ID: Cookbook: browseurl.jbs Time: 14:02:12 Date: 23/11/2018 Version: Fire Opal

Transcription

1 ID: Cookbook: browseurl.jbs Time: 14:02:12 Date: 23/11/2018 Version: Fire Opal

2 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence Classification Analysis Advice Mitre Att&ck Matrix Signature Overview Software Vulnerabilities: Networking: System Summary: Data Obfuscation: Persistence and Installation Behavior: Hooking and other Techniques for Hiding and Protection: Malware Analysis System Evasion: Anti Debugging: HIPS / PFW / Operating System Protection Evasion: Language, Device and Operating System Detection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains URLs Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshots Thumbnails Startup Created / dropped Files Domains and IPs Contacted Domains Contacted URLs URLs from Memory and Binaries Contacted IPs Public Static File Info No static file info Network Behavior Network Port Distribution TCP Packets DNS Queries DNS Answers HTTP Request Dependency Graph Copyright Joe Security LLC 2018 Page 2 of

3 Code Manipulations Statistics Behavior System Behavior Analysis iexplore.exe PID: 5592 Parent PID: 688 File Activities Registry Activities Analysis iexplore.exe PID: 5112 Parent PID: 5592 File Activities Registry Activities Analysis Supremo.exe PID: 2736 Parent PID: 5592 File Activities File Created File Deleted File Written File Read Registry Activities Key Created Key Value Created Analysis SupremoSystem.exe PID: 2396 Parent PID: 2736 Analysis SupremoSystem.exe PID: 1376 Parent PID: 552 Analysis Supremo.exe PID: 3272 Parent PID: 1376 File Activities File Created File Written File Read Registry Activities Key Created Key Value Created Key Value Modified Analysis SupremoHelper.exe PID: 2320 Parent PID: 3272 Analysis SupremoHelper.exe PID: 1624 Parent PID: 3272 File Activities File Created Analysis SupremoHelper.exe PID: 5860 Parent PID: 3272 File Activities File Created Analysis SupremoHelper.exe PID: 4708 Parent PID: 3272 Analysis SupremoHelper.exe PID: 2340 Parent PID: 3272 Analysis SupremoHelper.exe PID: 5648 Parent PID: 3272 Analysis SupremoHelper.exe PID: 4592 Parent PID: 3272 Analysis SupremoHelper.exe PID: 5952 Parent PID: 3272 Analysis SupremoHelper.exe PID: 6008 Parent PID: 3272 Analysis SupremoHelper.exe PID: 684 Parent PID: 3272 Analysis SupremoHelper.exe PID: 5832 Parent PID: 3272 Analysis SupremoHelper.exe PID: 1520 Parent PID: 3272 Analysis SupremoHelper.exe PID: 5448 Parent PID: 3272 Analysis SupremoHelper.exe PID: 4920 Parent PID: 3272 Analysis SupremoHelper.exe PID: 3992 Parent PID: 3272 Analysis SupremoHelper.exe PID: 1524 Parent PID: 3272 Copyright Joe Security LLC 2018 Page 3 of

4 Disassembly Copyright Joe Security LLC 2018 Page 4 of 57

5 Analysis Report Overview Information Joe Sandbox Version: Analysis ID: Fire Opal Start date: Start time: 14:02:12 Joe Sandbox Product: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: CloudBasic 0h 5m 29s light browseurl.jbs Analysis system description: Windows bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java Number of analysed new started processes analysed: 27 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: Cookbook Comments: Warnings: Timeout MAL EGA enabled mal48.win@42/63@8/6 Adjust boot time Browsing link: download.com/downloads/teamviewer-forwindow/teamviewer_setup_v9.exe Browsing link: mix.com/site/alpemix.exe Browsing link: remocontrol.com/download.aspx? file=supremo.exe&id_sw=7&a mp;ws=supremocontrol.com Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, ieutil.exe, conhost.exe, CompatTelRunner.exe TCP Packets have been reduced to 100 Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing network information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Copyright Joe Security LLC 2018 Page 5 of 57

6 Confidence Strategy Score Range Further Analysis Required? Threshold Confidence Classification Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Copyright Joe Security LLC 2018 Page 6 of 57

7 Analysis Advice Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox Sample might require command line arguments, analyze it with the command line cookbook Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis Mitre Att&ck Matrix Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command and Control Valid Accounts Exploitation for Client Execution 1 Winlogon Helper DLL Process Injection 1 Process Injection 1 Credential Dumping Process Discovery 1 Application Deployment Software Data from Local System Data Encrypted 1 Standard Non- Application Layer Protocol 3 Replication Through Removable Media Service Execution Port Monitors Accessibility Features Binary Padding Network Sniffing Security Software Discovery 2 Remote Services Data from Removable Media Exfiltration Over Other Network Medium Standard Application Layer Protocol 1 3 Drive-by Compromise Windows Management Instrumentation Accessibility Features Path Interception Rootkit Input Capture System Information Discovery 2 Windows Remote Management Data from Network Shared Drive Automated Exfiltration Custom Cryptographic Protocol Signature Overview Software Vulnerabilities Networking System Summary Data Obfuscation Persistence and Installation Behavior Hooking and other Techniques for Hiding and Protection Malware Analysis System Evasion Anti Debugging HIPS / PFW / Operating System Protection Evasion Language, Device and Operating System Detection Click to jump to signature section Software Vulnerabilities: Potential browser exploit detected (process start blacklist hit) Networking: Connects to country known for bullet proof hosters Downloads executable code via HTTP Downloads files from webservers via HTTP Found strings which match to known social media urls Performs DNS lookups Urls found in memory or binary data Uses HTTPS System Summary: Copyright Joe Security LLC 2018 Page 7 of 57

8 Creates files inside the system directory Creates mutexes Deletes files inside the Windows folder PE file contains strange resources Tries to load missing DLLs Classification label Creates files inside the user directory Creates temporary files Parts of this applications are using Borland Delphi (Probably coded in Delphi) Reads ini files Reads software policies Spawns processes Uses an in-process (OLE) Automation server Executable creates window controls seldom found in malware Found GUI installer (many successful clicks) Found graphical window changes (likely an installer) Uses new MSVCR Dlls Data Obfuscation: PE file contains sections with non-standard names Persistence and Installation Behavior: Drops executables to the windows directory (C:\Windows) and starts them Drops PE files Drops PE files to the windows directory (C:\Windows) Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Malware Analysis System Evasion: Found dropped PE file which has not been started or loaded Queries keyboard layouts Queries a list of all running processes Anti Debugging: Checks for debuggers (devices) Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) Enables debug privileges HIPS / PFW / Operating System Protection Evasion: Creates a process in suspended mode (likely to inject code) Language, Device and Operating System Detection: Queries the product ID of Windows Queries the volume information (name, serial number etc) of a device Behavior Graph Copyright Joe Security LLC 2018 Page 8 of 57

