ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version:


Table of Contents

Analysis Report
  Overview
    General Information
    Detection
    Confidence
    Classification
    Analysis Advice
  Signature Overview
    Key, Mouse, Clipboard, Microphone and Screen Capturing:
    Networking:
    Boot Survival:
    Persistence and Installation Behavior:
    Data Obfuscation:
    Spreading:
    System Summary:
    Anti Debugging:
    Malware Analysis System Evasion:
    Hooking and other Techniques for Hiding and Protection:
    Language, Device and Operating System Detection:
  Behavior Graph
  Simulations
    Behavior and APIs
  Antivirus Detection
    Initial Sample
    Dropped Files
    Domains
  Yara Overview
    Initial Sample
    PCAP (Network Traffic)
    Dropped Files
    Memory Dumps
    Unpacked PEs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    Dropped Files
  Screenshot
  Startup
  Created / dropped Files
  Contacted Domains/Contacted IPs
    Contacted Domains
    Contacted IPs
  Static File Info
    General
    File Icon
    Static PE Info
      General
      Entrypoint Preview
      Data Directories
      Sections
      Resources
      Imports
      Possible Origin
  Network Behavior
  Code Manipulations
  Statistics
  System Behavior
    Analysis Process: tesseract-ocr-setup exe PID: 3272 Parent PID: 2956
      General
      File Activities
        File Created
        File Deleted
        File Written
      Registry Activities
        Key Created
        Key Value Created
  Disassembly
    Code Analysis

Copyright Joe Security LLC 2018

Analysis Report

Overview

General Information
Joe Sandbox Version:
Analysis ID:
Start time: 16:44:15
Joe Sandbox Product: CloudBasic
Start date:
Overall analysis duration: 0h 5m 8s
Hypervisor based Inspection enabled:
Report type: light
Sample file name: tesseract-ocr-setup exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java )
Number of analysed new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Detection: CLEAN
Classification: clean4.winexe@1/107@0/0
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 30.3% (good quality ratio 22.8%); Quality average: 42.7%; Quality standard deviation: 37.8%
Cookbook Comments:
- Adjust boot time
- Found application associated with file extension: .exe
- Stop behavior analysis, all processes terminated
Warnings:
- Exclude process from analysis (whitelisted): dllhost.exe
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.

Detection
Strategy | Score | Range | Reporting | Detection
Threshold | | | |

Confidence
Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | | | true |

Classification
[Classification chart. Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: clean, suspicious, malicious.]

Analysis Advice
- Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
- Sample searches for specific file, try point organization specific fake files to the analysis machine

Signature Overview

Key, Mouse, Clipboard, Microphone and Screen Capturing:
- Contains functionality for read data from the clipboard

Networking:
- Urls found in memory or binary data

Boot Survival:
- Stores files to the Windows start menu directory

Persistence and Installation Behavior:
- Drops PE files

Data Obfuscation:
- Contains functionality to dynamically determine API calls
- PE file contains an invalid checksum
- Uses code obfuscation techniques (call, push, ret)

Spreading:
- Contains functionality to enumerate / list files inside a directory
- Enumerates the file system

System Summary:
- Found GUI installer (many successful clicks)
- Found graphical window changes (likely an installer)
- Found installer window with terms and condition text
- Creates a directory in C:\Program Files
- Creates a software uninstall entry
- Submission file is bigger than most known malware samples
- Binary contains paths to development resources
- Classification label
- Contains functionality to check free disk space
- Contains functionality to instantiate COM classes
- Creates files inside the program directory
- Creates temporary files
- PE file has an executable .text section and no other executable section
- Reads ini files
- Reads software policies
- Sample is known by Antivirus (Virustotal or Metascan)
- Uses an in-process (OLE) Automation server
- Contains functionality to shutdown / reboot the system
- Detected potential crypto function
- Found potential string decryption / allocating functions
- PE file contains strange resources
- Sample file is different than original file name gathered from version info
- Sample reads its own file content

Anti Debugging:
- Contains functionality to register its own exception handler
- Contains functionality to dynamically determine API calls
- Contains functionality which may be used to detect a debugger (GetProcessHeap)

Malware Analysis System Evasion:
- Contains functionality to enumerate / list files inside a directory
- May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
- Checks the free space of harddrives
- Enumerates the file system
- Found dropped PE file which has not been started or loaded

Hooking and other Techniques for Hiding and Protection:
- Disables application error messsages (SetErrorMode)

Language, Device and Operating System Detection:
- Contains functionality to query local / system time
- Contains functionality to query windows version
- Queries the volume information (name, serial number etc) of a device

Behavior Graph

[Behavior graph figure. Sample: tesseract-ocr-setup exe; Startdate: 12/02/2018; Architecture: WINDOWS; Score: 4. Process tesseract-ocr-setup exe started; dropped C:\Users\HERBBL~1\AppData\...\nsDialogs.dll (PE32), C:\Users\HERBBL~1\AppData\...\UserInfo.dll (PE32), C:\Users\HERBBL~1\AppData\...\System.dll (PE32), 50 other files ( is malicious).]

Simulations

Behavior and APIs
No simulations

Antivirus Detection

Initial Sample
- tesseract-ocr-setup exe: Detection 3% (virustotal)
- tesseract-ocr-setup exe: Detection 0% (metadefender)

Dropped Files
- C:\Program Files\Tesseract-OCR\ambiguous_words.exe: Detection 1% (virustotal)
- C:\Program Files\Tesseract-OCR\classifier_tester.exe: Detection 0% (virustotal)
- C:\Program Files\Tesseract-OCR\cntraining.exe: Detection 0% (virustotal)
- C:\Program Files\Tesseract-OCR\combine_tessdata.exe: Detection 1% (virustotal)
- C:\Program Files\Tesseract-OCR\iconv.dll: Detection 0% (metadefender)
- C:\Program Files\Tesseract-OCR\icui18n51.dll: Detection 0% (metadefender)
- C:\Program Files\Tesseract-OCR\icuuc51.dll: Detection 0% (metadefender)
- C:\Program Files\Tesseract-OCR\libbz2-1.dll: Detection 0% (metadefender)

Domains
No Antivirus matches

Yara Overview
Initial Sample: No yara matches
PCAP (Network Traffic): No yara matches
Dropped Files: No yara matches
Memory Dumps: No yara matches
Unpacked PEs: No yara matches

Joe Sandbox View / Context
IPs: No context
Domains: No context
ASN: No context
Dropped Files: No context

Screenshot

Startup
- System is w7
- cleanup
- tesseract-ocr-setup exe (PID: 3272 cmdline: 'C:\Users\user\Desktop\tesseract-ocr-setup exe' C0D03C9517E B4CF37C45A2F6C)

