ID: 205201 | Sample Name: novaPDF8COM(x86).msi | Cookbook: default.jbs | Time: 11:37:00 | Date: 03/02/2020 | Version: 28.0.0 Lapis Lazuli

Table of Contents

Table of Contents 2
Analysis Report novaPDF8COM(x86).msi 4
  Overview 4
    General Information 4
    Detection 4
    Confidence 5
    Classification 5
    Analysis Advice 5
  Mitre Att&ck Matrix 6
  Signature Overview 6
    Spreading: 6
    Networking: 6
    System Summary: 6
    Hooking and other Techniques for Hiding and Protection: 7
    Malware Analysis System Evasion: 7
    Language, Device and Detection: 7
  Malware Configuration 7
  Behavior Graph 7
  Simulations 7
    Behavior and APIs 7
  Antivirus, Machine Learning and Genetic Malware Detection 8
    Initial Sample 8
    Dropped Files 8
    Unpacked PE Files 8
    Domains 8
    URLs 8
  Yara Overview 9
    Initial Sample 9
    PCAP (Network Traffic) 9
    Dropped Files 9
    Memory Dumps 10
    Unpacked PEs 10
  Sigma Overview 10
  Joe Sandbox View / Context 10
    IPs 10
    Domains 10
    ASN 10
    JA3 Fingerprints 10
    Dropped Files 10
  Screenshots 10
    Thumbnails 10
  Startup 11
  Created / dropped Files 11
  Domains and IPs 11
    Contacted Domains 11
    URLs from Memory and Binaries 11
    Contacted IPs 13
  Static File Info 13
    General 13
    File Icon 14
    Static OLE Info 14
      General 14
      Authenticode Signature 14
      OLE File "novaPDF8COM(x86).msi" 14
        Indicators 14
        Summary 15
        Streams 15
          Stream Path: \x5DigitalSignature, File Type: data, Stream Size: 6451 15 / General 15
Copyright Joe Security LLC 2020 Page 2 of 22
          Stream Path: \x5MsiDigitalSignatureEx, File Type: data, Stream Size: 20 15 / General 15
          Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 580 15 / General 15
          Stream Path: \x16944\x17191\x14436\x16830\x16740, File Type: Microsoft Cabinet archive data, 922265 bytes, 6 files, Stream Size: 922265 16 / General 16
          Stream Path: \x17163\x16689\x18229\x16446\x18156\x14988, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 212992 16 / General 16
          Stream Path: \x18496\x15167\x17394\x17464\x17841, File Type: data, Stream Size: 752 16 / General 16
          Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468, File Type: ASCII text, with very long lines, with no line terminators, Stream Size: 8784 16 / General 16
          Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479, File Type: data, Stream Size: 1092 17 / General 17
          Stream Path: \x18496\x16255\x16740\x16943\x18486, File Type: data, Stream Size: 42 17 / General 17
          Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481, File Type: data, Stream Size: 2304 17 / General 17
          Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 48 17 / General 17
          Stream Path: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 24 17 / General 17
          Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 42 18 / General 18
          Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486, File Type: data, Stream Size: 12 18 / General 18
          Stream Path: \x18496\x16911\x17892\x17784\x18472, File Type: data, Stream Size: 32 18 / General 18
          Stream Path: \x18496\x16918\x17191\x18468, File Type: MIPSEB Ucode, Stream Size: 14 18 / General 18
          Stream Path: \x18496\x16923\x15722\x16818\x17892\x17778, File Type: data, Stream Size: 10 18 / General 18
          Stream Path: \x18496\x16924\x17007\x16923\x18474, File Type: data, Stream Size: 8 18 / General 19
          Stream Path: \x18496\x17163\x16689\x18229, File Type: data, Stream Size: 4 19 / General 19
          Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492, File Type: data, Stream Size: 30 19 / General 19
          Stream Path: \x18496\x17167\x16943, File Type: data, Stream Size: 120 19 / General 19
          Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 156 19 / General 19
          Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 42 19 / General 19
          Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487, File Type: data, Stream Size: 36 20 / General 20
          Stream Path: \x18496\x17610\x16179\x16680\x16821\x18475, File Type: data, Stream Size: 4 20 / General 20
          Stream Path: \x18496\x17630\x17770\x16868\x18472, File Type: PDP-11 separate I&D executable, Stream Size: 32 20 / General 20
          Stream Path: \x18496\x17740\x16680\x16951\x17551\x16879\x17768, File Type: data, Stream Size: 12 20 / General 20
          Stream Path: \x18496\x17753\x17650\x17768\x18231, File Type: data, Stream Size: 36 20 / General 20
          Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522, File Type: data, Stream Size: 36 20 / General 21
  Network Behavior 21
  Code Manipulations 21
  Statistics 21
    Behavior 21
  System Behavior 21
    Analysis Process: msiexec.exe PID: 3628 Parent PID: 3808 21
      General 21
      File Activities 22
    Analysis Process: msiexec.exe PID: 1148 Parent PID: 4560 22
      General 22
      File Activities 22
      Registry Activities 22
  Disassembly 22
    Code Analysis 22