9 Behavior Graph Legend: Process Signature Created File DNS/IP Info Is Dropped Hide Legend ID: URL: Startdate: 23/11/2018 Architecture: WINDOWS Score: 48 Connects to country known for bullet proof started hosters iexplore.exe started SupremoSystem.exe Is Windows Process Number of created Registry Values Number of created Files Visual Basic Delphi dropped dropped 9 87 Java C:\Users\user\...\Supremo.exe:Zone.Identifier, very Supremo.exe.z1l7oe...ial:Zone.Identifier, ASCII started started started.net C# or VB.NET iexplore.exe 1 43 Supremo.exe 2 15 Supremo.exe C, C++ or other language 2 33 Is malicious teamviewdownload.com winsupport.ml , 50108, 50109, 80 VNPT-AS-VNVNPTCorpVN , 50094, 50095, 80 VFMNL-ASAmsterdamLocationBGPSetupNL 9 other IPs or domains dropped dropped dropped dropped dropped dropped Viet Nam Netherlands C:\Users\user\...\Supremo.exe.z1l7oe9.partial, PE32 C:\Users\user\...\TeamViewer_Setup_v9[1].exe, PE32 C:\Users\user\AppData\...\Alpemix[1].exe, PE32 C:\Users\user\AppData\...\Supremo[1].exe, PE32 C:\Users\user\AppData\...\SupremoSystem.exe, PE32 started C:\Windows\Temp\...\SupremoHelper.exe, PE32 started started started Drops executables to the windows directory (C:\Windows) and starts them SupremoSystem.exe SupremoHelper.exe SupremoHelper.exe SupremoHelper.exe 13 other processes 2 2 Simulations Behavior and APIs No simulations Antivirus Detection Initial Sample Detection Scanner Label Link 0% virustotal Browse Dropped Files Detection Scanner Label Link C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\Supremo[1].exe 0% virustotal Browse.z1l7oe9.partial 0% virustotal Browse C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VTIIBVU5\Alpemix[1].exe 1% virustotal Browse C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VTIIBVU5\TeamViewer_Setup_v9[1].exe 0% virustotal Browse C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VTIIBVU5\TeamViewer_Setup_v9[1].exe 0% metadefender Browse C:\Users\user\AppData\Local\Temp\SupremoRemoteDesktop\SupremoSystem.exe 0% virustotal Browse Unpacked PE Files No Antivirus matches Copyright Joe Security LLC 2018 Page 9 of 57

10 Domains Detection Scanner Label Link teamviewdownload.com 0% virustotal Browse winsupport.ml 0% virustotal Browse 0% virustotal Browse URLs Detection Scanner Label Link ie7-js.googlecode.com/svn/version/2.0(beta3)/ie8.js 0% virustotal Browse ie7-js.googlecode.com/svn/version/2.0(beta3)/ie8.js 0% Avira URL Cloud safe 0% virustotal Browse 0% Avira URL Cloud safe teamviewdownload.com/downloads/teamviewer-for-window/teamviewer_setup_v9.exe 0% virustotal Browse teamviewdownload.com/downloads/teamviewer-for-window/teamviewer_setup_v9.exe 0% Avira URL Cloud safe 4% virustotal Browse 0% Avira URL Cloud safe Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Copyright Joe Security LLC 2018 Page 10 of 57

11 Screenshots Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow. Copyright Joe Security LLC 2018 Page 11 of 57

12 Startup System is w10x64 cleanup iexplore.exe (PID: 5592 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding 6465CB92B25A7BC1DF8E01D8AC5E7596) iexplore.exe (PID: 5112 cmdline: 'C:\Program Files (x86)\internet Explorer\IEXPLORE.EXE' SCODEF:5592 CREDAT:17410 /prefetch: CC2E3DF41EEEA8013E2AB58D5A) Supremo.exe (PID: 2736 cmdline: '' EB1BD EA9CE06436AF9F99F2) SupremoSystem.exe (PID: 2396 cmdline: 'C:\Users\user\AppData\Local\Temp\SupremoRemoteDesktop\SupremoSystem.exe' 'C:\Users\user\AppData\Local\Microso ft\windows\inetcache\ie\vinvdfp6\supremo.exe' '/SYSRUN' B E98ABBA6BF21423F70963AA) SupremoSystem.exe (PID: 1376 cmdline: C:\Users\user\AppData\Local\Temp\SupremoRemoteDesktop\SupremoSystem.exe B E98ABBA6BF21423F70963AA) Supremo.exe (PID: 3272 cmdline: '' /SYSRUN EB1BD EA9CE06436AF9F99F2) SupremoHelper.exe (PID: 2320 cmdline: 7768FC67F8335F1C205805EEB67D7AAB) SupremoHelper.exe (PID: 1624 cmdline: 7768FC67F8335F1C205805EEB67D7AAB) SupremoHelper.exe (PID: 5860 cmdline: 7768FC67F8335F1C205805EEB67D7AAB) SupremoHelper.exe (PID: 4708 cmdline: 7768FC67F8335F1C205805EEB67D7AAB) SupremoHelper.exe (PID: 2340 cmdline: 7768FC67F8335F1C205805EEB67D7AAB) SupremoHelper.exe (PID: 5648 cmdline: 7768FC67F8335F1C205805EEB67D7AAB) SupremoHelper.exe (PID: 4592 cmdline: 7768FC67F8335F1C205805EEB67D7AAB) SupremoHelper.exe (PID: 5952 cmdline: 7768FC67F8335F1C205805EEB67D7AAB) SupremoHelper.exe (PID: 6008 cmdline: 7768FC67F8335F1C205805EEB67D7AAB) SupremoHelper.exe (PID: 684 cmdline: 7768FC67F8335F1C205805EEB67D7AAB) SupremoHelper.exe (PID: 5832 cmdline: 7768FC67F8335F1C205805EEB67D7AAB) SupremoHelper.exe (PID: 1520 cmdline: 7768FC67F8335F1C205805EEB67D7AAB) SupremoHelper.exe (PID: 5448 cmdline: 7768FC67F8335F1C205805EEB67D7AAB) SupremoHelper.exe (PID: 4920 cmdline: 7768FC67F8335F1C205805EEB67D7AAB) SupremoHelper.exe (PID: 3992 cmdline: 7768FC67F8335F1C205805EEB67D7AAB) SupremoHelper.exe (PID: 1524 cmdline: 7768FC67F8335F1C205805EEB67D7AAB) Copyright Joe Security LLC 2018 Page 12 of 57

