ID: Sample Name: paint.net install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version:


Table of Contents

Analysis Report
Overview: General Information; Detection; Confidence; Classification; Analysis Advice
Signature Overview: Key, Mouse, Clipboard, Microphone and Screen Capturing; E-Banking Fraud; Networking; Boot Survival; Persistence and Installation Behavior; Data Obfuscation; Spreading; System Summary; HIPS / PFW / Operating System Protection Evasion; Anti Debugging; Malware Analysis System Evasion; Hooking and other Techniques for Hiding and Protection; Lowering of HIPS / PFW / Operating System Security Settings; Language, Device and Operating System Detection
Behavior Graph
Simulations: Behavior and APIs
Antivirus Detection: Initial Sample; Dropped Files; Domains
Yara Overview: Initial Sample; PCAP (Network Traffic); Dropped Files; Memory Dumps; Unpacked PEs
Joe Sandbox View / Context: IPs; Domains; ASN; Dropped Files
Screenshot
Startup
Created / dropped Files
Contacted Domains/Contacted IPs: Contacted Domains; Contacted IPs
Static File Info: General; File Icon; Static PE Info (General; Authenticode Signature; Entrypoint Preview; Data Directories; Sections; Resources; Imports; Version Infos; Possible Origin)
Network Behavior: Network Port Distribution; TCP Packets; UDP Packets; DNS Queries; DNS Answers; HTTPS Packets
Code Manipulations
Statistics: Behavior
System Behavior:
- Analysis Process: paint.net install.exe PID: 3132 Parent PID: 2864 (General; File Activities: File Created, File Deleted, File Written)
- Analysis Process: SetupShim.exe PID: 3232 Parent PID: 3132 (General; File Activities: File Created, File Written)
- Analysis Process: SetupFrontEnd.exe PID: 3252 Parent PID: 3232 (General; File Activities: File Created; Registry Activities)
Disassembly: Code Analysis

Copyright Joe Security LLC 2017

Analysis Report

Overview

General Information

Joe Sandbox Version:
Analysis ID:
Start time: 00:46:01
Joe Sandbox Product: CloudBasic
Start date:
Overall analysis duration: 0h 5m 58s
Hypervisor based Inspection enabled:
Report type: light
Sample file name: paint.net install.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java )
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Detection: CLEAN
Classification: clean6.evad.winexe@5/171@1/1
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 75.3% (good quality ratio 72.7%); Quality average: 85%; Quality standard deviation: 25.2%

Cookbook Comments / Warnings:
- Found application associated with file extension: .exe
- Exclude process from analysis (whitelisted): svchost.exe, VSSVC.exe, WmiApSrv.exe, dllhost.exe
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- Report size getting too big, too many NtCreateFile calls found.
- Report size getting too big, too many NtDeviceIoControlFile calls found.
- Report size getting too big, too many NtEnumerateValueKey calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryAttributesFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: SetupFrontEnd.exe

Detection

Strategy Score Range Reporting Detection
Threshold Report FP / FN

Confidence

Strategy Score Range Further Analysis Required? Confidence
Threshold true

Classification

[Classification chart. Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: clean, suspicious, malicious.]

Analysis Advice

- Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
- Sample may be VM or Sandbox-aware, try analysis on a native machine
- Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Signature Overview

Key, Mouse, Clipboard, Microphone and Screen Capturing:
- Contains functionality for read data from the clipboard

E-Banking Fraud:
- Drops certificate files (DER)

Networking:
- Found strings which match to known social media urls
- Performs DNS lookups
- Urls found in memory or binary data
- Uses HTTPS

Boot Survival:
- Creates or modifies windows services
- Modifies existing windows services

Persistence and Installation Behavior:
- Creates install or setup log file
- Creates license or readme file
- Drops PE files

Data Obfuscation:
- Contains functionality to dynamically determine API calls
- Uses code obfuscation techniques (call, push, ret)

Spreading:
- Contains functionality to enumerate / list files inside a directory

System Summary:
- Found GUI installer (many successful clicks)
- Found graphical window changes (likely an installer)
- Creates a directory in C:\Program Files
- Submission file is bigger than most known malware samples
- Binary contains paths to debug symbols
- Classification label
- Contains functionality to check free disk space
- Contains functionality to instantiate COM classes
- Contains functionality to modify services (start/stop/modify)
- Creates files inside the program directory
- Creates files inside the user directory
- Creates temporary files
- PE file has an executable .text section and no other executable section
- Parts of this applications are using the .net runtime (Probably coded in C#)
- Reads ini files
- Reads software policies
- Sample is known by Antivirus (Virustotal or Metascan)
- Spawns processes
- Uses an in-process (OLE) Automation server
- Contains functionality to shutdown / reboot the system
- Found potential string decryption / allocating functions
- PE file contains strange resources
- Reads the hosts file
- Sample file is different than original file name gathered from version info
- Sample reads its own file content

HIPS / PFW / Operating System Protection Evasion:
- May try to detect the Windows Explorer process (often used for injection)

Anti Debugging:
- Contains functionality to register its own exception handler
- Creates guard pages, often used to prevent reverse engineering and debugging
- Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
- Contains functionality to check if a debugger is running (IsDebuggerPresent)
- Contains functionality to dynamically determine API calls
- Contains functionality to read the PEB
- Contains functionality which may be used to detect a debugger (GetProcessHeap)
- Enables debug privileges

Malware Analysis System Evasion:
- Contains functionality to enumerate / list files inside a directory
- Contains functionality to query system information
- May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
- Program exit points
- Checks the free space of harddrives
- Contains long sleeps (>= 3 min)
- Found dropped PE file which has not been started or loaded
- May sleep (evasive loops) to hinder dynamic analysis

Hooking and other Techniques for Hiding and Protection:
- Disables application error messsages (SetErrorMode)
- Monitors certain registry keys / values for changes (often done to protect autostart functionality)
- Stores large binary data to the registry

Lowering of HIPS / PFW / Operating System Security Settings:
- Adds / modifies Windows certificates

Language, Device and Operating System Detection:
- Contains functionality to query local / system time
- Contains functionality to query windows version
- Queries the cryptographic machine GUID
- Contains functionality to query CPU information (cpuid)
- Queries the volume information (name, serial number etc) of a device

Behavior Graph

ID:
Sample: paint.net in...
Startdate: 01/12/2017
Architecture: WINDOWS
Score: 6

[Behavior graph. paint.net in... started SetupShim.exe, which started SetupFrontEnd.exe. Dropped files shown: System.dll (PE32), System.dll (PE32), api-ms-win-core-console... (PE32+). Dropped files exeeded maximum capacity for this level. 99 dropped files have been hidden. Network node: port 443, LNH-INC-HostMySiteUS, United States.]

Simulations

Behavior and APIs
No simulations

Antivirus Detection

Initial Sample

Source  Detection  Cloud
paint.net install.exe  0%  virustotal

Dropped Files

Source  Detection  Cloud
l\temp\pdnsetup\ndp462-kb web.exe  0%  virustotal
l\temp\pdnsetup\ndp462-kb web.exe  0%  metadefender
l\temp\pdnsetup\paintdotnet.base.dll  0%  virustotal
l\temp\pdnsetup\paintdotnet.core.dll  0%  virustotal
l\temp\pdnsetup\paintdotnet.resources.dll  0%  metadefender
l\temp\pdnsetup\paintdotnet.systemlayer.dll  0%  metadefender
l\temp\pdnsetup\paintdotnet.exe  0%  metadefender
l\temp\pdnsetup\setupfrontend.exe  0%  metadefender

Domains

Source  Detection  Cloud
  0%  virustotal

Yara Overview

Initial Sample: No yara matches
PCAP (Network Traffic): No yara matches
Dropped Files: No yara matches
Memory Dumps: No yara matches
Unpacked PEs: No yara matches

Joe Sandbox View / Context

IPs: No context
Domains: No context
ASN:
- Match: LNH-INC-HostMySiteUS; Associated Sample Name / URL: .exe; SHA 256: ff5f a7a ebfb7cac196505e07c4454ab658 15eb20aeb; Detection: malicious; Context:
Dropped Files: No context

Startup

System is w7
- paint.net install.exe (PID: 3132 cmdline: 'C:\Users\user\Desktop\paint.net install.exe' AF98AB1E8F89AD96F )
  - SetupShim.exe (PID: 3232 cmdline: SetupShim.exe /suppressreboot 6C47A4259F57769A36E884129E866210)
    - SetupFrontEnd.exe (PID: 3252 cmdline: 'SetupFrontEnd.exe' SetupShim.exe /suppressreboot CD3E60ECE21C35AFDABD31FDE2627FF5)
cleanup