Analysis Report novaPDF8COM(x86).msi

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 205201
Start date: 03.02.2020
Start time: 11:37:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 33s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: novaPDF8COM(x86).msi
Cookbook file name: default.jbs
Analysis system description: 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean2.winMSI@2/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .msi; Stop behavior analysis, all processes terminated

Warnings:
Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 2 | 0 - 100 | false

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 2 | 0 - 5 | true

Classification

[Classification chart: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale malicious / suspicious / clean]

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Initial Access: Replication Through Removable Media 1; Replication Through Removable Media
Execution: Windows Remote Management; Service Execution
Persistence: Winlogon Helper DLL; Port Monitors
Privilege Escalation: Process Injection 1; Accessibility Features
Defense Evasion: Process Injection 1; DLL Side-Loading 1
Credential Access: Credential Dumping; Network Sniffing
Discovery: Peripheral Device Discovery 1 1; System Information Discovery 1 3
Lateral Movement: Replication Through Removable Media 1; Remote Services
Collection: Data from Local System; Data from Removable Media
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium
Command and Control: Data Obfuscation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Signature Overview

• Spreading
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Language, Device and Operating System Detection

Spreading:

Checks for available system drives (often done to infect USB drives)

Networking:

Urls found in memory or binary data

System Summary:

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Classification label

Reads software policies

Sample is a Windows installer

Spawns processes

Uses an in-process (OLE) Automation server

PE / OLE file has a valid certificate

Submission file is bigger than most known malware samples

Binary contains paths to debug symbols

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Checks the free space of harddrives

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Queries the cryptographic machine GUID

Malware Configuration

No configs have been found

Behavior Graph

[Behavior graph: ID 205201, Sample novaPDF8COM(x86).msi, Startdate 03/02/2020, Architecture WINDOWS, Score 2. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet. Nodes: msiexec.exe started msiexec.exe; node counters 5 and 4.]

