Joe Sandbox Analysis Report: novaPDF8COM(x86).msi
ID: 205201 | Sample Name: novaPDF8COM(x86).msi | Cookbook: default.jbs | Date: 03/02/2020 | Time: 11:37:00 | Joe Sandbox Version: 28.0.0 Lapis Lazuli
Table of Contents
Overview: General Information; Detection; Confidence; Classification; Analysis Advice; Mitre Att&ck Matrix
Signature Overview: Spreading; Networking; System Summary; Hooking and other Techniques for Hiding and Protection; Malware Analysis System Evasion; Language, Device and Operating System Detection
Malware Configuration
Behavior Graph
Simulations: Behavior and APIs
Antivirus, Machine Learning and Genetic Malware Detection: Initial Sample; Dropped Files; Unpacked PE Files; Domains; URLs
Yara Overview: Initial Sample; PCAP (Network Traffic); Dropped Files; Memory Dumps; Unpacked PEs
Sigma Overview
Joe Sandbox View / Context: IPs; Domains; ASN; JA3 Fingerprints; Dropped Files
Screenshots: Thumbnails
Startup
Created / dropped Files
Domains and IPs: Contacted Domains; URLs from Memory and Binaries; Contacted IPs
Static File Info: General; File Icon
Static OLE Info: General; Authenticode Signature; OLE File "novaPDF8COM(x86).msi" (Indicators; Summary; Streams)
Streams (one General subsection each):
  \x5DigitalSignature (data, 6451 bytes)
  \x5MsiDigitalSignatureEx (data, 20 bytes)
  \x5SummaryInformation (data, 580 bytes)
  \x16944\x17191\x14436\x16830\x16740 (Microsoft Cabinet archive data, 922265 bytes, 6 files; 922265 bytes)
  \x17163\x16689\x18229\x16446\x18156\x14988 (PE32 executable (DLL) (GUI) Intel 80386, for MS Windows; 212992 bytes)
  \x18496\x15167\x17394\x17464\x17841 (data, 752 bytes)
  \x18496\x16191\x17783\x17516\x15210\x17892\x18468 (ASCII text, with very long lines, with no line terminators; 8784 bytes)
  \x18496\x16191\x17783\x17516\x15978\x17586\x18479 (data, 1092 bytes)
  \x18496\x16255\x16740\x16943\x18486 (data, 42 bytes)
  \x18496\x16383\x17380\x16876\x17892\x17580\x18481 (data, 2304 bytes)
  \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934 (data, 48 bytes)
  \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472 (data, 24 bytes)
  \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472 (data, 42 bytes)
  \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486 (data, 12 bytes)
  \x18496\x16911\x17892\x17784\x18472 (data, 32 bytes)
  \x18496\x16918\x17191\x18468 (MIPSEB Ucode, 14 bytes)
  \x18496\x16923\x15722\x16818\x17892\x17778 (data, 10 bytes)
  \x18496\x16924\x17007\x16923\x18474 (data, 8 bytes)
  \x18496\x17163\x16689\x18229 (data, 4 bytes)
  \x18496\x17165\x16949\x17894\x17778\x18492 (data, 30 bytes)
  \x18496\x17167\x16943 (data, 120 bytes)
  \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934 (data, 156 bytes)
  \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472 (data, 42 bytes)
  \x18496\x17548\x17648\x17522\x17512\x18487 (data, 36 bytes)
  \x18496\x17610\x16179\x16680\x16821\x18475 (data, 4 bytes)
  \x18496\x17630\x17770\x16868\x18472 (PDP-11 separate I&D executable, 32 bytes)
  \x18496\x17740\x16680\x16951\x17551\x16879\x17768 (data, 12 bytes)
  \x18496\x17753\x17650\x17768\x18231 (data, 36 bytes)
  \x18496\x17932\x17910\x17458\x16778\x17207\x17522 (data, 36 bytes)
Network Behavior
Code Manipulations
Statistics
Behavior: System Behavior; Analysis Process: msiexec.exe PID: 3628 Parent PID: 3808 (General; File Activities); Analysis Process: msiexec.exe PID: 1148 Parent PID: 4560 (General; File Activities; Registry Activities)
Disassembly: Code Analysis
Copyright Joe Security LLC 2020
Analysis Report novaPDF8COM(x86).msi
Overview
General Information
Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 205201
Start date: 03.02.2020
Start time: 11:37:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 33s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: novaPDF8COM(x86).msi
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; HDC enabled; AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean2.winMSI@2/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .msi; Stop behavior analysis, all processes terminated
Reading note: this is a light report in which EGA and HDC failed, no executed functions were recorded, the run stopped on timeout after 3m33s and the installer's UI was not driven (see Analysis Advice). The CLEAN verdict therefore rests on static checks and a short, shallow dynamic run, not on an observed complete installation.
Warnings:
Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Detection
Strategy: Threshold | Score: 2 | Range: 0 - 100 | Whitelisted: false | Detection: CLEAN
Confidence
Strategy: Threshold | Score: 2 | Range: 0 - 5 | Further Analysis Required?: true
Classification
(Figure: classification chart with the categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot and Adware on rings labelled malicious, suspicious and clean.) Result: clean (score 2 of 100).
Analysis Advice
Sample has a GUI, but Joe Sandbox has not found any clickable buttons; more UI automation would likely extend the observed behavior.
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook.
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.
Mitre Att&ck Matrix
Columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Row 1: Replication Through Removable Media 1 | Windows Remote Management | Winlogon Helper DLL | Process Injection 1 | Process Injection 1 | Credential Dumping | Peripheral Device Discovery 1 1 | Replication Through Removable Media 1 | Data from Local System | Data Compressed | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Row 2: Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | DLL Side-Loading 1 | Network Sniffing | System Information Discovery 1 3 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Only the techniques followed by numbers matched anything; the numbers link to the matching signatures in the Signature Overview. The unnumbered cells are the fixed placeholders Joe Sandbox prints in every matrix and say nothing about this sample.
Signature Overview
• Spreading
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Language, Device and Operating System Detection
Spreading:
Checks for available system drives (often done to infect USB drives)
Networking:
Urls found in memory or binary data
System Summary:
Sample file name is different from the original file name gathered from version info
Tries to load missing DLLs
Classification label
Reads software policies
Sample is a Windows installer
Spawns processes
Uses an in-process (OLE) Automation server
PE / OLE file has a valid certificate
Submission file is bigger than most known malware samples
Binary contains paths to debug symbols
Hooking and other Techniques for Hiding and Protection:
Disables application error messages (SetErrorMode)
Malware Analysis System Evasion:
Checks the free space of harddrives
Language, Device and Operating System Detection:
Queries the volume information (name, serial number etc) of a device
Queries the cryptographic machine GUID
Malware Configuration
No configs have been found
Behavior Graph
(Figure. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.)
ID: 205201 | Sample: novaPDF8COM(x86).msi | Startdate: 03/02/2020 | Architecture: WINDOWS | Score: 2
Nodes: msiexec.exe, which started msiexec.exe; the node counters read 5 and 4.
Simulations
Behavior and APIs
No simulations
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source | Detection | Scanner
novaPDF8COM(x86).msi | 0% | Virustotal
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
Source | Detection | Scanner | Label
tempuri.org/WAFServiceContract/<operation> | 0% | Avira URL Cloud | safe, for each of these operations: GetAllChildren, CheckForPublicParent, SetPrinterPublicProfileVisibility, GetContextualPreset, RemoveUser, AddTrialData, GetAllPublicProfiles, GetPresetsByComponent, GetGUIArchiveCRC32, RemovePreset, RemovePresetLinksByContext, AddUser, GetPreset, GetPrintersForActiveProfile, AddDefaultLicenseData, AddStartDate, IsManualActivationStarted, GetAdminPassword, AddPrinterActiveProfileData, CheckDefaultPreset, GetActiveProfile, LoadPresetTree, UpdatePrintersActiveProfile, GetUserData, GetOEMArchiveCRC32, DeletePrinterActiveProfileData, CheckAdminPassword, GetManualActivationStartDate, SavePrinterPublicProfilesInfo, AddPresetLink, RemovePresetNoReplacement, GetLicensedMachines, SetAdminPassword, GetPresetLinksByChild, GetPrinterForms, ExecuteSpecialOp, GetPrinterPublicProfilesInfo, GetReactivationStartDate, GetUser, GetChildByComponent, CompilePreset, AddUserData, GetGuiArchive, GetOEMArchive, GetCustomProfilesByComponent, GetPrinterFormsCRC32, ComputeCRC32, ResetFactory, GetDefaultPresetByTypeGuid, DeleteReactivationStartDate, IsTrialDataAdded, AddPreset, SaveLicencesMachines, UpdatePreset, GetDBVersion, ResetDefaults, SavePresetTree
Of these, SetPrinterPublicProfileVisibility, GetAllPublicProfiles, GetPresetsByComponent, GetGUIArchiveCRC32, AddUser, AddDefaultLicenseData, DeletePrinterActiveProfileData, SavePrinterPublicProfilesInfo, GetPrinterForms, ExecuteSpecialOp, GetGuiArchive, ResetFactory, AddPreset and SavePresetTree were additionally checked by Virustotal: 0%.
tempuri.org/ | 3% | Virustotal; 0% | URL Reputation | safe
schemas.datacontract.org/2004/07/WAFServiceNamespace | 0% | Avira URL Cloud | safe
tempuri.org/wafhttp://schemas.datacontract.org/2004/07/WAFServiceNamespacecnthttp://schemas.m (run-together extracted strings) | 0% | Avira URL Cloud | safe
freeimage.sourceforge.netD | 0% | Avira URL Cloud | safe
www.novapdf.comOur | 0% | Avira URL Cloud | safe
www.softland.ro | 0% | Virustotal; 0% | Avira URL Cloud | safe
www.softland.ro0 | 0% | Avira URL Cloud | safe
https://www.novapdf-sals.tst/ActivationAPI.wsdlactivate.novapdf-sals.tsthttp://www.novapdf-sa (run-together extracted strings) | 0% | Avira URL Cloud | safe
ocsp.verisign.co | 1% | Virustotal; 0% | Avira URL Cloud | safe
ocsp.thawte.com0 | 0% | URL Reputation | safe
Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Memory Dumps
No yara matches
Unpacked PEs
No yara matches
Sigma Overview
No Sigma rule has matched
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Screenshots
Thumbnails: (screenshots not reproduced)
Startup
System is w10x64
msiexec.exe (PID: 3628, Parent PID: 3808; cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\novaPDF8COM(x86).msi'; MD5: 4767B71A318E201188A0D0A420C8B608)
msiexec.exe (PID: 1148, Parent PID: 4560; cmdline: 'C:\Windows\syswow64\MsiExec.exe' /Y 'C:\Program Files (x86)\Softland\novaPDF 8\SDK\Lib\i386\novapi80.dll'; MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
cleanup
The two MD5s differ because PID 3628 is the 64-bit System32 binary and PID 1148 the 32-bit SysWOW64 one, started to register an i386 DLL. The /Y switch makes msiexec call DllRegisterServer in the named DLL; here that is the installer registering the SDK's COM library, and its parent (4560) is not the /i client (3628), which is consistent with the Windows Installer service spawning it. Because msiexec /Y will run DllRegisterServer from any DLL path it is given, the same command line with a DLL outside Program Files or Windows, or from an msiexec whose parent is not the installer service, is worth alerting on.
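The check described above, written out as an added example (it is not code from the Joe Sandbox report or from Softland). The first two events are the two command lines from the Startup section; the third is a constructed case of the abuse pattern, with a made-up PID, parent and DLL path. The trusted-root list is an assumption a deployment would tune.

```python
r"""Flag msiexec.exe DLL self-registration (the /y and /z switches).

Added example for the Startup section of this report; not code from Joe
Security or Softland. msiexec /y <dll> calls the DLL's DllRegisterServer
export, which is how Windows Installer performs a SelfReg step and also a
documented living-off-the-land way to run arbitrary DLL code. The events
below: the first two are copied from the report, the third is constructed.
"""
import ntpath
import re
from typing import List, Optional

# Joe Sandbox prints command lines with single quotes; real logs use double quotes.
_TOKEN = re.compile(r"""'([^']*)'|"([^"]*)"|(\S+)""")

# Assumed allow-list: where a legitimately installed, self-registering DLL lives.
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)

EVENTS = [
    {"pid": 3628, "ppid": 3808,
     "cmdline": "'C:\\Windows\\System32\\msiexec.exe' /i "
                "'C:\\Users\\user\\Desktop\\novaPDF8COM(x86).msi'"},
    {"pid": 1148, "ppid": 4560,
     "cmdline": "'C:\\Windows\\syswow64\\MsiExec.exe' /Y "
                "'C:\\Program Files (x86)\\Softland\\novaPDF 8\\SDK\\Lib\\i386\\novapi80.dll'"},
    # Constructed: same switch, but the DLL sits in a user-writable directory.
    {"pid": 9999, "ppid": 4321,
     "cmdline": '"C:\\Windows\\System32\\msiexec.exe" /y '
                '"C:\\Users\\user\\AppData\\Local\\Temp\\update.dll"'},
]


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line, honouring single- or double-quoted arguments."""
    return [a or b or c for a, b, c in _TOKEN.findall(cmdline)]


def classify(event: dict) -> Optional[dict]:
    """Return a finding for msiexec /y or /z, or None when the event is not one."""
    argv = split_cmdline(event["cmdline"])
    if not argv or ntpath.basename(argv[0]).lower() != "msiexec.exe":
        return None
    for i, arg in enumerate(argv[1:-1], start=1):
        if arg.lower() in ("/y", "-y", "/z", "-z"):
            dll = argv[i + 1]
            in_trusted_root = dll.lower().startswith(TRUSTED_ROOTS)
            return {
                "pid": event["pid"],
                "ppid": event["ppid"],
                "action": "register" if arg.lower()[1] == "y" else "unregister",
                "dll": dll,
                # Under Program Files or Windows this is the normal SelfReg case;
                # anywhere else (Temp, Downloads, a share) deserves a closer look.
                "severity": "low" if in_trusted_root else "high",
            }
    return None


def scan(events: List[dict]) -> List[dict]:
    """Run classify() over a batch of process-creation events."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

Parent-process checks (the registering msiexec should be a child of the Windows Installer service) need the parent image name, which the report does not give, so the example keys only on the switch and the DLL location.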
Created / dropped Files
No created / dropped files found
Domains and IPs
Contacted Domains
No contacted domains info
URLs from Memory and Binaries
These are strings found in memory dumps and in the embedded files, not connections: the report records no contacted domains or IPs. The tempuri.org/WAFServiceContract/* entries are SOAP action names from a WCF service contract embedded in WafClientFile_Id86 (tempuri.org is the placeholder namespace WCF assigns to a service contract by default). The stray trailing characters in www.novapdf.comOur, freeimage.sourceforge.netD, www.softland.ro0 and ocsp.thawte.com0 are adjacent bytes picked up by string extraction, and ocsp.verisign.co is the same URL cut short.
Name | Source | Malicious | Antivirus Detection | Reputation
tempuri.org/WAFServiceContract/<operation> (the operations listed in the Antivirus URLs section) | WafClientFile_Id86 | false | Avira URL Cloud: safe; the fourteen also checked by Virustotal: 0% | low
tempuri.org/ | WafClientFile_Id86 | false | 3%, Virustotal; URL Reputation: safe | low
tempuri.org/wafhttp://schemas.datacontract.org/2004/07/WAFServiceNamespacecnthttp://schemas.m | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
schemas.datacontract.org/2004/07/WAFServiceNamespace | WafClientFile_Id86 | false | Avira URL Cloud: safe | low
schemas.xmlsoap.org/soap/envelope/ | WafClientFile_Id86 | false | (none) | high
schemas.xmlsoap.org/soap/encoding/ | WafClientFile_Id86 | false | (none) | high
schemas.xmlsoap.org/soap/actor/next | WafClientFile_Id86 | false | (none) | high
crl.thawte.com/ThawteTimestampingCA.crl0 | novaPDF8COM(x86).msi | false | (none) | high
freeimage.sourceforge.net | ImFile_Id64 | false | (none) | high
freeimage.sourceforge.netD | ImFile_Id64 | false | Avira URL Cloud: safe | unknown
www.novapdf.comOur | Id_NovapiLibx64 | false | Avira URL Cloud: safe | unknown
https://www.novapdf-sals.tst/ActivationAPI.wsdlactivate.novapdf-sals.tsthttp://www.novapdf-sa | Id_NovapiLibx64, Id_NovapiLibi386 | false | Avira URL Cloud: safe | unknown
ocsp.verisign.co | msiexec.exe, 00000000.00000003.1850037079.000002013DC23000.00000004.00000001.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
www.softland.ro | msiexec.exe, 00000000.00000002.1852427272.00000201403D0000.00000004.00000001.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
www.softland.ro0 | msiexec.exe, 00000000.00000002.1852427272.00000201403D0000.00000004.00000001.sdmp, novaPDF8COM(x86).msi | false | Avira URL Cloud: safe | unknown
ocsp.thawte.com0 | novaPDF8COM(x86).msi | false | URL Reputation: safe | unknown
Contacted IPs
No contacted IP infos
Static File Info
General
File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Softland's novaPDF 8 SDK COM (x86) Installer, Author: Softland, Keywords: Installer, Comments: This installer database contains the logic and data required to install novaPDF 8 SDK COM (x86)., Template: Intel;1033, Revision Number: {FD05F66E-E077-4380-86A8-D023E5A0462F}, Create Time/Date: Wed Nov 18 14:01:46 2015, Last Saved Time/Date: Wed Nov 18 14:01:46 2015, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.0.1403), Security: 2
Entropy (8bit): 7.8246354425565485 (the high whole-file entropy comes from the embedded cabinet stream, whose own entropy is 7.9997; it is compression, not packing)
TrID: Microsoft Windows Installer (638509/1) 93.55%; ClickyMouse macro set (36024/1) 5.28%; Generic OLE2 / Multistream Compound File (8008/1) 1.17%
File name: novaPDF8COM(x86).msi
File size: 1187840
MD5: ddcb9b42dc48a4b6c5e9e690cfd44a2a
SHA1: 3166723d159724623bd1952b5afc25567ebbf653
SHA256: 0563ee4a55c2e9d5ed924d7efe6fd35ffef2157ae4ac6990cd732a19d27bb517
SHA512: e133f684bd48dadc51e2ff7d8b7c04b43aa540094ed892d68bd55046cd18a153769f5e2aaec545602e4a077af259c04c6ddcd29e9a6617d3b9dd2cdc0fbb4124
SSDEEP: 24576:9jnmt5IKcuT8B+TVqQMRSj7b2WJFEy8rdpef:x85IKj0+5UwWWJFwuf
File Content Preview: ...... >......
File Icon
Icon Hash: a2a0b496b2caca72
Static OLE Info
General Document Type: OLE Number of OLE Files: 1
Authenticode Signature
Signature Valid: true
Signature Issuer: CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before: 3/4/2014 4:00:00 PM
Not After: 5/3/2017 4:59:59 PM
Subject Chain: CN=Softland S.R.L., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Softland S.R.L., L=Cluj-Napoca, S=Cluj, C=RO
Version: 3
Thumbprint MD5: E0807C14373FDC3784DE9A4FB8665164
Thumbprint SHA-1: 0E155A75E1EDB37449D24734EA8BEE2342693016
Thumbprint SHA-256: C998250E82B9D851184E02B4BE1C91A3AE33160AEA6570B94BC8EA40B3EDD45C
Serial: 27EFC97E2F12AD0725501066D4BA9242
Caveat: the signing certificate's validity ended on 5/3/2017, almost three years before this analysis, so "Signature Valid: true" can only hold through a trusted timestamp countersignature. The DER prefix of the \x5DigitalSignature stream names SHA-1 (OID 1.3.14.3.2.26) as the digest algorithm, the package itself contains the string crl.thawte.com/ThawteTimestampingCA.crl, and the stream's ASCII preview shows a ZA / Western Cape / Durbanville certificate subject, all consistent with a SHA-1 Authenticode signature carrying a Thawte timestamp. Windows keeps accepting SHA-1 code signatures only on the strength of such a timestamp, so confirm the chain and the timestamp date with signtool verify /v /pa before relying on this verdict.
OLE File "novaPDF8COM(x86).msi"
Indicators
Has Summary Info: True
Application Name: Windows Installer XML Toolset (3.10.0.1403)
Encrypted Document: False
Contains Word Document Stream: False
Contains Workbook/Book Stream: False
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream: (empty)
Flash Objects Count: (empty)
Contains VBA Macros: False
Summary
Code Page: 1252
Title: Installation Database
Subject: Softland's novaPDF 8 SDK COM (x86) Installer
Author: Softland
Keywords: Installer
Comments: This installer database contains the logic and data required to install novaPDF 8 SDK COM (x86).
Template: Intel;1033 (for an MSI: platform x86, language 1033 = en-US)
Revision Number: {FD05F66E-E077-4380-86A8-D023E5A0462F} (for an MSI: the package code)
Create Time: 2015-11-18 14:01:46
Last Saved Time: 2015-11-18 14:01:46
Number of Pages: 200 (for an MSI: minimum Windows Installer version, 2.0)
Number of Words: 2 (for an MSI: word-count flags; bit 1 set means the source files are compressed, here inside the embedded cabinet)
Creating Application: Windows Installer XML Toolset (3.10.0.1403)
Security: 2 (read-only recommended)
Streams
Stream names are printed in Joe Sandbox's \x<decimal code point> notation: \x5 is the 0x05 character that precedes OLE property-set style stream names (SummaryInformation, and MSI's DigitalSignature and MsiDigitalSignatureEx), while names made of code points in the 0x3800-0x4840 range are Windows Installer's packed table and binary-stream names, with U+4840 (\x18496) marking a database table. The File Type column is a libmagic guess on a stream's first bytes; the cabinet (MSCF) and PE32 DLL (MZ) identifications are confirmed by their previews, but labels such as "MIPSEB Ucode" on a 14-byte stream or "PDP-11 separate I&D executable" on a 32-byte one are misidentifications of tiny table rows.
Stream Path: \x5DigitalSignature, File Type: data, Stream Size: 6451
General: Entropy: 7.31617827888; Base64 Encoded: True
Data ASCII: 0 . . / . . * . H ...... 0 ...... 1 . 0 . . . + ...... 0 g . . + . . . . . 7 . . . . Y 0 W 0 2 . . + . . . . . 7 . . . 0 $ ...... F ...... 0 ! 0 . . . + ...... : B ...... , . . . . s . . . . 0 . . . 0 . . W ...... ~ . . . | . N Y . K . w . . . ; 0 . . . * . H ...... 0 . . 1 . 0 . . . U . . . . Z A 1 . 0 . . . U . . . . W e s t e r n C a p e 1 . 0 . . . U . . . . D u r b a n v i l l e 1
Data Raw: 30 82 19 2f 06 09 2a 86 48 86 f7 0d 01 07 02 a0 82 19 20 30 82 19 1c 02 01 01 31 0b 30 09 06 05 2b 0e 03 02 1a 05 00 30 67 06 0a 2b 06 01 04 01 82 37 02 01 04 a0 59 30 57 30 32 06 0a 2b 06 01 04 01 82 37 02 01 1e 30 24 02 01 02 04 10 f1 10 0c 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 01 00 02 01 00 02 01 00 02 01 00 02 01 00 30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 3a 42 dc e2
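A worked reading of this stream's DER prefix, added here and not taken from the Joe Sandbox report. The 128 bytes in the code are the Data Raw preview above, so every outer element is cut short; the walker clamps each declared length to the bytes it has and flags the element as truncated instead of failing. The OID-to-name table is standard (PKCS#7 and Microsoft's Authenticode OIDs); nothing else is assumed. Walking the prefix shows that the blob is PKCS#7 signedData, that its digestAlgorithms set holds SHA-1, that the signed content is an Authenticode SpcIndirectDataContent whose SpcSipInfo carries the Windows Installer SIP GUID {000C10F1-0000-0000-C000-000000000046}, and that the SHA-1 file digest (starting 3a 42 dc e2) is what the preview cuts off.

```python
r"""Walk the DER prefix of the \x5DigitalSignature stream shown above.

Added example, not code from the Joe Sandbox report. SIG_PREVIEW is the
128-byte "Data Raw" preview the report prints for the stream, so the outer
SEQUENCE, the [0] wrapper and the SignedData SEQUENCE all declare lengths
that run past the buffer. The walker clamps those lengths and records the
truncation rather than raising, which is enough to read the OIDs off.
"""
import uuid
from typing import List, NamedTuple, Optional, Tuple

# First 128 bytes of the \x05DigitalSignature stream, copied from the report.
SIG_PREVIEW = bytes.fromhex(
    "30 82 19 2f 06 09 2a 86 48 86 f7 0d 01 07 02 a0 82 19 20 30 82 19 1c 02 01 01 "
    "31 0b 30 09 06 05 2b 0e 03 02 1a 05 00 30 67 06 0a 2b 06 01 04 01 82 37 02 01 "
    "04 a0 59 30 57 30 32 06 0a 2b 06 01 04 01 82 37 02 01 1e 30 24 02 01 02 04 10 "
    "f1 10 0c 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 01 00 02 01 00 02 01 00 02 "
    "01 00 02 01 00 30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 3a 42 dc e2"
)

# Standard OIDs (PKCS#7 and Microsoft Authenticode); not specific to this sample.
OID_NAMES = {
    "1.2.840.113549.1.7.2": "PKCS#7 signedData",
    "1.3.14.3.2.26": "SHA-1",
    "1.3.6.1.4.1.311.2.1.4": "SPC_INDIRECT_DATA_OBJID (Authenticode content)",
    "1.3.6.1.4.1.311.2.1.30": "SPC_SIPINFO_OBJID",
}


class Node(NamedTuple):
    depth: int
    tag: int
    value: Optional[bytes]   # None for constructed elements
    truncated: bool          # declared length ran past the available bytes


def decode_oid(content: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER body into dotted notation."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def walk(buf: bytes, start: int = 0, end: Optional[int] = None,
         depth: int = 0, out: Optional[List[Node]] = None) -> List[Node]:
    """Depth-first TLV walk that survives a truncated buffer."""
    out = [] if out is None else out
    end = len(buf) if end is None else end
    pos = start
    while pos + 2 <= end:
        tag, length, cstart = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                      # long form: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(buf[cstart:cstart + n], "big")
            cstart += n
        if cstart > end:
            break
        truncated = cstart + length > end
        cend = min(cstart + length, end)       # clamp to what the preview contains
        if tag & 0x20:                         # constructed: SEQUENCE, SET, [0] ...
            out.append(Node(depth, tag, None, truncated))
            walk(buf, cstart, cend, depth + 1, out)
        else:
            out.append(Node(depth, tag, buf[cstart:cend], truncated))
        if truncated:                          # nothing meaningful follows a cut element
            break
        pos = cend
    return out


def oids(buf: bytes) -> List[str]:
    """Every complete OBJECT IDENTIFIER in the buffer, in document order."""
    return [decode_oid(n.value) for n in walk(buf) if n.tag == 0x06 and not n.truncated]


def describe(buf: bytes) -> List[Tuple[str, str]]:
    """OIDs paired with their well-known names ('?' when not in OID_NAMES)."""
    return [(o, OID_NAMES.get(o, "?")) for o in oids(buf)]


def sip_guid(buf: bytes) -> Optional[str]:
    """The 16-byte OCTET STRING inside SpcSipInfo, read as a little-endian GUID."""
    for n in walk(buf):
        if n.tag == 0x04 and not n.truncated and len(n.value) == 16:
            return str(uuid.UUID(bytes_le=n.value))
    return None


if __name__ == "__main__":
    for node in walk(SIG_PREVIEW):
        label = decode_oid(node.value) if node.tag == 0x06 and not node.truncated else ""
        cut = " (truncated)" if node.truncated else ""
        print(f"{'  ' * node.depth}tag=0x{node.tag:02x}{cut} {label} {OID_NAMES.get(label, '')}")
    print("SIP GUID:", sip_guid(SIG_PREVIEW))
```

To go beyond the preview, extract the full 6451-byte \x05DigitalSignature stream with any OLE/CFB tool and pass it to walk(); with complete data the truncated flags disappear and the signer certificates, the SHA-1 file digest and the timestamp countersignature (an unsigned attribute of the SignerInfo) become walkable the same way.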
Stream Path: \x5MsiDigitalSignatureEx, File Type: data, Stream Size: 20
General: Entropy: 4.22192809489; Base64 Encoded: False
Data ASCII: . . m . . Y . . . . T . 6 ! . . q . G v
Data Raw: c4 95 6d 1e 06 59 9f d1 f0 df 54 dd 36 21 95 da 71 e9 47 76
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 580
General: Entropy: 4.72126060219; Base64 Encoded: True
Data ASCII: ...... O h . . . . . + ' . . 0 ...... x ...... l ...... I n s t a l l a t i o n D a t a b a s e ...... - . . . S o f t l a n d ' s n o v a P D F 8 S D K C O M ( x 8 6 ) I n s t a
Data Raw: fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 14 02 00 00 0e 00 00 00 01 00 00 00 78 00 00 00 02 00 00 00 80 00 00 00 03 00 00 00 a0 00 00 00 04 00 00 00 d8 00 00 00 05 00 00 00 ec 00 00 00 06 00 00 00 00 01 00 00 07 00 00 00 6c 01 00 00 09 00 00 00 80 01 00 00 0c 00 00 00 b0 01 00 00
Stream Path: \x16944\x17191\x14436\x16830\x16740, File Type: Microsoft Cabinet archive data, 922265 bytes, 6 files, Stream Size: 922265
General: Entropy: 7.99970637823; Base64 Encoded: True
Data ASCII: M S C F ...... < ...... & . . . . Q . . # ...... r G . ~ . I d _ N o v a p i L i b i 3 8 6 ...... r G . ~ . I d _ N o v a p i L i b x 6 4 ...... L G D s ! . I m F i l e _ I d 6 4 ...... L G D s ! . I m F i l e _ I d 8 6 ...... r G d . . W a f C l i e n t F i l e _ I d 6 4 ...... r G d . . W a f C l i e n t F i l e _ I d 8 6 . . . d q n
Data Raw: 4d 53 43 46 00 00 00 00 99 12 0e 00 00 00 00 00 3c 00 00 00 00 00 00 00 03 01 03 00 06 00 00 00 00 00 00 00 fb 00 00 00 26 00 03 15 01 51 05 00 23 00 03 15 b9 1f 0c 00 10 00 03 15 00 a4 08 00 00 00 00 00 00 00 72 47 13 7e 20 00 49 64 5f 4e 6f 76 61 70 69 4c 69 62 69 33 38 36 00 00 16 0a 00 00 a4 08 00 00 00 72 47 16 7e 20 00 49 64 5f 4e 6f 76 61 70 69 4c 69 62 78 36 34 00 00 02 11
Stream Path: \x17163\x16689\x18229\x16446\x18156\x14988, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 212992
General: Entropy: 6.54635453743; Base64 Encoded: True
Data ASCII: M Z ...... @ ...... ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ ...... d . w . d . w . d . w . . . s . B . w . . . t . } . w . . . r . . . w . m . . . g . w . m . . . u . w . d . v . . . w . B . r . B . w . B . w . e . w . B . . . e . w . d . . . e . w . B . u . e . w . R i c h d . w ...... P E . . L . . .
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
Stream Path: \x18496\x15167\x17394\x17464\x17841, File Type: data, Stream Size: 752
General Stream Path: \x18496\x15167\x17394\x17464\x17841 File Type: data Stream Size: 752 Entropy: 4.82520054349 Base64 Encoded: False Data ASCII: ...... " . " . " . ) . ) . ) . * . * . * . + . + . , . , . 1 . 1 . 5 . 5 . 5 . 5 . 5 . 5 . ; . ; . ; . C . C . G . G . G . G . G . W . W . W . W . W . W . W . W . f . f . j . j . j . j . j . j . j . j . x . x . x . y . y . y . z . z . z . z . z . z ...... Data Raw: 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 22 00 22 00 22 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2c 00 2c 00 31 00 31 00 35 00 35 00 35 00 35 00 35 00 35 00 3b 00 3b 00 3b 00 43 00 43 00 47 00 47 00 47 00 47 00 47 00 57 00 57 00 57 00 57 00 57 00 57 00 57 00 57 00 66 00 66 00 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 78 00 78 00 78 00 79 00 79 00
Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468, File Type: ASCII text, with very long lines, with no line terminators, Stream Size: 8784
General Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468 File Type: ASCII text, with very long lines, with no line terminators Stream Size: 8784 Entropy: 5.00174370468 Base64 Encoded: True Data ASCII: N a m e T a b l e T y p e C o l u m n V a l u e _ V a l i d a t i o n N P r o p e r t y I d _ S u m m a r y I n f o r m a t i o n D e s c r i p t i o n S e t C a t e g o r y K e y C o l u m n M a x V a l u e N u l l a b l e K e y T a b l e M i n V a l u e I d e n t i f i e r N a m e o f t a b l e N a m e o f c o l u m n Y ; N W h e t h e r t h e c o l u m n i s n u l l a b l e Y M i n i m u m v a l u e a l l o w e d M a x i m u m v a l u e a l l o w e d F o r f o r e i g n k e y
General Data Raw: 4e 61 6d 65 54 61 62 6c 65 54 79 70 65 43 6f 6c 75 6d 6e 56 61 6c 75 65 5f 56 61 6c 69 64 61 74 69 6f 6e 4e 50 72 6f 70 65 72 74 79 49 64 5f 53 75 6d 6d 61 72 79 49 6e 66 6f 72 6d 61 74 69 6f 6e 44 65 73 63 72 69 70 74 69 6f 6e 53 65 74 43 61 74 65 67 6f 72 79 4b 65 79 43 6f 6c 75 6d 6e 4d 61 78 56 61 6c 75 65 4e 75 6c 6c 61 62 6c 65 4b 65 79 54 61 62 6c 65 4d 69 6e 56 61 6c 75 65
Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479, File Type: data, Stream Size: 1092
General Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479 File Type: data Stream Size: 1092 Entropy: 3.32240816232 Base64 Encoded: False Data ASCII: ...... 2 ...... 6 . . . $ ...... B ...... o ...... ( ...... 5 ...... ' ...... ; ...... > ...... ' ...... Data Raw: e4 04 00 00 04 00 04 00 05 00 02 00 00 00 00 00 04 00 04 00 06 00 02 00 05 00 03 00 0b 00 15 00 01 00 2e 00 0a 00 01 00 13 00 02 00 0b 00 04 00 03 00 02 00 08 00 02 00 09 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 0a 00 1d 00 0d 00 01 00 0e 00 01 00 03 00 01 00 1e 00 01 00 01 00 32 00 15 00 01 00 15 00 01 00 36 00 01 00 24 00 01 00 f5 00 01 00 0f 00 01 00 04 00 0c 00
Stream Path: \x18496\x16255\x16740\x16943\x18486, File Type: data, Stream Size: 42
General Stream Path: \x18496\x16255\x16740\x16943\x18486 File Type: data Stream Size: 42 Entropy: 3.19615871139 Base64 Encoded: False Data ASCII: . . " . ) . * . + . , . 1 . 5 . ; . C . G . W . f . j . x . y . z ...... Data Raw: 07 00 22 00 29 00 2a 00 2b 00 2c 00 31 00 35 00 3b 00 43 00 47 00 57 00 66 00 6a 00 78 00 79 00 7a 00 88 00 91 00 96 00 a7 00
Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481, File Type: data, Stream Size: 2304
General Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481 File Type: data Stream Size: 2304 Entropy: 2.44019705434 Base64 Encoded: False Data ASCII: ...... " . " . " . ) . ) . ) . * . * . * . + . + . , . , . 1 . 1 . 5 . 5 . 5 . 5 . 5 . 5 . ; . ; . ; . C . C . G . G . G . G . G . W . W . W . W . W . W . W . W . f . f . j . j . j . j . j . j . j . j . x . x . x . y . y . y . z . z . z . z . z . z ...... # . % . ' . # . % . ' . # . % . ' . , . . . . . , . . . 3 . % . 5 . 7 . : . = . Data Raw: 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 0a 00 0a 00 22 00 22 00 22 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2c 00 2c 00 31 00 31 00 35 00 35 00 35 00 35 00 35 00 35 00 3b 00 3b 00 3b 00 43 00 43 00 47 00 47 00 47 00 47 00 47 00 57 00 57 00 57 00 57 00 57 00 57 00 57 00 57 00 66 00 66 00 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 78 00 78 00 78 00
Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 48
General Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934 File Type: data Stream Size: 48 Entropy: 3.11008776073 Base64 Encoded: False Data ASCII: ...... x . . . < . . . . . Data Raw: b4 00 b5 00 b6 00 b7 00 b8 00 b9 00 ba 00 bb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 78 85 dc 85 3c 8f a0 8f c8 99
Stream Path: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 24
General Stream Path: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472 File Type: data Stream Size: 24 Entropy: 2.59436093777 Base64 Encoded: False Data ASCII: ...... Data Raw: b4 00 b5 00 b6 00 bc 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 14 85
Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 42
General Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472 File Type: data Stream Size: 42 Entropy: 2.9135675273 Base64 Encoded: False Data ASCII: ...... x ...... Data Raw: b4 00 b6 00 b7 00 b8 00 bb 00 bd 00 be 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 e8 83 78 85 dc 85 c8 99 9c 98 00 99
Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486, File Type: data, Stream Size: 12
General Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486 File Type: data Stream Size: 12 Entropy: 1.89624062518 Base64 Encoded: False Data ASCII: ...... Data Raw: db 00 db 00 db 00 c2 00 c5 00 ca 00
Stream Path: \x18496\x16911\x17892\x17784\x18472, File Type: data, Stream Size: 32
General Stream Path: \x18496\x16911\x17892\x17784\x18472 File Type: data Stream Size: 32 Entropy: 2.8348683589 Base64 Encoded: False Data ASCII: ...... Data Raw: db 00 dc 00 dc 00 00 00 dd 00 de 00 dd 00 de 00 02 80 01 80 01 80 01 80 00 00 d1 00 1a 80 18 80
Stream Path: \x18496\x16918\x17191\x18468, File Type: MIPSEB Ucode, Stream Size: 14
General Stream Path: \x18496\x16918\x17191\x18468 File Type: MIPSEB Ucode Stream Size: 14 Entropy: 1.6266888497 Base64 Encoded: False Data ASCII: ...... Data Raw: 01 80 06 00 00 80 00 00 fb 00 00 00 00 00
Stream Path: \x18496\x16923\x15722\x16818\x17892\x17778, File Type: data, Stream Size: 10
General Stream Path: \x18496\x16923\x15722\x16818\x17892\x17778 File Type: data Stream Size: 10 Entropy: 2.92192809489 Base64 Encoded: False Data ASCII: ...... Data Raw: c0 00 02 80 0c 01 0d 01 12 80
Stream Path: \x18496\x16924\x17007\x16923\x18474, File Type: data, Stream Size: 8
General Stream Path: \x18496\x16924\x17007\x16923\x18474 File Type: data Stream Size: 8 Entropy: 2.25 Base64 Encoded: False Data ASCII: ...... Data Raw: c9 00 ce 00 01 80 01 80
Stream Path: \x18496\x17163\x16689\x18229, File Type: data, Stream Size: 4
General Stream Path: \x18496\x17163\x16689\x18229 File Type: data Stream Size: 4 Entropy: 1.5 Base64 Encoded: False Data ASCII: . . . . Data Raw: c1 00 01 00
Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492, File Type: data, Stream Size: 30
General Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492 File Type: data Stream Size: 30 Entropy: 2.48172767887 Base64 Encoded: False Data ASCII: ...... Data Raw: c4 00 c7 00 cc 00 d1 00 d8 00 d1 00 c4 00 c4 00 d8 00 00 00 d7 00 d5 00 d6 00 d9 00 da 00
Stream Path: \x18496\x17167\x16943, File Type: data, Stream Size: 120
General Stream Path: \x18496\x17167\x16943 File Type: data Stream Size: 120 Entropy: 3.50083536338 Base64 Encoded: False Data ASCII: ...... Data Raw: c9 00 ce 00 e2 00 e4 00 e7 00 e8 00 c5 00 ca 00 c5 00 c5 00 ca 00 ca 00 df 00 df 00 e3 00 e5 00 e3 00 e5 00 00 a4 08 80 00 16 0a 80 20 ef 07 80 00 02 11 80 20 ef 07 80 00 02 11 80 e0 00 e0 00 e0 00 e6 00 e0 00 e6 00 e1 00 e1 00 e1 00 e1 00 e1 00 e1 00 00 82 00 82 00 82 00 82 00 82 00 82 01 00 00 80 02 00 00 80 06 00 00 80 04 00 00 80 05 00 00 80 03 00 00 80
Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 156
General Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934 File Type: data Stream Size: 156 Entropy: 4.17415852923 Base64 Encoded: False Data ASCII: + ...... 2 ...... x ...... 4 ...... @ ...... t . . . p . . . 3 . . . . . Data Raw: 2b 00 b4 00 b5 00 b6 00 b7 00 b8 00 ba 00 bb 00 bd 00 be 00 cf 00 d0 00 d3 00 e9 00 ea 00 eb 00 ec 00 ee 00 ef 00 f0 00 f2 00 f3 00 f4 00 f5 00 f9 00 fa 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 00 00 00 00 00 00 00 f6 00 f8 00 f7 00 00 00 00 00 00 00 ed 00 ed 00 ed 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 32 80 20 83 84 83 e8 83 78 85 dc 85 a0 8f c8 99 9c 98 00 99 34 80 ea 83
Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 42
General Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472 File Type: data Stream Size: 42 Entropy: 2.98770900896 Base64 Encoded: False Data ASCII: + ...... 2 ...... Data Raw: 2b 00 b4 00 b5 00 b6 00 bc 00 e9 00 f5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 32 80 20 83 84 83 e8 83 14 85 bc 82 19 80
Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487, File Type: data, Stream Size: 36
General Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487 File Type: data Stream Size: 36 Entropy: 2.63677362922 Base64 Encoded: False Data ASCII: ...... Data Raw: c2 00 c5 00 ca 00 c3 00 c6 00 cb 00 c4 00 c7 00 cc 00 00 80 00 80 00 80 00 00 c8 00 cd 00 00 00 c9 00 ce 00
Stream Path: \x18496\x17610\x16179\x16680\x16821\x18475, File Type: data, Stream Size: 4
General Stream Path: \x18496\x17610\x16179\x16680\x16821\x18475 File Type: data Stream Size: 4 Entropy: 1.5 Base64 Encoded: False Data ASCII: . . . . Data Raw: bf 00 c0 00
Stream Path: \x18496\x17630\x17770\x16868\x18472, File Type: PDP-11 separate I&D executable, Stream Size: 32
General Stream Path: \x18496\x17630\x17770\x16868\x18472 File Type: PDP-11 separate I&D executable Stream Size: 32 Entropy: 2.3967822216 Base64 Encoded: False Data ASCII: ...... Data Raw: 09 01 09 01 08 01 0e 01 00 00 08 01 00 00 00 00 02 00 00 80 00 01 00 80 00 00 00 00 10 01 0f 01
Stream Path: \x18496\x17740\x16680\x16951\x17551\x16879\x17768, File Type: data, Stream Size: 12
General Stream Path: \x18496\x17740\x16680\x16951\x17551\x16879\x17768 File Type: data Stream Size: 12 Entropy: 2.29248125036 Base64 Encoded: False Data ASCII: ...... Data Raw: c4 00 c7 00 cc 00 c2 00 c5 00 ca 00
Stream Path: \x18496\x17753\x17650\x17768\x18231, File Type: data, Stream Size: 36
General Stream Path: \x18496\x17753\x17650\x17768\x18231 File Type: data Stream Size: 36 Entropy: 3.28778053505 Base64 Encoded: False Data ASCII: ...... Data Raw: a8 00 fc 00 fe 00 00 01 02 01 04 01 05 01 07 01 0a 01 09 01 fd 00 ff 00 01 01 03 01 e1 00 06 01 08 01 0b 01
Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522, File Type: data, Stream Size: 36
General Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522 File Type: data Stream Size: 36 Entropy: 2.30899296309 Base64 Encoded: False Data ASCII: ...... # . # ...... Data Raw: cf 00 d0 00 d3 00 01 80 23 80 23 80 c1 00 d1 00 d1 00 cf 00 d2 00 d4 00 00 00 00 00 00 00 00 00 00 00 00 00
Network Behavior
No network behavior found
Code Manipulations
Statistics
Behavior
• msiexec.exe • msiexec.exe
System Behavior
Analysis Process: msiexec.exe PID: 3628 Parent PID: 3808
General
Start time: 11:38:33 Start date: 03/02/2020 Path: C:\Windows\System32\msiexec.exe Wow64 process (32bit): false Commandline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\novaPDF8COM(x86).msi' Imagebase: 0x7ff6a1240000 File size: 66048 bytes MD5 hash: 4767B71A318E201188A0D0A420C8B608 Has administrator privileges: false Programmed in: C, C++ or other language Reputation: moderate
File Activities
Source File Path Access Attributes Options Completion Count Address Symbol
Source File Path Completion Count Address Symbol
Source File Path Offset Length Completion Count Address Symbol
Analysis Process: msiexec.exe PID: 1148 Parent PID: 4560
General
Start time: 11:38:35 Start date: 03/02/2020 Path: C:\Windows\SysWOW64\msiexec.exe Wow64 process (32bit): true Commandline: 'C:\Windows\syswow64\MsiExec.exe' /Y 'C:\Program Files (x86)\Softland\novaPDF 8\ SDK\Lib\i386\novapi80.dll' Imagebase: 0xc90000 File size: 59904 bytes MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2 Has administrator privileges: false Programmed in: C, C++ or other language Reputation: high
File Activities
Source File Path Offset Length Completion Count Address Symbol
Registry Activities
Source Key Path Completion Count Address Symbol
Source Key Path Name Type Data Completion Count Address Symbol
Source Key Path Name Type Old Data New Data Completion Count Address Symbol
Disassembly
Code Analysis