Created / dropped Files
- C:\Program Files\Tesseract-OCR\ambiguous_words.exe; PE32 executable (console) Intel 80386, for MS Windows; Antivirus: virustotal, Detection: 1%
- C:\Program Files\Tesseract-OCR\classifier_tester.exe; PE32 executable (console) Intel 80386, for MS Windows; Antivirus: virustotal, Detection: 0%
- C:\Program Files\Tesseract-OCR\cntraining.exe; PE32 executable (console) Intel 80386, for MS Windows; Antivirus: virustotal, Detection: 0%
- C:\Program Files\Tesseract-OCR\combine_tessdata.exe; PE32 executable (console) Intel 80386, for MS Windows; Antivirus: virustotal, Detection: 1%
- C:\Program Files\Tesseract-OCR\dawg2wordlist.exe; PE32 executable (console) Intel 80386, for MS Windows
- C:\Program Files\Tesseract-OCR\doc\AUTHORS; Size (bytes): 653; UTF-8 Unicode text
- C:\Program Files\Tesseract-OCR\doc\COPYING; Size (bytes): 1007; ASCII text
- C:\Program Files\Tesseract-OCR\doc\README; Size (bytes): 1687; ASCII text
- C:\Program Files\Tesseract-OCR\doc\eurotext.tif; TIFF image data, little-endian
- C:\Program Files\Tesseract-OCR\doc\phototest.tif; TIFF image data, little-endian
- C:\Program Files\Tesseract-OCR\iconv.dll; PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows; Antivirus: metadefender, Detection: 0%

- C:\Program Files\Tesseract-OCR\icudata51.dll; PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows
- C:\Program Files\Tesseract-OCR\icui18n51.dll; PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows; Antivirus: metadefender, Detection: 0%
- C:\Program Files\Tesseract-OCR\icuuc51.dll; PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows; Antivirus: metadefender, Detection: 0%
- C:\Program Files\Tesseract-OCR\java\ScrollView.jar; Java Jar file data (zip)
- C:\Program Files\Tesseract-OCR\java\piccolo2d-core-3.0.jar; Java Jar file data (zip)
- C:\Program Files\Tesseract-OCR\java\piccolo2d-extras-3.0.jar; Java Jar file data (zip)
- C:\Program Files\Tesseract-OCR\libbz2-1.dll; PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows; Antivirus: metadefender, Detection: 0%
- C:\Program Files\Tesseract-OCR\libcairo-2.dll; PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows
- C:\Program Files\Tesseract-OCR\libexpat-1.dll; PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows
- C:\Program Files\Tesseract-OCR\libffi-6.dll; PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows

15 C:\Program Files\Tesseract-OCR\libfontconfig-1.dll Size (bytes): Entropy (8bit): PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows 2208FE29B62EF89C5DD89CFA72E5763F 9F6328FCA1173ED0558D B62EB74552 D2648B5608CA7419C1A6B027E50FDB1B97F FC6F8237C75DB17B125F 44C3B9B4FB1E74CF4B05FB85926B8380E74F672E8C5FEA1F95A94C9097F CB79B41245D52EFBFEE8D0 F8482A39A22945FE7B0C5545F B764D0 C:\Program Files\Tesseract-OCR\libfreetype-6.dll Size (bytes): Entropy (8bit): PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows 010B385C2577C59BF499EE68A083B1BE 7DB4D0106CB00679B6FC F2CB69502CD6B BF930298D8B4A185DA4B20B93C77769CA93C15E8E7C4FA519FFB652BF172CCDE 6571B5F46723E29386FAD68ABDF6DED99E02E3B25067FC1ECC797B A078CD1D8F2D65537F1DB39FFECF 0F6F9C1274B0A F4834D5D7C44AFB9 C:\Program Files\Tesseract-OCR\libgcc_s_sjlj-1.dll Size (bytes): Entropy (8bit): PE32 executable (DLL) (console) Intel 80386, for MS Windows AB9740F3C260A92370DECAD2FF54902D 4A5D16B80645D570BCD CDAC A6 B3FB F4D358FB25A62D847ED1ACC8E7249C822BE80FADF985C8806EE C57F366C649C263F99797D1AA307C9A150B FBC3A40D75392BCB749CB1C10C01AD79BBE22F0A5D163CD 49973E40B2A0C5FEEDF315220E1272C4CA38E7 C:\Program Files\Tesseract-OCR\libgif-4.dll Size (bytes): Entropy (8bit): PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows B75D30B827A44922ABDBC8E64B78848D A34360D57BB8C203DD31F0737C98072C CF906BAC4659ED8C7E7CAC775E0704D4C987F8EE43CE6E5A317DE5EAA BD59825C51DDBBD416C0CF233DE595744CFBDDD73AE3418C9C8CB6F38284B621B F800C45 F18C47A82E317046D211A1C7BFC801F41F355 C:\Program Files\Tesseract-OCR\libglib dll Size (bytes): Entropy (8bit): PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows 9E385285DDC8E4E923FEE3691F9889E5 EBB13DF20789ADDA5B3D319D76C03F2BFB6777F7 EC60BBFD AD106DC5362CF962D75FEAF00511A407DAAE7534CD4D87D6 671ED0E9312BA83EE7B4716A1542FDF40B9810EE593D86BC449D7E8701E1FB8636C74CBCC10B078C2F4B0D6D C3E5B5874C89466E4D70BC A4F C:\Program 
Files\Tesseract-OCR\libgobject dll PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows Copyright Joe Security LLC 2018 Page 15 of 89