13 Created / dropped Files C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.bg.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 80B EA3513BC25689F293BDBB6 BC05FB5ACE6763EE9A52FDCC AB903EE87 B0DA615DD778F30F493BA18B5BE0E84421C AB3DBFC53FF8D8B D90F0FF362E39B66C08DB864F1B30E92347D24E E079BDBD F96C06D23C1FF4827FB974B00 5B477E8CE49277B BBE65 C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.br.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 5AF9690B4A73AC502A7C03DFE2A EBAD729880F6E8905BC0D8C5EF55EEB996E94C AC0E0888C7A A3B10B8B6C BCE6964BF3F623CB79C3FE3BA1B BB5CB1944ED91235E27A A1EFBAE4191EFB283D170B6CF1FEB2F0C64D03FA CCB1F7BC78F3B0 E6DF501E4E0A8AD6A8A82BF86104D945F0D8BB1 C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.bs.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators F0E1268C5C0D730C20CA65E3604CE6AE 5E4B D1D319A452E C3DE8FAC5ED 9740AD77C1CD50A433D0BB0B8D81FE78CE5406B5049D230D7E0A79C1B5A8CFB1 085A71A0C455B277A94D1AB65BD1677AFBBE5D29FA6CDC0A6E42A363EB3EA54690CE903F D3D250BE38 D7C342DB9CB6D33DDF5EB246307B0519ABF3ECB C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.ca.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators D78D EE1C60AEBDBC6748BEB1 31F5817D CD7587D35E236038B56AB4B78 B30F578236C4A5F3176D814E626186FF18CB F4A05F66FDCF5FCC17039 BDF31F23B98A9F0C558CC08895FEA8DCA62E7D72E38582D248A95EAECD4F29EE0ACB3CFE715CEA AEC 01F28A69040E8BDFB61244CB F2 C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.cs.lng UTF-8 Unicode (with BOM) text, with CRLF line terminators Size (bytes): Entropy (8bit): B B93984E0B3FE8E5F10768CA2 Copyright Joe Security LLC 2018 Page 13 of 57

14 C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.cs.lng 3B82E8D29E8E9CE C89379A5F1D22A F9DE605AFEEFC41824AF3919E6DC6732BAEADC47102B7BBF5F9829EBE39E 5A A95AFCAFAA962F6299D315B24D BD543521C4C1E859CF9A6AE67F0F528C863CA64D5E900C4 AB E3AF4F475F2A3397D8B40C85FD5 C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.de.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators D83DA8BEAB9847AE A28883E2 DEDC3E C8EDC93CF2AC7ECD1C29AEABC4A 8125C0AE0B327E5F3B73C98362D3F72A4C4345FAD776E201E7CE3FD2A4B65CD0 4BD64DB448211FE866222AD356DED3292F3A7E01DB B392233ACED86D93EBB EECDC18755 F64F9343FFBB1C9A3AC20EE7A8AA55D769F0F7 C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.el.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators B402FE8B906348BF293B662DC823048B 08A3D33BE978BCB83FEEE6E3A562D752E4C0AFFA B30AD963A92B2C6B69A0A6BA4D3A849E997FBCBB9F D59C258 0FFA591D461C6F029AAA04E3A F89F31210D C9FE665485D36977B54EC1A7D31A FE76D0 123B2A6E2A241D1A6B8CCDA48BE737E1605A C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.en.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators CBF4F3FE799D0103EF37BCF8F7D28288 C5FFC6CF0F7EA7DD7C8DF79C24CBC9DC6C5156CE A374FEF1B6252F094378BDD9E39D87436DC98243A6E478DA2F7F8E75FADCC99F 1CB86EDC120BF5B6716D2EB D5C89801E0D2EAB2E571F047139E44AEB0D2DE8408A7F9231ED205C3AD0 E93D156ABA A2250AD0426E7BFC8D7 C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.es.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 57A865C6B4EBA51525EDD4D149C39190 C0F4354BDE0597A EB5F7600E7439FF FCE95426F88F9754A181E73D25CA821AB0FE661DF5C0F17AF140DD A1C11921C547F43084FB7BD6C7BB9A7BB4A6928EA6AC443814D4FA7BF7DBFC944349A7E35B4E3A85D8D392 D AC00C7C4813C92154AE670CFB2084F8 C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.et.lng UTF-8 Unicode (with BOM) text, with CRLF line terminators Copyright Joe Security LLC 2018 Page 14 of 57

15 C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.et.lng Size (bytes): Entropy (8bit): EB7DBAF237114A88CCEEEBD7205DBF0B F1E8DFEC4BBF5D684CD BD6207E999D2FC 80181A1CE942E87A D402E81EAE80180D9ADE95BC93A956925A4F FBC071C9B092B3F5FF62AB404B2BD55DC CC119AF579DD063BCB D8E2280C563F2C01F42744B 5268D25CDE611C0478A5C51E E6D121 C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.fr.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 360EFCDC331EAD4EE661FDA7A4BCAC2C 05D4FAD4A90D27936C7BF3293A6DA6EC270ADEB B449C7065AEE85F18AF2A6CB1C B598DE720F2DDC26B C2CACE24299F9D0CEA476194CDF E E2B95B79E F3C79560E9C2EBA7268F09BF13DE E6515E46AAEE1456A07D45AE48CF362F4093F C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.hi.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 8DF78BEE05B8E9EA552CADAAD38F4DCA 1239C21FB1F DE8B7BA5E57EAA9C82BD88 7BD C F296874A678803E7BA3CDAA819B20EA287CF EE58B21BA38B80E EBF108549D09E0BD2473E47AD5B576F954EA2E1F B9FC44A41BD27ACA8 D092DB67F61B392C169DB6835AB16E582F82FE C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.hr.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 96C8C6EC3D097D6FF4D4FC8B C D31DB01BE89E929E69A59A6BFB1CFFF DDF6A470ADF4E9C62EDEBE1695F7578A B4ACF81B60A777F7A0F7AA C491929C9DD09B56D922FB1384D64A6F2CF8CC3524E7DAED68F02E14DA7905DF3462D2A3A465D6DBC91577C6E D6EDE0CED1C84928F9B33983BCF BD1E C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.hu.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators AB081848B8B F37DB685E95E8 BC61C386376E3FC2C3B46118EC54076B625FDC4F A55F81E2C35D4C38B7B3C47E18E3BA41562EDAEF2EB1F6084F5B439D5 E08A20F1FD3473F7511DB53FDB344A D1234FEDB E20E85E47E8F81F394F4878CE3744AD2BF1BB8 5698A7DCFA2AE893CE5BBDB04185DDFA3C053 Copyright Joe Security LLC 2018 Page 15 of 57