Created / dropped Files

12 C:\Program Files\paint.net\Staging\PaintDotNet_x86_ msi Intel;1033 F86CBC1C5E231E6986A09AA16A C04265F02D25AB4E43E803CF75F9AAFD3FD457 4CB55FB0635E39C0F1BD7C286D5DDBCF8B016DB6E8CDD9EF279EFCA9713AA545 D00F9ABD82CA8E73C264A9B2ED15A8D8D90CC3BB9D09D397F505AA47BFC1B4243B0194EFB7356E1A9184FB2B7DF5F8E B3914EC67B42D843D1EB5BCA48E39408B low l\temp\pdnsetup\ndp462-kb web.exe Antivirus: PE32 executable (GUI) Intel 80386, for MS Windows B5A67867CDCE86E09E2625A6FA4D5FEA C42E6ED BBD59F F4CFE4548 5E21C C51D8B0367A773D475AF2392B3DDCD90676C61697C6B5FD2E6A 31D7081BFFEEB5F E51A E5D971DE7EDB80A51188BCCDA9B9F17F0C3593D30828FC140B7A023F5B6842 BC922F2023C7B8EA3786C2DBEC40472 low Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse l\temp\pdnsetup\paintdotnet.base.dll Antivirus: PE32 executable (DLL) (console) Intel Mono/.Net assembly, for MS Windows 6F7F2E5032C4CE7762DF21CC12ED6F11 A51009E1ABCF3478E6E583B E29B B88BD9AE F83FBC4B AE620C804DDDAF6C6A7BD0FE44C E931AF12CC1D33604C497A57E856FE85EA1C7BD6747F5672A776E4631D530275F9D4E822A34B2C1E37842B43A8 28B885DC02F24D96C1F59FF low Antivirus: virustotal, Detection: 0%, Browse l\temp\pdnsetup\paintdotnet.base.pdb MSVC program database ver \002 5F2D2F5FBAE2609DF9839A16E77E75F2 BF46D2EB39C3CAC6C557BC3ACF5D210A85AB21D7 BFAB85ADA6AAED095A00EA83AA1E49C5C3F2C04F408727DB4B25F4609C034B44 B8BA7ACA771E004F05F9000DAA022D63A74CAF2D2FB51D88265F4FAEC2AD0AD C27B1A1B21A16A251A56EB0CF C30D65D4323A8B60B1505D84CEDBF1406 low l\temp\pdnsetup\paintdotnet.core.dll Antivirus: PE32 executable (DLL) (console) Intel Mono/.Net assembly, for MS Windows 33D87C314B2E1E9C D0DF79FA EDF8CE4B D328DE16CF4A9B C9D18C0E7DA215A309C60E1154B1BFBED2DC9AB769F55FE4F44CD27DD53279EC 8E4B BBEF3873C95C465757B4501C1E70B4A300B5F3B0FF838402C9F54F CCED86E26261E E86 ADBD005C969F77AF59DDCB5DF0167 low Antivirus: virustotal, Detection: 0%, Browse l\temp\pdnsetup\paintdotnet.core.pdb MSVC program database ver \002 9EE3B419771CAA09CDC68D87878EED87 
933A82A31C1996A44E2B7A205C3C94AF6388E04F 27D042EE346E1374D C3246D10C7AC1AE53DB2B8B16C6DEB8782E6AB7 505E272686CA9CE08E9FD0D057BE77BA7E3265E48FA3AAC29B134285A34A2AE3A4B1C3302E225EFD95BB3B5E2FF33FB 9EFCB00C68D9FD BA5BEEB6BF0 low l\temp\pdnsetup\paintdotnet.data.dll PE32 executable (DLL) (console) Intel Mono/.Net assembly, for MS Windows 82CA46CE9C CD7A60F C7AA710996D74A99EA22AFCE9F0928FB182B3 Copyright Joe Security LLC 2017 Page 12 of 143

13 l\temp\pdnsetup\paintdotnet.data.dll 7C0C0DFA67702D555169FED9C018887C0CF289904A0AB8D7EAF7E97791ACA8F5 19CA59399CFC4BF4E D052043FF6D9220A97732ED9080E4D3DCA1CEEC7AD6D9A896D E6BD189E3D0B5 CFF87F1D0F2C7DC23E C499F0 low l\temp\pdnsetup\paintdotnet.data.pdb MSVC program database ver \002 ACB2A47C315CBFD4C7762EAB7CBA5029 6FF58123A2CEDE7E72E7F10337D4D65A3560E2F7 088C76E0B9C78CA9D30AF1D C849B34EEB0D56CF6DF50D99C6B2029CB C1668A02F0BE1A A84B5519B558A79419E8BA5DFD86E85EF4E7BD53BA391FC229C3083B3D6A1C371184D79DFD2F D799E DB0446DA1B7113D68 low l\temp\pdnsetup\paintdotnet.framework.dll PE32 executable (DLL) (console) Intel Mono/.Net assembly, for MS Windows 372F34E025BB2EF85BF5F5BF84D2A680 ED8E50C8973CCA EB85F2D E7 AC41D852A285C7D062A48D9FFFC40FFC8811A7D783C02F87D29CB748F05615D3 9CF2F843F3C8CDB491773A8DB4F650EE29B3245B742EAF1E524A3FCF8B061AA DB5FEC44E22135BA7EF16A CFEC30FFC1A7B762CF073C9FA6B542 low l\temp\pdnsetup\paintdotnet.framework.pdb MSVC program database ver \002 63CC914B4E5FC493D41FBCECD9FDF188 F517AAC2261A653C52DDC021ADBA15382A98BE96 E5FBDE49C96A6BF BA0E D32E0ECE52409DF741B37AB331 0CC0DA C5D9ABA0BFA926EC6869F5378D7092C8BD FD5C093694E910C23496E11E1FA60A43C44904F515 DA72E6A8469DAAC06C67AD E low l\temp\pdnsetup\paintdotnet.resources.dll Antivirus: PE32 executable (DLL) (console) Intel Mono/.Net assembly, for MS Windows F5CE4207DE ED6C BD D716F141FCC8555AC B5DA1F6197E5B D4D3C70265C71C2CBD1BA627595FB75CD9C899A E9886A1A9C6B734CD658CCEDA E3E0060D27B B76DD107B A36B70BCC40B0AB6A0CB4A5510 5B F6A2782F1F53CB34BF68A0 low Antivirus: metadefender, Detection: 0%, Browse l\temp\pdnsetup\paintdotnet.resources.pdb MSVC program database ver \002 53EF46062ACBACC429F28D0771FAC832 CEE3A35F CC5098DC4090AFFD0961B3C6 76BBF23E0A7B6B5D4933A849D035937B01AA4A5F3A34CC9A7B4BD71B231A603A 37B6A410B31EE9C2F04B7174FB5FA BB72FD730BEB37DF603A15CE0F102F9581F718FCCB A4BBE9BD2 BB79B6F3E2FEE1050DEF F567 low l\temp\pdnsetup\paintdotnet.strings.3.de.resources data 15E736CE440991B E005A01C4 
75F1001C21B7EB785B855644A23C8EEF E39CEF6C88C10DCB80E623C08C794153FBF49B7812B862A73630C D8CEE3AAD012BCEA8CCCE33B0C7EE2BFD8B107E64FA4DA7349D263D8FFF91754C332208EA14B4B3CA5DF58AD9D2 F11EA2CDE6E01F07C646E1A20AAC418D6B low Copyright Joe Security LLC 2017 Page 13 of 143

14 l\temp\pdnsetup\paintdotnet.strings.3.es.resources data EB9747E0F36BA7C9EED33FF0BD0EDBC6 8E86FECCA8C01CE6F003D4EF879C264E385A1F B5E B87721B EA97D82B D1ACF1D AC7E5E28873C10E2C13C39F51683EFC44FDFEF13B62F1E990A9BD9E C9A96D D98C08EAA D B4BF45ED8370A69D4560B772B6F10CF low l\temp\pdnsetup\paintdotnet.strings.3.fr.resources data 8578E1607F3275B701A C4799B 84D DF73EFF6A8DA8ACE019705E7069CC7 2ED666B45DD54AF38037D01703C12526EE81CBAB06F71B9E6A713ABA06A96D E54D68FBBAFB1620BC8AF328A2D8096F16DC97DD159C53BEC2D53A3EAFDA24923AE4D1DD71728DD2DD787E7 C8AEA05F0A016CBB E185CC5A73 low l\temp\pdnsetup\paintdotnet.strings.3.ja.resources data 9FDC640DAB85D13E66B6C52FB1164F91 2D0C4E19B945F2812AFCFA6B491BFBACF7B8A26D 3CF771B11E4FBDA8889C17DCE3D431944AC8BD55FAA C81FF503DD F9532E CAA772CB265BC5F0951A91B28F0B660B1DAA9BF4C1F8F033EB71DAA846E30B9473BA36EDE9706 BD9CAED7CBA477625E016AE77D887D8 low l\temp\pdnsetup\paintdotnet.strings.3.ko.resources data EA1B0959D0CF672F62A237BFC F5343E2F73D283E59F3B602552EE232D1D6EBC30 2F342E DDDAA692663A3905EF2D167424DD1EE9760D978BF2F7687 B40280DFBED6D63F0AEAB2C2032BA07847B0FDE75380EB55BE2B4C DD9EBFD AE33618AE5BF49082F3 FB4B3DA862CF911C32578F76C9D7289C low l\temp\pdnsetup\paintdotnet.strings.3.pt-br.resources data 268A7636CF751A4B294512F6E2390F0F E679DABC030C6A80A1A BBB33B12F9D002 8FCDD5453B85F019072C2114D7A73BC8DC EA3DEFF8CB0F6926C97 CF2A64111D78CDBF52C726DA A7E49FB627B7F280A2A60E69DD5E3C5536DEB247EEB91BC54A6E5B3487AB7307C FCC61B499E1BEC8D658F3FBEFAC09B94 low l\temp\pdnsetup\paintdotnet.strings.3.ru.resources data CBAF7FF88792AC1E E192DF6FF D252147CC1C586593A4A2A149ACA3FE04837D D8FAA39081B6C2E FD30A78DD33F18E B9E064C79372DC0B5640A55A6A97E40C19F13231F6C170C250844B6B29CC7B50537C73BB0B06D749FCF9268BADA A23DC5ADDE014AEB4F8657AE low l\temp\pdnsetup\paintdotnet.strings.3.zh-cn.resources data 80DC1020D5BEC10075B33669FF4DA1FD 9261D5C997195FE45A4E8D FB653CAD95 280EF10FAA0170A C355306B4837E50C8247F13D0242CDB0CE1D68151 A353BD418C2F734C629BB CFF 
AE8420A1FE2FDD83A3FA2D3C86ABDCF323E38458A21358D13A7003EE4 F910F01FCC9857D27AF57A1EE48C4D2 Copyright Joe Security LLC 2017 Page 14 of 143