16 C:\Program Files\Tesseract-OCR\libgobject dll Size (bytes): Entropy (8bit): EEF1EC23AEB55D7C047769A D76098E3DC82201B C8EBAE9226E 6D CA68E EC0E150AB2FCFAD52E41FADFE71603E7A43A5137 D8D109EB4BF36D454C75C3A5C4762B22E72A056BD4CB07A4ADABA2DBF60A012E25E57DB11E5B9EB39A8FB9B0 4E1AE329C6F37D913F57D4CEB46DB3C2841C0F36 C:\Program Files\Tesseract-OCR\libgomp-1.dll Size (bytes): Entropy (8bit): PE32 executable (DLL) (console) Intel 80386, for MS Windows CBE94627BD71FF1CA6A9B158C09DD5F4 A FDC1834F0F5D47FBCA35E67EB3CAC 2F01E6DAA76B33BB608037ACEE9DE5CEAC3FE273CD9810F732CA0DCBD9AF6BF3 F79FCCDC2BB F9439D2C960901A7AF217ED984899B94C6FE52702B5AE1A8C A86C4A7F0AE572E7 B3F8EFEDCCD49DD2DB69858EC90EE39132FEB C:\Program Files\Tesseract-OCR\libharfbuzz-0.dll Size (bytes): Entropy (8bit): PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows 95B33F46E89D88C37B BBB 29EF7B2A43FBAE83069A55D29B50101D64A9ABDC F6B0FEEAD38F2B356A34E054C7248B6D76A7D2B5A775CAA88E38AFBC0CF5A22D 62FDE5884D5DB3CAA1F624B3785CDD9226A7B6B18FF37252F925AC0199A9F04861A763FDA9645FBCE95C72EC12 EFB34EE94B7EFE6BE529058C7EE4A23BB1AE38 C:\Program Files\Tesseract-OCR\libintl-8.dll Size (bytes): Entropy (8bit): PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows D81774A6915D71E08DBCDDFF6D C5B0A04D94491FF05CDD5885BD336D849D4A05A0 E7106B82BC669E8AA8C39113B BE40975E1FE4CE228B553CC89 8D3AC9C8529F0DD7F D74D8D8E FA0B9F679B20C87C90D9B808B2211FF9DE4563A3C76ACBDDC A5560D2A8F47B54C37ACA6E F C:\Program Files\Tesseract-OCR\libjbig-2.dll Size (bytes): Entropy (8bit): PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows 8D537CF58DD3BF BC7EC9334 0E0F4AB78E4E2933CC0B FA1CF639E6B2 9406B044B33A88489F60BF54101FB830F7DC961394C742D87106A61032BC5CE5 40E0047F1A7FAB2D52F64558B4145BBFD5D923E941332C20259E222AA86AE0799C035160DE389E12EECF31C4122 FD34FFF45F8E53F03A36B32EC1F7983DFCDB6 C:\Program Files\Tesseract-OCR\libjpeg-8.dll PE32 executable (DLL) (console) Intel (stripped to 
external PDB), for MS Windows Size (bytes): Copyright Joe Security LLC 2018 Page 16 of 89

17 C:\Program Files\Tesseract-OCR\libjpeg-8.dll Entropy (8bit): D8B9C42B0973ED99DBCDC64FB1BC01 C E371B11C925182A11FCCAF55F99DC2 9CE052ED1B8DCB5041CE D47D7F162C2AA1FF89A1966B DB8E 0C8DB8C9B00D0A9AE5D662A1B FF622D8BC6CDD086A74F4FC1CC8EA90C7B201D31766DC5263CF6AE E101A5FB0C282F2C9359F42D4D681D461C C:\Program Files\Tesseract-OCR\liblept-5.dll Size (bytes): Entropy (8bit): PE32 executable (DLL) (console) Intel 80386, for MS Windows 64F46B F23DDAEA5744BB0300 B3BC9C7E84D29FC8703DDF64D143DAB03480C F8A0851C6221DE89DEAD3E271BAA03E60FAE03F38E42AEDACF6CDC 5D351BC14D6EEDE5DA40DABC5D1AE07150ED01381E4A6185F A5F6F0A9AD40D784B1E9E3B61DAEAE4 02A3CD1F8C119FBCF358BA4E3D21F9324CD7EC1 C:\Program Files\Tesseract-OCR\liblzma-5.dll Size (bytes): Entropy (8bit): PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows 0C877B03D677A8B4F581294A15A3AB8D C4181B647E079FC42BFFD02F378DA7EA710C39C1 4CC800CAC61ED5DC015F58726D84EB6F8FBE A7886CAF765B50B6562BE 8D640D62A9116EBFC2763D26618DF8E49442ED707359BC3C9694FA8DDC CBD0E99347E328728E416F9274 F4090A4FC0DD2BDDAEC92F63FE22157D2BD91 C:\Program Files\Tesseract-OCR\libopenjp2.dll Size (bytes): Entropy (8bit): PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows 6738CAD506680FFFA59C338EF762D9F3 740CDAEEDFF04F9F5788A93C7458C6D4A11D87C2 BA927294D60253DAA247306D985B6886F8D278037B6F79874D1F45CD53DB2FE2 B5BDC9E6DD23F1ABF199F997CE565FE297168A5B1D91A1B61F5A50C FECAB3572C421FBD EFDC97C2B0CF53095F5439B9AF03D3CBCFCB C:\Program Files\Tesseract-OCR\libpango dll Size (bytes): Entropy (8bit): PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows CE7D5AD13E59FC7A5BCCA2A8235A5386 A504BEFBAC8AA AC53F230DA730CE 831A870DE0CA96FAEB4951DD1895A2545D021CF91E4CD99B9487B0424FB0AFBC B4206BA6A3EE74DA928A694C7FC32FCAE334AC68320E1B807FFE0BDEFE4B88C1D2009F138AF522E95B0B5B76F 9F33534E950C83D95A970FCAD1D6526F846A625 C:\Program Files\Tesseract-OCR\libpangocairo dll PE32 executable (DLL) (console) Intel (stripped 
to external PDB), for MS Windows Size (bytes): Entropy (8bit): Copyright Joe Security LLC 2018 Page 17 of 89

18 C:\Program Files\Tesseract-OCR\libpangocairo dll F2D769DE8DE8DC B33E A5D2AE8737E74C588706DACEEF3538CEFE3DB D1D3621E0E3E75FE2537A9C E2968A9B920B83DC370F440C F12A74ECF4B07F99AC230CFA0AC46357A58AEE4CD2F2063DCD4AA7E950E4BA16B21750FCB9F0B776443C7 CD4AE22E36BBAD B7CDF3171A2C1C738 C:\Program Files\Tesseract-OCR\libpangoft dll Size (bytes): Entropy (8bit): PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows 3078C0D D5CE7A53BE6D5A8 A798EF3988F F521C31813AEC6E4E59CE AA74CF6C3B6875D0A EC6575EC356B4F9810A831F514CD158D91A4204 0A2C031DCA2000A09AA7829E4911E93FA2786B26917D42E8FC ECE C5DA809BF17E53D AB7BCE0E6FD452DA4747C221F4EF53 C:\Program Files\Tesseract-OCR\libpangowin dll Size (bytes): Entropy (8bit): PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows 251C1BCAECA C8E2E2AABCAE3 DD603E E FFA354A5F32FC963F9 A410F AB630F39AA1358D378220E3317BA4CFF6DD7D07DE23CFE A2120F29E0D080F1E4FB B3757FA91625A2D40D C070E104DD6C654EB84CEE 3B78F5DD6534C07443D45C C56BB C:\Program Files\Tesseract-OCR\libpixman-1-0.dll Size (bytes): Entropy (8bit): PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows 1CC5D09EF B900E65A99BEFEDD E20D34D2075EC7415D1C0549AD1ED1FADB97727F 6EBF960B103B57A7F9577BBC EAEE0790D60FCBD7CC05B8C83F B5E0E588493AC08DFA1C403E ABF154396A30872A1786C8B89AADAEDE6371A31AC7EFF811432CF356AA D785D58543F9B4B28E1E34B56256B34F6330FB C:\Program Files\Tesseract-OCR\libpng16-16.dll Size (bytes): Entropy (8bit): PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows 7DE3AA49A8D731F099D2E2B9809DFA6E D99BFA3DA01A2455A4DC2B17BB6640 F0D6C3C70FAC04ED8C08BCCDDC64AACBF58BAE3164E46CC9B9351BD54A D6AEF34DCF2028CAAB34D129C5B5FD290ED8CE690B115D58F23F012BEF4CAFBB751AE684795B5E2F FD BADFDF15F04829B3E51653DC949 C:\Program Files\Tesseract-OCR\libstdc++-6.dll PE32 executable (DLL) (console) Intel 80386, for MS Windows Size (bytes): Entropy (8bit): Copyright Joe Security LLC 2018 Page 18 of 89