16 C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.hy.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 6FA865C4595A6BCB88952D8E A3BB D59C76C721EA52B5EA79F7924AAA 600A096CC9BB1ABEDD34B7F0C77AB846DF8D1D BFD707369E951E7075F D2ED159F B2049B6E247A2885ADD184D447C3B8FFD0E22CCEAD41951ED783D0DE38DF5ED5C789FD71D3 B71C06403CF6D9F41D04C3368B0B295AAC5088F C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.it.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators C42883F0A705AF443E52B12C7 0957C7CD4F65161DA7B9783CF68E276E C 45F5DD14A13DD69B A132A056E1DE3E67DF E88F6B76ADE24BBA 9B29BCC6F6904E1723D BC812E0C67B57E81FABED92BBE6B5C69B61394D0CAB8A3BA2DE0F D179195AE105D32563B8222C42FABD9F31C79A C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.ja.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators B B9B8D7AD36C8FFBE242B1F F08BC735D4C909AFDCBFB6596B7A9DBD2C4CEFA E33DE8204BB8769BB32E8CC14C B2B830CE823A5B8DCD BCEAF7405D3C56B550729FE7E104781F959A760FACA4CD6D67AE2115AB635DC001278BDC562BB8496BF710 6DA692A2E79F4A5CFC F732E07E90210 C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.lt.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators CDDDE3A0C620C4EF4F86622D7C3BF90C E09828DD6F54BAB5CD30797A5DA03357F57CC096 27B53D4DA FE38E9FF34DBE DD23968C9B3FE4CB98557CD61 745EAFC3DFB93933F43C6964B1CDE03D8FAAD340D55BD045E9DB97F59DC3BFEAAA00B23FB0C94733E4943B3B E50934FE96944A79A62CE5F194C74AC750EA09E5 C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.nl.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 1E87B0DB82E23408A50D0A3853F6A5A2 005B732B6EADF42EDA7833A06EFD3B2FD83AEC CD D94FF016DCBC43BC99B606A27732AE7E578669BCD2E609D4 10BE2A5433C8C16567F04B2A96A16B8FF0A9C CFD8E4BEB70A1D6216F0D789EE67F285822A7E1B58 9E1FA4B762BB279405C897EEB73C0B387E579 Copyright Joe Security LLC 2018 Page 16 of 57

17 C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.nl.lng C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.no.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 7E1ABD34A59BC44E1881B98D73F97E FE9D3BC8572F D43EBA13B10 0CE95848FCB8933FDAEE3FCC62C851A24A22DE84C59BF46353F371C05CFFDB88 1B90EA9DD90157ED BA66DB622E5C3E006B92108D7D8E144E50AA1DEF0033E3FA5D892F40A6A8C88D6A D865D98FD6FC343686CCCCDF02D0D8F6D C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.pl.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 1624D C456C841 EB40BC9CF2FCBCBF4ECB2B087E3014B3F AB26C23AAACB9E6B23A3F133366C4A390643A E61E281A067AFA6E49 29A2FA8F6F40C51139B F11A745DC AA67AF7611B F474C E1A2304D 7B64183FFAA2ECFD051A AC6CCA0 C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.pt.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators FA4BD759EACB8A7141F9785E451B FE2B7F60DDED21F3CCB37F39FF91339FD43 B8D6653A026EEAD68B2FF F5E3F16777D26CB96D789BCBCAFE2D1A1DFD 7357C6E80DA656D38F13B7C399D588202CEA17701CC8F6686F59F0831DED81EAEEDB33CB6C095ECB0EDF37F F3BA0478F8D8EC6F7C2365D930ABA89C C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.ro.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators BA7EB5800F A3B87E05E87BF2 41B6F9600EC5863FE76E FA363DAACDAE 9B3A11E50DE35D6E80BF B8D8BCED844F5B11280CF16DBBFD CCD9A2CF78E32A51433DCD9F4C859F6541EC5138EA4C40AD09CFA8D5E6B282CEFB621393C09CE743DAF40356 AC2586FEA22D44CFC31C78AEB1F0AA39E0BA309 C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.ru.lng UTF-8 Unicode (with BOM) text, with CRLF line terminators Size (bytes): Entropy (8bit): A76D7DA32CEFA08A7E3A5DE739BE Copyright Joe Security LLC 2018 Page 17 of 57

18 C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.ru.lng FF787F D0D03ED35405D4F424AD118 51B157C6BA15A0693AEAA78F6B797DE8BD4FD85F4EED67E F68958A D5A1FB0510F69882CB18C93D4B EA03E2F20609AA135C2DF AD9EBA45889CE3088E812F58 C9D4F75624F9414F12AA50D0346E430B063C C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.sv.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 2F2A8FC80F8EB0DE7C8F3F0F0E766CF1 8C960BE0E1C288DD E0239CFADAA9E59D E9E2DA7A9BFFB82008C3AD2E2F1999AD49E4DB401E98D409847DE3D35B92BFEC 0B72AA574D12B7AC48CE7A0CE3E644308F11332D688A733EA936D2495CABDACE18B0C2504EFB0CCCD670C0C06 441C882B466E24EC21244F359437DFDA5DE4CA3 C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.uk.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 87C76A9E3FB4F67A66A2704A7172AB3E 67765AF6DA47979CE45A6FD807E069A C1 2E8B CE2C31D69F48FFC5E62FC7B5D19CFA6C1B9EE82AAE144D44FA 6058EF0A0EB02DFA04495DEE1347F5F2BF1AFB99AA0B67D8908E4E86658BB069F31CD9B87C35CDA0A840127C7 D0AB26D8D79FDFC6E1304D36F48B5A4DFAFF8B8 C:\ProgramData\SupremoRemoteDesktop\Languages\Supremo.zh.lng Size (bytes): Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 4C003AEC8AB00DD37B898BB55DCC9A8E E22BE33A2A9618E D99EE78D4B4093AC F67B8F4F46EB34952E03237B3F137F2C24EA251B5095D5203CECBBE9F5D8D6F2 B25AE003D9355C3F4A32DAE1798C6E5499FF09EB0FCF7AD5C30722BF70D55CFC230AC442EBA988F6E5E40E1DE 6621B2CC16DF3856BF16E881D0AB CC2A C:\ProgramData\SupremoRemoteDesktop\Log\Supremo.00.Client.log Size (bytes): 844 ASCII text, with CRLF line terminators Entropy (8bit): FB16F B53BECCA496EE46EDB 971FCF6BE34610C335741AC8D39BF292DA8EE EDA26BD4CD423F6A562AF9ECD064A8C2EA81B16E96EE16ED3D DA0011F74AE09EE08C5835AE3EFAB76E0E9E705BFBC5558DC0F028037A8D4F DDAA2F13B309386B7 264DB81C38CC4FC19694E8BE10D596AF83C7C1 C:\ProgramData\SupremoRemoteDesktop\Settings.bak data Copyright Joe Security LLC 2018 Page 18 of 57