15 l\temp\pdnsetup\paintdotnet.strings.3.zh-cn.resources low l\temp\pdnsetup\paintdotnet.strings.3.cs.resources data CFBBFC155828A0E8895DFD0 69C7F2D0566CD2C649C1747F9E4FBEB2379F EAA107C02B27007DBC683973F4DC88DEB59921A3DBB9C702ADE817CEB96 B B F73732C3AB4B685390C019F387E6B1E9E4EF209FFD61994E1A3C7857EC900CEF226E8DA1C7BF 0D2761E2787D1D757CA77FFDC017F5 low l\temp\pdnsetup\paintdotnet.strings.3.da.resources data E1C CA469726D34790F9D6A83D AFD21907FE3B1F7293E7866B5F6B28125DB9188D D22AE6B402123ACAEA3A6C45FDDE A36324D9CA11A6EC508551F9C 47769FB064FAD4E9DB1F3297BE9DBE354D0D F2A5C67F04ACC5D8CF40C927FE9FB56AF55ED B57CB54 44F1327BE84A76CAD298F5333C16269F low l\temp\pdnsetup\paintdotnet.strings.3.fa.resources data C0BE56BFB C 6DE442908B495E12E5685E7BD8CF91B068948FE9 F0618A7AEDF9A00D217329E84175F4FFBBF5B0C48381E0D0631A2E79FC0AF817 3E6B9426A1646C9689D3E9BDDC1881F00A57E899EB856FCFB982FC1E1537D2B20400B11C578C83D B6FCBE52 27F5912FF81F6F5D9F B8CAB low l\temp\pdnsetup\paintdotnet.strings.3.fi.resources data D64AF9933AA69799C710B510BD854BEE EE4C46EFBCF46EEF1F23D2E8D4B7BF69E C811FD38B71C36D4BCD727E63D C6C68CEB504701E95A49816E8E0 84B2F0CD582E8AC2BC1B7CFC278A5B34C949E3720E FE A01E24315F3F59CFDD4F18267D19977A248B75 96B7A0BDB2086B9ED2A9556BBCF0CB low l\temp\pdnsetup\paintdotnet.strings.3.hi.resources data 26BA6BBD CA68B304445F 2E A0807D06CC8152B907C0BFD5388EF4 C6C311F368B6E1B9025E1920F1B9A AD74A73E30B5FDF5D18BE73FABD 2829EB083BAD1FD8245F2AF3492F951C3A2C C09AE41EDA4D FE5D9E56989EED3A1096C32907DF1147AA BE151A8C7D49BEECBC23CCC43E9D6BC low l\temp\pdnsetup\paintdotnet.strings.3.hu.resources data BA33CEBB77EC9C29670CA0D06E94109E E1AB466C539C9D A5C1AD26BA59E5C690 F F963F8FACE62D96DAD8A264BC1959C6BA51162C6E75A74FF54FDE11 756E E CDD7C5FE95511A35C9E5E0557C AFB4C2ADA270EB8F1CD7E2D78D2EE117B64D265BD6 3AC02F61CDCD8D2F6BAB137B635E05C low l\temp\pdnsetup\paintdotnet.strings.3.it.resources data 7D5DCDBE0DFC243C780312EFB60A838A 9217A7E3C01C9FF4BD62CFD6D0B2EE875037DB6A 5ADC9867F7824E55370EA1D FA07D52AD22E7AB2A 
FFD Copyright Joe Security LLC 2017 Page 15 of 143

16 l\temp\pdnsetup\paintdotnet.strings.3.it.resources 1C244E4BF0F5E4950BF446F9EE415FC8DA5FAF6D5746D7FE544FAF2FB85F5126A5ECA48B6F421D74CAB1116E213C3DB9 9B62E6CBEF27CE3D5DDCE6A018093D95 low l\temp\pdnsetup\paintdotnet.strings.3.lt.resources data 1D78D8D2FAAE3195F9A2824CCA83F38F 1D08F065B3A54B06CF3AAA1B08B1F3DA F B1241B262FA9C6E85BAC375F6885FF AF25362A63CC E1F3E D0F0680DFFC87D3CDF1640E80575B70D4DFD8452B53977E39BD C65FF2E112A B087F915FDC0FE 94F5434EDDDD0724B3A8FE low l\temp\pdnsetup\paintdotnet.strings.3.nl.resources data 5D09CB31919D35511C36397E745165E A2469F73C6893EA47F8540D07FAB0E159 B9D4B061E7D5D FFAEFFC0B7E258EE5C71D8441FDD4FDB56D01D5D5 3B64B1DC5137E726A0C3DCBF3AAAEA1F204D5C20423BD59E4AD217CAF01E8DC62AC9CAF02C2BB9681B9635E1E5D6923 F470F8C29A ECB95C low l\temp\pdnsetup\paintdotnet.strings.3.pl.resources data 33D5CA8339A41A2ECFDDAA31E9D1F22B 3BABBC0F31796BAAFA1996CBDC146CEC9B B658DC2CD C24F8C712A277AE962092AB2598DF141BA4B19DAA45 C6CFF0CC2957EB8BA2792C8D103C958C66EFEA7FC FF3587C88B91FF829F13E7AD5A4D21AE82BA AE EAAA0CE B328BC F7AA5 low l\temp\pdnsetup\paintdotnet.strings.3.pt-pt.resources data CDD126850FE5D7BD7DD61E233C32DA2F BD13D287C2F C F15158F4816B F8EE5E28DB640646C259C464A893B91A2B0EE1950A9368A613F56BA9CC31576C C4DB7E79F7BCEFF7DBFB3892B2BA9903A6EB3F BB1AF73CFEB AE0EAD B053243FF FFECF05C22A595C1080B46B4B7185DBE low l\temp\pdnsetup\paintdotnet.strings.3.resources data FF293834ADD1B691A2AE375CFB39AC5E BDA3E8804E742B3E5986ABF5A5EF0A47EE3E2467 B36616DD3F114DF68A D64B85F1D5CDF17BACAA016B8C7B9769E8B C E3CC04D4D86ADAEDFA15140C9C3402DEBACD1106DC7157FF44FCF F5C61CA47AE02C907BA8AC0C5 4F6D026EE22AA893D09959D FDF low l\temp\pdnsetup\paintdotnet.strings.3.sv.resources data 4D5EF126922E3903AB8EFAF28564A750 BB514338CC0D149CDA7D2863A90044A3BFCB80B7 9306D4692DC1B5BBE49E3CD92359F3F0B9F9E40F F878DC301911D17 515E79C B3CB8D6B0688F90E4A82A362BD65A879B230BBC6EC204F7D7E9F259E9C6DBD3D0E4ACD820ACA060D 51C1B03EB8A55C612ECA4C177C24180D low 
l\temp\pdnsetup\paintdotnet.strings.3.zh-tw.resources data Copyright Joe Security LLC 2017 Page 16 of 143

17 l\temp\pdnsetup\paintdotnet.strings.3.zh-tw.resources 2DE97E6A4235B71C083F6F3A3E FFAED4164FC468CA8417A186E BBA8A AA199FC1F672EB20673AB0DA2AF987FB7A20A54C1F268618ED30C4ED82A E194B50561DCC32B395020ADF4DE4C5D F9A6D58369A88577F8C7A1BEF2AC20F5DF944AEC2C044FB6876CFF3 0E4F07B1808DB4E00B7D1ECAB0C8C6E low l\temp\pdnsetup\paintdotnet.systemlayer.dll Antivirus: PE32 executable (DLL) (console) Intel Mono/.Net assembly, for MS Windows A5869E92E530DDCB40B411B7ECFE04D9 AE6A46BFAF6465F37D2521EC4DA61CA5B8BD890E 14C3CF46466F62190F76B7F BDC C12E D85B 0BF50DFD2C0EE2ED76393EEBDD007C7AFBA3C69B2BFB377D438F6B5024F860D0659B15ECA092B1ED9195FBBEE4C2A1 CCEF741011CB73F71911BE40A B low Antivirus: metadefender, Detection: 0%, Browse l\temp\pdnsetup\paintdotnet.systemlayer.pdb MSVC program database ver \002 41DD0FEE81A2DDCA9A D D92A AF56091E EAD FC11F1C6ECE649C89932A8D7EDBEF84AF1BF49113CE58FD8BC9D890CD0F 59C914A0DAA09E298E60949E063C18AE083E5D9D83D77D9030EE E42AFE5CAA630678F7BC07654E5415C AD003EC1005C264E33AC9586BF5E33 low l\temp\pdnsetup\paintdotnet.exe Antivirus: PE32 executable (GUI) Intel Mono/.Net assembly, for MS Windows F40AFE36E7D1D8CB5F814A457E 1ADCBD10018F12D BB2D4D7F04859A4DB4 FACACE6AEAFBB5EC9929C217D0F2A86F691AF95367A852A34F10233A75AA0D88 7CB140E00AD36E81FEBCBD7EF34E4AAB87FF2C758A6D94D73D0E3B31A1F3CB3FF195831A0CEB22D33E95A92C C52D02536C82D3BFF3CB272B09C5F62D low Antivirus: metadefender, Detection: 0%, Browse l\temp\pdnsetup\paintdotnet.msi.readme!.txt ASCII text, with CRLF line terminators EB746C8A83E9451A09AE51864C2990C EA01805D35B59BA6DDD170134B614D457DB 30970E2A599EDABB41F5AE211184D3EB071694D59123D44CD3CB21A38DD AD75CD25A22D3F33258FC9AE8C6B1F7C4D05FA45E4870DB14B26EC88DA57552C9180EDE1F2442D32A53C094D4120E CDCEF78D2AF2A3C33A1FAA9F77B low l\temp\pdnsetup\paintdotnet.pdb MSVC program database ver \002 26AD17B75A419A411AB47EDBB09D7A07 ECE CCBFE B913CC3D03BF F65C161286B53EDB3FD147836E75A0A13E42E5ADC7B4562ADD AE57 F8AE32C7E EF8BDC16843F1B49395AA3E0CB3DE6922A 
F7B4D510ABC1C3E75D9A7C479ED78F51 BBA31083CEFD83CF782291A16839E32 low l\temp\pdnsetup\paintdotnet_x64.msi x64;1033 FAD9BF3D C8134E53BAA5DEE5E 56DEFCB9F7467C8F4A B81231C75186A1 282B916B29700BC377C44344EAE56903DE514CA1234B70BA0EAD A AE30CE1B2B73F1468A5F5C3DBCAE0BD7199AC9BCC46F BD16CEB7C1B51AD2F992D5F337BBC33DFFC0 6579EE99260D60E DFCFE1A5840 Copyright Joe Security LLC 2017 Page 17 of 143