19 C:\Program Files\Tesseract-OCR\libstdc++-6.dll 34D4111BA35B2BF605C1E E3DF 480B4B70092DD9AC23D6DDC45EFF852E A DAC9D908873AE C406BE53A2620E61742E3B85410A29AB9582AFAF9D C1791C0AAF8E DDEE5E37A7968E2DE7E0E57FF4CE579C43B970FC65EB56D0B497DB94E0FA4ECA4258 E122C517B9A43DF96C2101B68F29DA55ED4679D C:\Program Files\Tesseract-OCR\libtesseract-3.dll Size (bytes): Entropy (8bit): PE32 executable (DLL) (console) Intel 80386, for MS Windows 5E4A8B0CECCCE7D1B A7BABBFE 1E35F651B8CEB459D709F869DFB9E6BA5EC2060D D99C877A5AE43E7BE2686AD9A9440B8454C D9DEE5405BB8B225178F7A ECBEB51362B6A6FFE8E8A494DD8320C876E50E7E2C1762A E9139E504349D9E8811A1B991115C5B C8F081E7FA9ABA7AAC6B006C23BA870F C:\Program Files\Tesseract-OCR\libtiff-5.dll Size (bytes): Entropy (8bit): PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows E0DF63C4A5B3E7AB12C2A3340BD C471B2DB55CD67C773E7B054ED014695F00E1 0A1262D9E9D49649C018DDF3CF3C371D7BE46D649E3D704F59695BE1DC73D5E3 C3122F804C2BBDCBB32B42224CF2D0506CC7CF20F190B9C5FA8772ADF005430DE4191CE3B78F2EAB01E581401A 50538F3F98EC1076C AF290641BD C:\Program Files\Tesseract-OCR\libwebp-5.dll Size (bytes): Entropy (8bit): PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows F51BA2A669564A0ABA635B07D4B397A5 2F411A7CB9ED9BF3CA1164C3FB42BF19F347EDC2 3F CCC5DDCD56F5D3F8D31F5EAE688957E2E2099EE517243E78201CEE9 DCACA71CB7EAC3E9417B0E8CFA730EDC63CB83EBA085700AA9EB78FA3F0E886024BE5F4337E82F3E992F5F876 74CAFD65661B91CFD5311A69A790BDB0D804D96 C:\Program Files\Tesseract-OCR\libwinpthread-1.dll Size (bytes): Entropy (8bit): PE32 executable (DLL) (console) Intel 80386, for MS Windows 0E03DFA B13091CBE A 21C65F72A731FC EE17DCFEA9726B4B32 F87E432B08CEA6A6AC8670D8CD6E BA191B7F6A27429CB8EB11936B4F6 9F8DAB9B646C0C57AC2B47C53C706DC03ACCD71F688F836A52D4DB35D4D1E99B6CF956F65466FBAEAE153D4C 20307DF27D9648D2D450CAD5698AD60ED2891CD C:\Program Files\Tesseract-OCR\mftraining.exe PE32 executable (console) Intel 80386, for MS Windows Size (bytes): 
Entropy (8bit): EDF49F7B5DDC7436EE25CBA8040E61FB Copyright Joe Security LLC 2018 Page 19 of 89

20 C:\Program Files\Tesseract-OCR\mftraining.exe 3F348FB5AC98934E B018C53B6F1D3 B1DC1C3B D E732A FB2C8320AE147C8DE D5962AAF9E8B4885C4920ACED688BFE6737A5AFCE63A A15531A05A76C325BE9CB10603D8F45E072A7B A7C2D019678F03345FA402715DA0AC0DEB6BB0 C:\Program Files\Tesseract-OCR\set_unicharset_properties.exe Size (bytes): Entropy (8bit): PE32 executable (console) Intel 80386, for MS Windows 8BB6B322C9B4DA6B CF29BFBC4 66AADBABF266DE0442E8358E908FFED981AE F4341E9D3747C3D06CDE2388BBFD13B6591EF17906F87F8F228A8161EE62A8 13C858C32E09C519DF8540C4638DFFD6BDF7D47B8FE0C5464EB BE219EBD234B9CF3E17E74EDA 2A5F3944DC0252FB92CE5843DB5423EE8B4A3B C:\Program Files\Tesseract-OCR\shapeclustering.exe Size (bytes): Entropy (8bit): PE32 executable (console) Intel 80386, for MS Windows B085F59CDEF66FB130E838AD241C F23DB52BFBB0F226CE5F23945D C979 28D7B0627C69EF1952B882A46FB96D7F4B3FBA27DC181DF30EC40772C4E DFE98B1EA9E52223BA17CAE9A7F3F9A7F9AC154A22C889F3500B6752F2E1F32129C F31E D0959BDFEABC80257DFAE5C3F0D5053B27A8 C:\Program Files\Tesseract-OCR\tar.exe Size (bytes): Entropy (8bit): PE32 executable (console) Intel 80386, for MS Windows 46B3C995A373BF2A17D0ADC66BDEEEE3 0A257F1BA6D8C4F7A66525BBE08D744D02396F0C A4F36EA3584D1DCE91AB7998A84D BF8B6C8E2FD1A903B6E46C40AB24 9DBB9CD806FF36F32AD573E4F76130FB78FAF1DD799DCAE7D3114CFCB9C882664C1D6B031A34DBF9CE3A7EA0 E39E1D796BFAC3D32EACD090AF67F D5 C:\Program Files\Tesseract-OCR\tessdata\configs\ambigs.train Size (bytes): 146 ASCII text Entropy (8bit): DE42C1F24F8DB2FF88A6D0A415DDD2 003AE8BD2986AD454748B609C666A7F550017B24 717E534FD4330ED3F9BDB006F0465AA2633CCA866786A8F8D469DBD4B01C10C2 38F87DD908D203776AB7E C9EF84EF0716B984CAF18E2CC800C81663E4A26E5013B07E64AC86E2278E 9500C66C501078E243C4B6F9659C74A50C038 C:\Program Files\Tesseract-OCR\tessdata\configs\api_config ASCII text Size (bytes): 26 Entropy (8bit): EC384B51ED951A537C7FD768CD6A7897 CD2C358B6B256AF0E4A71AA08B1D1B41F45AE225 Copyright Joe Security LLC 2018 Page 20 of 89