19 C:\ProgramData\SupremoRemoteDesktop\Settings.bak Size (bytes): 76 Entropy (8bit): DC09BE650BDCAE71632B B30 2C26752F2F65B8E56AA0D5EDB9E4C00BD475011D C152555B37C31FC086E1F76EF69B263C7B89EFBED67A43B846A17B5B67B632C0 C6799A546B6AF7E7F2A6B30FB6CFA9EAF510B09C2199DCB4AC79FD3424DDEA0C254B72BC03CF3BE7B15024F91 931A789725A53DABC7FFE11E84B0C5FD4B0FE5F C:\ProgramData\SupremoRemoteDesktop\Settings.dat Size (bytes): 76 Entropy (8bit): data 1DC09BE650BDCAE71632B B30 2C26752F2F65B8E56AA0D5EDB9E4C00BD475011D C152555B37C31FC086E1F76EF69B263C7B89EFBED67A43B846A17B5B67B632C0 C6799A546B6AF7E7F2A6B30FB6CFA9EAF510B09C2199DCB4AC79FD3424DDEA0C254B72BC03CF3BE7B15024F91 931A789725A53DABC7FFE11E84B0C5FD4B0FE5F C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{84B51D49-EF6B-11E8-AAD8-C25F135D3C65}.dat Size (bytes): C:\Program Files\internet explorer\iexplore.exe Microsoft Word Document Entropy (8bit): BF709500F1DACC98356CB1AC61F4AACF 0BF5F5FFE1E53ACF529BB41A0B7AF6D634924F BDDEB429B2C564D509CA9B15EE58A8A0CBFCF CE8C044A232B62 A6DABB483C03E70C38EF5A353D294A864D093C9ED7EDB021DD92BF6432E1FED4A501E AFA32FDCE023 0D A9BFCE91C5671C9FE43C2C0925 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{84B51D4B-EF6B-11E8-AAD8-C25F135D3C65}.dat Size (bytes): C:\Program Files\internet explorer\iexplore.exe Microsoft Word Document Entropy (8bit): EF7A C2DEC1A83A9811 3FD2414D951EB40EF70DC52C447C5B27D20A400E 16C15AB9A88BD0A7F5BE5858EACB366EB2719E2FADE127555D410FA B EFFE3FCA838D4F1799F4E6D C8435FA9BABC48CBE40786FB032E AD8C56850B23039D1995BA788 2A38A40C6D34FEECB126FC631BCF0EDE1D80C C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{84B51D4C-EF6B-11E8-AAD8-C25F135D3C65}.dat Size (bytes): C:\Program Files\internet explorer\iexplore.exe Microsoft Word Document Entropy (8bit): F65D594B780FFC0EBF FF776 CDDFEB DAA0B96B FBD9585F 95A9BE2C958339A50C AA4069FC5854F25F92B0521A86F35BDA073E 99464CC780CD99546AC551C743005A4149F6EDFE6D BAFD257DA63DB9053E65C A87755F4C179 9C8133BFC A984A3C4B343A685EA04 Copyright Joe Security LLC 2018 Page 19 of 57

20 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin \msapplication.xml Size (bytes): 656 Entropy (8bit): C:\Program Files\internet explorer\iexplore.exe XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators F638B26846B531ED18A30708BE4AD1EA 48017BFABBCC725A64571FCF2952E48F4E867EF5 87C F801195DA30EBC7E2614BCB5A187FEB90DEEC26E0FCF7B7 4BCCC18F23DABACBC4CEBFD5F829282C33B CED0B9887F95E9E5BF370BF5B7BF87C46250B022D06E8 736AB2AE32A48F97CD3475FD4A3C64DA21422EB C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin \msapplication.xml Size (bytes): 653 Entropy (8bit): C:\Program Files\internet explorer\iexplore.exe XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators B6D14A91C432A1C717B5383C669CBF44 98BB633F3E1F925E7A683137BAB76856B0902D FC44009EFE0F174C0F40F2E931BF2F38C96CE057A282E63F34BB05EA5327 2D0429DB801E15217F1EB5A05A7902BFBCF0B43BC82F1CEF B9F061FB458E6BB606C4C2FC08AEB6104 CC6694D49814F52FC98ED F885B25C2 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin \msapplication.xml Size (bytes): 662 Entropy (8bit): C:\Program Files\internet explorer\iexplore.exe XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators 9306BE3FCC8D21961ECACCF2D7AD57AD 7C3D19FE92F4CAAC3D40C7CBCB2F2A00CF90E255 3EE3E6328D2B4783F5070A5A B1DA0F CB55E4CB3 EFD7DAD1041CDE3A7D1B6E4CA1F593AB74A6FFAB333EC5A76EEF5B8944D893477EC414D65DADC1929F1A5FE3 56C6AFD8499C82825E6E84B758B3921F61C4A736 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin \msapplication.xml Size (bytes): 647 Entropy (8bit): C:\Program Files\internet explorer\iexplore.exe XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators 83923B62CCC2F33E44AC C EA EC8E0FB37066A2A F04A4E7FD021A9CD A17E501415D4B062A6F3D15281AFFC2A491B48F 0B84B069AFF8401B3706FEEE634F6E9EC97944FB2C05E014F0E40AB732C2FDC18F5C9FD2E191CBECEA6F78A79 FCAACD15D D330CC4D73F1ADE C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin \msapplication.xml Size (bytes): 656 Entropy (8bit): C:\Program Files\internet explorer\iexplore.exe XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators D8E A7ACA25AFEF8E4579FF4FE 48A0FDBD0591AFC7F1443D528EE857AC D9B70E C36414F040BF ABF40EB3A15F44A19E5E512E4 08E4D41956F36C998AAA66B9476D6BD73D91C925DD7E32DFF8BD0E C48C76F7B3461DFCDBF0D25 10E47F3CE04956A748466FC863258C7B5573FA Copyright Joe Security LLC 2018 Page 20 of 57