18 l\temp\pdnsetup\paintdotnet_x64.msi low l\temp\pdnsetup\paintdotnet_x86.msi Intel;1033 F86CBC1C5E231E6986A09AA16A C04265F02D25AB4E43E803CF75F9AAFD3FD457 4CB55FB0635E39C0F1BD7C286D5DDBCF8B016DB6E8CDD9EF279EFCA9713AA545 D00F9ABD82CA8E73C264A9B2ED15A8D8D90CC3BB9D09D397F505AA47BFC1B4243B0194EFB7356E1A9184FB2B7DF5F8E B3914EC67B42D843D1EB5BCA48E39408B low l\temp\pdnsetup\resources\de\images.paypaldonate.gif GIF image data, version 89a, 62 x 31 5ACFB2A2F4B79028C5E11F89F8C28EDF C8DF2B5C70ED12ADD4BC5CB01E A3B1B 0092DEC6A0E89BCE E02523B824C39D3E43C0DD5A4E47188E7FA3A19 D66712D06E3D3AB5D D321AE1B6BB2AD049358AD61C3CE1DDE7D834D300EF75D890082E09D895B3FE6A963EB6 ED2DCB6902A9F757D085FDB4B70D30A2 low l\temp\pdnsetup\resources\en-us\icons.curveseffect.png PNG image data, 16 x 16, 8-bit colormap, non-interlaced C379DE E691425A09F B32997B82B09E410C38C3E9D28E602DEE8EAB4CC BB9868DB3D5C018FAF520A023A0DB7F98A82998EA112385A1C561F68814E F8B8EFCD8F4AF4D545622CDEF8CB68E9597EFAB46FB10B73046B1350F4F1E4E F8998F145E1AC3FE A 00AFDDDAF4D3EBBCDE7D68A3A6DD95A low l\temp\pdnsetup\resources\en-us\icons.dentseffecticon.png PNG image data, 16 x 16, 8-bit colormap, non-interlaced 8A4ED31000D8A0A7D531D60B6BC04BC4 E750C7E4FC2C4B208460A8A FCFB 2D460AC2FC4DAAC202F488A4E2E3BC3174ABE49EBE98ADB1DF43B642E1535FCB D E0DBAD2782FADDCC73B59B3A57B37C4BA2B41FC5597DD5AB CCF84E948FA6B1826B87A65E53AB 7072A91F0420E71E2C6D6E4EA782BC2D low l\temp\pdnsetup\resources\en-us\icons.edgedetecteffect.png PNG image data, 16 x 16, 8-bit colormap, non-interlaced 89A61B9881DCD013859DA2EF4A7C955E 9FE7C207C2F583C1E809A5BCF01247F54BFBC0F8 BC7FC653CE7C8D6791CBCFE70D8C579FCD62A8257ED0F9C0D3965CED88B5315B 4C44D315E7695E8AE4C839FD4C070947E7FC2EB64CAE4BC27119F9F6F4DF6D4D654DACD47AE5554A430D5FBA72F8A4E 09A5C5FCBFE400744F41585B3A2841A7D low l\temp\pdnsetup\resources\en-us\icons.inksketcheffecticon.png PNG image data, 16 x 16, 8-bit colormap, non-interlaced 47C0B3182DF7F441B CC4B8E F552877AB8F49735A24A6BA5B9F6F1 
B4CBFA25B3A7E48DF7AA884FD61A95B5C56D7D83DC9DB284AEA95348EC53D5F DA75AFE0FD82F9255BB65777B8EC93A7A3FF779063EC4865C9457EE5F9B59166E8F3B8E5CE18A96E2E96EA6444D9 25DEC6B F4CD D5F5D low l\temp\pdnsetup\resources\en-us\icons.invertcolorseffect.png PNG image data, 16 x 16, 8-bit colormap, non-interlaced 8B B0FD41E6652A7AD4EFA71 F54C83393C3EB3630D6887F93DB31A7BC1DF55BC Copyright Joe Security LLC 2017 Page 18 of 143

19 l\temp\pdnsetup\resources\en-us\icons.invertcolorseffect.png 36BB9E A5BEF20ACE0CA5ECCD9E201D99FD BB6A5F93764FC 95CAAAF7D92F2DDA5985EB7A92201E BEDA E75B9E0CCEFFFC13F9F47B DE2D3938E A838AD54B4ED8D6B09BF4D2F8278 low l\temp\pdnsetup\resources\en-us\icons.linetoolicon.png PNG image data, 16 x 16, 8-bit colormap, non-interlaced B3D2B930000D A04793B AD02BD57E4174C93D8FF43005DF17279EA 5CE54D8801FD69E28B F8DC0CCF4ABFEB9B1D40392A4F7352E4F7FEB45 89EDB76FC0C67E B58FFF39893D3DD5615ED3CFB4220CF5E4FACAA DA835A198BCD3A5FA7C01BB095 C86879AF944AE1717F1FFDF7611D78F5 low l\temp\pdnsetup\resources\en-us\icons.menueditcuticon.png PNG image data, 16 x 16, 8-bit gray+alpha, non-interlaced DE612936C96F7D4A0CC5CD0FB3 7D3DD DA8429E918E8F31A8492CADD659D 9C91BC55ECFB1ABFD32DEE5C5F72FED97C3615BD0F366159F35FB12677F0D15A 7C8341D61085F22A FE7CE81C6C1FAE9EC964E24B16F6564AAC0F22DBB69CA49ABB1F17D E56AC7B4 E0675B0BF9830BB2B31293DAEFBEBAA low l\temp\pdnsetup\resources\en-us\icons.menuwindowtoolsicon.png PNG image data, 16 x 16, 8-bit colormap, non-interlaced 62DD9C0065DEE852C103DAEFE3532C C7B51161F EC8473AE2F7261ED0A9 95BCFD6BAEAE ACD253246CCA329F291F26BF9BF92E326B82524E59F62 FF5E EE00E9AE4ED CDD9B23EA9681D34E78AC1356F6DB30E48130B2A7E1C3F144EEFE08B7F646F D6E275A0DCBF9E34A6C14BDACBAE3015 low l\temp\pdnsetup\resources\en-us\icons.outlineeffecticon.png PNG image data, 16 x 16, 8-bit colormap, non-interlaced DCB70CD0157C0922A75D335FBB 5D9D296B6A9FFF97EA00EED71C73EE F FC8CCF9841A80B65729E1AB4DD2DAD13B BA1FDC0EFB0CECA88A699B5 85C6E7E6C0D56332D43BA8CB6B8EA935B21838E3E5B26D72F48C4E99ACB0A16BDE412D7617C5556FF42EC55F46D F3D81319A09B32F52F9747DAD84332 low l\temp\pdnsetup\resources\en-us\icons.settings.tools.24.png PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced 029F4E68A0D3270C02CC4728EED216DC 39571D6F851E797F5BB9AFB4CDF8215CD4BBD0A ED1364F8DCE3D278BE2EB503CCCCEB523C4E1488AB B893A2CB 918E7213FE47BAE8EA97B01C0A4AECC3A17FFB21756BFF7320CA771A5D34826A8D9A8AB6F4AE694834EDF8239BAF61B 
72A2506EE112FF58EB0CCDCB719A9D37A low l\temp\pdnsetup\resources\en-us\icons.texttoolicon.png PNG image data, 16 x 16, 8-bit colormap, non-interlaced 8EFB101B112DD6A33FA070CF F065AD743156E52847C992B379436A62D94F5020 C1AF7EA0D E83758AE7633E1E166E3DF22C05DD95FA58BDE61D2DA18E 418FA447BA9188D FD8003F8B65D84978A70CC4931B080D9AE83B5D0C16F6BB82A4EDB19369C351D98BDC413 98CD72E0082AA858CF2BD9172F9BC21 low Copyright Joe Security LLC 2017 Page 19 of 143

