Edit tour

Windows Analysis Report
ffprobe.exe

Overview

General Information

Sample name:	ffprobe.exe
Analysis ID:	1431132
MD5:	f541b1e02ad904057651a9457b7bc199
SHA1:	91feeb7b66e537f054d6b6b58aac2b3d046875a4
SHA256:	72c01f83221e3da073ab2659416c59f96266679044f39b7a58cfa783731efaf2
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Installs a raw input device (often for capturing keystrokes)

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook

Process Tree

System is w10x64

ffprobe.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\ffprobe.exe" MD5: F541B1E02AD904057651A9457B7BC199)

conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: ffprobe.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://WWW-Authenticate:Proxy-Authenticate:Content-Encoding:gzip1.3.1Content-Length:
Source: ffprobe.exe	String found in binary or memory: http://dashif.org/guidelines/last-segment-number
Source: ffprobe.exe	String found in binary or memory: http://dashif.org/guidelines/trickmode
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AAD5E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://lame.sf.net
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AAD5E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://lame.sf.net64bits
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://modplug-xmms.sourceforge.net/
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://relaxng.org/ns/structure/1.0datatypeLibrary:/#?includegrammardefinenamestartInternal
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schismtracker.org/
Source: ffprobe.exe	String found in binary or memory: http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.brynosaurus.com/cachedir/
Source: ffprobe.exe	String found in binary or memory: http://www.gnu.org/licenses/
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD
Source: ffprobe.exe	String found in binary or memory: http://www.smpte-ra.org/schemas/2067-3/2013#standard-markers
Source: ffprobe.exe	String found in binary or memory: http://www.smpte-ra.org/schemas/2067-3/2013#standard-markersInvalid
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AAE47000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.videolan.org/x264.html
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AAE47000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://x265.org
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://xaimus.com/)
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://bel.fi/alankila/modguide/interpolate.txt
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://coda.s3m.us/)
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/iamgreaser/it2everything/
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/lclevy/unmo3
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/lieff/minimp3/
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/nothings/stb/
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/richgel999/miniz
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/ryuhei-mori/tinyfft
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/viiri/st2play
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://joaobapt.com/)
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://kode54.net/)
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://revenant1.net/)
Source: ffprobe.exe	String found in binary or memory: https://streams.videolan.org/upload/
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://twitter.com/daniel_collin
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.3eality.com/

Source: ffprobe.exe, 00000000.00000000.1342396678.00007FF6ACA03000.00000008.00000001.01000000.00000003.sdmp

Binary or memory string: GetRawInputData

memstr_80fc0211-e

Source: ffprobe.exe

Static PE information: Number of sections : 13 > 10

Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA42D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: WM/OriginalFilename vs ffprobe.exe
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA42D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: commentID3WM/AlbumArtistalbum_artistWM/AlbumTitlealbumAuthorartistDescriptionWM/ComposercomposerWM/EncodedByencoded_byWM/EncodingSettingsencoderWM/GenregenreWM/LanguagelanguageWM/OriginalFilenamefilenameWM/PartOfSetdiscWM/PublisherpublisherWM/ToolWM/TrackNumbertrackWM/MediaStationCallSignservice_providerWM/MediaStationNameservice_name^ vs ffprobe.exe
Source: ffprobe.exe	Binary or memory string: WM/OriginalFilename vs ffprobe.exe
Source: ffprobe.exe	Binary or memory string: commentID3WM/AlbumArtistalbum_artistWM/AlbumTitlealbumAuthorartistDescriptionWM/ComposercomposerWM/EncodedByencoded_byWM/EncodingSettingsencoderWM/GenregenreWM/LanguagelanguageWM/OriginalFilenamefilenameWM/PartOfSetdiscWM/PublisherpublisherWM/ToolWM/TrackNumbertrackWM/MediaStationCallSignservice_providerWM/MediaStationNameservice_name^ vs ffprobe.exe

Source: classification engine

Classification label: clean3.winEXE@2/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03