21 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin \msapplication.xml C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin \msapplication.xml Size (bytes): 653 Entropy (8bit): C:\Program Files\internet explorer\iexplore.exe XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators 335A61D6160C6A61E12D7843CC10759C F60F76FE D32F7ABDF E7 DCDD9C9F42FE13F0B39896E0BB35C56E068440CC2CFA832AA42AA7E4568D8FD3 7D BBAB41B49F9B86C89B12203E55E8B3E244D004E35DCA E6644DAB7E4F14E224657CBD9 F86DA423EE DA54C6D7069A63FF20 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin \msapplication.xml Size (bytes): 656 Entropy (8bit): C:\Program Files\internet explorer\iexplore.exe XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators 3D2D831985AD6E356EC294F17C5A0A AD03B46DFF06D81FAA9852B41A E81ED2F7C7114C C570D4575D94619A9652AADB0F8B78C EB394B86CE23A E77F3BF601D0E52D4B9E9CB666BDB F5966ADF8D4248D147A4EE98C906 FBB5414FAC5C6B86B52EE581E52D865A59DF6 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin \msapplication.xml Size (bytes): 659 Entropy (8bit): C:\Program Files\internet explorer\iexplore.exe XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators B3E13B03DE46A8BB11A6EE6F F4E463AEE375DED4384AF0A0326E89DF2C20CC4 7077EFE04D7F F37CCD510D2F8DE25E77E973B917FE98925C37BAC07 9A267EA49CF394385EC65D97D1FB14202D7C31726EEB6E7B7FCFC056FE E D0C653B107E 5E95ED826C60D0D2A86E4D5E9C1DF9DBE77DE C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin \msapplication.xml Size (bytes): 653 Entropy (8bit): C:\Program Files\internet explorer\iexplore.exe XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators E9259F F56255A9BA55A8313D0 B0F13D085563C2AF D2077B1E942ED2D2 01C C9DEA860CE1BB3917C DDCA99FD478E 6496E6380B7FB7C6FD64A14796B46A3C3E3B B5F857455C173E0E54384F2992A32FFCF38CBAADDC287 AD FA9E91469C68B B65145F1 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\6aw4uvh\imagestore.dat C:\Program Files (x86)\internet Explorer\iexplore.exe data Size (bytes): 1278 Entropy (8bit): A9B7D2B88F0A2B213234D9D41341FA12 Copyright Joe Security LLC 2018 Page 21 of 57

22 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\6aw4uvh\imagestore.dat 6E4E C729BFCD61A34BC1526F4C47DB1C4 0307F2EB2ADC0B5CBB8E6AF2B007EB218DB6B00709C E5D69A34533E58 E7DE80BFF59B0DAE4A230C8F E59A252604D30D8426AAED8F54DA47FC7888C4BF946B4B31EF70DC7E0 E60E45FCEA917C531B0328CDDB6F1B79674B811 C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\OU86YC2L.htm Size (bytes): Entropy (8bit): C:\Program Files (x86)\internet Explorer\iexplore.exe HTML document, ASCII text, with very long lines 2F16BBFEE5EA061E51EA0A6EA8E0D F19088FECE4E20E AED3308CD 39703DA37F5D7B089E88FBBD3B6D1292D22DD034132D679EEC4B9B F5F0D BAF6AD4B83BB2D5A95F8974CE0BFD55FB02B13F0C56D09D6EE8BAB5F2C1BF5C9747ED1AE A92D526C4F1BFDF800541E7E13B5C6886FE C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\Supremo[1].exe Size (bytes): Entropy (8bit): Antivirus: C:\Program Files (x86)\internet Explorer\iexplore.exe PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed EB1BD EA9CE06436AF9F99F2 98CDA1869CF57BD29B8B F7575DD1E49 7E D6614D62CCC643E29041BAA2A4851FD11D97E05AD4ADD386E2F CC0E430FD3F E504BACE622F5FB7CB97AE996566ACF28C83DA7CF6D D2BA2AE94C128F 7EB53224BD2ABBDCFF F7ED19 Antivirus: virustotal, Detection: 0%, Browse C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\oppp[1].png Size (bytes): Entropy (8bit): C:\Program Files (x86)\internet Explorer\iexplore.exe PNG image data, 1000 x 400, 8-bit/color RGB, non-interlaced 7875E4B77D75F04E523A2799E5B2908E 24F748C35F B126F D 9DC84ABC4B4F30F17D092F7D9EDFB0D6C88637CF583F68E55D0C76E1BD7EDBBE 90AD923357E6AD9D131042A92A3D7CBB3AB7D7B AB88F797EF522B2CF0AB0BF B98C7D97 25B41462F02EE4353F8B2F64CD C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\ widget_css_bundle[1].css Size (bytes): C:\Program Files (x86)\internet Explorer\iexplore.exe ASCII text, with very long lines Entropy (8bit): F9DD38CDFFE59BE03908F72ECD230E FEC01CF03F79C39BE9A9E7DE6A38021C68C5304F 1D7B50B44B0B035AFE34A18FB604F B8060A3FA6D1E1E59648EE81F1E7 E5DF F8DE991E19156B3D6B1098D57DED119B3C6FC256D0BEA8BBFE287A55F9D5200B719A7FECB0183 1CC7CD621B7E52C58F13C8611A2356F19C24C4 C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\ widgets[1].js C:\Program Files (x86)\internet Explorer\iexplore.exe Copyright Joe Security LLC 2018 Page 22 of 57