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label / Link
novaPDF8COM(x86).msi | 0% | Virustotal | Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label / Link
tempuri.org/WAFServiceContract/GetAllChildren | 0% | Avira URL Cloud | safe
schemas.datacontract.org/2004/07/WAFServiceNamespace | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/CheckForPublicParent | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/SetPrinterPublicProfileVisibility | 0% | Virustotal | Browse
tempuri.org/WAFServiceContract/SetPrinterPublicProfileVisibility | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetContextualPreset | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/RemoveUser | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/AddTrialData | 0% | Avira URL Cloud | safe
tempuri.org/ | 3% | Virustotal | Browse
tempuri.org/ | 0% | URL Reputation | safe
tempuri.org/WAFServiceContract/GetAllPublicProfiles | 0% | Virustotal | Browse
tempuri.org/WAFServiceContract/GetAllPublicProfiles | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetPresetsByComponent | 0% | Virustotal | Browse
tempuri.org/WAFServiceContract/GetPresetsByComponent | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetGUIArchiveCRC32 | 0% | Virustotal | Browse
tempuri.org/WAFServiceContract/GetGUIArchiveCRC32 | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/RemovePreset | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/RemovePresetLinksByContext | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/AddUser | 0% | Virustotal | Browse
tempuri.org/WAFServiceContract/AddUser | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetPreset | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetPrintersForActiveProfile | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/AddDefaultLicenseData | 0% | Virustotal | Browse
tempuri.org/WAFServiceContract/AddDefaultLicenseData | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/AddStartDate | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/IsManualActivationStarted | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetAdminPassword | 0% | Avira URL Cloud | safe
freeimage.sourceforge.netD | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/AddPrinterActiveProfileData | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/CheckDefaultPreset | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetActiveProfile | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/LoadPresetTree | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/UpdatePrintersActiveProfile | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetUserData | 0% | Avira URL Cloud | safe
www.novapdf.comOur | 0% | Avira URL Cloud | safe
ocsp.verisign.co | 1% | Virustotal | Browse
ocsp.verisign.co | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetOEMArchiveCRC32 | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/DeletePrinterActiveProfileData | 0% | Virustotal | Browse
tempuri.org/WAFServiceContract/DeletePrinterActiveProfileData | 0% | Avira URL Cloud | safe
www.softland.ro | 0% | Virustotal | Browse
www.softland.ro | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/CheckAdminPassword | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetManualActivationStartDate | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/SavePrinterPublicProfilesInfo | 0% | Virustotal | Browse
tempuri.org/WAFServiceContract/SavePrinterPublicProfilesInfo | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/AddPresetLink | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/RemovePresetNoReplacement | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetLicensedMachines | 0% | Avira URL Cloud | safe
tempuri.org/wafhttp://schemas.datacontract.org/2004/07/WAFServiceNamespacecnthttp://schemas.m | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/SetAdminPassword | 0% | Avira URL Cloud | safe
https://www.novapdf-sals.tst/ActivationAPI.wsdlactivate.novapdf-sals.tsthttp://www.novapdf-sa | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetPresetLinksByChild | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetPrinterForms | 0% | Virustotal | Browse
tempuri.org/WAFServiceContract/GetPrinterForms | 0% | Avira URL Cloud | safe
ocsp.thawte.com0 | 0% | URL Reputation | safe
tempuri.org/WAFServiceContract/ExecuteSpecialOp | 0% | Virustotal | Browse
tempuri.org/WAFServiceContract/ExecuteSpecialOp | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetPrinterPublicProfilesInfo | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetReactivationStartDate | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetUser | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetChildByComponent | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/CompilePreset | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/AddUserData | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetGuiArchive | 0% | Virustotal | Browse
tempuri.org/WAFServiceContract/GetGuiArchive | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetOEMArchive | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetCustomProfilesByComponent | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetPrinterFormsCRC32 | 0% | Avira URL Cloud | safe
www.softland.ro0 | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/ComputeCRC32 | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/ResetFactory | 0% | Virustotal | Browse
tempuri.org/WAFServiceContract/ResetFactory | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetDefaultPresetByTypeGuid | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/DeleteReactivationStartDate | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/IsTrialDataAdded | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/AddPreset | 0% | Virustotal | Browse
tempuri.org/WAFServiceContract/AddPreset | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/SaveLicencesMachines | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/UpdatePreset | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/GetDBVersion | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/ResetDefaults | 0% | Avira URL Cloud | safe
tempuri.org/WAFServiceContract/SavePresetTree | 0% | Virustotal | Browse
tempuri.org/WAFServiceContract/SavePresetTree | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64
msiexec.exe (PID: 3628, cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\novaPDF8COM(x86).msi', MD5: 4767B71A318E201188A0D0A420C8B608)
msiexec.exe (PID: 1148, cmdline: 'C:\Windows\syswow64\MsiExec.exe' /Y 'C:\Program Files (x86)\Softland\novaPDF 8\SDK\Lib\i386\novapi80.dll', MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
tempuri.org/WAFServiceContract/GetAllChildren | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
schemas.datacontract.org/2004/07/WAFServiceNamespace | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/CheckForPublicParent | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/SetPrinterPublicProfileVisibility | WafClientFile_Id86 | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/GetContextualPreset | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
schemas.xmlsoap.org/soap/envelope/ | WafClientFile_Id86 | false | | high
tempuri.org/WAFServiceContract/RemoveUser | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/AddTrialData | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/ | WafClientFile_Id86 | false | 3%, Virustotal, Browse; URL Reputation: safe | low
tempuri.org/WAFServiceContract/GetAllPublicProfiles | WafClientFile_Id86 | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/GetPresetsByComponent | WafClientFile_Id86 | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/GetGUIArchiveCRC32 | WafClientFile_Id86 | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/RemovePreset | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/RemovePresetLinksByContext | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/AddUser | WafClientFile_Id86 | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/GetPreset | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/GetPrintersForActiveProfile | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/AddDefaultLicenseData | WafClientFile_Id86 | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/AddStartDate | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/IsManualActivationStarted | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/GetAdminPassword | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
crl.thawte.com/ThawteTimestampingCA.crl0 | novaPDF8COM(x86).msi | false | | high
freeimage.sourceforge.netD | ImFile_Id64 | false | Avira URL Cloud: safe | unknown
tempuri.org/WAFServiceContract/AddPrinterActiveProfileData | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/CheckDefaultPreset | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/GetActiveProfile | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/LoadPresetTree | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/UpdatePrintersActiveProfile | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/GetUserData | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
www.novapdf.comOur | Id_NovapiLibx64 | false | Avira URL Cloud: safe | unknown
ocsp.verisign.co | msiexec.exe, 00000000.00000003.1850037079.000002013DC23000.00000004.00000001.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
tempuri.org/WAFServiceContract/GetOEMArchiveCRC32 | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/DeletePrinterActiveProfileData | WafClientFile_Id86 | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | low
www.softland.ro | msiexec.exe, 00000000.00000002.1852427272.00000201403D0000.00000004.00000001.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
tempuri.org/WAFServiceContract/CheckAdminPassword | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/GetManualActivationStartDate | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/SavePrinterPublicProfilesInfo | WafClientFile_Id86 | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/AddPresetLink | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/RemovePresetNoReplacement | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/GetLicensedMachines | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
freeimage.sourceforge.net | ImFile_Id64 | false | | high
tempuri.org/wafhttp://schemas.datacontract.org/2004/07/WAFServiceNamespacecnthttp://schemas.m | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/SetAdminPassword | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
https://www.novapdf-sals.tst/ActivationAPI.wsdlactivate.novapdf-sals.tsthttp://www.novapdf-sa | Id_NovapiLibx64, Id_NovapiLibi386 | false | Avira URL Cloud: safe | unknown
tempuri.org/WAFServiceContract/GetPresetLinksByChild | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
schemas.xmlsoap.org/soap/encoding/ | WafClientFile_Id86 | false | | high
tempuri.org/WAFServiceContract/GetPrinterForms | WafClientFile_Id86 | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | low
ocsp.thawte.com0 | novaPDF8COM(x86).msi | false | URL Reputation: safe | unknown
tempuri.org/WAFServiceContract/ExecuteSpecialOp | WafClientFile_Id86 | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/GetPrinterPublicProfilesInfo | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/GetReactivationStartDate | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/GetUser | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/GetChildByComponent | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/CompilePreset | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/AddUserData | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/GetGuiArchive | WafClientFile_Id86 | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/GetOEMArchive | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/GetCustomProfilesByComponent | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/GetPrinterFormsCRC32 | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
www.softland.ro0 | msiexec.exe, 00000000.00000002.1852427272.00000201403D0000.00000004.00000001.sdmp, novaPDF8COM(x86).msi | false | Avira URL Cloud: safe | unknown
tempuri.org/WAFServiceContract/ComputeCRC32 | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/ResetFactory | WafClientFile_Id86 | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/GetDefaultPresetByTypeGuid | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/DeleteReactivationStartDate | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/IsTrialDataAdded | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/AddPreset | WafClientFile_Id86 | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/SaveLicencesMachines | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/UpdatePreset | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/GetDBVersion | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/ResetDefaults | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
tempuri.org/WAFServiceContract/SavePresetTree | WafClientFile_Id86 | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | low
schemas.xmlsoap.org/soap/actor/next | WafClientFile_Id86 | false | | high