21 C:\Program Files\Tesseract-OCR\tessdata\configs\api_config 2929BC0F1D2BA77F28CFC230F7B835B2B54038C0F9D2E8E4C5ADA43803C999FD B2E6EE480A645FA5AA00B322E3EB038ECEF0565B7BF0805F907B548028E0DF20A2183EACE009861C0D8EBBE52 80D543CEB1C AE9C248170F739691C868 C:\Program Files\Tesseract-OCR\tessdata\configs\bigram Size (bytes): 129 ASCII text Entropy (8bit): A0CE237FE4E973A9E010A484EEFE027 4DF4919A FF1FFEE8848D456964E15D3 65E6583ABC617A34D F2493D312C296A85629AC3C092D3B93B6E554 E91B14B5F379A878A1BE44CE48395B3C818BC9DABB48054B74B242B AA8802EB7EDC2F82E77B0D7FB 2F0C0E511A38305A45D18273EB7920CA3CEA6F C:\Program Files\Tesseract-OCR\tessdata\configs\box.train Size (bytes): 355 ASCII text Entropy (8bit): A85EC3D54A3671BA2C3BD7682D0621 D48CE8F8F75008FCD2FFDBCC159FA579338C31CC B08CBCF4D04F8D2E6E486A BC3C309F689F6BAF55C3668ADB35FE9 57A26F4CD256C CE6ECA4D2FF CD97DCEAB5F73BD515A4E34CDA97521DDCC0650D94C DEF64E756860D3C15A57F0C6BE941AED32D4 C:\Program Files\Tesseract-OCR\tessdata\configs\box.train.stderr Size (bytes): 355 ASCII text Entropy (8bit): E30B0C56B8494E649BA608D51E0E9F B091EC4D345F97E771550AC48B90FF8520DA 6D2D6D0A5CB07D55E560C5CE0F82188EEE29EA2E0FBF3F9043F864AB6C8302DB E670A4F078DC ED5AE60673AF6F4A7B5E0CDD07D2CDAED672BD70D0B04D4C9608A7FBE46E6D19 B893DC701F0640EB986F C95D5180A7B C:\Program Files\Tesseract-OCR\tessdata\configs\digits Size (bytes): 37 ASCII text Entropy (8bit): E182014BF964779EE99A31DF92D443 BED100F55AC5D79EF7F42828D373ACC25DAE6368 E757D95BB1E EA10D7F2C8BB8A0C9C4CCC58A0E8C67E8DC2933A56E2E D2125BFD020B33C AFE3DFA F91BB39A25F734C473CBFC68B39240A3A1DC382F4F94F 88DEFBEAB CBBF0A9B6600C62F4C28 C:\Program Files\Tesseract-OCR\tessdata\configs\hocr ASCII text Size (bytes): 64 Entropy (8bit): A6A14D2C531FE561965C E709665E ED9B78DD63A336D6B D09A96B25028CAAB960802E00E0FB CAE1F58B669B03F5DC4A03CE80A Copyright Joe Security LLC 2018 Page 21 of 89

22 C:\Program Files\Tesseract-OCR\tessdata\configs\hocr B461D0F2B8B7E E7AB9B6FDC7DEB16D936AB B1D6AA80D378EBE21041DBE85B21D1A8A5D5 E25E7A72A663FAEAB97E2C304A20F47A C:\Program Files\Tesseract-OCR\tessdata\configs\inter Size (bytes): 59 ASCII text Entropy (8bit): DF90BFAD4C60700AC3B1E392935AD6D7 6915D ADCF4DD1CBEB50CD4E4390EF87F BF83668E446F4966D1EBF7418AD9F0C5E08836BC59D98CAE3BBFC3AEE9D E0383E1B0AC777300A04370A22DD114CD87344D6DADD106FACAF4CC6F04A76432ACB CFC0573C63DB4 E14C DECAE52D56F64F34CC2DA7F4BD C:\Program Files\Tesseract-OCR\tessdata\configs\kannada Size (bytes): 101 ASCII text Entropy (8bit): ECD65AEC452A1C666CAF2CAEA921 2F F06A3D064E9E80499EB6A9181FC121 7D34FEC A3A22D157DC5CC8824B93EE923E576E6BFD1B026039C2E8F0 40EB5732C2AEBABDEBD BCC22BCC9EF051284C457D4668E44611B6AB69823EDD2AF11DB2DFC4493F09F 1A957C90428A719820FFF084A7909D4D1631FBE C:\Program Files\Tesseract-OCR\tessdata\configs\linebox Size (bytes): 70 ASCII text Entropy (8bit): D963106C7ABCDD1BDF982BDC78ADB301 9F370BC547BAC7ABF1CA0F4E059E79068AB1C019 EB B009A53432A9E1DDE85BF BC365BB61837F83355C9 421C5FA423ACF977D6420E5E06C575032A28131C803EA7FA3A25D8AE1E19DF70E7768BA3A2B0FBD4AE0F85F9A5 369B42E B88E32D4B55B1B9AA95 C:\Program Files\Tesseract-OCR\tessdata\configs\logfile Size (bytes): 25 ASCII text Entropy (8bit): D3605CF62A18D9FC3D0BF9C46A52E4A 61C4BD39C173F8C20DCDA218DE2B F359 5EED5E41E5FBBF C0E4CDA7821F8E EC6821AB41D926E F908AA1167EBB2EA F62D27E2D3AF C46F830AE7AD6EE D8547AB49255AB EA489DD2777E7AA249C505BECF17DE9A4F C:\Program Files\Tesseract-OCR\tessdata\configs\makebox ASCII text Size (bytes): 26 Entropy (8bit): A0B5BB7FC40BF D2B42668BB94 A D6F9417D05DEA28A95A B A8FE20A2BC9FF1E9E8ED06D C978627B8E965600ABD63F1F412C18FFE Copyright Joe Security LLC 2018 Page 22 of 89

C:\Program Files\Tesseract-OCR\tessdata\configs\pdf
  File type: ASCII text; Size (bytes): 46
C:\Program Files\Tesseract-OCR\tessdata\configs\quiet
  File type: ASCII text; Size (bytes): 21
C:\Program Files\Tesseract-OCR\tessdata\configs\rebox
  File type: ASCII text; Size (bytes): 65
C:\Program Files\Tesseract-OCR\tessdata\configs\strokewidth
  File type: ASCII text; Size (bytes): 377
C:\Program Files\Tesseract-OCR\tessdata\configs\tsv
  File type: ASCII text; Size (bytes): 46
C:\Program Files\Tesseract-OCR\tessdata\configs\txt
  File type: ASCII text

C:\Program Files\Tesseract-OCR\tessdata\configs\txt
  Size (bytes): 166
C:\Program Files\Tesseract-OCR\tessdata\configs\unlv
  File type: ASCII text; Size (bytes): 46
C:\Program Files\Tesseract-OCR\tessdata\eng.cube.bigrams
  File type: ASCII text
C:\Program Files\Tesseract-OCR\tessdata\eng.cube.fold
  File type: ASCII text; Size (bytes): 38
C:\Program Files\Tesseract-OCR\tessdata\eng.cube.lm
  File type: ASCII text; Size (bytes): 181
C:\Program Files\Tesseract-OCR\tessdata\eng.cube.nn
  File type: data

