb/
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/richgel999/miniz
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/ryuhei-mori/tinyfft
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/viiri/st2play
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://joaobapt.com/)
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://kode54.net/)
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://revenant1.net/)
Source: ffprobe.exe String found in binary or memory: https://streams.videolan.org/upload/
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://twitter.com/daniel_collin
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.3eality.com/
Source: ffprobe.exe, 00000000.00000000.1342396678.00007FF6ACA03000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: GetRawInputData memstr_80fc0211-e
Source: ffprobe.exe Static PE information: Number of sections : 13 > 10
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA42D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: WM/OriginalFilename vs ffprobe.exe
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA42D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: commentID3WM/AlbumArtistalbum_artistWM/AlbumTitlealbumAuthorartistDescriptionWM/ComposercomposerWM/EncodedByencoded_byWM/EncodingSettingsencoderWM/GenregenreWM/LanguagelanguageWM/OriginalFilenamefilenameWM/PartOfSetdiscWM/PublisherpublisherWM/ToolWM/TrackNumbertrackWM/MediaStationCallSignservice_providerWM/MediaStationNameservice_name^ vs ffprobe.exe
Source: ffprobe.exe Binary or memory string: WM/OriginalFilename vs ffprobe.exe
Source: ffprobe.exe Binary or memory string: commentID3WM/AlbumArtistalbum_artistWM/AlbumTitlealbumAuthorartistDescriptionWM/ComposercomposerWM/EncodedByencoded_byWM/EncodingSettingsencoderWM/GenregenreWM/LanguagelanguageWM/OriginalFilenamefilenameWM/PartOfSetdiscWM/PublisherpublisherWM/ToolWM/TrackNumbertrackWM/MediaStationCallSignservice_providerWM/MediaStationNameservice_name^ vs ffprobe.exe
Source: classification engine Classification label: clean3.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
Source: ffprobe.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ffprobe.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ffprobe.exe String found in binary or memory: -help
Source: ffprobe.exe String found in binary or memory: Lshow licensehshow helptopic?help-helpshow versionbuildconfshow build configurationformatsshow available formatsmuxersshow available muxersdemuxersshow available demuxersdevicesshow available devicescodecsshow available codecsdecodersshow available decodersencodersshow available encodersbsfsshow available bit stream filtersprotocolsshow available protocolsfiltersshow available filterspix_fmtsshow available pixel formatslayoutsshow standard channel layoutssample_fmtsshow available audio sample formatsdispositionsshow available stream dispositionscolorsshow available color namesloglevelset logging levelvreportgenerate a reportmax_allocset maximum size of a single allocated blockbytescpuflagsforce specific cpu flagscpucountforce specific cpu countcounthide_bannerdo not show program bannersourceslist sources of the input devicedevicesinkslist sinks of the output devicefforce formatshow unit of the displayed valuesuse SI prefixes for the displayed valuesbyte_binary_prefixuse binary prefixes for byte unitssexagesimaluse sexagesimal format HOURS:MM:SS.MICROSECONDS for time unitsprettyprettify the format of displayed values, make it more human readableoutput_formatset the output printing format (available formats are: default, compact, csv, flat, ini, json, xml)print_formatalias for -output_format (deprecated)ofalias for -output_formatselect_streamsselect the specified streamsstream_specifiersectionsprint sections structure and section information, and exitshow_datashow packets datashow_data_hashshow packets data hashshow_errorshow probing errorshow_formatshow format/container infoshow_framesshow frames infoshow_entriesshow a set of specified entriesentry_listshow_logshow logshow_packetsshow packets infoshow_programsshow programs infoshow_stream_groupsshow stream groups infoshow_streamsshow streams infoshow_chaptersshow chapters infocount_framescount the number of frames per streamcount_packetscount the number of packets per streamshow_program_versionshow ffprobe versionshow_library_versionsshow library versionsshow_versionsshow program and library versionsshow_pixel_formatsshow pixel format descriptionsshow optional fieldsshow_private_datashow private datasame as show_private_databitexactforce bitexact outputread_intervalsset read intervalsiread specified fileinput_fileowrite to specified outputoutput_fileprint_filenameoverride the printed input filenameprint_filefind_stream_inforead and decode the streams to fill missing information with heuristics 5D
Source: ffprobe.exe String found in binary or memory: overlap-add
Source: ffprobe.exe String found in binary or memory: windowset window sizewoverlapset window overlapoarorderset autoregression orderathresholdset thresholdthsizeset histogram sizenmethodset overlap methodmaddoverlap-addsaveoverlap-saves
Source: ffprobe.exe String found in binary or memory: Apply high order Butterworth band-stop filter.
Source: ffprobe.exe String found in binary or memory: @asubcutasupercutasuperpassasuperstopApply high order Butterworth band-stop filter.
Source: ffprobe.exe String found in binary or memory: #EXT-X-START:
Source: ffprobe.exe String found in binary or memory: #EXT-X-START value isinvalid, it will be ignored
Source: ffprobe.exe String found in binary or memory: #EXT-X-PLAYLIST-TYPE:EVENTVOD#EXT-X-MAP:data:#EXT-X-START:TIME-OFFSET=#EXT-X-START value isinvalid, it will be ignored#EXT-X-ENDLIST#EXTINF:#EXT-X-BYTERANGE:#Skip ('%s')
Source: ffprobe.exe String found in binary or memory: prefer to use #EXT-X-START if it's in playlist instead of live_start_index
Source: ffprobe.exe String found in binary or memory: ;live_start_indexsegment index to start live streams at (negative values are from the end)prefer_x_startprefer to use #EXT-X-START if it's in playlist instead of live_start_indexallowed_extensionsList of file extensions that hls is allowed to access3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wavmax_reloadMaximum number of times a insufficient list is attempted to be reloadedm3u8_hold_countersThe maximum number of times to load m3u8 when it refreshes without new segmentshttp_persistentUse persistent HTTP connectionshttp_multipleUse multiple HTTP connections for fetching segmentshttp_seekableUse HTTP partial requests, 0 = disable, 1 = enable, -1 = autoseg_format_optionsSet options for segment demuxerseg_max_retryMaximum number of times to reload a segment on error.
Source: ffprobe.exe String found in binary or memory: start/stop audio
Source: unknown Process created: C:\Users\user\Desktop\ffprobe.exe "C:\Users\user\Desktop\ffprobe.exe"
Source: C:\Users\user\Desktop\ffprobe.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ffprobe.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ffprobe.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ffprobe.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\ffprobe.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ffprobe.exe Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\ffprobe.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ffprobe.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ffprobe.exe Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\ffprobe.exe Section loaded: ntasn1.dll
Source: ffprobe.exe Static PE information: More than 235 > 100 exports found
Source: ffprobe.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: ffprobe.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: ffprobe.exe Static file information: File size 85333504 > 1048576
Source: ffprobe.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x421a000
Source: ffprobe.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x12da00
Source: ffprobe.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xb93800
Source: ffprobe.exe Static PE information: Raw size of .xdata is bigger than: 0x100000 < 0x14ca00
Source: ffprobe.exe Static PE information: More than 200 imports for msvcrt.dll
Source: ffprobe.exe Static PE information: section name: .rodata
Source: ffprobe.exe Static PE information: section name: .xdata
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: ffprobe.exe, 00000000.00000002.1344065345.000001F23E0BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: ffprobe.exe, 00000000.00000002.1344065345.000001F23E0BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA693000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: vmncVMware Screen Codec / VMware Video@
Source: ffprobe.exe Binary or memory string: VMware Screen Codec / VMware Video
No contacted IP infos