Contacted IPs

No contacted IP infos

Static File Info

General

File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Softland's novaPDF 8 SDK COM (x86) Installer, Author: Softland, Keywords: Installer, Comments: This installer database contains the logic and data required to install novaPDF 8 SDK COM (x86)., Template: Intel;1033, Revision Number: {FD05F66E-E077-4380-86A8-D023E5A0462F}, Create Time/Date: Wed Nov 18 14:01:46 2015, Last Saved Time/Date: Wed Nov 18 14:01:46 2015, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.0.1403), Security: 2
Entropy (8bit): 7.8246354425565485
TrID: Installer (638509/1) 93.55%; ClickyMouse macro set (36024/1) 5.28%; Generic OLE2 / Multistream Compound File (8008/1) 1.17%
File name: novaPDF8COM(x86).msi
File size: 1187840
MD5: ddcb9b42dc48a4b6c5e9e690cfd44a2a
SHA1: 3166723d159724623bd1952b5afc25567ebbf653
SHA256: 0563ee4a55c2e9d5ed924d7efe6fd35ffef2157ae4ac6990cd732a19d27bb517
SHA512: e133f684bd48dadc51e2ff7d8b7c04b43aa540094ed892d68bd55046cd18a153769f5e2aaec545602e4a077af259c04c6ddcd29e9a6617d3b9dd2cdc0fbb4124
SSDEEP: 24576:9jnmt5IKcuT8B+TVqQMRSj7b2WJFEy8rdpef:x85IKj0+5UwWWJFwuf
File Content Preview: ...... >......

File Icon

Icon Hash: a2a0b496b2caca72

Static OLE Info

General

Document Type: OLE
Number of OLE Files: 1

Authenticode Signature

Signature Valid: true
Signature Issuer: CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After: 3/4/2014 4:00:00 PM, 5/3/2017 4:59:59 PM
Subject Chain: CN=Softland S.R.L., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Softland S.R.L., L=Cluj-Napoca, S=Cluj, C=RO
Version: 3
Thumbprint MD5: E0807C14373FDC3784DE9A4FB8665164
Thumbprint SHA-1: 0E155A75E1EDB37449D24734EA8BEE2342693016
Thumbprint SHA-256: C998250E82B9D851184E02B4BE1C91A3AE33160AEA6570B94BC8EA40B3EDD45C
Serial: 27EFC97E2F12AD0725501066D4BA9242

OLE File "novaPDF8COM(x86).msi"

Indicators

Has Summary Info: True
Application Name: Windows Installer XML Toolset (3.10.0.1403)
Encrypted Document: False
Contains Word Document Stream: False
Contains Workbook/Book Stream: False
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: False

Summary

Code Page: 1252
Title: Installation Database
Subject: Softland's novaPDF 8 SDK COM (x86) Installer
Author: Softland
Keywords: Installer
Comments: This installer database contains the logic and data required to install novaPDF 8 SDK COM (x86).
Template: Intel;1033
Revision Number: {FD05F66E-E077-4380-86A8-D023E5A0462F}
Create Time: 2015-11-18 14:01:46
Last Saved Time: 2015-11-18 14:01:46
Number of Pages: 200
Number of Words: 2
Creating Application: Windows Installer XML Toolset (3.10.0.1403)
Security: 2