23 C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\ widgets[1].js Size (bytes): ASCII text, with very long lines Entropy (8bit): A8A90A5F DD89B8105 3EA2511F4468E1ABEBC254FAD96E7CD6B6EDB6AE 2B4DD295ABFEA3E6CBD5F3EDB48E15D71C804F83D8C539A3BF721FD067908FD4 173E910C842F24D8F5C1423A696CF1899FBDDE2C35AE6A1233C677D91E010E3AF3148CBAC6AB5BF91540EA68A4 F0048E42D698D604B4B023CEEB8B9A01F901AA C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\icon18_wrench_allbkg[1].png Size (bytes): 475 Entropy (8bit): C:\Program Files (x86)\internet Explorer\iexplore.exe PNG image data, 18 x 18, 8-bit colormap, non-interlaced F617EFFE6D96C15ACFEA8B2E8AAE551F 6D676AF11AD2E84B620CCE4D5992B657CB2D8AB6 D172D750493BE64A7ED84DEC1DD2A0D787BA42F78BC694B0858F152C52B6620B 3189A6281AD065848AFC700A47BEA885CD3905DAE11CCB28B88C81D3B28F73F4DFA2D5D1883BB9325DC7729A32 AA29B7D1181AE5752DF00F B z1l7oe9.partial Size (bytes): Entropy (8bit): Antivirus: C:\Program Files (x86)\internet Explorer\iexplore.exe PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed EB1BD EA9CE06436AF9F99F2 98CDA1869CF57BD29B8B F7575DD1E49 7E D6614D62CCC643E29041BAA2A4851FD11D97E05AD4ADD386E2F CC0E430FD3F E504BACE622F5FB7CB97AE996566ACF28C83DA7CF6D D2BA2AE94C128F 7EB53224BD2ABBDCFF F7ED19 Antivirus: virustotal, Detection: 0%, Browse.z1l7oe9.partial:Zone.Identifier Size (bytes): 26 C:\Program Files\internet explorer\iexplore.exe ASCII text, with CRLF line terminators Entropy (8bit): FBCCF14D504B7B2DBCB5A5BDA75BD93B D59FC84CDD5217C6CF F78DA6B582B EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913 AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC C5C2E53F803CD9E 3973DDEFC68966F974E124307B5043E654443B98 :Zone.Identifier Size (bytes): 1 Entropy (8bit): 0.0 C:\Program Files\internet explorer\iexplore.exe very short file (no magic) ECCBC87E4B5CE2FE28308FD9F2A7BAF3 77DE68DAECD823BABBB58EDB1C8E14D7106E83BB 4E BEDB8B60CE05C1DECFE3AD16B DE01F640B7E4729B49FCE 3BAFBF08882A2D A1B8433F50563B93C14ACD05B79028EB1D A66C276A E26C43B739BC65C4E16B10C3AF6C202AEBB Copyright Joe Security LLC 2018 Page 23 of 57

24 :Zone.Identifier C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\css[1].css Size (bytes): 232 C:\Program Files (x86)\internet Explorer\iexplore.exe ASCII text Entropy (8bit): D903FCA76F1F4F1B7DCE155E781D A A6F045E0B964A843D5E863 BDB18BA495044E8D88E995121BC1999FD24F9735B34832C5249E EF2F 7DA04C20B57A7153E566139E8C74635DB235BDFF6F69B40F334F5E18023FA93EB692986E73A0D657296FFA2F69E 96D408D129AFBD84AC8452B D9 C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\css[2].css Size (bytes): 257 C:\Program Files (x86)\internet Explorer\iexplore.exe ASCII text Entropy (8bit): E4494EDA2961B320E206ADAD77195AB6 79DE3A1AFA8117E8EACC4D14D5D11DB1F3899FBA 3AA1BB6C09B732EA74E6F213793A9D2F8752D6D9EB21726B1D57C1C4F546BB30 017A3E92169F270762C446A1DBFF0FCE03482F4E793A80D33F A0449ABE5EB958BD422AAEE606C5AA C14B3625B3B6D50A25EE8D04731A340C01464 C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VTIIBVU5\Alpemix[1].exe Size (bytes): Entropy (8bit): Antivirus: C:\Program Files (x86)\internet Explorer\iexplore.exe PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed 03ADABFB458EF0F064838F1BB52D26B1 CCEBF18C082A971EF3707AA3F8CA62EF2F845CFB 4E1BCB F968D35F5226A8298A70ECE0A3BC01A55F357D44FB9EBD06DB3 226CCA12F9F1420B D8A8B83EED0CE AB75CFF6D E44259A69DF46926A4DD26DD31F5AA A3519CF8F10E28AFE4F569A9F87B4AAF0B681C Antivirus: virustotal, Detection: 1%, Browse C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VTIIBVU5\TeamViewer_Setup_v9[1].exe Size (bytes): Entropy (8bit): Antivirus: C:\Program Files (x86)\internet Explorer\iexplore.exe PE32 executable (GUI) Intel 80386, for MS Windows FC824330EF9968EA691D A64 15D8593DAA95164E5D195876B3835AF41F4F4F2E 0B77B59596FF0CBFF79BC06E86701A D4C372429C C4F084 68A44636CDF99E4641D918B5F4C94A3EBD200E72AA7D7E29A83ADA1C45B024275C5C9515B BC3 37EE7DCFDF222F8FAD2E4A0930B45B1C682D9 Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VTIIBVU5\favicon[1].ico C:\Program Files (x86)\internet Explorer\iexplore.exe MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel Size (bytes): 1150 Copyright Joe Security LLC 2018 Page 24 of 57

25 C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VTIIBVU5\favicon[1].ico Entropy (8bit): CD1A902D6F5F7E34E2A811D4F4253A DE181E47F779D835BD0C46468EE95A37D7EAAE53 1B3B516E6076A6763EDA808A1D5AB35CB5CE990003DD93DF5AC72A22EC690D3D 2F00882B0A65872BF209775B5827CBABA01437ACE2FD8FE4CF01E63C30B0BDA9A2FDB5F55EB86ED2EDB30E447 B6DC C079E2D674996BCF850D0CA5CC3 C:\Users\user\AppData\Local\Temp\SupremoRemoteDesktop\SupremoSystem.exe Size (bytes): Entropy (8bit): Antivirus: PE32 executable (GUI) Intel 80386, for MS Windows B E98ABBA6BF21423F70963AA E0AEEE2B900660D054D721552D4071F7CC FEF322CA6F9B29E6512EA2EA865C DB122BFAF72E9F742CEC19F71F2 B2C0B01B55EA CFC61AA042D492EB9A5D5823CD9E45F999F239F33F4CAB3D9D83C05B5FFFEBA6E9103D 4EE8788E7ECE9BA04A9A521F64EF451F485B45B Antivirus: virustotal, Detection: 0%, Browse C:\Users\user\AppData\Local\Temp\~DF0480AE9994CAC628.TMP C:\Program Files\internet explorer\iexplore.exe data Size (bytes): Entropy (8bit): E84E3040B21F6AC6E4111AA02C7FD16 62A6836B3B50550E443C8C4706DA09D37E8D50DF 8B0B39340FEBE6CDDB45297E482AC8DDD172A0D69DE14BBE211EDAD50FB3144D F57E1679EA27DA F507C24650B E3B2E817E14712B9854BD84E01FAB9F BBF6F7EC27C53B 9A5FFCF F1806AEB919A2DA81BBD8 C:\Users\user\AppData\Local\Temp\~DF5901E3FE27A417BC.TMP C:\Program Files\internet explorer\iexplore.exe data Size (bytes): Entropy (8bit): AA294BC E1FEAE5 1F0055ADE288FA6AC37BBA04041DEA7F0386C4C7 59DEA13FCE4ED3947FD4A92560ACEBD3D18EE4DFF293850E2482FB40C6C12A C038E99A344024D1F62985C592D26C2C9A8435DB A4325ECD547AD92026AA6458F3D5C99141F1A56C 819CFFCF6FC3E05F7BF51F4A76B88C67BA01 C:\Users\user\AppData\Local\Temp\~DFEFC6F275C9E0D124.TMP C:\Program Files\internet explorer\iexplore.exe data Size (bytes): Entropy (8bit): AB889A32AB9ACD33E816C C69A 1190C6B34DED2D295827C2A88310D10A8B90B59B 4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA BD BB4CEC61814D0E44F810156D390E3E9F120A12935EFDF80ACA33C4777AD66257CCA4E4003FEF B9298F01C4CDD2D8A9C7BB522FB6 Copyright Joe Security LLC 2018 Page 25 of 57