C:\Program Files\Tesseract-OCR\tessdata\eng.cube.params
  File type: ASCII text; Size (bytes): 254
C:\Program Files\Tesseract-OCR\tessdata\eng.cube.size
  File type: UTF-8 Unicode text
C:\Program Files\Tesseract-OCR\tessdata\eng.cube.word-freq
  File type: UTF-8 Unicode text
C:\Program Files\Tesseract-OCR\tessdata\eng.tesseract_cube.nn
  File type: data; Size (bytes): 996
C:\Program Files\Tesseract-OCR\tessdata\eng.traineddata
  File type: data
C:\Program Files\Tesseract-OCR\tessdata\eng.user-patterns
  File type: ASCII text; Size (bytes): 33

C:\Program Files\Tesseract-OCR\tessdata\eng.user-words
  File type: ASCII text; Size (bytes): 27
C:\Program Files\Tesseract-OCR\tessdata\osd.traineddata
  File type: AIX core file 32-bit, \340\245\210 [92e 948 ]x 64-bit, \256 [92e ]x
C:\Program Files\Tesseract-OCR\tessdata\pdf.ttf
  File type: TrueType font data; Size (bytes): 572
C:\Program Files\Tesseract-OCR\tessdata\tessconfigs\batch
  File type: ASCII text; Size (bytes): 50
C:\Program Files\Tesseract-OCR\tessdata\tessconfigs\batch.nochop
  File type: ASCII text; Size (bytes): 37

C:\Program Files\Tesseract-OCR\tessdata\tessconfigs\matdemo
  File type: C++ source, ASCII text; Size (bytes): 243
C:\Program Files\Tesseract-OCR\tessdata\tessconfigs\msdemo
  File type: C++ source, ASCII text; Size (bytes): 402
C:\Program Files\Tesseract-OCR\tessdata\tessconfigs\nobatch
  File type: very short file (no magic); Size (bytes): 1; Entropy (8bit): 0.0
C:\Program Files\Tesseract-OCR\tessdata\tessconfigs\segdemo
  File type: C++ source, ASCII text; Size (bytes): 329
C:\Program Files\Tesseract-OCR\tesseract-uninstall.exe
  File type: PE32 executable (GUI) Intel (stripped to external PDB), for MS Windows
C:\Program Files\Tesseract-OCR\tesseract.exe
  File type: PE32 executable (console) Intel 80386, for MS Windows

C:\Program Files\Tesseract-OCR\text2image.exe
  File type: PE32 executable (console) Intel 80386, for MS Windows
C:\Program Files\Tesseract-OCR\unicharset_extractor.exe
  File type: PE32 executable (console) Intel 80386, for MS Windows
C:\Program Files\Tesseract-OCR\wordlist2dawg.exe
  File type: PE32 executable (console) Intel 80386, for MS Windows
C:\Program Files\Tesseract-OCR\zlib1.dll
  File type: PE32 executable (DLL) (console) Intel (stripped to external PDB), for MS Windows
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tesseract-OCR\Console.lnk
  Size (bytes): 890; File type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=sat Nov 20 21:29: , mtime=sat Nov 20 21:29: , atime=sat Nov 20 21:29: , length=302592, window=hide

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tesseract-OCR\FAQ.lnk
  Size (bytes): 320; File type: MS Windows shortcut, Item id list present, Has Working directory, ctime=mon Jan 1 00:06: , mtime=mon Jan 1 00:06: , atime=mon Jan 1 00:06: , length=0, window=hide
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tesseract-OCR\Homepage.lnk
  Size (bytes): 302; File type: MS Windows shortcut, Item id list present, Has Working directory, ctime=mon Jan 1 00:06: , mtime=mon Jan 1 00:06: , atime=mon Jan 1 00:06: , length=0, window=hide
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tesseract-OCR\ReadMe.lnk
  Size (bytes): 326; File type: MS Windows shortcut, Item id list present, Has Working directory, ctime=mon Jan 1 00:06: , mtime=mon Jan 1 00:06: , atime=mon Jan 1 00:06: , length=0, window=hide
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tesseract-OCR\Uninstall.lnk
  Size (bytes): 1971; File type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=mon Feb 12 15:45: , mtime=mon Feb 12 15:45: , atime=mon Feb 12 15:45: , length=127122, window=hide
C:\Users\HERBBL~1\AppData\Local\Temp\nse9F9B.tmp
  File type: data

C:\Users\HERBBL~1\AppData\Local\Temp\nsi9FBA.tmp\LangDLL.dll
  Size (bytes): 7168; File type: PE32 executable (DLL) (GUI) Intel (stripped to external PDB), for MS Windows
C:\Users\HERBBL~1\AppData\Local\Temp\nsi9FBA.tmp\StartMenu.dll
  Size (bytes): 9728; File type: PE32 executable (DLL) (GUI) Intel (stripped to external PDB), for MS Windows
C:\Users\HERBBL~1\AppData\Local\Temp\nsi9FBA.tmp\System.dll
  File type: PE32 executable (DLL) (GUI) Intel (stripped to external PDB), for MS Windows
C:\Users\HERBBL~1\AppData\Local\Temp\nsi9FBA.tmp\UserInfo.dll
  Size (bytes): 6144; File type: PE32 executable (DLL) (GUI) Intel (stripped to external PDB), for MS Windows
C:\Users\HERBBL~1\AppData\Local\Temp\nsi9FBA.tmp\modern-header.bmp
  Size (bytes): 9744; File type: PC bitmap, Windows 3.x format, 150 x 57 x 8
C:\Users\HERBBL~1\AppData\Local\Temp\nsi9FBA.tmp\modern-wizard.bmp
  File type: PC bitmap, Windows 3.x format, 164 x 314 x 4

C:\Users\HERBBL~1\AppData\Local\Temp\nsi9FBA.tmp\nsDialogs.dll
  File type: PE32 executable (DLL) (GUI) Intel (stripped to external PDB), for MS Windows

Contacted Domains/Contacted IPs

Contacted Domains
No contacted domains info

Contacted IPs
No contacted IP infos

Static File Info

General
File type: PE32 executable (GUI) Intel (stripped to external PDB), for MS Windows
TrID:
  Win32 Executable (generic) a ( /4) 99.94%
  Generic Win/DOS Executable (2004/3) 0.02%
  DOS Executable Generic (2002/1) 0.02%
  Java Script embedded in Visual Basic Script (1500/0) 0.01%
  Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: tesseract-ocr-setup exe
File Content Preview: ...!..L.!Th is program