Streams

Stream Path: \x5DigitalSignature, File Type: data, Stream Size: 6451

General

Stream Path: \x5DigitalSignature
File Type: data
Stream Size: 6451
Entropy: 7.31617827888
Base64 Encoded: True
Data ASCII: 0 . . / . . * . H ...... 0 ...... 1 . 0 . . . + ...... 0 g . . + . . . . . 7 . . . . Y 0 W 0 2 . . + . . . . . 7 . . . 0 $ ...... F ...... 0 ! 0 . . . + ...... : B ...... , . . . . s . . . . 0 . . . 0 . . W ...... ~ . . . | . N Y . K . w . . . ; 0 . . . * . H ...... 0 . . 1 . 0 . . . U . . . . Z A 1 . 0 . . . U . . . . W e s t e r n C a p e 1 . 0 . . . U . . . . D u r b a n v i l l e 1
Data Raw: 30 82 19 2f 06 09 2a 86 48 86 f7 0d 01 07 02 a0 82 19 20 30 82 19 1c 02 01 01 31 0b 30 09 06 05 2b 0e 03 02 1a 05 00 30 67 06 0a 2b 06 01 04 01 82 37 02 01 04 a0 59 30 57 30 32 06 0a 2b 06 01 04 01 82 37 02 01 1e 30 24 02 01 02 04 10 f1 10 0c 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 01 00 02 01 00 02 01 00 02 01 00 02 01 00 30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 3a 42 dc e2

Stream Path: \x5MsiDigitalSignatureEx, File Type: data, Stream Size: 20

General

Stream Path: \x5MsiDigitalSignatureEx
File Type: data
Stream Size: 20
Entropy: 4.22192809489
Base64 Encoded: False
Data ASCII: . . m . . Y . . . . T . 6 ! . . q . G v
Data Raw: c4 95 6d 1e 06 59 9f d1 f0 df 54 dd 36 21 95 da 71 e9 47 76

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 580

General

Stream Path: \x5SummaryInformation
File Type: data
Stream Size: 580
Entropy: 4.72126060219
Base64 Encoded: True
Data ASCII: ...... O h . . . . . + ' . . 0 ...... x ...... l ...... I n s t a l l a t i o n D a t a b a s e ...... - . . . S o f t l a n d ' s n o v a P D F 8 S D K C O M ( x 8 6 ) I n s t a
Data Raw: fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 14 02 00 00 0e 00 00 00 01 00 00 00 78 00 00 00 02 00 00 00 80 00 00 00 03 00 00 00 a0 00 00 00 04 00 00 00 d8 00 00 00 05 00 00 00 ec 00 00 00 06 00 00 00 00 01 00 00 07 00 00 00 6c 01 00 00 09 00 00 00 80 01 00 00 0c 00 00 00 b0 01 00 00

Stream Path: \x16944\x17191\x14436\x16830\x16740, File Type: Microsoft Cabinet archive data, 922265 bytes, 6 files, Stream Size: 922265

General

Stream Path: \x16944\x17191\x14436\x16830\x16740
File Type: Microsoft Cabinet archive data, 922265 bytes, 6 files
Stream Size: 922265
Entropy: 7.99970637823
Base64 Encoded: True
Data ASCII: M S C F ...... < ...... & . . . . Q . . # ...... r G . ~ . I d _ N o v a p i L i b i 3 8 6 ...... r G . ~ . I d _ N o v a p i L i b x 6 4 ...... L G D s ! . I m F i l e _ I d 6 4 ...... L G D s ! . I m F i l e _ I d 8 6 ...... r G d . . W a f C l i e n t F i l e _ I d 6 4 ...... r G d . . W a f C l i e n t F i l e _ I d 8 6 . . . d q n
Data Raw: 4d 53 43 46 00 00 00 00 99 12 0e 00 00 00 00 00 3c 00 00 00 00 00 00 00 03 01 03 00 06 00 00 00 00 00 00 00 fb 00 00 00 26 00 03 15 01 51 05 00 23 00 03 15 b9 1f 0c 00 10 00 03 15 00 a4 08 00 00 00 00 00 00 00 72 47 13 7e 20 00 49 64 5f 4e 6f 76 61 70 69 4c 69 62 69 33 38 36 00 00 16 0a 00 00 a4 08 00 00 00 72 47 16 7e 20 00 49 64 5f 4e 6f 76 61 70 69 4c 69 62 78 36 34 00 00 02 11

Stream Path: \x17163\x16689\x18229\x16446\x18156\x14988, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 212992

General

Stream Path: \x17163\x16689\x18229\x16446\x18156\x14988
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Stream Size: 212992
Entropy: 6.54635453743
Base64 Encoded: True
Data ASCII: M Z ...... @ ...... ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ ...... d . w . d . w . d . w . . . s . B . w . . . t . } . w . . . r . . . w . m . . . g . w . m . . . u . w . d . v . . . w . B . r . B . w . B . w . e . w . B . . . e . w . d . . . e . w . B . u . e . w . R i c h d . w ...... P E . . L . . .
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