Source: ffprobe.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ffprobe.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ffprobe.exe	String found in binary or memory: -help
Source: ffprobe.exe	String found in binary or memory: Lshow licensehshow helptopic?help-helpshow versionbuildconfshow build configurationformatsshow available formatsmuxersshow available muxersdemuxersshow available demuxersdevicesshow available devicescodecsshow available codecsdecodersshow available decodersencodersshow available encodersbsfsshow available bit stream filtersprotocolsshow available protocolsfiltersshow available filterspix_fmtsshow available pixel formatslayoutsshow standard channel layoutssample_fmtsshow available audio sample formatsdispositionsshow available stream dispositionscolorsshow available color namesloglevelset logging levelvreportgenerate a reportmax_allocset maximum size of a single allocated blockbytescpuflagsforce specific cpu flagscpucountforce specific cpu countcounthide_bannerdo not show program bannersourceslist sources of the input devicedevicesinkslist sinks of the output devicefforce formatshow unit of the displayed valuesuse SI prefixes for the displayed valuesbyte_binary_prefixuse binary prefixes for byte unitssexagesimaluse sexagesimal format HOURS:MM:SS.MICROSECONDS for time unitsprettyprettify the format of displayed values, make it more human readableoutput_formatset the output printing format (available formats are: default, compact, csv, flat, ini, json, xml)print_formatalias for -output_format (deprecated)ofalias for -output_formatselect_streamsselect the specified streamsstream_specifiersectionsprint sections structure and section information, and exitshow_datashow packets datashow_data_hashshow packets data hashshow_errorshow probing errorshow_formatshow format/container infoshow_framesshow frames infoshow_entriesshow a set of specified entriesentry_listshow_logshow logshow_packetsshow packets infoshow_programsshow programs infoshow_stream_groupsshow stream groups infoshow_streamsshow streams infoshow_chaptersshow chapters infocount_framescount the number of frames per streamcount_packetscount the number of packets per streamshow_program_versionshow ffprobe versionshow_library_versionsshow library versionsshow_versionsshow program and library versionsshow_pixel_formatsshow pixel format descriptionsshow optional fieldsshow_private_datashow private datasame as show_private_databitexactforce bitexact outputread_intervalsset read intervalsiread specified fileinput_fileowrite to specified outputoutput_fileprint_filenameoverride the printed input filenameprint_filefind_stream_inforead and decode the streams to fill missing information with heuristics 5D
Source: ffprobe.exe	String found in binary or memory: overlap-add
Source: ffprobe.exe	String found in binary or memory: windowset window sizewoverlapset window overlapoarorderset autoregression orderathresholdset thresholdthsizeset histogram sizenmethodset overlap methodmaddoverlap-addsaveoverlap-saves
Source: ffprobe.exe	String found in binary or memory: Apply high order Butterworth band-stop filter.
Source: ffprobe.exe	String found in binary or memory: @asubcutasupercutasuperpassasuperstopApply high order Butterworth band-stop filter.
Source: ffprobe.exe	String found in binary or memory: #EXT-X-START:
Source: ffprobe.exe	String found in binary or memory: #EXT-X-START value isinvalid, it will be ignored
Source: ffprobe.exe	String found in binary or memory: #EXT-X-PLAYLIST-TYPE:EVENTVOD#EXT-X-MAP:data:#EXT-X-START:TIME-OFFSET=#EXT-X-START value isinvalid, it will be ignored#EXT-X-ENDLIST#EXTINF:#EXT-X-BYTERANGE:#Skip ('%s')
Source: ffprobe.exe	String found in binary or memory: prefer to use #EXT-X-START if it's in playlist instead of live_start_index
Source: ffprobe.exe	String found in binary or memory: ;live_start_indexsegment index to start live streams at (negative values are from the end)prefer_x_startprefer to use #EXT-X-START if it's in playlist instead of live_start_indexallowed_extensionsList of file extensions that hls is allowed to access3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wavmax_reloadMaximum number of times a insufficient list is attempted to be reloadedm3u8_hold_countersThe maximum number of times to load m3u8 when it refreshes without new segmentshttp_persistentUse persistent HTTP connectionshttp_multipleUse multiple HTTP connections for fetching segmentshttp_seekableUse HTTP partial requests, 0 = disable, 1 = enable, -1 = autoseg_format_optionsSet options for segment demuxerseg_max_retryMaximum number of times to reload a segment on error.
Source: ffprobe.exe	String found in binary or memory: start/stop audio
Source: ffprobe.exe	String found in binary or memory: start/stop audio

Source: unknown	Process created: C:\Users\user\Desktop\ffprobe.exe "C:\Users\user\Desktop\ffprobe.exe"
Source: C:\Users\user\Desktop\ffprobe.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\ffprobe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffprobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffprobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffprobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffprobe.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffprobe.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffprobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffprobe.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ffprobe.exe	Section loaded: ntasn1.dll	Jump to behavior

Source: ffprobe.exe

Static PE information: More than 235 > 100 exports found

Source: ffprobe.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ffprobe.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: ffprobe.exe

Static file information: File size 85333504 > 1048576

Source: ffprobe.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x421a000
Source: ffprobe.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x12da00
Source: ffprobe.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xb93800
Source: ffprobe.exe	Static PE information: Raw size of .xdata is bigger than: 0x100000 < 0x14ca00

Source: ffprobe.exe

Static PE information: More than 200 imports for msvcrt.dll

Source: ffprobe.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: ffprobe.exe	Static PE information: section name: .rodata
Source: ffprobe.exe	Static PE information: section name: .xdata

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: ffprobe.exe, 00000000.00000002.1344065345.000001F23E0BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ffprobe.exe, 00000000.00000002.1344065345.000001F23E0BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA693000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: vmncVMware Screen Codec / VMware Video@
Source: ffprobe.exe	Binary or memory string: VMware Screen Codec / VMware Video

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Process Injection	11 Input Capture	1 Security Software Discovery	Remote Services	11 Input Capture	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ffprobe.exe	3%	ReversingLabs