20 l\temp\pdnsetup\resources\en-us\copying.txt ASCII text, with CRLF line terminators 432F744FDED220F69EE D0CF8 15B18A63D33DACF8A76BD2D8ED0837A3F BD643FCA71EEC2C02D38FA49015A26B02F33BD4D8099AC FF4EE 99F6B2B8B7B22A049B8BAE94F4BDDDB7D95CD3F8EC E29AD CE7F64CDDC572825D9294C39561FA530B4 E9A651F8FC001A7E3938F F4FB low l\temp\pdnsetup\resources\es\icons.enum.fontstyle.bold.png PNG image data, 16 x 16, 4-bit colormap, non-interlaced 0747F6B6A1A70D3B493DF439CF7B B52B2A2CA90D01AC A7C874B91AEA1F 934DAADC09F9AB93136ED1A18C65322F4F44AB35694ED3F6531D91D6B9F704F8 E2F304E41538AAD365B9B8DC1A6F2671E930AA6F05FAB51F2B0CF93A2D5E1D1C7B23CF4CF D6C17FDF3F8BD 1BB5AC71BA45CE6D56A18660FB893AC2 low l\temp\pdnsetup\resources\es\icons.enum.fontstyle.italic.png PNG image data, 16 x 16, 4-bit colormap, non-interlaced 3053FFB80EB553A44870B114E62973AF 8E526E7510D0093B50DC93E1755F55A4B89BF87C CDF032D7A0E195C404D8388BE2DB BF1E20AB81A4938D D C9858AC1C81FBEA40FA3EA8AF9E498AC7BDC FD75C4183C6C02CFA341B B969C7D788D313B D63E86A90F0C0EC06F766151AF4362A l\temp\pdnsetup\resources\es\icons.enum.fontstyle.underline.png PNG image data, 16 x 16, 4-bit colormap, non-interlaced 63DBCCDE403150AA5083B66E017EE90D C A8C326CFCDAB9B70B5AC547AE9F4 B9420A27FF D691E9DA0EA4420B8E924E3AF88529A F49 C33BEC25659B57CC35C353B528DD50B4F24C68E7CC70FDD43F09BA41A73FFB79F1A8DE A52F79B0D B 80E35AB787219A4F950A34B9FA379AA l\temp\pdnsetup\resources\es\images.paypaldonate.gif GIF image data, version 89a, 62 x D5D8DCB27D373AC83A5ECE73BF661 4BD5C89638DE64CF848D12A144585DB7D2F42CB2 4BB8E18574E804826BDD0CA57FE6C77E7F861DD65A6CAD57B2F695C45F0EC62B 5441B4C106C7518E14E4EF24763BCCF4ADF9618D A518FDDD9686D0148B B1C569000F914680AB684D796 BEBFE7412E4B90F8BABB2FCB3A4E1 l\temp\pdnsetup\resources\fr\icons.enum.fontstyle.bold.png PNG image data, 16 x 16, 8-bit colormap, non-interlaced B127ED3E3F7C7F307678D52C4A4E7CE2 E61BA238DC5181B61AD75344A8FD48D5AB850E6C 0E1CB30C869424BD9A3BB452F176C F30364FDBA0F0F457ED5C3F9 9FDFAB8CB797F991531E0C366C3C 
B2118D52632B8EBE1F2EEB5DE6699AC822C75B4EC9DD3F4D0FDFA9BBD B72EF762927EB3C15E90B2587E l\temp\pdnsetup\resources\fr\icons.enum.fontstyle.italic.png PNG image data, 16 x 16, 8-bit colormap, non-interlaced EA2EC1703AEC2E53610D04FB1D2F845F 78A11913DBBCCA85752B108C23A088A5606BEC12 C48C4E C1D5E620E8C0CB2212A28842DC DE249541F8F160A F178C6522EFDB06BD04E9EFE8DC07D255831E31E0479EDFA72AC92567D06C64ECA97B4BC F9E01EDC083D57 12D D2D16CB0267CF59C030E12 Copyright Joe Security LLC 2017 Page 20 of 143

l\temp\pdnsetup\resources\fr\icons.enum.fontstyle.strikeout.png: PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
l\temp\pdnsetup\resources\fr\icons.enum.fontstyle.underline.png: PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
l\temp\pdnsetup\resources\fr\images.paypaldonate.gif: GIF image data, version 89a, 62 x 31
l\temp\pdnsetup\resources\ja\icons.enum.fontstyle.strikeout.png: PNG image data, 16 x 16, 4-bit colormap, non-interlaced
l\temp\pdnsetup\resources\ja\images.paypaldonate.gif: GIF image data, version 89a, 62 x 31
l\temp\pdnsetup\resources\ru\icons.enum.fontstyle.bold.png: PNG image data, 16 x 16, 4-bit colormap, non-interlaced
l\temp\pdnsetup\resources\ru\icons.enum.fontstyle.italic.png: PNG image data, 16 x 16, 4-bit colormap, non-interlaced

l\temp\pdnsetup\resources\ru\icons.enum.fontstyle.strikeout.png: PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
l\temp\pdnsetup\resources\ru\icons.enum.fontstyle.underline.png: PNG image data, 16 x 16, 4-bit colormap, non-interlaced
l\temp\pdnsetup\resources\zh-cn\images.paypaldonate.gif: GIF image data, version 89a, 62 x
l\temp\pdnsetup\setupfrontend.exe: PE32 executable (GUI) Intel Mono/.Net assembly, for MS Windows (Antivirus: metadefender, Detection: 0%)
l\temp\pdnsetup\setupfrontend.exe.config: XML document text
l\temp\pdnsetup\setupfrontend.pdb: MSVC program database ver \

l\temp\pdnsetup\setupshim.exe: PE32 executable (GUI) Intel 80386, for MS Windows
l\temp\pdnsetup\x64\paintdotnet.systemlayer.native.x64.dll: PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-console-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-datetime-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-debug-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-errorhandling-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-file-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows

l\temp\pdnsetup\x64\api-ms-win-core-file-l1-2-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-file-l2-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-handle-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-heap-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-interlocked-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-libraryloader-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-localization-l1-2-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows

l\temp\pdnsetup\x64\api-ms-win-core-memory-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-namedpipe-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-processenvironment-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-processthreads-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-processthreads-l1-1-1.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-profile-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-rtlsupport-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows

l\temp\pdnsetup\x64\api-ms-win-core-string-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-synch-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-synch-l1-2-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-sysinfo-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-timezone-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-core-util-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows

l\temp\pdnsetup\x64\api-ms-win-crt-conio-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-crt-convert-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-crt-environment-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-crt-filesystem-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-crt-heap-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-crt-locale-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-crt-math-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows

l\temp\pdnsetup\x64\api-ms-win-crt-multibyte-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-crt-private-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-crt-process-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-crt-runtime-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-crt-stdio-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-crt-string-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\api-ms-win-crt-time-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows

l\temp\pdnsetup\x64\api-ms-win-crt-utility-l1-1-0.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\msvcp140.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\ucrtbase.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x64\vcomp140.dll: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
l\temp\pdnsetup\x64\vcruntime140.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
l\temp\pdnsetup\x86\paintdotnet.systemlayer.native.x86.dll: PE32 executable (DLL) (GUI) Intel Mono/.Net assembly, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-core-console-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows

l\temp\pdnsetup\x86\api-ms-win-core-datetime-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-core-debug-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-core-errorhandling-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-core-file-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-core-file-l1-2-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-core-file-l2-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows

l\temp\pdnsetup\x86\api-ms-win-core-handle-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-core-heap-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-core-interlocked-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-core-libraryloader-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-core-localization-l1-2-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-core-memory-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-core-namedpipe-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows

l\temp\pdnsetup\x86\api-ms-win-core-processenvironment-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-core-processthreads-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-core-processthreads-l1-1-1.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-core-profile-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-core-rtlsupport-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-core-string-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-core-synch-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows

l\temp\pdnsetup\x86\api-ms-win-core-synch-l1-2-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-core-sysinfo-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-core-timezone-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-core-util-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-crt-conio-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-crt-convert-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-crt-environment-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows

l\temp\pdnsetup\x86\api-ms-win-crt-filesystem-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-crt-heap-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-crt-locale-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-crt-math-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-crt-multibyte-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows
l\temp\pdnsetup\x86\api-ms-win-crt-private-l1-1-0.dll: PE32 executable (DLL) (console) Intel 80386, for MS Windows