Stream Path: \x18496\x15167\x17394\x17464\x17841, File Type: data, Stream Size: 752

General Stream Path: \x18496\x15167\x17394\x17464\x17841 File Type: data Stream Size: 752 Entropy: 4.82520054349 Base64 Encoded: False Data ASCII: ...... " . " . " . ) . ) . ) . * . * . * . + . + . , . , . 1 . 1 . 5 . 5 . 5 . 5 . 5 . 5 . ; . ; . ; . C . C . G . G . G . G . G . W . W . W . W . W . W . W . W . f . f . j . j . j . j . j . j . j . j . x . x . x . y . y . y . z . z . z . z . z . z ...... Data Raw: 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 22 00 22 00 22 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2c 00 2c 00 31 00 31 00 35 00 35 00 35 00 35 00 35 00 35 00 3b 00 3b 00 3b 00 43 00 43 00 47 00 47 00 47 00 47 00 47 00 57 00 57 00 57 00 57 00 57 00 57 00 57 00 57 00 66 00 66 00 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 78 00 78 00 78 00 79 00 79 00

Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468, File Type: ASCII text, with very long lines, with no line terminators, Stream Size: 8784

General Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468 File Type: ASCII text, with very long lines, with no line terminators Stream Size: 8784 Entropy: 5.00174370468 Base64 Encoded: True Data ASCII: N a m e T a b l e T y p e C o l u m n V a l u e _ V a l i d a t i o n N P r o p e r t y I d _ S u m m a r y I n f o r m a t i o n D e s c r i p t i o n S e t C a t e g o r y K e y C o l u m n M a x V a l u e N u l l a b l e K e y T a b l e M i n V a l u e I d e n t i f i e r N a m e o f t a b l e N a m e o f c o l u m n Y ; N W h e t h e r t h e c o l u m n i s n u l l a b l e Y M i n i m u m v a l u e a l l o w e d M a x i m u m v a l u e a l l o w e d F o r f o r e i g n k e y Data Raw: 4e 61 6d 65 54 61 62 6c 65 54 79 70 65 43 6f 6c 75 6d 6e 56 61 6c 75 65 5f 56 61 6c 69 64 61 74 69 6f 6e 4e 50 72 6f 70 65 72 74 79 49 64 5f 53 75 6d 6d 61 72 79 49 6e 66 6f 72 6d 61 74 69 6f 6e 44 65 73 63 72 69 70 74 69 6f 6e 53 65 74 43 61 74 65 67 6f 72 79 4b 65 79 43 6f 6c 75 6d 6e 4d 61 78 56 61 6c 75 65 4e 75 6c 6c 61 62 6c 65 4b 65 79 54 61 62 6c 65 4d 69 6e 56 61 6c 75 65

Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479, File Type: data, Stream Size: 1092

General Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479 File Type: data Stream Size: 1092 Entropy: 3.32240816232 Base64 Encoded: False Data ASCII: ...... 2 ...... 6 . . . $ ...... B ...... o ...... ( ...... 5 ...... ' ...... ; ...... > ...... ' ...... Data Raw: e4 04 00 00 04 00 04 00 05 00 02 00 00 00 00 00 04 00 04 00 06 00 02 00 05 00 03 00 0b 00 15 00 01 00 2e 00 0a 00 01 00 13 00 02 00 0b 00 04 00 03 00 02 00 08 00 02 00 09 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 0a 00 1d 00 0d 00 01 00 0e 00 01 00 03 00 01 00 1e 00 01 00 01 00 32 00 15 00 01 00 15 00 01 00 36 00 01 00 24 00 01 00 f5 00 01 00 0f 00 01 00 04 00 0c 00

Stream Path: \x18496\x16255\x16740\x16943\x18486, File Type: data, Stream Size: 42

General Stream Path: \x18496\x16255\x16740\x16943\x18486 File Type: data Stream Size: 42 Entropy: 3.19615871139 Base64 Encoded: False Data ASCII: . . " . ) . * . + . , . 1 . 5 . ; . C . G . W . f . j . x . y . z ...... Data Raw: 07 00 22 00 29 00 2a 00 2b 00 2c 00 31 00 35 00 3b 00 43 00 47 00 57 00 66 00 6a 00 78 00 79 00 7a 00 88 00 91 00 96 00 a7 00

Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481, File Type: data, Stream Size: 2304

General Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481 File Type: data Stream Size: 2304 Entropy: 2.44019705434 Base64 Encoded: False Data ASCII: ...... " . " . " . ) . ) . ) . * . * . * . + . + . , . , . 1 . 1 . 5 . 5 . 5 . 5 . 5 . 5 . ; . ; . ; . C . C . G . G . G . G . G . W . W . W . W . W . W . W . W . f . f . j . j . j . j . j . j . j . j . x . x . x . y . y . y . z . z . z . z . z . z ...... # . % . ' . # . % . ' . # . % . ' . , . . . . . , . . . 3 . % . 5 . 7 . : . = . Data Raw: 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 0a 00 0a 00 22 00 22 00 22 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2c 00 2c 00 31 00 31 00 35 00 35 00 35 00 35 00 35 00 35 00 3b 00 3b 00 3b 00 43 00 43 00 47 00 47 00 47 00 47 00 47 00 57 00 57 00 57 00 57 00 57 00 57 00 57 00 57 00 66 00 66 00 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 78 00 78 00 78 00

Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 48

General Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934 File Type: data Stream Size: 48 Entropy: 3.11008776073 Base64 Encoded: False Data ASCII: ...... x . . . < . . . . . Data Raw: b4 00 b5 00 b6 00 b7 00 b8 00 b9 00 ba 00 bb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 78 85 dc 85 3c 8f a0 8f c8 99

Stream Path: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 24

General Stream Path: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472 File Type: data Stream Size: 24 Entropy: 2.59436093777 Base64 Encoded: False Data ASCII: ...... Data Raw: b4 00 b5 00 b6 00 bc 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 14 85

Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 42

General Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472 File Type: data Stream Size: 42 Entropy: 2.9135675273 Base64 Encoded: False Data ASCII: ...... x ...... Data Raw: b4 00 b6 00 b7 00 b8 00 bb 00 bd 00 be 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 e8 83 78 85 dc 85 c8 99 9c 98 00 99

Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486, File Type: data, Stream Size: 12

General Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486 File Type: data Stream Size: 12 Entropy: 1.89624062518 Base64 Encoded: False Data ASCII: ...... Data Raw: db 00 db 00 db 00 c2 00 c5 00 ca 00

Stream Path: \x18496\x16911\x17892\x17784\x18472, File Type: data, Stream Size: 32

General Stream Path: \x18496\x16911\x17892\x17784\x18472 File Type: data Stream Size: 32 Entropy: 2.8348683589 Base64 Encoded: False Data ASCII: ...... Data Raw: db 00 dc 00 dc 00 00 00 dd 00 de 00 dd 00 de 00 02 80 01 80 01 80 01 80 00 00 d1 00 1a 80 18 80

Stream Path: \x18496\x16918\x17191\x18468, File Type: MIPSEB Ucode, Stream Size: 14

General Stream Path: \x18496\x16918\x17191\x18468 File Type: MIPSEB Ucode Stream Size: 14 Entropy: 1.6266888497 Base64 Encoded: False Data ASCII: ...... Data Raw: 01 80 06 00 00 80 00 00 fb 00 00 00 00 00

Stream Path: \x18496\x16923\x15722\x16818\x17892\x17778, File Type: data, Stream Size: 10

General Stream Path: \x18496\x16923\x15722\x16818\x17892\x17778 File Type: data Stream Size: 10 Entropy: 2.92192809489 Base64 Encoded: False Data ASCII: ...... Data Raw: c0 00 02 80 0c 01 0d 01 12 80

Stream Path: \x18496\x16924\x17007\x16923\x18474, File Type: data, Stream Size: 8

General Stream Path: \x18496\x16924\x17007\x16923\x18474 File Type: data Stream Size: 8 Entropy: 2.25 Base64 Encoded: False Data ASCII: ...... Data Raw: c9 00 ce 00 01 80 01 80

Stream Path: \x18496\x17163\x16689\x18229, File Type: data, Stream Size: 4

General Stream Path: \x18496\x17163\x16689\x18229 File Type: data Stream Size: 4 Entropy: 1.5 Base64 Encoded: False Data ASCII: . . . . Data Raw: c1 00 01 00

Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492, File Type: data, Stream Size: 30

General Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492 File Type: data Stream Size: 30 Entropy: 2.48172767887 Base64 Encoded: False Data ASCII: ...... Data Raw: c4 00 c7 00 cc 00 d1 00 d8 00 d1 00 c4 00 c4 00 d8 00 00 00 d7 00 d5 00 d6 00 d9 00 da 00

Stream Path: \x18496\x17167\x16943, File Type: data, Stream Size: 120

General Stream Path: \x18496\x17167\x16943 File Type: data Stream Size: 120 Entropy: 3.50083536338 Base64 Encoded: False Data ASCII: ...... Data Raw: c9 00 ce 00 e2 00 e4 00 e7 00 e8 00 c5 00 ca 00 c5 00 c5 00 ca 00 ca 00 df 00 df 00 e3 00 e5 00 e3 00 e5 00 00 a4 08 80 00 16 0a 80 20 ef 07 80 00 02 11 80 20 ef 07 80 00 02 11 80 e0 00 e0 00 e0 00 e6 00 e0 00 e6 00 e1 00 e1 00 e1 00 e1 00 e1 00 e1 00 00 82 00 82 00 82 00 82 00 82 00 82 01 00 00 80 02 00 00 80 06 00 00 80 04 00 00 80 05 00 00 80 03 00 00 80

Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 156

General Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934 File Type: data Stream Size: 156 Entropy: 4.17415852923 Base64 Encoded: False Data ASCII: + ...... 2 ...... x ...... 4 ...... @ ...... t . . . p . . . 3 . . . . . Data Raw: 2b 00 b4 00 b5 00 b6 00 b7 00 b8 00 ba 00 bb 00 bd 00 be 00 cf 00 d0 00 d3 00 e9 00 ea 00 eb 00 ec 00 ee 00 ef 00 f0 00 f2 00 f3 00 f4 00 f5 00 f9 00 fa 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 00 00 00 00 00 00 00 f6 00 f8 00 f7 00 00 00 00 00 00 00 ed 00 ed 00 ed 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 32 80 20 83 84 83 e8 83 78 85 dc 85 a0 8f c8 99 9c 98 00 99 34 80 ea 83

Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 42

General Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472 File Type: data Stream Size: 42 Entropy: 2.98770900896 Base64 Encoded: False Data ASCII: + ...... 2 ...... Data Raw: 2b 00 b4 00 b5 00 b6 00 bc 00 e9 00 f5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 32 80 20 83 84 83 e8 83 14 85 bc 82 19 80

Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487, File Type: data, Stream Size: 36

General Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487 File Type: data Stream Size: 36 Entropy: 2.63677362922 Base64 Encoded: False Data ASCII: ...... Data Raw: c2 00 c5 00 ca 00 c3 00 c6 00 cb 00 c4 00 c7 00 cc 00 00 80 00 80 00 80 00 00 c8 00 cd 00 00 00 c9 00 ce 00

Stream Path: \x18496\x17610\x16179\x16680\x16821\x18475, File Type: data, Stream Size: 4

General Stream Path: \x18496\x17610\x16179\x16680\x16821\x18475 File Type: data Stream Size: 4 Entropy: 1.5 Base64 Encoded: False Data ASCII: . . . . Data Raw: bf 00 c0 00

Stream Path: \x18496\x17630\x17770\x16868\x18472, File Type: PDP-11 separate I&D executable, Stream Size: 32

General Stream Path: \x18496\x17630\x17770\x16868\x18472 File Type: PDP-11 separate I&D executable Stream Size: 32 Entropy: 2.3967822216 Base64 Encoded: False Data ASCII: ...... Data Raw: 09 01 09 01 08 01 0e 01 00 00 08 01 00 00 00 00 02 00 00 80 00 01 00 80 00 00 00 00 10 01 0f 01

Stream Path: \x18496\x17740\x16680\x16951\x17551\x16879\x17768, File Type: data, Stream Size: 12

General Stream Path: \x18496\x17740\x16680\x16951\x17551\x16879\x17768 File Type: data Stream Size: 12 Entropy: 2.29248125036 Base64 Encoded: False Data ASCII: ...... Data Raw: c4 00 c7 00 cc 00 c2 00 c5 00 ca 00

Stream Path: \x18496\x17753\x17650\x17768\x18231, File Type: data, Stream Size: 36

General Stream Path: \x18496\x17753\x17650\x17768\x18231 File Type: data Stream Size: 36 Entropy: 3.28778053505 Base64 Encoded: False Data ASCII: ...... Data Raw: a8 00 fc 00 fe 00 00 01 02 01 04 01 05 01 07 01 0a 01 09 01 fd 00 ff 00 01 01 03 01 e1 00 06 01 08 01 0b 01

Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522, File Type: data, Stream Size: 36

General Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522 File Type: data Stream Size: 36 Entropy: 2.30899296309 Base64 Encoded: False Data ASCII: ...... # . # ...... Data Raw: cf 00 d0 00 d3 00 01 80 23 80 23 80 c1 00 d1 00 d1 00 cf 00 d2 00 d4 00 00 00 00 00 00 00 00 00 00 00 00 00

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• msiexec.exe • msiexec.exe


System Behavior

Analysis Process: msiexec.exe PID: 3628 Parent PID: 3808

General

Start time: 11:38:33 Start date: 03/02/2020 Path: C:\Windows\System32\msiexec.exe Wow64 process (32bit): false Commandline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\novaPDF8COM(x86).msi' Imagebase: 0x7ff6a1240000 File size: 66048 bytes MD5 hash: 4767B71A318E201188A0D0A420C8B608 Has administrator privileges: false Programmed in: C, C++ or other language Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Analysis Process: msiexec.exe PID: 1148 Parent PID: 4560

General

Start time: 11:38:35 Start date: 03/02/2020 Path: C:\Windows\SysWOW64\msiexec.exe Wow64 process (32bit): true Commandline: 'C:\Windows\syswow64\MsiExec.exe' /Y 'C:\Program Files (x86)\Softland\novaPDF 8\ SDK\Lib\i386\novapi80.dll' Imagebase: 0xc90000 File size: 59904 bytes MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2 Has administrator privileges: false Programmed in: C, C++ or other language Reputation: high

File Activities

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Disassembly

Code Analysis