File Icon

Static PE Info

General
Entrypoint: 0x
Entrypoint Section: text
Digitally signed:
Imagebase: 0x
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x5707BA21 [Fri Apr 8 14:03: UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 187b3ae62ff818788b8c779ef7bc3d1c

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, ACh
mov dword ptr [esp], h
call dword ptr [0042D434h]
push ecx
call dword ptr [0042D3FCh]
cmp ax, 0006h
je 00007FBCA0F98E9Dh
mov dword ptr [esp], h
call 00007FBCA0F9CD77h
test eax, eax
push edx
je 00007FBCA0F98E8Ch
mov dword ptr [esp], 00000C00h
call eax
push edi
mov ebx, 0040B360h
cmp byte ptr [ebx], h
je 00007FBCA0F98E9Bh
mov dword ptr [esp], ebx
call 00007FBCA0F9CCCBh
push ecx
mov dword ptr [esp], ebx
call dword ptr [0042D464h]
lea ebx, dword ptr [ebx+eax+01h]
push esi
jmp 00007FBCA0F98E64h
mov dword ptr [esp], Dh
call 00007FBCA0F9CD39h
push ebx
mov dword ptr [esp], Bh
call 00007FBCA0F9CD2Ch
push esi
mov dword ptr [0042BCA0h], eax
call dword ptr [0042D354h]
mov dword ptr [esp], h
call dword ptr [0042D474h]
mov dword ptr [0042BC18h], eax
push edi

lea eax, dword ptr [ebp h]
mov dword ptr [esp+10h], h
mov dword ptr [esp+0ch], h
mov dword ptr [esp+08h], eax
mov dword ptr [esp+04h], h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2d000 | 0x127c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4b000 | 0x7928 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

.text
  Virtual Address: 0x1000; Virtual Size: 0x8b24; Raw Size: 0x8c00; Xored PE: False; File Type: data
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.data
  Virtual Address: 0xa000; Virtual Size: 0xe0; Raw Size: 0x200; Xored PE: False; File Type: data
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.rdata
  Virtual Address: 0xb000; Virtual Size: 0x6a38; Raw Size: 0x6c00; Xored PE: False; File Type: data
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.bss
  Virtual Address: 0x; Virtual Size: x1ad00; Raw Size: 0x0; Xored PE: False; ZLIB Complexity: 0; File Type: empty; Entropy: 0.0
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.idata
  Virtual Address: 0x2d000; Virtual Size: 0x127c; Raw Size: 0x1400; Xored PE: False; File Type: data
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.ndata
  Virtual Address: 0x2f000; Virtual Size: 0x1c000; Raw Size: 0x400; Xored PE: False; File Type: data; Entropy: 0.0
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.rsrc
  Virtual Address: 0x4b000; Virtual Size: 0x7928; Raw Size: 0x7a00; Xored PE: False; File Type: data
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_BITMAP | 0x4b418 | 0x666 | data | English | United States
RT_ICON | 0x4ba80 | 0x25a8 | data | English | United States
RT_ICON | 0x4e028 | 0x10a8 | data | English | United States
RT_ICON | 0x4f0d0 | 0xea8 | data | English | United States
RT_ICON | 0x4ff78 | 0x8a8 | data | English | United States
RT_ICON | 0x | x668 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x50e88 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x513f0 | 0x468 | data | English | United States
RT_ICON | 0x | x2e8 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x51b40 | 0x128 | data | English | United States
RT_DIALOG | 0x51c68 | 0x144 | data | English | United States
RT_DIALOG | 0x51db0 | 0x164 | data | English | United States
RT_DIALOG | 0x51f18 | 0x246 | data | English | United States
RT_DIALOG | 0x | x104 | data | English | United States
RT_DIALOG | 0x | xa0 | data | English | United States
RT_DIALOG | 0x | xde | data | English | United States
RT_DIALOG | 0x523e8 | 0xee | data | English | United States
RT_GROUP_ICON | 0x524d8 | 0x84 | MS Windows icon resource - 8 icons, 16x16, 16-colors | English | United States
RT_MANIFEST | 0x | x3c3 | XML document text | English | United States

Imports

ADVAPI32.dll: RegCloseKey, RegCreateKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, SetFileSecurityA
COMCTL32.DLL: ImageList_AddMasked, ImageList_Create, ImageList_Destroy, InitCommonControls
GDI32.dll: CreateBrushIndirect, CreateFontIndirectA, DeleteObject, GetDeviceCaps, SelectObject, SetBkColor, SetBkMode, SetTextColor
KERNEL32.dll: CloseHandle, CompareFileTime, CopyFileA, CreateDirectoryA, CreateFileA, CreateProcessA, CreateThread, DeleteFileA, ExitProcess, ExpandEnvironmentStringsA, FindClose, FindFirstFileA, FindNextFileA, FreeLibrary, GetCommandLineA, GetCurrentProcess, GetDiskFreeSpaceA, GetExitCodeProcess, GetFileAttributesA, GetFileSize, GetFullPathNameA, GetLastError, GetModuleFileNameA, GetModuleHandleA, GetPrivateProfileStringA, GetProcAddress, GetShortPathNameA, GetSystemDirectoryA, GetTempFileNameA, GetTempPathA, GetTickCount, GetVersion, GetWindowsDirectoryA, GlobalAlloc, GlobalFree, GlobalLock, GlobalUnlock, LoadLibraryExA, MoveFileA, MulDiv, MultiByteToWideChar, ReadFile, RemoveDirectoryA, SearchPathA, SetCurrentDirectoryA, SetErrorMode, SetFileAttributesA, SetFilePointer, SetFileTime, Sleep, WaitForSingleObject, WriteFile, WritePrivateProfileStringA, lstrcata, lstrcmpa, lstrcmpia, lstrcpyna, lstrlena
ole32.dll: CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
SHELL32.dll: SHBrowseForFolderA, SHFileOperationA, SHGetFileInfoA, SHGetPathFromIDListA, SHGetSpecialFolderLocation, ShellExecuteA
USER32.dll: AppendMenuA, BeginPaint, CallWindowProcA, CharNextA, CharPrevA, CheckDlgButton, CloseClipboard, CreateDialogParamA, CreatePopupMenu, CreateWindowExA, DefWindowProcA, DestroyWindow, DialogBoxParamA, DispatchMessageA, DrawTextA, EmptyClipboard, EnableMenuItem, EnableWindow, EndDialog, EndPaint, ExitWindowsEx, FillRect, FindWindowExA, GetClassInfoA, GetClientRect, GetDC, GetDlgItem, GetDlgItemTextA, GetMessagePos, GetSysColor, GetSystemMenu, GetSystemMetrics, GetWindowLongA, GetWindowRect, InvalidateRect, IsWindow, IsWindowEnabled, IsWindowVisible, LoadBitmapA, LoadCursorA, LoadImageA, MessageBoxIndirectA, OpenClipboard, PeekMessageA, PostQuitMessage, RegisterClassA, ScreenToClient, SendMessageA, SendMessageTimeoutA, SetClassLongA, SetClipboardData, SetCursor, SetDlgItemTextA, SetForegroundWindow, SetTimer, SetWindowLongA, SetWindowPos, SetWindowTextA, ShowWindow, SystemParametersInfoA, TrackPopupMenu, wsprintfa