35 l\temp\pdnsetup\x86\api-ms-win-crt-process-l1-1-0.dll PE32 executable (DLL) (console) Intel 80386, for MS Windows 5A3338E7E23E6812AB77784A4EEC4308 7AAB32B6D72F3AC2C5F278EF636333FD5E EBB3F7103DBE9DB40D4C00CD5DA6045CE315542E7DE14F061E A FC1ED672E6E88D978157CD0A456A A7D4A3E3C77AFEA2607D021D32FD5DDDEB4C4D1058A0FD5D5857AE251A DF6E629FF77CD149D201F707C6747CAB l\temp\pdnsetup\x86\api-ms-win-crt-runtime-l1-1-0.dll PE32 executable (DLL) (console) Intel 80386, for MS Windows 614D4EE35D5E0A38394DCAB2F7F3E062 5D6F9E2BE80057D3760BE90AEA540B8271A2E F21A051C771471C790F9BEDD859964C5723B92E7C9F857FEDCF A 23663A433D10BA2644F FCCD42F755C86AC44D2FE297722AE83C3DCFBFECF0109ED B46DAD4A ADC61C34A1481FCF1D80BC56F4 l\temp\pdnsetup\x86\api-ms-win-crt-stdio-l1-1-0.dll PE32 executable (DLL) (console) Intel 80386, for MS Windows 97A0C21B7DA8D4000D8FD4A2DCB6636F D5F3213DD FB4AB3C37E3FE3D8296C7C2A 1E609CACDF71C71C55868D4E2460C4082F5BBB1299C1DF110E6971CD460A80A1 ACF4C73D936BFD1F08D4EE78A73F845EED5C9E8B01D5423F99CA9A85DAF9A4B214AF12F6D F346A0C13CEE4D DCE7C85F55DC EEDD4BF65F l\temp\pdnsetup\x86\api-ms-win-crt-string-l1-1-0.dll PE32 executable (DLL) (console) Intel 80386, for MS Windows 24181BFED98C9EDE05A5B D32 EA6C83FB D98EE F7438D9DB6 FB78D2CDD71F4A9762E9ED3621A3CE0CA9A5DA6807D52610D640D534469B5A B3A33A8B0BE4E48C D3CC32D6C3431EE C804A0A2BD2AB4DFC1C6F84F11AF9EF632D43E5FD09E A67A4A31CDF160747CF71DF8D7FED7B2 l\temp\pdnsetup\x86\api-ms-win-crt-time-l1-1-0.dll PE32 executable (DLL) (console) Intel 80386, for MS Windows 9F07488CA21FA3A49FCDABB750F1829E 988D6DC1BFD4EA3B91D14CF8BDEED623DF C34991BECCB8981E1A14671F A2FEC DB4C2 8D19086F6C1FE8EE9D F58270C D0A C6870ADC70F0B7739B C297F9A4EF2619FE9E1 6867E23822E55F985B69E19D1449D l\temp\pdnsetup\x86\api-ms-win-crt-utility-l1-1-0.dll PE32 executable (DLL) (console) Intel 80386, for MS Windows 026AC640F7193E491BDCCAC1B3379C99 B233114C0DEBF4FC4574D544DDB6A7DD4AAB9436 0D03BD0A77AEA1475E13D5A265B79CC56B731D99480F123C33A E4683 
B0B9E2D8AC07BA4E6B32234FCACDA85DB7B0D04320D FCCE43281C6AC4F8EBCB8B3F30571CA69970B17CE476 FD2FC3FFBA39E8EAE13238B21F68ED011 l\temp\pdnsetup\x86\msvcp140.dll PE32 executable (DLL) (console) Intel 80386, for MS Windows 8ED5B C221EB79CB69B2064 BFB7C3937C5185BFE510A05AC99839E10AFA8E26 D316F E7CB119883DFE874D20EDE8BE E5040E607CB0C B7DAA ECF10EE4C25A8ED7CA54C78D4D140D9103D24417A754222F150EE16D817CE0366E459865D390B FCDB2B367044B50AE26A2D9F9C2 Copyright Joe Security LLC 2017 Page 35 of 143

36 l\temp\pdnsetup\x86\msvcp140.dll l\temp\pdnsetup\x86\ucrtbase.dll PE32 executable (DLL) (console) Intel 80386, for MS Windows 5D2F D6E0152A6C9CE090F01B A0AB6942E182C393A0C35D0FC44AA2FF82F 0AE2D103D87250F64EF5091D ABA0E119B121EED7F0A23B00B DB60BC30F5D D5BE7159D0D41E23EA987A5A4B6D4C2D96A99481B8AEFEF43AF8568CA3DA67FE8D7DC623 C1B732A633A2AF82905A2AC4DA0CDE5CD l\temp\pdnsetup\x86\vcomp140.dll PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 47BB7089D95FA471D81BE98D615811BE 8C39AF EAC04B69FEC33550ED016B858F DDF87F6E61D BDAEBA80F6F8DF68D781D3688AD7D BDEE27FFA3E0E680A10493A632684CB0F422BFCBF9A3724CA9A0DF84F8CE5616FE9DB4D79116CBC4F C9E 51F180F77B61DACD37E1A545C6E10F80 l\temp\pdnsetup\x86\vcruntime140.dll PE32 executable (DLL) (console) Intel 80386, for MS Windows 7049E08F F7A0D7E7DDE8A59D 646DF BB96D7ED08335A9D02CC60B088A6 B3862C0BBE5A8BC3144A9AA5B60C7A3495C FCA6BFF5A573BA236DE 11B772D3947BAB B3262E285E444CA81A429E996FFB8A97C5640ADD2A478B CFC7DE598898E1ED9E60BD 4E6905BB97D6C940A408DF7D22414D9 l\temp\nsr1b6c.tmp data ACFBF0E10172EA5734A B0EBBC 42613FD568B6C44F5C4E905184B4BA6F319DF0BA 2FD85176A84C93DCD97D984C5130C18EA035C60DB276DC6DF2D014273A1B2C BDDA E2EC8410C29C ECDB FA85AA1BDE4595E7C8D766E975F57A1077AB2D1C C093F1D22D94F0EF823F5C2D5E8FEC l\temp\nsy1ce0.tmp\system.dll PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 56A321BD011112EC5D8A32B2F6FD3231 DF20E3A35A1636DE64DF5290AE5E4E F78 BB6DF93369B498EAA638B0BCDC4BB89F45E9B02CA12D28BCEDF4629EA7F5E0F CBC53CE51081A78C64BA9C4C8C4DC9E C1E916E19C5776DAC7C82989FAD0F08C73E81AABA332DAD81 05F90D AF45550B97B338B9CC3 l\temp\pdnsetupshim.log ASCII text, with CRLF line terminators ECA3BC2B909D6B6F13C6231AA8D14810 DD A05377B25BA4B346EF76A0AADFA78D6 6E16FD1FBFCED3A4B886260F35B464CEB2104E C98F61B9EDD1E55BB B5D13E2EE0A9F9E2F12925BD4C4C8F9D81DD2DB9DB0C6A C9EE4D491EC31446D50BE868DB78A2F69A6A9 A E501198EBED4ACA207C1 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\34DA60AA966CD9270C5362E6AEF824CF data 
83E10465B722EF33FF0B6F535E8D996B 339CDD57CFD5B141169B615FF D1DA639 02AB57E4E67A0CB48DD2FF34830E8AC40F4476FB08CA6BE3F5CD846F646840F0 Copyright Joe Security LLC 2017 Page 36 of 143

37 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\34DA60AA966CD9270C5362E6AEF824CF A3E6460D4702FA B2BED2D8347FBCD732024C106F3383CA1053CEE7B33AFF122D8926AE68015D D5F381 60A99F46D82BF05CAF4A432BE9257E C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\34DA60AA966CD9270C5362E6AEF824CF data 212C1CBF CE7036E853CFB E3D9ACCE256C88CFEEB347E8E89B278D4B7A4DD2 B2147BF A92927E0B75034DE971300D02111C1DA06479E2871FC C872C29DF91C75840B89EA4B0C84C50CC4DCD0B753A91E70D0992CAC6F F6D5451EAF62399DF348535E0787C28 87F554F65F6D95DF5F992F5173F9637 C:\Users\user\AppData\Local\Temp\PdnMsiInstall.log Little-endian UTF-16 Unicode text, with no line terminators F3B25701FE362EC84616A93A45CE9998 D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF F9755A9BFDF1C54CA0D84 \samr Hitachi SH big-endian COFF object, not stripped 5D904409CAE6D378553C927ACE7D72A2 52F3F768B0ED1099B2C830077E40A272D329A1CD 0FBEA09B5F4E4E50BF7EA609B6B27925FFE8198AE63B4AFD1D5ABEBDF6593C05 152E844B73F1DC9B7C0D4FE6B31A094D3CB5D7E3CA5AC149ABB14E44224FD224298E3B54B679DDA017B9FA8DA80F5DC 23C14F71E983F02D6C54081F4F871FD95 Contacted Domains/Contacted IPs Contacted Domains Name IP Active Malicious Antivirus Detection true 0%, virustotal, Browse Contacted IPs Copyright Joe Security LLC 2017 Page 37 of 143

IP Country Flag ASN ASN Name Malicious
United States LNH-INC-HostMySiteUS

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
TrID:
Win32 Executable (generic) a ( /4) 99.94%
Generic Win/DOS Executable (2004/3) 0.02%
DOS Executable Generic (2002/1) 0.02%
Java Script embedded in Visual Basic Script (1500/0) 0.01%
Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: paint.net install.exe
File size: SHA256: SHA512: File Content Preview: af98ab1e8f89ad96f f515aa26e9e6a56fd1b edc040f287c386 49fef f8a470699cbedb281bf4bd4de001970cde1 4efba075e700d5bf9 bd99e5ecb7070bfcf398ce09364a0bb1a6f08832fc1c34df dc1f1b24e1cb7c7872e14bc852b5275eb6aac0 2dc363de39c91e960d9a261577b39c97d8...!..L.!Th is program $...0(..QF.. QF..QF.*^...QF..QG.qQF.*^...QF..rv..QF..W@..QF.Rich. QF...PE..L...i:.V..^...l2...p...@

File Icon

Static PE Info

General

Entrypoint: 0x40326c
Entrypoint Section: .text

Digitally signed: true
Imagebase: 0x
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x56FF3A69 [Sat Apr 2 03:20: UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: b1a57b635b23ffd553b3fd1e0960b2bd

Authenticode Signature

Signature Valid: true
Signature Issuer: CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After: 9/11/2017 2:00:00 AM 9/11/2020 1:59:59 AM
Subject Chain: CN=DOTPDN LLC, O=DOTPDN LLC, STREET=3925 NE 72nd Ave Ste 107-1, L=Vancouver, S=WA, PostalCode=98661, C=US
Version: 3
Thumbprint: 0DF057FD2C1C69CF096AF1BC9DA07CC8B764BAC9
Serial: 00A38E256C85B B A

Entrypoint Preview

Instruction
sub esp, h
push ebx
push ebp
push esi
push edi
xor ebx, ebx
push h
mov dword ptr [esp+20h], ebx
mov dword ptr [esp+14h], h
mov dword ptr [esp+1ch], ebx
mov byte ptr [esp+18h], h
call dword ptr [004070B4h]
call dword ptr [004070B0h]
cmp ax, h
je 00007F44249CFA63h
push ebx
call 00007F44249D285Ch
cmp eax, ebx
je 00007F44249CFA59h
push 00000C00h
call eax
mov esi, h
push esi
call 00007F44249D27D8h
push esi
call dword ptr [004070ACh]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F44249CFA3Dh
push Dh
call 00007F44249D2830h

push Bh
call 00007F44249D2829h
mov dword ptr [00423F64h], eax
call dword ptr [ h]
push ebx
call dword ptr [ Ch]
mov dword ptr [ h], eax
push ebx
lea eax, dword ptr [esp+38h]
push h
push eax
push ebx
push 0041F518h
call dword ptr [ Ch]
push C0h
push h
call 00007F44249D245Ch
call dword ptr [ h]
mov ebp, 0042A000h
push eax
push ebp
call 00007F44249D244Ah