26 Size (bytes): Entropy (8bit): PE32 executable (GUI) Intel 80386, for MS Windows C2FB518D1BA116D1C49E970BF9C5E8E9 720D34EAB0C31AE7BEF2F064DC6825D0C86CC2E8 A819F8F91227F567E82EC6E850B9E1655C62252E405E816879B1E357B069107B AE23C50AB308C11F50892ABC7D75A B8CBF48FCBE3CE62E1075AAA9C9422F1C270E4FE38DB5B18BE08 0E4C98DB1F94D161EBB5B0727D28F284FFCA94B Domains and IPs Contacted Domains Name IP Active Malicious Antivirus Detection Reputation high blogspot.l.googleusercontent.com high teamviewdownload.com %, virustotal, Browse unknown image.ibb.co high supremocontrol.com high winsupport.ml %, virustotal, Browse unknown unknown unknown high winsupportuk.blogspot.com unknown unknown high unknown unknown 0%, virustotal, Browse unknown unknown unknown high resources.blogblog.com unknown unknown high Contacted URLs Name Malicious Antivirus Detection Reputation 0%, virustotal, Browse Avira URL Cloud: safe unknown high teamviewdownload.com/downloads/teamviewer-for-window/teamviewer_setup_v9.exe 0%, virustotal, Browse Avira URL Cloud: safe unknown URLs from Memory and Binaries Name Malicious Antivirus Detection Reputation OU86YC2L.htm.3.dr high lightbox_bundle.css OU86YC2L.htm.3.dr high ie7-js.googlecode.com/svn/version/2.0(beta3)/ie8.js OU86YC2L.htm.3.dr 0%, virustotal, Browse Avira URL Cloud: safe alt=rss OU86YC2L.htm.3.dr high msapplication.xml3.1.dr high OU86YC2L.htm.3.dr high widgets[1].js.3.dr high widget_css_bundle.css OU86YC2L.htm.3.dr high default OU86YC2L.htm.3.dr high OU86YC2L.htm.3.dr high ocsp.thawte.com0 Supremo.exe.z1l7oe9.partial.3.dr high schemas.xmlsoap.org/soap/envelope/ SupremoHelper.exe.10.dr high msapplication.xml.1.dr high OU86YC2L.htm.3.dr high nsis.sf.net/nsis_errorerror TeamViewer_Setup_v9[1].exe.3.dr high Copyright Joe Security LLC 2018 Page 26 of 57

27 Name Malicious Antivirus Detection Reputation OU86YC2L.htm.3.dr high alt Alpemix[1].exe.3.dr high msapplication.xml5.1.dr high OU86YC2L.htm.3.dr high OU86YC2L.htm.3.dr high OU86YC2L.htm.3.dr high OU86YC2L.htm.3.dr high winsupportuk.blogspot.com/ OU86YC2L.htm.3.dr high TeamViewer_Setup_v9[1].exe.3.dr high file=supremo.exe&id_sw=7&ws=supremocontrol.com widgets.js OU86YC2L.htm.3.dr high OU86YC2L.htm.3.dr high crl.thawte.com/thawtetimestampingca.crl0 Supremo.exe.z1l7oe9.partial.3.dr high lbx en_gb.js {84B51D4B-EF6B-11E8-AAD8-C25F1 35D3C65}.dat.1.dr OU86YC2L.htm.3.dr high Alpemix[1].exe.3.dr high msapplication.xml7.1.dr high OU86YC2L.htm.3.dr high msapplication.xml6.1.dr high imagestore.dat.3.dr high cross.gif targetblogid= &zx=8a9a8574-d e widgets[1].js.3.dr high OU86YC2L.htm.3.dr high OU86YC2L.htm.3.dr 4%, virustotal, Browse Avira URL Cloud: safe high unknown Contacted IPs No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs Public IP Country Flag ASN ASN Name Malicious United States GOOGLE-GoogleIncUS Italy OVHFR Copyright Joe Security LLC 2018 Page 27 of 57

28 IP Country Flag ASN ASN Name Malicious Viet Nam VNPT-AS-VNVNPTCorpVN Turkey EQUINIX-TURKEY-INTERNET- HIZMETLERI-ANONIM- SIRKETIEquinixTu Netherlands VFMNL- ASAmsterdamLocationBGPSetup NL France AS12876FR Static File Info No static file info Network Behavior Network Port Distribution Total Packets: (HTTPS) 80 (HTTP) 53 (DNS) TCP Packets Timestamp Port Dest Port IP Dest IP Nov 23, :02: CET Nov 23, :02: CET Nov 23, :02: CET Nov 23, :02: CET Nov 23, :02: CET Nov 23, :02: CET Nov 23, :02: CET Nov 23, :02: CET Nov 23, :02: CET Nov 23, :02: CET Nov 23, :02: CET Nov 23, :02: CET Nov 23, :02: CET Nov 23, :02: CET Nov 23, :02: CET Nov 23, :02: CET Nov 23, :02: CET Nov 23, :02: CET Nov 23, :02: CET Nov 23, :02: CET Nov 23, :02: CET Nov 23, :02: CET Copyright Joe Security LLC 2018 Page 28 of 57