Source	Detection	Scanner	Label
http://dashif.org/guidelines/last-segment-number	0%	URL Reputation	safe
http://dashif.org/guidelines/trickmode	0%	URL Reputation	safe
http://relaxng.org/ns/structure/1.0	0%	URL Reputation	safe
http://schismtracker.org/	0%	Avira URL Cloud	safe
http://WWW-Authenticate:Proxy-Authenticate:Content-Encoding:gzip1.3.1Content-Length:	0%	Avira URL Cloud	safe
https://kode54.net/)	0%	Avira URL Cloud	safe
https://www.3eality.com/	0%	Avira URL Cloud	safe
https://joaobapt.com/)	0%	Avira URL Cloud	safe
http://lame.sf.net64bits	0%	Avira URL Cloud	safe
http://www.smpte-ra.org/schemas/2067-3/2013#standard-markers	0%	Avira URL Cloud	safe
https://bel.fi/alankila/modguide/interpolate.txt	0%	Avira URL Cloud	safe
http://www.smpte-ra.org/schemas/2067-3/2013#standard-markersInvalid	0%	Avira URL Cloud	safe
https://revenant1.net/)	0%	Avira URL Cloud	safe
http://relaxng.org/ns/structure/1.0datatypeLibrary:/#?includegrammardefinenamestartInternal	0%	Avira URL Cloud	safe
http://xaimus.com/)	0%	Avira URL Cloud	safe
http://www.brynosaurus.com/cachedir/	0%	Avira URL Cloud	safe
https://coda.s3m.us/)	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		unknown
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://x265.org	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AAE47000.00000002.00000001.01000000.00000003.sdmp	false		high
https://kode54.net/)	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://twitter.com/daniel_collin	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/nothings/stb/	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/iamgreaser/it2everything/	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false		high
https://joaobapt.com/)	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://schismtracker.org/	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd	ffprobe.exe	false		high
http://lame.sf.net64bits	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AAD5E000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false		high
https://bel.fi/alankila/modguide/interpolate.txt	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.3eality.com/	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://dashif.org/guidelines/last-segment-number	ffprobe.exe	false	URL Reputation: safe	unknown
http://www.smpte-ra.org/schemas/2067-3/2013#standard-markersInvalid	ffprobe.exe	false	Avira URL Cloud: safe	unknown
http://www.smpte-ra.org/schemas/2067-3/2013#standard-markers	ffprobe.exe	false	Avira URL Cloud: safe	unknown
http://WWW-Authenticate:Proxy-Authenticate:Content-Encoding:gzip1.3.1Content-Length:	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	low
https://revenant1.net/)	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://lame.sf.net	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AAD5E000.00000002.00000001.01000000.00000003.sdmp	false		high
http://relaxng.org/ns/structure/1.0datatypeLibrary:/#?includegrammardefinenamestartInternal	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/viiri/st2play	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false		high
https://streams.videolan.org/upload/	ffprobe.exe	false		high
https://coda.s3m.us/)	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/ryuhei-mori/tinyfft	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.videolan.org/x264.html	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AAE47000.00000002.00000001.01000000.00000003.sdmp	false		high
http://xaimus.com/)	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://dashif.org/guidelines/trickmode	ffprobe.exe	false	URL Reputation: safe	unknown
http://www.brynosaurus.com/cachedir/	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/lieff/minimp3/	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false		high
http://modplug-xmms.sourceforge.net/	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false		high
http://relaxng.org/ns/structure/1.0	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://github.com/lclevy/unmo3	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/richgel999/miniz	ffprobe.exe, 00000000.00000000.1339260344.00007FF6AA9A9000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.gnu.org/licenses/	ffprobe.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431132
Start date and time:	2024-04-24 16:08:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ffprobe.exe
Detection:	CLEAN
Classification:	clean3.winEXE@2/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com, time.windows.com, wu-bg-shim.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: ffprobe.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	https://microloft.net/?r=8e28e856-be8d-4446-a396-cdcd78169ab8&rg=eu	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://colmec.it/category/news	Get hash	malicious	Unknown	Browse	192.229.211.108
	http://gnoticiasimparciais.com	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://insidesales-email.com/l/1/17013047/Y/eus.p01-2019.10.02-460581/1/ab/4K6W-nzk0hr_GKydLIdUc0LK4HrUUeoMK4jMzee40WM?lnk=https://cd14fe4e.2690c0a545a7f22e8ae6844c.workers.dev/?qrc=barbara.rentler@ros.com	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	https://www.linkedin.com/redir/redirect?url=https%3A%2F%2Flookerstudio%2Egoogle%2Ecom%2Fs%2FscrHqwjeA3k&urlhash=dcQj&trk=public_profile-settings_topcard-website	Get hash	malicious	Unknown	Browse	192.229.211.108
	http://p.ksrndkehqnwntyxlhgto.com	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://www.serserijeans.com/kdy9bFe5glari2Px0qak17sdy9nFe5k17	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://colmec.it/category/news	Get hash	malicious	Unknown	Browse	192.229.211.108
	http://ustteam.com/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://2h.ae/HWtB	Get hash	malicious	Unknown	Browse	192.229.211.108
bg.microsoft.map.fastly.net	https://colmec.it/category/news	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://gnoticiasimparciais.com	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://www.linkedin.com/redir/redirect?url=https%3A%2F%2Flookerstudio%2Egoogle%2Ecom%2Fs%2FscrHqwjeA3k&urlhash=dcQj&trk=public_profile-settings_topcard-website	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://p.ksrndkehqnwntyxlhgto.com	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://colmec.it/category/news	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://ustteam.com/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://www.clinical-partners.co.uk	Get hash	malicious	Unknown	Browse	199.232.214.172
	EQxFL1u3m1.exe	Get hash	malicious	Quasar	Browse	199.232.214.172
	https://bafybeialjrwo2ct3n2glolpm3zfawtv73xej3opbbgjsfewkonoew4x5xe.ipfs.cf-ipfs.com/?sourceId=ukcompanyformations@vistra.com	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://stake.libertariancounterpoint.com	Get hash	malicious	Unknown	Browse	199.232.214.172

File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.764206294678089
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	ffprobe.exe
File size:	85'333'504 bytes
MD5:	f541b1e02ad904057651a9457b7bc199
SHA1:	91feeb7b66e537f054d6b6b58aac2b3d046875a4
SHA256:	72c01f83221e3da073ab2659416c59f96266679044f39b7a58cfa783731efaf2
SHA512:	e1b1be2ef915d421fc74ccd7d542e9b5ae95cc31bfcd62dc2c832a335093dc40dfcc80f7769514ba6f61ab2258d579cf68c9da878f3f94acadfe0e9d02e01c47
SSDEEP:	1572864:+KHRgX1rOArdwdcYS/aEHBt6w5Hnflkg+rkVRJsZRw+cJfagAoCFht:3H
TLSH:	2C189E9EE2D350DCD12BD4F043AAF773BA34787D11206A7A26D99A306E22F80575EF14
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...{..f...............*..!......p.............@....................................9.....`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400013f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x660FA07B [Fri Apr 5 06:55:55 2024 UTC]
TLS Callbacks:	0x41a51440, 0x1, 0x410dd0b0, 0x1, 0x410dd080, 0x1, 0x4144e5e0, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	8466d902df9051ea3276b5545e11dcc8

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [04DFD8E5h]
mov dword ptr [eax], 00000000h
call 00007F67255CBF3Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F6729548DA4h
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F67255CC199h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push esi
push ebx
dec eax
sub esp, 38h
dec eax
lea esi, dword ptr [esp+58h]
dec eax
mov dword ptr [esp+58h], edx
dec eax
mov ebx, ecx
mov ecx, 00000001h
dec esp
mov dword ptr [esp+60h], eax
dec esp
mov dword ptr [esp+68h], ecx
dec eax
mov dword ptr [esp+28h], esi
call dword ptr [04344283h]
dec ecx
mov eax, esi
dec eax
mov edx, ebx
dec eax
mov ecx, eax
call 00007F672701EA5Ah
dec eax
add esp, 38h
pop ebx
pop esi
ret
nop word ptr [eax+eax+00000000h]
nop dword ptr [eax]
dec eax
sub esp, 38h
dec esp
mov dword ptr [esp+50h], eax
dec esp
lea eax, dword ptr [esp+50h]
dec esp
mov dword ptr [esp+58h], ecx
dec esp
mov dword ptr [esp+28h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x6921000	0x1a20	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6923000	0x6f70	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x692c000	0x730	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4ee1000	0xeb0f8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x692d000	0x41140	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x48348e0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x69249c8	0x1838	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4219e70	0x421a000	58e91fbe50b7fc63c3878021942afca5	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x421b000	0x12d9c0	0x12da00	005691ea396f18cd6fa5e056f21e7b1e	False	0.14995030175093244	firmware c037 v3544 (revision 16777216) 0 (region 402653184), 16777216 bytes or less, UNKNOWN1 0x18000000, UNKNOWN2 0x1000000, UNKNOWN3 0xe08e0040, at 0 0 bytes , at 0x40950040 16777216 bytes , at 0x2000000	4.837258769237468	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rodata	0x4349000	0x39cc	0x3a00	a64f76b5697ad7b396a3eb484e6a487a	False	0.26589439655172414	data	5.855705171693117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x434d000	0xb93740	0xb93800	ce52d3c3546a73ace793529eccddae45	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x4ee1000	0xeb0f8	0xeb200	d2a8fe7bab130d7956c60f82a5137945	False	0.5455749933545986	data	7.021606465327417	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x4fcd000	0x14c93c	0x14ca00	43638bb34655fadb48577fdea647d31e	False	0.1795774027621195	data	5.2027746423956405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x511a000	0x1806f30	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x6921000	0x1a20	0x1c00	3018f0d3f116ef801f96ba8076b45ecf	False	0.4320591517857143	data	5.70057387689163	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x6923000	0x6f70	0x7000	c96febdff662d022444bf4a2a2ab3bcd	False	0.2777622767857143	data	5.018355100343392	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x692a000	0x70	0x200	eb0e193e47d07bcf354cd282929bcc91	False	0.091796875	data	0.5019639270558709	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x692b000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x692c000	0x730	0x800	d2653991b4d76dcf5542bff56e2f56cb	False	0.14794921875	data	2.114214149621193	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x692d000	0x41140	0x41200	1f2113a68cb7c08d571cb7b9025d3d42	False	0.21512491002879078	data	5.484715084382057	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x692c058	0x1ef	XML 1.0 document, ASCII text	English	United States	0.498989898989899