Data Directories

Name Virtual Address Virtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT 0x7418 0xa0 .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE 0x2e000 0x13b20 .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY 0x6e5918 0x14d8
IMAGE_DIRECTORY_ENTRY_BASERELOC 0x0 0x0
IMAGE_DIRECTORY_ENTRY_DEBUG 0x0 0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0
IMAGE_DIRECTORY_ENTRY_TLS 0x0 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_IAT 0x7000 0x27c .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0

Sections

Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics
.text 0x1000 0x5c74 0x5e00 False data IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata 0x7000 0x1196 0x1200 False data IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data 0x9000 0x1b058 0x600 False data IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata 0x x9000 0x0 False 0 empty 0.0 IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc 0x2e000 0x13b20 0x13c00 False data IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name RVA Size Type Language Country
RT_ICON 0x2e328 0xe1cc PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced English United States
RT_ICON 0x3c4f8 0x25a8 data English United States
RT_ICON 0x3eaa0 0x10a8 data English United States
RT_ICON 0x3fb48 0x8a8 data English United States

RT_ICON 0x403f0 0x568 GLS_BINARY_LSB_FIRST English United States
RT_ICON 0x x468 GLS_BINARY_LSB_FIRST English United States
RT_ICON 0x40dc0 0x2e8 data English United States
RT_ICON 0x410a8 0x128 GLS_BINARY_LSB_FIRST English United States
RT_DIALOG 0x411d0 0x100 data English United States
RT_DIALOG 0x412d0 0x11c data English United States
RT_DIALOG 0x413f0 0x60 data English United States
RT_GROUP_ICON 0x x76 MS Windows icon resource - 8 icons, 32x32, 16-colors English United States
RT_VERSION 0x414c8 0x298 data
RT_MANIFEST 0x x3be XML document text English United States

Imports

DLL Import
KERNEL32.dll GetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, Sleep, lstrcmpiA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, GetCommandLineA, GetTempPathA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
USER32.dll SetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
GDI32.dll SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
ADVAPI32.dll RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Version Infos

Description Data
LegalCopyright Copyright dotpdn LLC, Rick Brewster, and contributors. All Rights Reserved.
ProductVersion
ProductName paint.net Setup
FileVersion
FileDescription Installs paint.net.
Translation 0x0000 0x04e4

Possible Origin

Language of compilation system Country where language is spoken Map
English United States

Network Behavior

Network Port Distribution

ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version:

ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version: ID: 46161 Sample Name: tesseract-ocrsetup-3.05.01.exe Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version:

ID: Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version: ID: 53619 Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version:

ID: Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version: ID: 42670 Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version:

ID: Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version: ID: 37366 Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version:

ID: Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version: ID: 80115 Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report js.jar Overview General Information

More information

ID: Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 18:29:43 Date: 25/05/2018 Version:

ID: Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 18:29:43 Date: 25/05/2018 Version: ID: 1259 Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 1:29:43 Date: 25/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Sample Name: image002 Cookbook: default.jbs Time: 18:19:28 Date: 18/05/2018 Version:

ID: Sample Name: image002 Cookbook: default.jbs Time: 18:19:28 Date: 18/05/2018 Version: ID: 0309 Sample Name: image002 Cookbook: default.jbs Time: 1:19:2 Date: 1/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version: ID: 41304 Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview

More information

ID: Sample Name: quzpecasrh Cookbook: default.jbs Time: 16:55:54 Date: 07/10/2017 Version:

ID: Sample Name: quzpecasrh Cookbook: default.jbs Time: 16:55:54 Date: 07/10/2017 Version: ID: 3393 Sample Name: quzpecasrh Cookbook: default.jbs Time: 1:55:54 Date: 0//201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: 21PO jpg...js Cookbook: default.jbs Time: 14:32:06 Date: 21/11/2017 Version:

ID: Sample Name: 21PO jpg...js Cookbook: default.jbs Time: 14:32:06 Date: 21/11/2017 Version: ID: 371 Sample Name: 21PO201745.jpg...js Cookbook: default.jbs Time: 14:32:0 Date: 21/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Sample Name: maintools.js Cookbook: default.jbs Time: 15:43:35 Date: 17/02/2018 Version:

ID: Sample Name: maintools.js Cookbook: default.jbs Time: 15:43:35 Date: 17/02/2018 Version: ID: 48 Sample Name: maintools.js Cookbook: default.jbs Time: 1:43:3 Date: 1/02/2018 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: test.txt Cookbook: default.jbs Time: 13:18:36 Date: 31/03/2018 Version:

ID: Sample Name: test.txt Cookbook: default.jbs Time: 13:18:36 Date: 31/03/2018 Version: ID: 5250 Sample Name: test.txt Cookbook: default.jbs Time: 13:18:3 Date: 31/03/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version:

ID: Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version: ID: 46296 Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version:

ID: Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version: ID: 62529 Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: urldownload.jbs Time: 19:53:36 Date: 07/03/2018 Version:

ID: Cookbook: urldownload.jbs Time: 19:53:36 Date: 07/03/2018 Version: ID: 49 Cookbook: urldownload.jbs Time: 19:: Date: 0/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice

More information

ID: Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version: ID: 74919 Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report http://tiny.cc/34aqxy Overview General Information Detection Confidence

More information

ID: Sample Name: fly.jse Cookbook: default.jbs Time: 18:17:26 Date: 11/11/2017 Version:

ID: Sample Name: fly.jse Cookbook: default.jbs Time: 18:17:26 Date: 11/11/2017 Version: ID: 371 Sample Name: fly.jse Cookbook: default.jbs Time: 1:17:2 Date: 11/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence Classification

More information

ID: Sample Name: text_0.txt Cookbook: default.jbs Time: 16:20:15 Date: 12/01/2018 Version:

ID: Sample Name: text_0.txt Cookbook: default.jbs Time: 16:20:15 Date: 12/01/2018 Version: ID: 4253 Sample Name: text_0.txt Cookbook: default.jbs Time: 1:20:15 Date: 12/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31:13 Date: 16/03/2018 Version:

ID: Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31:13 Date: 16/03/2018 Version: ID: 50648 Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31: Date: 16/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Sample Name: Serial.txt Cookbook: default.jbs Time: 02:59:20 Date: 07/05/2018 Version:

ID: Sample Name: Serial.txt Cookbook: default.jbs Time: 02:59:20 Date: 07/05/2018 Version: ID: 58133 Sample Name: Serial.txt Cookbook: default.jbs Time: 02:5:20 Date: 0/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: 10:19:47 Date: 19/02/2018 Version:

ID: Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: 10:19:47 Date: 19/02/2018 Version: ID: 47020 Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: :19:47 Date: 19/02/201 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/2018 Version: ID: 50646 Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 12:58:02 Date: 02/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 12:58:02 Date: 02/04/2018 Version: ID: 5253 Cookbook: browseurl.jbs Time: 12:5:02 Date: 02/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: urldownload.jbs Time: 16:41:45 Date: 23/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 16:41:45 Date: 23/06/2018 Version: ID: 52 Cookbook: urldownload.jbs Time: 1:41:45 Date: 23/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/07/2018 Version:

ID: Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/07/2018 Version: ID: 6045 Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/0/201 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/2018 Version: ID: 5139 Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:46 Date: 20/09/2018 Version: 23.0.

ID: Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:46 Date: 20/09/2018 Version: 23.0. ID: 25 Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:4 Date: 20/09/201 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Payment_Remittance#.xps

More information

ID: Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/2018 Version:

ID: Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/2018 Version: ID: 6467 Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version:

ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version: ID: 82 Sample Name: GeZNwROcB.bin Cookbook: default.jbs Time: 1:22:4 Date: 0/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/2018 Version: ID: 5945 Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version: ID: 51900 Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking:

More information

ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version:

ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version: ID: Sample Name: gpgwin-.0..exe.sig Cookbook: default.jbs Time: 21::1 Date: 02/02/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/2018 Version: ID: 52775 Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:09:32 Date: 02/06/2018 Version:

ID: Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:09:32 Date: 02/06/2018 Version: ID: 22 Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:0:2 Date: 02/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version: ID: 64085 Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/06/2018 Version: ID: 3923 Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/0/201 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 18:05:31 Date: 26/12/2017 Version:

ID: Cookbook: browseurl.jbs Time: 18:05:31 Date: 26/12/2017 Version: ID: 41000 Cookbook: browseurl.jbs Time: 1:05:31 Date: 26/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751.evaljs.js Cookbook: default.jbs Time: 16:44:00 Date:

ID: Sample Name: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751.evaljs.js Cookbook: default.jbs Time: 16:44:00 Date: ID: 33355 Sample Name: ff2c8cadaa0fd8da138ccefce3e001f53a5dceccd45b15ae23f4d51.evaljs.js Cookbook: default.jbs Time: 1:44:00 Date: 04//201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report

More information

ID: Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version: ID: 67658 Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification Analysis Advice Signature Overview

More information

ID: Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version: ID: 66665 Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:54:49 Date: 26/01/2018 Version:

ID: Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:54:49 Date: 26/01/2018 Version: ID: 44024 Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:4:49 Date: 2/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version:

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: ID: 40269 Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 22:46:20 Date: 19/02/2018 Version:

ID: Cookbook: urldownload.jbs Time: 22:46:20 Date: 19/02/2018 Version: ID: 4706 Cookbook: urldownload.jbs Time: 22:46:20 Date: 1/02/201 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal

ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal ID: 82913 Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://www.learningtoolkit.club Overview General Information

More information

ID: Sample Name: test Cookbook: default.jbs Time: 09:46:13 Date: 21/05/2018 Version:

ID: Sample Name: test Cookbook: default.jbs Time: 09:46:13 Date: 21/05/2018 Version: ID: 042 Sample Name: test Cookbook: default.jbs Time: 09:4:1 Date: 21/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version:

ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version: ID: 4019 Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24: Date: 1/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:54 Date: 07/06/2018 Version:

ID: Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:54 Date: 07/06/2018 Version: ID: 001 Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:4 Date: 0/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version:

ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version: ID: 4441 Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version:

ID: Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version: ID: 42035 Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection

ID: Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17:15:48 Date: 19/06/2018 Version: 22.0.