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior
No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: tesseract-ocr-setup exe PID: 3272 Parent PID: 2956

ID: Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 18:29:43 Date: 25/05/2018 Version:

ID: Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 18:29:43 Date: 25/05/2018 Version: ID: 1259 Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 1:29:43 Date: 25/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Sample Name: maintools.js Cookbook: default.jbs Time: 15:43:35 Date: 17/02/2018 Version:

ID: Sample Name: maintools.js Cookbook: default.jbs Time: 15:43:35 Date: 17/02/2018 Version: ID: 48 Sample Name: maintools.js Cookbook: default.jbs Time: 1:43:3 Date: 1/02/2018 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: quzpecasrh Cookbook: default.jbs Time: 16:55:54 Date: 07/10/2017 Version:

ID: Sample Name: quzpecasrh Cookbook: default.jbs Time: 16:55:54 Date: 07/10/2017 Version: ID: 3393 Sample Name: quzpecasrh Cookbook: default.jbs Time: 1:55:54 Date: 0//201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: 10:19:47 Date: 19/02/2018 Version:

ID: Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: 10:19:47 Date: 19/02/2018 Version: ID: 47020 Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: :19:47 Date: 19/02/201 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Sample Name: image002 Cookbook: default.jbs Time: 18:19:28 Date: 18/05/2018 Version:

ID: Sample Name: image002 Cookbook: default.jbs Time: 18:19:28 Date: 18/05/2018 Version: ID: 0309 Sample Name: image002 Cookbook: default.jbs Time: 1:19:2 Date: 1/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: test.txt Cookbook: default.jbs Time: 13:18:36 Date: 31/03/2018 Version:

ID: Sample Name: test.txt Cookbook: default.jbs Time: 13:18:36 Date: 31/03/2018 Version: ID: 5250 Sample Name: test.txt Cookbook: default.jbs Time: 13:18:3 Date: 31/03/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version:

ID: Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version: ID: 80115 Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report js.jar Overview General Information

More information

ID: Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:54 Date: 07/06/2018 Version:

ID: Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:54 Date: 07/06/2018 Version: ID: 001 Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:4 Date: 0/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version:

ID: Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:09:32 Date: 02/06/2018 Version:

ID: Sample Name: Serial.txt Cookbook: default.jbs Time: 02:59:20 Date: 07/05/2018 Version:

ID: Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:54:49 Date: 26/01/2018 Version:

ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version:

ID: Sample Name: text_0.txt Cookbook: default.jbs Time: 16:20:15 Date: 12/01/2018 Version:

ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version:

ID: Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31:13 Date: 16/03/2018 Version:

ID: Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version:

ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version:

ID: Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/2018 Version:

ID: Sample Name: paint.net install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 19:53:36 Date: 07/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 12:58:02 Date: 02/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version:

ID: Sample Name: test Cookbook: default.jbs Time: 09:46:13 Date: 21/05/2018 Version:

ID: Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:46 Date: 20/09/2018 Version: 23.0.

ID: Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version:

ID: Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version:

ID: Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/2018 Version:

ID: Sample Name: E DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version:

ID: Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version:

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:46:38 Date: 29/03/2018 Version:

ID: Sample Name: fly.jse Cookbook: default.jbs Time: 18:17:26 Date: 11/11/2017 Version:

ID: Sample Name: Unconfirmed crdownload Cookbook: default.jbs Time: 22:58:07 Date: 08/11/2017 Version:

ID: Cookbook: urldownload.jbs Time: 16:41:45 Date: 23/06/2018 Version:

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version:

ID: Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:47 Date: 22/11/2017 Version:

ID: Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: 13/04/2018 Version: 22.0.

ID: Sample Name: 21PO jpg...js Cookbook: default.jbs Time: 14:32:06 Date: 21/11/2017 Version:

ID: Sample Name: 11#Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/2018 Version: 20.0.

ID: Sample Name: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751.evaljs.js Cookbook: default.jbs Time: 16:44:00 Date:

ID: Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: 12/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:48:15 Date: 29/03/2018 Version:

ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version:

ID: Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 09:43:59 Date: 21/10/2017 Version:

ID: Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:36:29 Date: 04/05/2018 Version: 22.0.

ID: Cookbook: urldownload.jbs Time: 16:10:39 Date: 07/12/2017 Version:

ID: Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/2018 Version:

ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version:

ID: Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version:

ID: Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17:15:48 Date: 19/06/2018 Version: 22.0.

ID: Cookbook: urldownload.jbs Time: 22:46:20 Date: 19/02/2018 Version:

ID: Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/06/2018 Version:

ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal

ID: Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/2018 Version:

ID: Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook.

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date:

ID: Cookbook: browseurl.jbs Time: 13:46:19 Date: 09/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version:

ID: Sample Name: PO xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03:13:36 Date: 08/01/2018 Version:

ID: Sample Name: binarydata Cookbook: default.jbs Time: 22:09:57 Date: 22/11/2017 Version:

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version:

ID: Cookbook: urldownload.jbs Time: 19:58:34 Date: 02/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 18:05:31 Date: 26/12/2017 Version:

ID: Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version:

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date:

ID: Cookbook: urldownload.jbs Time: 20:47:24 Date: 09/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/08/2018 Version:

ID: Sample Name: modulecheck.js Cookbook: default.jbs Time: 17:46:31 Date: 01/02/2018 Version:

ID: Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 08:25:02 Date: 29/10/2018 Version: Fire Opal

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version:

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date:

ID: Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version:

ID: Cookbook: urldownload.jbs Time: 10:02:12 Date: 14/06/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version:

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version:

ID: Cookbook: urldownload.jbs Time: 18:48:38 Date: 19/06/2018 Version:

ID: Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17:14:48 Date: 21/06/2018 Version: 22.0.

ID: Sample Name: INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0.

ID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version:

ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version:

ID: Sample Name: meterpreter64bit.exe Cookbook: default.jbs Time: 16:01:45 Date: 24/11/2017 Version:

ID: Sample Name: process.0xfffffa8004b x dmp Cookbook: default.jbs Time: 22:45:59 Date: 02/12/2017 Version: 20.0.

ID: Sample Name: wtf.bat Cookbook: default.jbs Time: 18:32:35 Date: 19/05/2018 Version:

ID: Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version:

ID: Sample Name: emotet.exe Cookbook: defaultwindowsofficecookbook.jbs Time: 07:07:14 Date: 07/11/2017 Version:

ID: Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version:

ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:02:12 Date: 23/11/2018 Version: Fire Opal

ID: Sample Name: FORMP16T.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 09:39:29 Date: 28/05/2018 Version:
