
ID: 286879
Sample Name: DirectoryListPrintPro.exe
Cookbook: default.jbs
Time: 11:44:39
Date: 17/09/2020
Version: 30.0.0 Red Diamond

Table of Contents

Table of Contents 2
Analysis Report DirectoryListPrintPro.exe 4
Overview 4
General Information 4
Detection 4
Signatures 4
Classification 4
Startup 5
Malware Configuration 5
Yara Overview 5
Sigma Overview 5
Signature Overview 5
Mitre Att&ck Matrix 6
Behavior Graph 6
Screenshots 7
Thumbnails 7
Antivirus, Machine Learning and Genetic Malware Detection 8
Initial Sample 8
Dropped Files 8
Unpacked PE Files 8
Domains 8
URLs 9
Domains and IPs 10
Contacted Domains 10
URLs from Memory and Binaries 10
Contacted IPs 13
General Information 13
Simulations 14
Behavior and APIs 14
Joe Sandbox View / Context 14
IPs 14
Domains 14
ASN 14
JA3 Fingerprints 14
Dropped Files 14
Created / dropped Files 14
Static File Info 15
General 15
File Icon 16
Static PE Info 16
General 16
Authenticode Signature 16
Entrypoint Preview 16
Data Directories 17
Sections 17
Resources 18
Imports 18
Version Infos 19
Possible Origin 19
Network Behavior 19
Code Manipulations 19
Statistics 19
System Behavior 19
Analysis Process: DirectoryListPrintPro.exe PID: 5272 Parent PID: 6052 19
General 20
File Activities 20
File Created 20
File Written 20
File Read 22
Disassembly 22
Code Analysis 22

Copyright null 2020 Page 2 of 22

Analysis Report DirectoryListPrintPro.exe

Overview

General Information

Sample Name: DirectoryListPrintPro.exe
Analysis ID: 286879
MD5: 27cb22b3e7bf9c7…
SHA1: 73ccdcf9341c906…
SHA256: f957879bc12d5f1…
Most interesting Screenshot: (image not included in this extract)

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

The signature names are reproduced as the report truncates them:
Contains capabilities to detect virtua…
Contains functionality to read data f…
Contains functionality to check if a w…
Contains functionality to dynamically…
Contains functionality to query locale…
Contains functionality to read the cli…
Creates a DirectInput object (often fo…
Drops PE files
Found potential string decryption / a…
PE file contains an invalid checksum
PE file contains sections with non-s…
PE file contains strange resources
Sample file is different than original…
Uses code obfuscation techniques (…

Classification

Classification radar chart (image not included in this extract). Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: malicious / suspicious / clean.

Startup

System is w10x64
DirectoryListPrintPro.exe (PID: 5272, cmdline: 'C:\Users\user\Desktop\DirectoryListPrintPro.exe', MD5: 27CB22B3E7BF9C701769A71147D13424)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Signature categories:
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

There are no malicious signatures.
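Of the signatures listed in the Overview, "PE file contains an invalid checksum" is the one most often over-read. Windows validates OptionalHeader.CheckSum only for drivers, DLLs loaded at boot time and DLLs loaded into critical system processes; user-mode linkers routinely leave the field at zero, so a mismatch on its own says little about intent. The following Python is an added example, not the report's or Joe Sandbox's code: it reimplements the Imagehlp checksum walk (32-bit words summed with end-around carry, the CheckSum dword itself skipped, the sum folded to 16 bits and added to the file length) and exercises it on a constructed minimal PE32 header. The report's static PE section is not part of this extract, so no bytes or values from the sample are used.

```python
"""Check OptionalHeader.CheckSum the way the 'PE file contains an invalid
checksum' signature does.

Added example, not the report's or Joe Sandbox's code. Reimplements the
Imagehlp CheckSumMappedFile walk and exercises it on a constructed
minimal PE32 header.
"""
import struct


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Checksum of `data`, skipping the dword that holds the CheckSum field.
    The field is assumed 4-byte aligned, as the optional header is in practice."""
    skip = checksum_offset - (checksum_offset % 4)
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:                       # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)       # fold to 16 bits
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def checksum_field_offset(data: bytes) -> int:
    """e_lfanew + 'PE\\0\\0' (4) + COFF header (20) + 64 bytes into the
    optional header; the same offset for PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def checksum_is_valid(data: bytes) -> bool:
    """False is what the sandbox signature reports; a zero field (the linker
    never filled it in) is the common benign cause."""
    return stored_checksum(data) == pe_checksum(data, checksum_field_offset(data))


def fix_checksum(data: bytes) -> bytes:
    """Write the correct value into the field (what a linker's /RELEASE does)."""
    off = checksum_field_offset(data)
    return data[:off] + struct.pack("<I", pe_checksum(data, off)) + data[off + 4:]


def build_minimal_pe32(checksum: int, machine: int = 0x14C) -> bytes:
    """Constructed input, not bytes from the sample: 64-byte DOS header with
    e_lfanew = 0x40, PE signature, COFF header with no sections, and a
    224-byte PE32 optional header. Not loadable, but enough for the walk."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)      # CheckSum field
    return dos + b"PE\x00\x00" + coff + bytes(opt)


if __name__ == "__main__":
    image = build_minimal_pe32(checksum=0)
    print("stored", stored_checksum(image),
          "computed", pe_checksum(image, checksum_field_offset(image)),
          "valid", checksum_is_valid(image))
    print("after fix, valid:", checksum_is_valid(fix_checksum(image)))
```

A zero field and a field that simply disagrees with the bytes are indistinguishable to this check, so when triaging a signature like this one, look at whether the stored value is zero (unfilled) or non-zero but wrong (the file was modified after linking, for example by a patcher or an infector) before drawing any conclusion.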

Mitre Att&ck Matrix

Techniques the sample matched, by tactic. The number after each technique is the count the report prints next to it; the matrix also lists every unmatched technique of the ATT&CK template, which is omitted here.

Initial Access: none
Execution: Command and Scripting Interpreter 2; Native API 1
Persistence: none
Privilege Escalation: Process Injection 1
Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 1; Process Injection 1; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2
Credential Access: Input Capture 1
Discovery: System Time Discovery 1; Security Software Discovery 1 1; Virtualization/Sandbox Evasion 1; Process Discovery 1; Application Window Discovery 1; File and Directory Discovery 2; (technique name lost in extraction) Discovery 1 3
Lateral Movement: none
Collection: Input Capture 1; Clipboard Data 2
Exfiltration: none
Command and Control: none
Network Effects: none
Remote Service Effects: none

Behavior Graph

Behavior graph (image not included in this extract).
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, language of origin (Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language), Is malicious, Internet.
Graph header: ID 286879, Sample DirectoryListPrintPro.exe, Startdate 17/09/2020, Architecture WINDOWS, Score 3.
Recoverable edges: DirectoryListPrintPro.exe (started) dropped C:\Users\user\AppData\Local\...\.dll (PE32) and C:\Users\user\AppData\Local\...\FreeImage.dll (PE32); the graph also carries a count badge reading 11.

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow. (Images not included in this extract.)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
DirectoryListPrintPro.exe | 0% | Virustotal | -
DirectoryListPrintPro.exe | 7% | ReversingLabs | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\DLPtemp\FreeImage.dll | 0% | Virustotal | -
C:\Users\user\AppData\Local\Temp\DLPtemp\FreeImage.dll | 0% | Metadefender | -
C:\Users\user\AppData\Local\Temp\DLPtemp\FreeImage.dll | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\DLPtemp\MediaInfo.dll | 0% | Virustotal | -
C:\Users\user\AppData\Local\Temp\DLPtemp\MediaInfo.dll | 0% | Metadefender | -
C:\Users\user\AppData\Local\Temp\DLPtemp\MediaInfo.dll | 0% | ReversingLabs | -

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

URL: scanner detection (label). The strings are reproduced exactly as the report extracted them; several are truncated (for example www..org, .com) or fused with neighbouring data (for example wvware.sourceforge.netDVarFileInfo$).

mirror01.iptelecom.net.ua/~video/codecs/LEAD.MCMP-JPEG.v1.016..exe: Virustotal 3%
mirror01.iptelecom.net.ua/~video/codecs/LEAD.MCMP-JPEG.v1.016.codec.exe: Avira URL Cloud 0% (safe)
www..org/indexyuv.htm;;;YUV;: Avira URL Cloud 0% (safe)
www.isky.co.kr/html/cs/download.jsp: Virustotal 0%; Avira URL Cloud 0% (safe)
wvware.sourceforge.netDVarFileInfo$: Avira URL Cloud 0% (safe)
www..com;;;YUV;4:2:0: Avira URL Cloud 0% (safe)
mirror01.iptelecom.net.ua/~video/codecs/PICVideo.MJPG.v2.10.27.codec.exe: Virustotal 0%; Avira URL Cloud 0% (safe)
base.fims.tv: Virustotal 0%; Avira URL Cloud 0% (safe)
mirror01.iptelecom.net.ua/~video/codecs/miroVIDEO-XL.codec.v2.2.exe: Virustotal 0%; Avira URL Cloud 0% (safe)
www..org/: Virustotal 1%
www.speex.org/: Avira URL Cloud 0% (safe)
www.lucasarts.com/: Virustotal 0%; Avira URL Cloud 0% (safe)
mirror01.iptelecom.net.ua/~video/codecs/Autodesk.Animator.v1.11.Codec.exe;;;: Avira URL Cloud 0% (safe)
-tryout.sourceforge.net;;: Avira URL Cloud 0% (safe)
mediaxw.sourceforge.net;;;YUV: Avira URL Cloud 0% (safe)
eMajix.com: Virustotal 0%; Avira URL Cloud 0% (safe)
mirror01.iptelecom.net.ua/~video/codecs/Avid.VfW.codec.v2.0d2.exe;;;YUV: Virustotal 0%; Avira URL Cloud 0% (safe)
www.streambox.com/products/act-L2_codec.htm: Virustotal 0%; Avira URL Cloud 0% (safe)
www.real.com;;;: Avira URL Cloud 0% (safe)
eMajix.com;;;: Avira URL Cloud 0% (safe)
www.vorbis.com;;Mode: Avira URL Cloud 0% (safe)
www.real.com;LC: Avira URL Cloud 0% (safe)
description.fims.tv: Virustotal 0%; Avira URL Cloud 0% (safe)
www..com/text.html;;;: Avira URL Cloud 0% (safe)
www.fourcc.org/indexyuv.htm;;;YUV;4:1:1: Virustotal 0%; Avira URL Cloud 0% (safe)
www..com: Virustotal 0%
www.theora.com: Avira URL Cloud 0% (safe)
www.on2.com/vp7.php3;;;: Virustotal 0%; Avira URL Cloud 0% (safe)
www.digicine.com/PROTO-ASDCP-AM-20040311#: Virustotal 0%; Avira URL Cloud 0% (safe)
www..com/;Lossy: Virustotal 0%
www.vorbis.com/;Lossy: Avira URL Cloud 0% (safe)
mysif.ru/SIF1_dd_Eng.htm;;;: Avira URL Cloud 0% (safe)
www.infonautics.chD: Avira URL Cloud 0% (safe)
www..net;Lossy: Avira URL Cloud 0% (safe)
www.adobe.fr/products/encore/;Lossless: Virustotal 0%; Avira URL Cloud 0% (safe)
www.digicine.com/PROTO-ASDCP-PKL-20040311#http://www.smpte-ra.org/schemas/429-8/2007/PKLDCP: Virustotal 0%; Avira URL Cloud 0% (safe)
www.array.com: Virustotal 1%; Avira URL Cloud 0% (safe)
.com: Virustotal 0%
winace.com: Avira URL Cloud 0% (safe)
mirror01.iptelecom.net.ua/~video/codecs/CUseeMe.JPEG.CODEC.v1.17.exe: Virustotal 0%; Avira URL Cloud 0% (safe)
www.nerodigital.com: Virustotal 0%; Avira URL Cloud 0% (safe)
www.real.com;;;;;;Lossless: Avira URL Cloud 0% (safe)
mirror01.iptelecom.net.ua/~video/codecs/PICVideo.Lossless.JPEG.codec.v2.10.27.exe;;;YUV: Virustotal 0%; Avira URL Cloud 0% (safe)
www.digitalvoodoo.net/;;;: Avira URL Cloud 0% (safe)
www.q-team.de;;;: Avira URL Cloud 0% (safe)
www..com/products/ConnectHD.htm: Virustotal 0%
www.cineform.com/products/ConnectHD.htm: Avira URL Cloud 0% (safe)
amamaman.hp.infoseek.co.jp/english/amv2_e.html;;;: Avira URL Cloud 0% (safe)
www.fourcc.org/indexrgb.htm;;;RGB: Virustotal 0%; Avira URL Cloud 0% (safe)
diracvideo.org/: Virustotal 0%; Avira URL Cloud 0% (safe)
www.chiariglione.org/mpeg/technologies/mp04-sls/index.htm;Lossless: Virustotal 0%; Avira URL Cloud 0% (safe)
www.webmproject.org;;;YUV;4:2:0: Avira URL Cloud 0% (safe)
eprints.ecs.soton.ac.uk/archive/00001310/01/VTC97-js.pdf: Virustotal 0%; Avira URL Cloud 0% (safe)
www.cyberlink.com;;;: Avira URL Cloud 0% (safe)
mirror01.iptelecom.net.ua/~video/codecs/Pinnacle.ReelTime.v2.5.software.only.codec.exe;;;YUV: Virustotal 0%; Avira URL Cloud 0% (safe)
www.cinepak.com/text.html: Virustotal 0%; Avira URL Cloud 0% (safe)
www.fourcc.org/indexrgb.htm;;;RGB;;8: Virustotal 0%; Avira URL Cloud 0% (safe)
www.fourcc.org/indexrgb.htm;;;RGB;;4: Virustotal 0%; Avira URL Cloud 0% (safe)
www.bbc.co.uk/rd/projects/dirac/index.shtml;;;: Avira URL Cloud 0% (safe)
www.fourcc.org/indexrgb.htm;;;;: Avira URL Cloud 0% (safe)
www.voxware.com/: Virustotal 0%; Avira URL Cloud 0% (safe)
freeimage.sourceforge.netD: Avira URL Cloud 0% (safe)
mirror01.iptelecom.net.ua/~video/codecs/miroVIDEO-XL.codec.v2.2.exe;;;YUV: Virustotal 0%; Avira URL Cloud 0% (safe)
www.vorbis.com: Virustotal 0%; Avira URL Cloud 0% (safe)
www.on2.com/vp7.php3: Virustotal 0%; Avira URL Cloud 0% (safe)
www.morgan-multimedia.com/JPEG: Virustotal 0%; Avira URL Cloud 0% (safe)
www.digicine.com/PROTO-ASDCP-CPL-20040511#: Virustotal 0%; Avira URL Cloud 0% (safe)

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
mirror01.iptelecom.net.ua/~video/codecs/LEAD.MCMP-JPEG.v1.016.codec.exe | DirectoryListPrintPro.exe | false | Virustotal 3%; Avira URL Cloud: safe | unknown
www.fourcc.org/indexyuv.htm;;;YUV; | DirectoryListPrintPro.exe | false | Avira URL Cloud: safe | unknown
www.infonautics.ch/directorylistprint/buy | DirectoryListPrintPro.exe, 00000000.00000002.638202398.0000000001C10000.00000002.00000001.sdmp | false | - | high
www.isky.co.kr/html/cs/download.jsp | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
wvware.sourceforge.netDVarFileInfo$ | DirectoryListPrintPro.exe | false | Avira URL Cloud: safe | low
www.w3schools.com/css | DirectoryListPrintPro.exe, DirectoryListPrintPro.exe, 00000000.00000002.647506647.00000000058E0000.00000004.00000001.sdmp, DirectoryListPrintPro.css.0.dr | false | - | high
www.dolby.com/consumer/technology/trueHD.html | DirectoryListPrintPro.exe | false | - | high
ffdshow-tryout.sourceforge.net/;;; | DirectoryListPrintPro.exe | false | - | high
www.divx.com;;;YUV;4:2:0 | DirectoryListPrintPro.exe | false | Avira URL Cloud: safe | low
www.winnov.com/ | DirectoryListPrintPro.exe | false | - | high
mirror01.iptelecom.net.ua/~video/codecs/PICVideo.MJPG.v2.10.27.codec.exe | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
base.fims.tv | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
mirror01.iptelecom.net.ua/~video/codecs/miroVIDEO-XL.codec.v2.2.exe | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
www.infonautics.ch/directorylistprint/version.cgia | DirectoryListPrintPro.exe, 00000000.00000002.639035892.00000000033C0000.00000004.00000040.sdmp | false | - | high
www.speex.org/ | DirectoryListPrintPro.exe | false | Virustotal 1%; Avira URL Cloud: safe | unknown
www.iis.fraunhofer.de/amm/index.html; | DirectoryListPrintPro.exe | false | - | high
www.lucasarts.com/ | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
mirror01.iptelecom.net.ua/~video/codecs/Autodesk.Animator.v1.11.Codec.exe;;; | DirectoryListPrintPro.exe | false | Avira URL Cloud: safe | unknown
sourceforge.net/project/showfiles.php?group_id=82303&package_id=84358 | DirectoryListPrintPro.exe | false | - | high
ffdshow-tryout.sourceforge.net;; | DirectoryListPrintPro.exe | false | Avira URL Cloud: safe | low
world.casio.com/;Casio | DirectoryListPrintPro.exe | false | - | high
www.free-codecs.com/download/Alparysoft_Lossless_Video_Codec.htm;;; | DirectoryListPrintPro.exe | false | - | high
mediaxw.sourceforge.net;;;YUV | DirectoryListPrintPro.exe | false | Avira URL Cloud: safe | low
eMajix.com | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
mirror01.iptelecom.net.ua/~video/codecs/Avid.VfW.codec.v2.0d2.exe;;;YUV | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
www.streambox.com/products/act-L2_codec.htm | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
www.real.com;;; | DirectoryListPrintPro.exe | false | Avira URL Cloud: safe | low
eMajix.com;;; | DirectoryListPrintPro.exe | false | Avira URL Cloud: safe | low
www.iso.org/;JPEG | DirectoryListPrintPro.exe | false | - | high
www.real.com | DirectoryListPrintPro.exe | false | - | high
www.vorbis.com;;Mode | DirectoryListPrintPro.exe | false | Avira URL Cloud: safe | low
www.real.com;LC | DirectoryListPrintPro.exe | false | Avira URL Cloud: safe | low
packs..org/ | DirectoryListPrintPro.exe | false | - | high
description.fims.tv | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
mediaarea.net/XVID;;;YUV;4:2:0 | DirectoryListPrintPro.exe | false | - | high
www.cinepak.com/text.html;;; | DirectoryListPrintPro.exe | false | Avira URL Cloud: safe | unknown
freeimage.sourceforge.net | FreeImage.dll.0.dr | false | - | high
www.ebu.ch/metadata/cs/ebu_AudioCompressionCodeCS.xml#AudioTrackLayout | DirectoryListPrintPro.exe | false | - | high
www.fourcc.org/indexyuv.htm;;;YUV;4:1:1 | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
www.smpte.org/;;;YUV | DirectoryListPrintPro.exe | false | - | high
www.theora.com | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
www.on2.com/vp7.php3;;; | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
www.infonautics.ch/directorylistprint/DirectoryListPrintUpdateEN.zipc | DirectoryListPrintPro.exe, 00000000.00000002.639035892.00000000033C0000.00000004.00000040.sdmp | false | - | high
gnuwin32.sourceforge.net | DirectoryListPrintPro.exe | false | - | high
dividix.host.sk | DirectoryListPrintPro.exe | false | - | high
www.cyberlink.com | DirectoryListPrintPro.exe | false | - | high
www.digicine.com/PROTO-ASDCP-AM-20040311# | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
www.vorbis.com/;Lossy | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
mysif.ru/SIF1_dd_Eng.htm;;; | DirectoryListPrintPro.exe | false | Avira URL Cloud: safe | unknown
ffdshow.sourceforge.net/tikiwiki/tiki-index.php?page=Getting | DirectoryListPrintPro.exe | false | - | high
www.infonautics.chD | DirectoryListPrintPro.exe, 00000000.00000002.637176227.00000000011BA000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | unknown
www.musepack.net;Lossy | DirectoryListPrintPro.exe | false | Avira URL Cloud: safe | low
www.adobe.fr/products/encore/;Lossless | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
ffdshow-tryout.sourceforge.net/;;;YUV;4:2:0 | DirectoryListPrintPro.exe | false | - | high
https://mediaarea.net/mediainfo | DirectoryListPrintPro.exe | false | - | high
www.macromedia.com/go/getflashplayer | DirectoryListPrintPro.exe | false | - | high
www.iis.fraunhofer.de/amm/index.html;;Version | DirectoryListPrintPro.exe | false | - | high
www.digicine.com/PROTO-ASDCP-PKL-20040311#http://www.smpte-ra.org/schemas/429-8/2007/PKLDCP | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
www.winnov.com/;;; | DirectoryListPrintPro.exe | false | - | high
www.array.com | DirectoryListPrintPro.exe | false | Virustotal 1%; Avira URL Cloud: safe | unknown
www.nero.com | DirectoryListPrintPro.exe | false | - | high
winace.com | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
www.infonautics.ch/tools-engCY | DirectoryListPrintPro.exe, 00000000.00000002.639049450.00000000033C3000.00000004.00000040.sdmp | false | - | high
mirror01.iptelecom.net.ua/~video/codecs/CUseeMe.JPEG.CODEC.v1.17.exe | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
www.nerodigital.com | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
www.real.com;;;;;;Lossless | DirectoryListPrintPro.exe | false | Avira URL Cloud: safe | low
https://mediaarea.net/mediaarea | DirectoryListPrintPro.exe | false | - | high
mirror01.iptelecom.net.ua/~video/codecs/PICVideo.Lossless.JPEG.codec.v2.10.27.exe;;;YUV | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
www.digitalvoodoo.net/;;; | DirectoryListPrintPro.exe | false | Avira URL Cloud: safe | unknown
mediaxw.sourceforge.net | DirectoryListPrintPro.exe | false | - | high
www.playon.tv/playlater | DirectoryListPrintPro.exe | false | - | high
www.q-team.de;;; | DirectoryListPrintPro.exe | false | Avira URL Cloud: safe | low
www.cineform.com/products/ConnectHD.htm | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
amamaman.hp.infoseek.co.jp/english/amv2_e.html;;; | DirectoryListPrintPro.exe | false | Avira URL Cloud: safe | unknown
sourceforge.net/project/showfiles.php?group_id=82303&package_id=84358;;;YUV | DirectoryListPrintPro.exe | false | - | high
www.fourcc.org/indexrgb.htm;;;RGB | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
diracvideo.org/ | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
ffdshow-tryout.sourceforge.net/ | DirectoryListPrintPro.exe | false | - | high
www.chiariglione.org/mpeg/technologies/mp04-sls/index.htm;Lossless | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
www.webmproject.org;;;YUV;4:2:0 | DirectoryListPrintPro.exe | false | Avira URL Cloud: safe | low
eprints.ecs.soton.ac.uk/archive/00001310/01/VTC97-js.pdf | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
www.cyberlink.com;;; | DirectoryListPrintPro.exe | false | Avira URL Cloud: safe | low
www.nue.tu-berlin.de/forschung/projekte/lossless/mp4als.html#downloads | DirectoryListPrintPro.exe | false | - | high
www.gnu.org/software/libiconvDVarFileInfo$ | DirectoryListPrintPro.exe | false | - | high
mirror01.iptelecom.net.ua/~video/codecs/Pinnacle.ReelTime.v2.5.software.only.codec.exe;;;YUV | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
www.cinepak.com/text.html | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
www.fourcc.org/indexrgb.htm;;;RGB;;8 | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
.sourceforge.net/ | DirectoryListPrintPro.exe | false | - | high
www.fourcc.org/indexrgb.htm;;;RGB;;4 | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
www.bbc.co.uk/rd/projects/dirac/index.shtml;;; | DirectoryListPrintPro.exe | false | Avira URL Cloud: safe | unknown
www.fourcc.org/indexrgb.htm;;;; | DirectoryListPrintPro.exe | false | Avira URL Cloud: safe | unknown
www.voxware.com/ | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
crl.thawte.com/ThawteTimestampingCA.crl0 | DirectoryListPrintPro.exe, 00000000.00000002.633864939.0000000000610000.00000008.00020000.sdmp, MediaInfo.dll.0.dr | false | - | high
freeimage.sourceforge.netD | DirectoryListPrintPro.exe, 00000000.00000002.650225171.0000000010554000.00000002.00020000.sdmp, FreeImage.dll.0.dr | false | Avira URL Cloud: safe | unknown
mirror01.iptelecom.net.ua/~video/codecs/miroVIDEO-XL.codec.v2.2.exe;;;YUV | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
www..com/ | DirectoryListPrintPro.exe | false | - | high
www.vorbis.com | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
www.on2.com/vp7.php3 | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
www.morgan-multimedia.com/JPEG | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
www.digicine.com/PROTO-ASDCP-CPL-20040511# | DirectoryListPrintPro.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
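Every entry in the two URL tables above is a string found inside the sample or its dropped DLLs, not a network contact; the Contacted Domains and Contacted IPs sections are empty. The ";;;YUV;4:2:0"-style suffixes are fields of a semicolon-separated codec table, consistent with the codec lists compiled into MediaInfo.dll (mediaarea.net is MediaInfo's home), and entries such as "wvware.sourceforge.netDVarFileInfo$" are a URL run together with the adjacent VarFileInfo resource string because no terminator separated them. The following Python is an added example, not the report's or Joe Sandbox's tooling, of pulling such strings out of a buffer, stripping the table residue, and separating them from hosts the sandbox actually observed. The buffer and the contacted-host list are constructed here; no bytes from the real sample are used.

```python
"""Separate URL strings carried inside a binary from hosts it contacted.

Added example, not part of the report and not Joe Sandbox tooling. The blob
below is constructed to mimic what a string scanner sees in a PE: ASCII
codec-table lines, a UTF-16LE URL from a version resource, and a URL fused
to the next string.
"""
import re
from typing import Dict, Iterable, List, Tuple

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# Scheme optional, dotted host, optional path. A ';' ends the token because
# the codec-table lines use it as a field separator.
URL_TOKEN = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s\"'<>;]*)?", re.I)

# Constructed input (not bytes from the real sample).
SAMPLE_BLOB = (
    b"\x00\x00www.fourcc.org/indexyuv.htm;;;YUV;4:1:1\x00"
    + b"MJPG;PICVideo;mirror01.iptelecom.net.ua/~video/codecs/"
    + b"PICVideo.MJPG.v2.10.27.codec.exe;;;YUV\x00"
    + "https://mediaarea.net/mediainfo".encode("utf-16le") + b"\x00\x00"
    # No terminator between the URL and the next resource string: this is
    # how report entries like 'wvware.sourceforge.netDVarFileInfo$' arise.
    + b"freeimage.sourceforge.netDVarFileInfo$\x00"
    + b"\xff\xfe garbage \x01\x02"
)


def printable_strings(blob: bytes) -> List[str]:
    """ASCII runs first, then UTF-16LE runs, like a 'strings -a' + wide pass."""
    out = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    out += [m.group().decode("utf-16le") for m in WIDE_RUN.finditer(blob)]
    return out


def extract_urls(blob: bytes) -> List[Tuple[str, str]]:
    """(raw_string, clean_url) pairs, de-duplicated on the clean form, in
    order of first appearance. raw_string keeps the codec-table trailer so
    the analyst can see why the string is there."""
    seen: Dict[str, str] = {}
    for s in printable_strings(blob):
        for m in URL_TOKEN.finditer(s):
            seen.setdefault(m.group().rstrip("/"), s[m.start():])
    return [(raw, clean) for clean, raw in seen.items()]


def host_of(url: str) -> str:
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()


def classify(blob: bytes, contacted_hosts: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket each embedded URL by whether its host is in the set of hosts the
    sandbox saw on the wire. For this report that set is empty."""
    contacted = {h.lower() for h in contacted_hosts}
    result: Dict[str, List[str]] = {"contacted": [], "static_only": []}
    for _raw, url in extract_urls(blob):
        result["contacted" if host_of(url) in contacted else "static_only"].append(url)
    return result


if __name__ == "__main__":
    for raw, clean in extract_urls(SAMPLE_BLOB):
        print(f"{clean:60s} <- {raw}")
    print(classify(SAMPLE_BLOB, contacted_hosts=[]))
```

The fused entry survives the pass unchanged (the tokenizer cannot know where "freeimage.sourceforge.net" ends and "DVarFileInfo" begins), which is exactly the artifact visible in the report's tables; treat such hosts as unresolved until the trailing bytes are checked against the file's version resource.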

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 30.0.0 Red Diamond
Analysis ID: 286879
Start date: 17.09.2020
Start time: 11:44:39
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 15s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: DirectoryListPrintPro.exe
Cookbook file name: default.jbs
Analysis system description: w10x64 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean3.winEXE@1/3@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 95%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file: .exe

Warnings:
Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, UsoClient.exe
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\DLPtemp\FreeImage.dll

Process: C:\Users\user\Desktop\DirectoryListPrintPro.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 5647872
Entropy (8bit): 6.343940760128406
Encrypted: false
MD5: BE2B6E27423C65995A8CC8E857F73443
SHA1: 1FC316E86EA7B1395AA764988D3424CF5C9F9206
SHA-256: 89FD43DE843308A6F8B89573467F8FACD65960E9D3FE57C536760059A1D4E0D4
SHA-512: 97089423625B1A234E55BB73A0F573FB423468A2A86293FCE92A6F88C48856FAB3A217CC07306B3C176F8DD849412828C1C54B2441CBC8985D2C22154AEAF9EC
Malicious: false
Antivirus: Virustotal, Detection: 0%; Metadefender, Detection: 0%; ReversingLabs, Detection: 0%
Reputation: low
Preview: MZ DOS stub ("This program cannot be run in DOS mode"), PE signature, section names .text, .rdata, _RDATA, .rsrc and further sections whose names did not survive extraction

C:\Users\user\AppData\Local\Temp\DLPtemp\MediaInfo.dll

Process: C:\Users\user\Desktop\DirectoryListPrintPro.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 4586832
Entropy (8bit): 6.597250076988712
Encrypted: false
MD5: 9F70577CD4D5BFCF3F3FCB0F52B1833D
SHA1: 5B51E4675BB415069D85D701C983A5653A4958FC
SHA-256: 81F7D860CD79E0442576DFDFEAF6DBC5473674782F30B656E2FAC4F3AE81899A
SHA-512: 95A51D8E81E7DC77B68ACB3D03062B886EE094A3ED9A4776155C969D53A438C1F42422A6B0795B4BDFE4DED6FB7F8F7EA67578597272E0F771C0BD23BBB48E6B
Malicious: false
Antivirus: Virustotal, Detection: 0%; Metadefender, Detection: 0%; ReversingLabs, Detection: 0%
Reputation: low
Preview: MZ DOS stub ("This program cannot be run in DOS mode"), PE signature, section names .text, .rdata, .rsrc and further sections whose names did not survive extraction

C:\Users\user\AppData\Roaming\DirectoryListPrintPro\DirectoryListPrintPro.css

Process: C:\Users\user\Desktop\DirectoryListPrintPro.exe
File Type: HTML document, ASCII text, with CRLF line terminators
Size (bytes): 2837
Entropy (8bit): 4.490601059575083
Encrypted: false
MD5: C64728F83FA1C25B9ADDF8DFC11EF90A
SHA1: 9D23993E57E79011506894884D97C513A6CD39B7
SHA-256: 714464002F5333AA9977F248A2C90D65B09D8565773FDBEC59888A8658FC8394
SHA-512: B348D54D26FA4BA499D0457A357B643F7CE51E648AF49919E2FAAD590386419E871E43D6199F181059991E6471B914C76236B0204A9D831DA8C750D00E8832DE
Malicious: false
Reputation: low
Preview:
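The hashes, size and 8-bit entropy printed for each dropped file are what an analyst uses to confirm that a copy of the DLL obtained elsewhere (for example from the vendor's installer or from another host) is byte-identical to the one the sandbox saw, and the entropy value is the usual first check for packing. The following Python is an added example, not code from the report or from Joe Sandbox: it recomputes those fields for arbitrary bytes and diffs them against the values copied from the FreeImage.dll entry above. The input blobs are constructed, and the 7.2-bit packing threshold is an assumption of this example rather than the report's "Encrypted" criterion.

```python
"""Recompute the identifiers the 'Created / dropped Files' section prints.

Added example, not code from the report or from Joe Sandbox. Given a
file's bytes it produces the digests, size and 8-bit Shannon entropy
shown for each dropped file and compares them with values copied from
the report.
"""
import hashlib
import math
from collections import Counter
from typing import Dict, Union

# Copied from the report's entry for
# C:\Users\user\AppData\Local\Temp\DLPtemp\FreeImage.dll
REPORTED_FREEIMAGE: Dict[str, Union[str, int]] = {
    "MD5": "BE2B6E27423C65995A8CC8E857F73443",
    "SHA1": "1FC316E86EA7B1395AA764988D3424CF5C9F9206",
    "SHA-256": "89FD43DE843308A6F8B89573467F8FACD65960E9D3FE57C536760059A1D4E0D4",
    "Size (bytes)": 5647872,
}

# Assumption of this example, not Joe Sandbox's 'Encrypted' criterion:
# a whole file averaging this many bits per byte is probably packed or
# encrypted. Plain PE code and data usually sit around 6 to 6.6 bits,
# which is where both dropped DLLs land.
PACKED_ENTROPY_THRESHOLD = 7.2


def shannon_entropy_8bit(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for a uniform
    byte distribution. This is the 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def fingerprint(data: bytes) -> Dict[str, Union[str, int, float]]:
    """Same field names and upper-case hex as the report uses."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
        "Size (bytes)": len(data),
        "Entropy (8bit)": shannon_entropy_8bit(data),
    }


def compare_with_report(data: bytes,
                        reported: Dict[str, Union[str, int]]) -> Dict[str, bool]:
    """For every field the report supplied, True if the local bytes agree.
    Size is compared too: a matching size with mismatching digests is the
    classic sign of an in-place patch."""
    local = fingerprint(data)
    return {field: local[field] == value for field, value in reported.items()}


def looks_packed_or_encrypted(data: bytes,
                              threshold: float = PACKED_ENTROPY_THRESHOLD) -> bool:
    return shannon_entropy_8bit(data) >= threshold


if __name__ == "__main__":
    # Constructed stand-in; the real DLL is 5,647,872 bytes and not embedded here.
    candidate = b"MZ" + bytes(range(256)) * 16
    for field, ok in compare_with_report(candidate, REPORTED_FREEIMAGE).items():
        print(f"{field:12s} {'match' if ok else 'MISMATCH'}")
    print("entropy", round(shannon_entropy_8bit(candidate), 3),
          "packed?", looks_packed_or_encrypted(candidate))
```

Whole-file entropy is a coarse measure: a large clean DLL with a compressed resource section can cross the threshold, and a packed stub padded with zeros can stay under it, so per-section entropy is the better follow-up once the static PE section is available.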