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextW, CryptCreateHash, CryptDecrypt, CryptDestroyHash, CryptGenRandom, CryptGetHashParam, CryptGetProvParam, CryptReleaseContext, CryptSetHashParam, CryptSetProvParam, CryptSignHashA, DeregisterEventSource, GetUserNameA, InitializeSecurityDescriptor, RegCloseKey, RegEnumKeyExW, RegEnumValueW, RegOpenKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RegisterEventSourceW, ReportEventW, SetSecurityDescriptorDacl, SystemFunction036
bcrypt.dll	BCryptCloseAlgorithmProvider, BCryptGenRandom, BCryptOpenAlgorithmProvider
CRYPT32.dll	CertCloseStore, CertDeleteCertificateFromStore, CertEnumCRLsInStore, CertEnumCertificatesInStore, CertFindCertificateInStore, CertFreeCertificateContext, CertGetCertificateContextProperty, CertOpenStore, CertOpenSystemStoreW, PFXImportCertStore
GDI32.dll	BitBlt, ChoosePixelFormat, CombineRgn, CreateBitmap, CreateCompatibleBitmap, CreateCompatibleDC, CreateDCW, CreateDIBSection, CreateFontIndirectW, CreateFontW, CreatePen, CreateRectRgn, CreateSolidBrush, DeleteDC, DeleteObject, DescribePixelFormat, EnumFontFamiliesW, ExtTextOutW, GetDIBColorTable, GetDIBits, GetDeviceCaps, GetDeviceGammaRamp, GetICMProfileW, GetObjectA, GetPixelFormat, GetStockObject, GetTextExtentPoint32A, GetTextExtentPoint32W, GetTextFaceW, GetTextMetricsW, Rectangle, SelectObject, SetBkMode, SetDeviceGammaRamp, SetPixelFormat, SetTextColor, SwapBuffers
IMM32.dll	ImmAssociateContext, ImmGetCandidateListW, ImmGetCompositionStringW, ImmGetContext, ImmGetIMEFileNameA, ImmNotifyIME, ImmReleaseContext, ImmSetCandidateWindow, ImmSetCompositionStringW, ImmSetCompositionWindow
IPHLPAPI.DLL	GetAdaptersAddresses, if_indextoname, if_nametoindex
KERNEL32.dll	AcquireSRWLockExclusive, AcquireSRWLockShared, AreFileApisANSI, CancelIo, CancelIoEx, CloseHandle, CompareStringA, ConvertFiberToThread, ConvertThreadToFiberEx, CreateDirectoryW, CreateEventA, CreateEventW, CreateFiberEx, CreateFileA, CreateFileMappingA, CreateFileW, CreateMutexA, CreateSemaphoreA, CreateSemaphoreW, CreateThread, DeleteCriticalSection, DeleteFiber, DeviceIoControl, DuplicateHandle, EnterCriticalSection, ExitProcess, FileTimeToSystemTime, FindClose, FindFirstFileA, FindFirstFileExW, FindFirstFileW, FindNextFileW, FormatMessageA, FormatMessageW, FreeLibrary, GetACP, GetCommandLineW, GetComputerNameA, GetConsoleMode, GetConsoleScreenBufferInfo, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentVariableA, GetEnvironmentVariableW, GetExitCodeThread, GetFileAttributesA, GetFileAttributesExA, GetFileAttributesW, GetFileInformationByHandle, GetFileSize, GetFileSizeEx, GetFileTime, GetFileType, GetFinalPathNameByHandleA, GetFullPathNameA, GetFullPathNameW, GetHandleInformation, GetLastError, GetLocaleInfoA, GetLongPathNameA, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExA, GetModuleHandleExW, GetModuleHandleW, GetNumaHighestNodeNumber, GetNumaNodeProcessorMaskEx, GetOverlappedResult, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetProcessTimes, GetStdHandle, GetSystemDirectoryA, GetSystemDirectoryW, GetSystemInfo, GetSystemPowerStatus, GetSystemTime, GetSystemTimeAdjustment, GetSystemTimeAsFileTime, GetTempPathA, GetThreadContext, GetThreadPriority, GetThreadTimes, GetTickCount, GetTimeZoneInformation, GetVersion, GetWindowsDirectoryA, GlobalAlloc, GlobalLock, GlobalMemoryStatusEx, GlobalUnlock, HeapAlloc, HeapFree, HeapReAlloc, InitOnceBeginInitialize, InitOnceComplete, InitializeConditionVariable, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSRWLock, IsDBCSLeadByteEx, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadLibraryExW, LoadLibraryW, LocalFree, MapViewOfFile, MoveFileExA, MoveFileExW, MulDiv, MultiByteToWideChar, OpenFileMappingA, OpenProcess, OutputDebugStringA, OutputDebugStringW, PeekNamedPipe, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadConsoleA, ReadConsoleW, ReadFile, RegisterWaitForSingleObject, ReleaseMutex, ReleaseSRWLockExclusive, ReleaseSRWLockShared, ReleaseSemaphore, ResetEvent, ResumeThread, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetConsoleMode, SetConsoleTextAttribute, SetDllDirectoryA, SetEnvironmentVariableA, SetErrorMode, SetEvent, SetFilePointer, SetFilePointerEx, SetHandleInformation, SetLastError, SetProcessAffinityMask, SetSystemTime, SetThreadContext, SetThreadErrorMode, SetThreadExecutionState, SetThreadGroupAffinity, SetThreadPriority, SetUnhandledExceptionFilter, SignalObjectAndWait, Sleep, SleepConditionVariableCS, SuspendThread, SwitchToFiber, SwitchToThread, SystemTimeToFileTime, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnmapViewOfFile, UnregisterWait, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualFree, VirtualLock, VirtualProtect, VirtualQuery, VirtualUnlock, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler, lstrcmpiW
msvcrt.dll	___lc_codepage_func, ___mb_cur_max_func, __argv, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _access, _access, _aligned_free, _aligned_malloc, _aligned_realloc, _amsg_exit, _assert, _beginthreadex, _cexit, _chmod, _close, _commode, _close, _dup, _dup2, _endthreadex, _environ, _errno, _exit, _fdopen, _filelengthi64, _fileno, _findclose, _fileno, _findfirst64, _findnext64, _fmode, _fstat64, _ftime64, _fullpath, _get_osfhandle, _getcwd, _getmaxstdio, _getpid, _gmtime64, _hypot, _i64toa, _initterm, _isatty, _isctype, _itoa, _localtime64, _lock, _locking, _lseeki64, _ltoa, _mbsrchr, _mkdir, _mkdir, _mktime64, _onexit, _open, _open, _open_osfhandle, _read, _rmdir, _rmdir, _nextafter, _setjmp, _setmaxstdio, _setmode, _setmode, _sopen, _stat64, _strdup, _strdup, _stricmp, _strlwr, _strnicmp, _strrev, _strtoi64, _strtoui64, _strtoui64, _strupr, _time64, _timezone, _ui64toa, _ultoa, _unlink, _unlink, _unlock, _vscprintf, _vsnprintf, _vsnwprintf, _waccess, _wassert, _wcsdup, _wcsicmp, _wcsnicmp, _wfindfirst64, _wfindnext64, _wfopen, _wfullpath, _wgetenv, _wmkdir, _wopen, _wrename, _write, _wrmdir, _wsopen, _wstat64, _wunlink, abort, acos, asin, atan, atof, atoi, bsearch, calloc, clock, cosh, div, exit, fclose, feof, ferror, fflush, fgetc, fgetpos, fgets, fopen, fopen_s, fprintf, fputc, fputs, fread, free, fsetpos, fseek, ftell, fwrite, getc, getchar, getenv, getwc, isalnum, isalpha, iscntrl, isgraph, islower, isprint, ispunct, isspace, isupper, iswctype, isxdigit, localeconv, log10, longjmp, malloc, mbstowcs, memchr, memcmp, memcpy, memmove, memset, perror, printf, putc, putwc, qsort, raise, rand, realloc, rename, rewind, setlocale, setvbuf, signal, sinh, sprintf, srand, strcat, strchr, strcmp, strcoll, strcpy, strcpy_s, strcspn, strerror, strftime, strlen, strncat, strncmp, strncpy, strncpy_s, strpbrk, strrchr, strspn, strstr, strtok, strtok_s, strtol, strtoul, strxfrm, tan, tanh, tolower, toupper, towlower, towupper, ungetwc, ungetc, vfprintf, wcscat, wcscmp, wcscoll, wcscpy, wcscpy_s, wcsftime, wcslen, wcsncmp, wcsrchr, wcsstr, wcstombs, wcstombs_s, wcstoul, wcsxfrm
ncrypt.dll	NCryptDecrypt, NCryptDeleteKey, NCryptFreeObject, NCryptGetProperty, NCryptOpenKey, NCryptOpenStorageProvider, NCryptSignHash
ole32.dll	CLSIDFromString, CoCreateInstance, CoGetMalloc, CoInitialize, CoInitializeEx, CoTaskMemAlloc, CoTaskMemFree, CoUninitialize, CreateBindCtx, OleLoadFromStream, OleSaveToStream, PropVariantClear, StringFromGUID2
OLEAUT32.dll	OleCreatePropertyFrame, SysFreeString
SETUPAPI.dll	CM_Get_Device_IDA, CM_Get_Parent, CM_Locate_DevNodeA, SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiEnumDeviceInterfaces, SetupDiGetClassDevsA, SetupDiGetDeviceInterfaceDetailA, SetupDiGetDeviceRegistryPropertyA
SHELL32.dll	CommandLineToArgvW, DragAcceptFiles, DragFinish, DragQueryFileW, ExtractIconExW, SHGetFolderPathW, SHGetSpecialFolderPathA, ShellExecuteW
SHLWAPI.dll	SHCreateStreamOnFileA
USER32.dll	AdjustWindowRectEx, AttachThreadInput, BeginPaint, CallNextHookEx, CallWindowProcW, ChangeDisplaySettingsExW, ClientToScreen, ClipCursor, CloseClipboard, CopyIcon, CopyImage, CreateIconFromResource, CreateIconIndirect, CreateWindowExA, CreateWindowExW, DefWindowProcA, DefWindowProcW, DestroyCursor, DestroyIcon, DestroyWindow, DialogBoxIndirectParamW, DispatchMessageA, DispatchMessageW, DrawIcon, DrawTextW, EmptyClipboard, EndDialog, EndPaint, EnumDisplayDevicesW, EnumDisplayMonitors, EnumDisplaySettingsW, FillRect, FindWindowW, FlashWindowEx, FrameRect, GetAsyncKeyState, GetClassInfoExW, GetClientRect, GetClipCursor, GetClipboardData, GetClipboardSequenceNumber, GetCursorInfo, GetCursorPos, GetDC, GetDesktopWindow, GetDlgItem, GetDoubleClickTime, GetFocus, GetForegroundWindow, GetIconInfo, GetKeyState, GetKeyboardLayout, GetKeyboardState, GetMenu, GetMessageExtraInfo, GetMessageW, GetMonitorInfoW, GetParent, GetProcessWindowStation, GetPropW, GetRawInputData, GetRawInputDeviceInfoA, GetRawInputDeviceList, GetSystemMetrics, GetUpdateRect, GetUserObjectInformationW, GetWindowLongPtrA, GetWindowLongPtrW, GetWindowLongW, GetWindowRect, GetWindowTextLengthW, GetWindowTextW, GetWindowThreadProcessId, IntersectRect, InvalidateRect, IsClipboardFormatAvailable, IsIconic, KillTimer, LoadCursorA, LoadCursorW, LoadIconW, MapVirtualKeyW, MessageBoxA, MessageBoxW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow, MsgWaitForMultipleObjects, OpenClipboard, PeekMessageA, PeekMessageW, PostMessageW, PostThreadMessageW, PtInRect, RegisterClassExA, RegisterClassExW, RegisterClassW, RegisterDeviceNotificationW, RegisterRawInputDevices, RegisterWindowMessageA, ReleaseCapture, ReleaseDC, RemovePropW, ScreenToClient, SendMessageA, SendMessageW, SetActiveWindow, SetCapture, SetClipboardData, SetCursor, SetCursorPos, SetFocus, SetForegroundWindow, SetLayeredWindowAttributes, SetPropW, SetTimer, SetWindowLongPtrA, SetWindowLongPtrW, SetWindowLongW, SetWindowPos, SetWindowRgn, SetWindowTextW, SetWindowsHookExW, ShowWindow, SystemParametersInfoA, SystemParametersInfoW, ToUnicode, TrackMouseEvent, TranslateMessage, UnhookWindowsHookEx, UnregisterClassA, UnregisterClassW, UnregisterDeviceNotification, ValidateRect
VERSION.dll	GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
AVICAP32.dll	capCreateCaptureWindowA, capGetDriverDescriptionA
WINMM.dll	timeBeginPeriod, timeEndPeriod, waveInAddBuffer, waveInClose, waveInGetDevCapsW, waveInGetNumDevs, waveInOpen, waveInPrepareHeader, waveInReset, waveInStart, waveInUnprepareHeader, waveOutClose, waveOutGetDevCapsW, waveOutGetErrorTextW, waveOutGetNumDevs, waveOutOpen, waveOutPrepareHeader, waveOutReset, waveOutUnprepareHeader, waveOutWrite
WS2_32.dll	WSACleanup, WSACloseEvent, WSACreateEvent, WSAEventSelect, WSAGetLastError, WSAGetOverlappedResult, WSAIoctl, WSARecvFrom, WSAResetEvent, WSASendTo, WSASetLastError, WSASocketA, WSAStartup, WSAStringToAddressA, WSAWaitForMultipleEvents, __WSAFDIsSet, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, gethostbyaddr, gethostbyname, gethostname, getnameinfo, getpeername, getservbyname, getservbyport, getsockname, getsockopt, htonl, htons, inet_addr, inet_ntoa, inet_ntop, inet_pton, ioctlsocket, listen, ntohl, ntohs, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket

Exports

Name	Ordinal	Address
FT_Activate_Size	1	0x141290df0
FT_Add_Default_Modules	2	0x141299950
FT_Add_Module	3	0x141295a20
FT_Angle_Diff	4	0x141295180
FT_Atan2	5	0x141294c70
FT_Attach_File	6	0x1412954f0
FT_Attach_Stream	7	0x141295400
FT_Bitmap_Blend	8	0x1412f78d0
FT_Bitmap_Convert	9	0x1412f6c70
FT_Bitmap_Copy	10	0x1412f6a80
FT_Bitmap_Done	11	0x1412f8120
FT_Bitmap_Embolden	12	0x1412f71e0
FT_Bitmap_Init	13	0x1412f6a40
FT_Bitmap_New	14	0x1412f6a60
FT_CeilFix	15	0x14128dc40
FT_Cos	16	0x141294af0
FT_DivFix	17	0x14128dd80
FT_Done_Face	18	0x14128f560
FT_Done_FreeType	19	0x141299be0
FT_Done_Glyph	20	0x1412f8f20
FT_Done_Library	21	0x1412914d0
FT_Done_MM_Var	22	0x1412f9290
FT_Done_Size	23	0x14128f620
FT_Error_String	24	0x14128e880
FT_Face_GetCharVariantIndex	25	0x141290d80
FT_Face_GetCharVariantIsDefault	26	0x141290d30
FT_Face_GetCharsOfVariant	27	0x141290c40
FT_Face_GetVariantSelectors	28	0x141290ce0
FT_Face_GetVariantsOfChar	29	0x141290c90
FT_Face_Properties	30	0x1412905a0
FT_FloorFix	31	0x14128dc50
FT_Get_Advance	32	0x141296c50
FT_Get_Advances	33	0x1412969f0
FT_Get_BDF_Charset_ID	34	0x1413cd9d0
FT_Get_BDF_Property	35	0x1413cda90
FT_Get_CMap_Format	36	0x141290ad0
FT_Get_CMap_Language_ID	37	0x141290a50
FT_Get_Char_Index	38	0x141290440
FT_Get_Charmap_Index	39	0x141290400
FT_Get_Color_Glyph_ClipBox	40	0x1412917c0
FT_Get_Color_Glyph_Layer	41	0x141291730
FT_Get_Color_Glyph_Paint	42	0x141291780
FT_Get_Colorline_Stops	43	0x141291890
FT_Get_Default_Named_Instance	44	0x1412f9be0
FT_Get_First_Char	45	0x141290510
FT_Get_Font_Format	46	0x14128e890
FT_Get_Glyph	47	0x1412f8a00
FT_Get_Glyph_Name	48	0x141290720
FT_Get_Kerning	49	0x141290120
FT_Get_MM_Blend_Coordinates	50	0x1412f98d0
FT_Get_MM_Var	51	0x1412f91b0
FT_Get_MM_WeightVector	52	0x1412f9440
FT_Get_Module	53	0x141291000
FT_Get_Multi_Master	54	0x1412f90d0
FT_Get_Name_Index	55	0x141290670
FT_Get_Next_Char	56	0x141290470
FT_Get_PS_Font_Info	57	0x1413cdb10
FT_Get_PS_Font_Private	58	0x1413cdbd0
FT_Get_PS_Font_Value	59	0x1413cdc40
FT_Get_Paint	60	0x141291840
FT_Get_Paint_Layers	61	0x141291800
FT_Get_Postscript_Name	62	0x141290830
FT_Get_Renderer	63	0x141290e90
FT_Get_Sfnt_LangTag	64	0x141293620
FT_Get_Sfnt_Name	65	0x141293500
FT_Get_Sfnt_Name_Count	66	0x1412932f0
FT_Get_Sfnt_Table	67	0x1412908d0
FT_Get_SubGlyph_Info	68	0x1412916a0
FT_Get_Track_Kerning	69	0x1412902e0
FT_Get_Transform	70	0x14128f510
FT_Get_TrueType_Engine_Type	71	0x141291650
FT_Get_Var_Axis_Flags	72	0x1412f9a90
FT_Get_Var_Blend_Coordinates	73	0x1412f99b0
FT_Get_Var_Design_Coordinates	74	0x1412f9680
FT_Get_X11_Font_Format	75	0x14128e8c0
FT_GlyphSlot_Own_Bitmap	76	0x1412f8070
FT_Glyph_Copy	77	0x1412f8800
FT_Glyph_Get_CBox	78	0x1412f8b70
FT_Glyph_Stroke	79	0x1412fc5a0
FT_Glyph_StrokeBorder	80	0x1412fc6f0
FT_Glyph_To_Bitmap	81	0x1412f8c20
FT_Glyph_Transform	82	0x1412f8b10
FT_Has_PS_Glyph_Names	83	0x1413cdb80
FT_Init_FreeType	84	0x141299b50
FT_Library_SetLcdFilter	85	0x14128ef70
FT_Library_SetLcdFilterWeights	86	0x14128ef60
FT_Library_SetLcdGeometry	87	0x14128ef80
FT_Library_Version	88	0x141291490
FT_List_Add	89	0x141299790
FT_List_Finalize	90	0x1412998e0
FT_List_Find	91	0x141299760
FT_List_Insert	92	0x1412997d0
FT_List_Iterate	93	0x141299890
FT_List_Remove	94	0x141299800
FT_List_Up	95	0x141299840
FT_Load_Char	96	0x141296db0
FT_Load_Glyph	97	0x1412961f0
FT_Load_Sfnt_Table	98	0x141290930
FT_Matrix_Invert	99	0x14128df30
FT_Matrix_Multiply	100	0x14128ddf0
FT_MulDiv	101	0x14128dc60
FT_MulFix	102	0x14128dd60
FT_New_Face	103	0x141297930
FT_New_Glyph	104	0x1412f8910
FT_New_Library	105	0x1412913f0
FT_New_Memory_Face	106	0x1412987e0
FT_New_Size	107	0x141295860
FT_Open_Face	108	0x141298860
FT_Outline_Check	109	0x141291d60
FT_Outline_Copy	110	0x141291de0
FT_Outline_Decompose	111	0x1412918d0
FT_Outline_Done	112	0x141291e90
FT_Outline_Embolden	113	0x141292eb0
FT_Outline_EmboldenXY	114	0x1412929a0
FT_Outline_GetInsideBorder	115	0x1412fb8d0
FT_Outline_GetOutsideBorder	116	0x1412fb8f0
FT_Outline_Get_Bitmap	117	0x1412925e0
FT_Outline_Get_CBox	118	0x141291f50
FT_Outline_Get_Orientation	119	0x1412927c0
FT_Outline_New	120	0x141299300
FT_Outline_Render	121	0x141292460
FT_Outline_Reverse	122	0x1412923b0
FT_Outline_Transform	123	0x1412926f0
FT_Outline_Translate	124	0x141292360
FT_Palette_Data_Get	125	0x14128e760
FT_Palette_Select	126	0x14128e7e0
FT_Palette_Set_Foreground_Color	127	0x14128e850
FT_Property_Get	128	0x141291390
FT_Property_Set	129	0x141291370
FT_Reference_Face	130	0x14128f540
FT_Reference_Library	131	0x1412913d0
FT_Remove_Module	132	0x141291130
FT_Render_Glyph	133	0x1412961b0
FT_Request_Size	134	0x14128fea0
FT_RoundFix	135	0x14128dc20
FT_Select_Charmap	136	0x141290370
FT_Select_Size	137	0x14128fe30
FT_Set_Char_Size	138	0x14128ffd0
FT_Set_Charmap	139	0x141290b50
FT_Set_Debug_Hook	140	0x141291620
FT_Set_Default_Log_Handler	141	0x1412fccd0
FT_Set_Default_Properties	142	0x141299990
FT_Set_Log_Handler	143	0x1412fccc0
FT_Set_MM_Blend_Coordinates	144	0x1412f9760
FT_Set_MM_Design_Coordinates	145	0x1412f92c0
FT_Set_MM_WeightVector	146	0x1412f9380
FT_Set_Named_Instance	147	0x1412f9ab0
FT_Set_Pixel_Sizes	148	0x141290080
FT_Set_Renderer	149	0x141290ed0
FT_Set_Transform	150	0x14128f480
FT_Set_Var_Blend_Coordinates	151	0x1412f98c0
FT_Set_Var_Design_Coordinates	152	0x1412f9520
FT_Sfnt_Table_Info	153	0x1412909c0
FT_Sin	154	0x141294b40
FT_Stream_OpenLZW	155	0x1412e97d0
FT_Stroker_BeginSubPath	156	0x1412fbd20
FT_Stroker_ConicTo	157	0x1412fbcc0
FT_Stroker_CubicTo	158	0x1412fbcf0
FT_Stroker_Done	159	0x1412fba70
FT_Stroker_EndSubPath	160	0x1412fbd80
FT_Stroker_Export	161	0x1412fc140
FT_Stroker_ExportBorder	162	0x1412fc110
FT_Stroker_GetBorderCounts	163	0x1412fbfd0
FT_Stroker_GetCounts	164	0x1412fc060
FT_Stroker_LineTo	165	0x1412fbb50
FT_Stroker_New	166	0x1412fb910
FT_Stroker_ParseOutline	167	0x1412fc190
FT_Stroker_Rewind	168	0x1412fba40
FT_Stroker_Set	169	0x1412fb9f0
FT_Tan	170	0x141294b90
FT_Trace_Set_Default_Level	171	0x1412fccb0
FT_Trace_Set_Level	172	0x1412fcca0
FT_Vector_From_Polar	173	0x141295150
FT_Vector_Length	174	0x141294ec0
FT_Vector_Polarize	175	0x141295040
FT_Vector_Rotate	176	0x141294d30
FT_Vector_Transform	177	0x141292650
FT_Vector_Unit	178	0x141294cf0
TT_New_Context	179	0x1412a8300
TT_RunIns	180	0x1412a5240
gme_ay_type	181	0x144a35be0
gme_clear_playlist	182	0x141673de0
gme_delete	183	0x141673a80
gme_enable_accuracy	184	0x141673db0
gme_equalizer	185	0x141673e80
gme_free_info	186	0x141673c70
gme_gbs_type	187	0x144a35d78
gme_gym_type	188	0x144a35ef0
gme_hes_type	189	0x144a36120
gme_identify_extension	190	0x141673510
gme_identify_file	191	0x141673ec0
gme_identify_header	192	0x141673410
gme_ignore_silence	193	0x141673d70
gme_kss_type	194	0x144a36298
gme_load_custom	195	0x141673a50
gme_load_data	196	0x1416740f0
gme_load_file	197	0x141673a40
gme_multi_channel	198	0x141673e00
gme_mute_voice	199	0x141673d90
gme_mute_voices	200	0x141673da0
gme_new_emu	201	0x141673790
gme_new_emu_multi_channel	202	0x1416738e0
gme_nsf_type	203	0x144a36728
gme_nsfe_type	204	0x144a36840
gme_open_data	205	0x141674140
gme_open_file	206	0x141673f90
gme_play	207	0x141673cf0
gme_sap_type	208	0x144a369d0
gme_seek	209	0x141673d40
gme_seek_samples	210	0x141673d50
gme_set_autoload_playback_limit	211	0x141673600
gme_set_equalizer	212	0x141673e20
gme_set_fade	213	0x141673d00
gme_set_stereo_depth	214	0x141673c90
gme_set_tempo	215	0x141673d80
gme_set_user_cleanup	216	0x141673cd0
gme_set_user_data	217	0x141673cc0
gme_spc_type	218	0x144a36ba0
gme_start_track	219	0x141673ce0
gme_tell	220	0x141673d20
gme_tell_samples	221	0x141673d30
gme_track_count	222	0x141673ac0
gme_track_ended	223	0x141673d10
gme_track_info	224	0x141673ad0
gme_type	225	0x141673aa0
gme_type_extension	226	0x1416735e0
gme_type_list	227	0x141673300
gme_type_multitrack	228	0x141673df0
gme_type_system	229	0x141673eb0
gme_user_data	230	0x141673cb0
gme_vgm_type	231	0x144a36e70
gme_vgz_type	232	0x144a36e20
gme_voice_count	233	0x141673d60
gme_voice_name	234	0x141673ea0
gme_warning	235	0x141673ab0
gme_wrong_file_type	236	0x144a35a30

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 16:09:32.075695038 CEST	1.1.1.1	192.168.2.7	0xe8c5	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 16:09:32.075695038 CEST	1.1.1.1	192.168.2.7	0xe8c5	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 24, 2024 16:09:33.044040918 CEST	1.1.1.1	192.168.2.7	0x3715	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 24, 2024 16:09:33.044040918 CEST	1.1.1.1	192.168.2.7	0x3715	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	16:09:21
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\ffprobe.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ffprobe.exe"
Imagebase:	0x7ff6a60e0000
File size:	85'333'504 bytes
MD5 hash:	F541B1E02AD904057651A9457B7BC199
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:09:22
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ffprobe.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: ffprobe.exePID: 7284, Parent PID: 4056

General

Chronological Activities

Analysis Process: conhost.exePID: 7336, Parent PID: 7284

General

Chronological Activities

Disassembly

Windows Analysis Report
ffprobe.exe