ID: Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17:15:48 Date: 19/06/2018 Version: 22.0. ID: 64635 Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17::48 Date: 1/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

ID: Cookbook: browseurl.jbs Time: 15:46:38 Date: 29/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:46:38 Date: 29/03/2018 Version: ID: 52374 Cookbook: browseurl.jbs Time: 15:46:3 Date: 29/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Sample Name: E DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version:

ID: Sample Name: E DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version: ID: 55401 Sample Name: E203182DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

ID: Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 09:43:59 Date: 21/10/2017 Version:

ID: Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 09:43:59 Date: 21/10/2017 Version: ID: 34788 Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 0:43:5 Date: 21/10/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: ID: 80599 Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report http://www.qbproadvisorshelp.com Overview General Information Detection

ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version:

ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: ID: 41280 Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information

ID: Cookbook: urldownload.jbs Time: 19:58:34 Date: 02/05/2018 Version:

ID: Cookbook: urldownload.jbs Time: 19:58:34 Date: 02/05/2018 Version: ID: 57706 Cookbook: urldownload.jbs Time: 19:5:34 Date: 02/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Sample Name: 11#Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/2018 Version: 20.0.

ID: Sample Name: 11#Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/2018 Version: 20.0. ID: 4457 Sample Name: #Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General

ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version:

ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: ID: 34266 Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: 12/04/2018 Version:

ID: Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: 12/04/2018 Version: ID: 54427 Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: /04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification

ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: ID: 51630 Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Cookbook: browseurl.jbs Time: 13:46:19 Date: 09/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 13:46:19 Date: 09/05/2018 Version: ID: 5702 Cookbook: browseurl.jbs Time: 13:46:19 Date: 09/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Sample Name: INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0.

ID: Sample Name: INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0. ID: 56519 Sample Name: 20180542 INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview Information

ID: Cookbook: urldownload.jbs Time: 08:25:02 Date: 29/10/2018 Version: Fire Opal

ID: Cookbook: urldownload.jbs Time: 08:25:02 Date: 29/10/2018 Version: Fire Opal ID: Cookbook: urldownload.jbs Time: 0:25:02 Date: 29//201 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://15.1..14/neko.sh Overview General Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: ID: 70096 Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: ID: 66523 Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Sample Name: Unconfirmed crdownload Cookbook: default.jbs Time: 22:58:07 Date: 08/11/2017 Version:

ID: Sample Name: Unconfirmed crdownload Cookbook: default.jbs Time: 22:58:07 Date: 08/11/2017 Version: ID: 80 Sample Name: Unconfirmed.crdownload Cookbook: default.jbs Time: 22:8:0 Date: 08/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

ID: Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:36:29 Date: 04/05/2018 Version: 22.0.

ID: Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:36:29 Date: 04/05/2018 Version: 22.0. ID: 5762 Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: :36:2 Date: 04/05/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

ID: Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: 13/04/2018 Version: 22.0.

ID: Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: 13/04/2018 Version: 22.0. ID: 54478 Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: /04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 15:48:15 Date: 29/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:48:15 Date: 29/03/2018 Version: ID: 52376 Cookbook: browseurl.jbs Time: 15:4:15 Date: 29/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: ID: 54075 Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/08/2018 Version:

ID: Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/08/2018 Version: ID: 153 Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/0/201 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Cookbook: urldownload.jbs Time: 20:47:24 Date: 09/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 20:47:24 Date: 09/12/2017 Version: ID: 0 Cookbook: urldownload.jbs Time: 20:4:24 Date: 0/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook.

ID: Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook. ID: 63341 Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 08:43:14 Date: 10/06/2018 Version: 22.0.0 Table of Contents

ID: Cookbook: urldownload.jbs Time: 10:02:12 Date: 14/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 10:02:12 Date: 14/06/2018 Version: ID: 63987 Cookbook: urldownload.jbs Time: 10:02:12 Date: 14/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0. ID: 61258 Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

ID: Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:47 Date: 22/11/2017 Version:

ID: Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:47 Date: 22/11/2017 Version: ID: 388 Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:4 Date: 22/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version:

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version: ID: 09 Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: urldownload.jbs Time: 18:48:38 Date: 19/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 18:48:38 Date: 19/06/2018 Version: ID: 64646 Cookbook: urldownload.jbs Time: 1:4:3 Date: 19/06/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version:

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version: ID: 90 Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:4 Date: 2/0/201 Version: 2.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Sample Name: PO xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03:13:36 Date: 08/01/2018 Version:

ID: Sample Name: PO xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03:13:36 Date: 08/01/2018 Version: ID: 41861 Sample Name: PO65445465.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03::36 Date: 08/01/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date:

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

ID: Cookbook: urldownload.jbs Time: 16:10:39 Date: 07/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 16:10:39 Date: 07/12/2017 Version: ID: 94 Cookbook: urldownload.jbs Time: 1:10:9 Date: 0/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date:

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: ID: 41310 Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: 31/12/2017 Version: 20.0.0 Table of Contents Analysis Report

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version:

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: ID: 45263 Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date:

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

ID: Sample Name: binarydata Cookbook: default.jbs Time: 22:09:57 Date: 22/11/2017 Version:

ID: Sample Name: binarydata Cookbook: default.jbs Time: 22:09:57 Date: 22/11/2017 Version: ID: 88 Sample Name: binarydata Cookbook: default.jbs Time: 22:09: Date: 22/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Sample Name: wtf.bat Cookbook: default.jbs Time: 18:32:35 Date: 19/05/2018 Version:

ID: Sample Name: wtf.bat Cookbook: default.jbs Time: 18:32:35 Date: 19/05/2018 Version: ID: 6036 Sample Name: wtf.bat Cookbook: default.jbs Time: 1:32:35 Date: 19/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Sample Name: modulecheck.js Cookbook: default.jbs Time: 17:46:31 Date: 01/02/2018 Version:

ID: Sample Name: modulecheck.js Cookbook: default.jbs Time: 17:46:31 Date: 01/02/2018 Version: ID: 44491 Sample Name: modulecheck.js Cookbook: default.jbs Time: 17:4:31 Date: 01/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: ._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version:

ID: Sample Name: ._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version: ID: 2 Sample Name: ._k.php Cookbook: default.jbs Time: 0:41:1 Date: 2/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17:14:48 Date: 21/06/2018 Version: 22.0.

ID: Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17:14:48 Date: 21/06/2018 Version: 22.0. ID: 64992 Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17::48 Date: 21/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

ID: Sample Name: _ doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:23:56 Date: 20/10/2017 Version: 20.0.

ID: Sample Name: _ doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:23:56 Date: 20/10/2017 Version: 20.0. ID: 34737 Sample Name: 20170927_655387.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:23:56 Date: 20/10/2017 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

ID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version:

ID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version: ID: 42417 Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version: ID: 59136 Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Sample Name: FORMP16T.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 09:39:29 Date: 28/05/2018 Version:

ID: Sample Name: FORMP16T.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 09:39:29 Date: 28/05/2018 Version: ID: 61383 Sample Name: FORMP16T.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 09:39:29 Date: 28/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information

ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version: ID: 6600 Cookbook: urldownload.jbs Time: 21:2:55 Date: 2/06/201 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking:

ID: Cookbook: browseurl.jbs Time: 14:02:12 Date: 23/11/2018 Version: Fire Opal

ID: Cookbook: browseurl.jbs Time: 14:02:12 Date: 23/11/2018 Version: Fire Opal ID: 92832 Cookbook: browseurl.jbs Time: 14:02:12 Date: 23/11/2018 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://www.winsupport.ml Overview Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 13:47:53 Date: 16/02/2018 Version:

ID: Cookbook: browseurl.jbs Time: 13:47:53 Date: 16/02/2018 Version: ID: 46703 Cookbook: browseurl.jbs Time: 13:47:53 Date: 16/02/2018 Version: 21.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Sample Name: rechnung_ js Cookbook: default.jbs Time: 19:18:52 Date: 08/04/2018 Version:

ID: Sample Name: rechnung_ js Cookbook: default.jbs Time: 19:18:52 Date: 08/04/2018 Version: ID: 53668 Sample Name: rechnung_164920244621218163584.js Cookbook: default.jbs Time: 19:18:52 Date: 08/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information

ID: Sample Name: New invoice doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:49:06 Date: 07/11/2017 Version: 20.0.

ID: Sample Name: New invoice doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:49:06 Date: 07/11/2017 Version: 20.0. ID: 36381 Sample Name: New invoice 1385371761.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:4:06 Date: 07/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview

ID: Sample Name: CRP_Force_Tool.exe Cookbook: default.jbs Time: 20:11:41 Date: 20/07/2018 Version:

ID: Sample Name: CRP_Force_Tool.exe Cookbook: default.jbs Time: 20:11:41 Date: 20/07/2018 Version: ID: 699 Sample Name: CRP_Force_Tool.exe Cookbook: default.jbs Time: 20:11:41 Date: 20/0/201 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence
