Analysis
- max time kernel: 1802s
- max time network: 1755s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 19-01-2022 15:43
Static task: static1
URLScan task: urlscan1
Behavioral tasks (Sample for each: https://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html)
task | resource
behavioral1 | win7-en-20211208
behavioral2 | win10-en-20211208
behavioral3 | win10v2004-en-20220113
behavioral4 | win11
behavioral5 | android-x64
behavioral6 | android-x64-arm64
behavioral7 | android-x86-arm
behavioral8 | macos
behavioral9 | debian9-armhf-en-20211208
behavioral10 | debian9-mipsbe-en-20211208
behavioral11 | debian9-mipsel-en-20211208
behavioral12 | ubuntu1804-amd64-en-20211208
General
-
Target
https://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html
Malware Config
Signatures
-
Registers COM server for autorun 1 TTPs
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes: WerFault.exe
description | pid | process | target process
PID 3252 created 3008 | 3252 | WerFault.exe | backgroundTaskHost.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
Processes: SUPERAntiSpyware.exe, SASCORE64.EXE, SASCORE64.EXE, SUPERAntiSpyware.exe, SSUPDATE64.EXE
pid | process
2600 | SUPERAntiSpyware.exe
660 | SASCORE64.EXE
540 | SASCORE64.EXE
2480 | SUPERAntiSpyware.exe
3320 | SSUPDATE64.EXE
-
Sets service image path in registry 2 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: SUPERAntiSpyware.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | SUPERAntiSpyware.exe
-
Loads dropped DLL 5 IoCs
Processes: SUPERAntiSpyware.exe, REGSVR32.EXE, regsvr32.exe
pid | process
2600 | SUPERAntiSpyware.exe
2600 | SUPERAntiSpyware.exe
2916 | REGSVR32.EXE
3296 | regsvr32.exe
2600 | SUPERAntiSpyware.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: SUPERAntiSpyware.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run | SUPERAntiSpyware.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SUPERAntiSpyware = "C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe" | SUPERAntiSpyware.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 1 IoCs
Processes: SUPERAntiSpyware.exe
description | ioc | process
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | SUPERAntiSpyware.exe
-
Drops file in Program Files directory 23 IoCs
-
Drops file in Windows directory 2 IoCs
Processes: SUPERAntiSpyware.exe
description | ioc | process
File created | C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task d1696201-5635-4f13-88fa-4c18fd940097.job | SUPERAntiSpyware.exe
File created | C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 00f88bf6-f905-42f4-bb4e-e8eda14af725.job | SUPERAntiSpyware.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
3368 | 3008 | WerFault.exe | backgroundTaskHost.exe
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: SUPERAntiSpyware.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | SUPERAntiSpyware.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | SUPERAntiSpyware.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | SUPERAntiSpyware.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | SUPERAntiSpyware.exe
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, WerFault.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes: WerFault.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
-
Modifies registry class 64 IoCs
-
Modifies system certificate store
Processes: SUPERAntiSpyware.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | SUPERAntiSpyware.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob | SUPERAntiSpyware.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob | SUPERAntiSpyware.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2 | SUPERAntiSpyware.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob | SUPERAntiSpyware.exe
-
NTFS ADS 1 IoCs
Processes: firefox.exe
description | ioc | process
File created | C:\Users\Admin\Downloads\SUPERAntiSpyware.exe:Zone.Identifier | firefox.exe
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 854 | SASDef_GetComponentsDescriptor
HTTP User-Agent header | 854 | SASDef_GetDescriptor
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 4 IoCs
Processes:
pid | process
652 |
652 |
652 |
652 |
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of FindShellTrayWindow 32 IoCs
-
Suspicious use of SendNotifyMessage 21 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: firefox.exe
pid | process
748 | firefox.exe
748 | firefox.exe
748 | firefox.exe
748 | firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html 1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html 2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="748.0.291980976\76809932" -parentBuildID 20200403170909 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 1 -prefMapSize 219548 -appdir "C:\Program Files\Mozilla Firefox\browser" - 748 "\\.\pipe\gecko-crash-server-pipe.748" 1796 gpu 3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="748.3.399142391\243484042" -childID 1 -isForBrowser -prefsHandle 2448 -prefMapHandle 2472 -prefsLen 78 -prefMapSize 219548 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 748 "\\.\pipe\gecko-crash-server-pipe.748" 2480 tab 3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="748.13.1906063490\2147041518" -childID 2 -isForBrowser -prefsHandle 3648 -prefMapHandle 3628 -prefsLen 6935 -prefMapSize 219548 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 748 "\\.\pipe\gecko-crash-server-pipe.748" 3656 tab 3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="748.20.1078094599\2103532165" -childID 3 -isForBrowser -prefsHandle 5068 -prefMapHandle 4956 -prefsLen 7640 -prefMapSize 219548 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 748 "\\.\pipe\gecko-crash-server-pipe.748" 4804 tab 3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="748.27.1501118795\944246004" -childID 4 -isForBrowser -prefsHandle 4976 -prefMapHandle 4428 -prefsLen 7863 -prefMapSize 219548 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 748 "\\.\pipe\gecko-crash-server-pipe.748" 4868 tab 3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="748.34.1430069512\1882574505" -parentBuildID 20200403170909 -prefsHandle 3932 -prefMapHandle 4352 -prefsLen 7863 -prefMapSize 219548 -appdir "C:\Program Files\Mozilla Firefox\browser" - 748 "\\.\pipe\gecko-crash-server-pipe.748" 4356 rdd 3⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x51c 0x5281⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k LocalService
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\backgroundTaskHost.exe (depth 1)
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
-
C:\Windows\system32\WerFault.exe (depth 2)
C:\Windows\system32\WerFault.exe -u -p 3008 -s 840
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WerFault.exe (depth 1)
C:\Windows\system32\WerFault.exe -pss -s 440 -p 3008 -ip 3008
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\Downloads\SUPERAntiSpyware.exe (depth 1)
"C:\Users\Admin\Downloads\SUPERAntiSpyware.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE (depth 2)
"C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" -install -name:!SASCORE -display:"SAS Core Service" -description:"SUPERAntiSpyware Core Service" -pipe:sascoreservicepipe
- Executes dropped EXE
-
C:\Windows\SysWOW64\REGSVR32.EXE (depth 2)
"C:\Windows\system32\REGSVR32.EXE" /s "C:\Program Files\SUPERAntiSpyware\SASCTXMN64.DLL"
- Loads dropped DLL
-
C:\Windows\system32\regsvr32.exe (depth 3)
/s "C:\Program Files\SUPERAntiSpyware\SASCTXMN64.DLL"
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (depth 2)
"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\SUPERAntiSpyware\SSUPDATE64.EXE (depth 3)
"C:\Program Files\SUPERAntiSpyware\SSUPDATE64.EXE" *8.0.1052!{0D3C4F0D-1C11-47bc-AD1C-BAB98712DBFB}
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cacls.exe (depth 3)
"C:\Windows\System32\cacls.exe" "C:\System Volume Information" /E /G everyone:F
-
C:\Windows\System32\cacls.exe (depth 3)
"C:\Windows\System32\cacls.exe" "C:\System Volume Information" /E /R everyone
-
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE (depth 1)
"C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE"
- Executes dropped EXE
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k wsappx -p
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k wsappx -p
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files\SUPERAntiSpyware\DETECT.WAV
- C:\Program Files\SUPERAntiSpyware\High Contrast Black.set
- C:\Program Files\SUPERAntiSpyware\RUNSAS.EXE
- C:\Program Files\SUPERAntiSpyware\SAS Default.set
- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
- C:\Program Files\SUPERAntiSpyware\SASCTXMN64.DLL
- C:\Program Files\SUPERAntiSpyware\SASCore64.exe
- C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS
- C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS
- C:\Program Files\SUPERAntiSpyware\SASREPAIRS.STG
- C:\Program Files\SUPERAntiSpyware\SASTask.exe
- C:\Program Files\SUPERAntiSpyware\SSUPDATE64.EXE
- C:\Program Files\SUPERAntiSpyware\SSUpdate64.exe
- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
- C:\Program Files\SUPERAntiSpyware\SUPERDelete.exe
- C:\Program Files\SUPERAntiSpyware\Uninstall.exe
- C:\Program Files\SUPERAntiSpyware\sas_enum_cookies.exe
- C:\Program Files\SUPERAntiSpyware\sas_preconfig.db3
- C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\Content1\MDEsU09TXzY5OVdGSF8wMSxodHRwOi8vZ28uc3VwZXJhbnRpc3B5d2FyZS5jb20vP2xpbmtpZD0xMDE0NjY=.bmp
- C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\Content1\MDIsU0FTX01QRkIyRk9SMTE5OTVfMDEsaHR0cDovL2dvLnN1cGVyYW50aXNweXdhcmUuY29tLz9saW5raWQ9MTAxNDU4.bmp
- C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLIST.BIN
- C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLISTRELATED.DB
- C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\SetupOptions.db3
- C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\superantispyware.db3
- C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\SUPERSETUP\SETUP.DLL
- C:\USERS\PUBLIC\DESKTOP\SUPERANTISPYWARE FREE EDITION.LNK
- C:\Users\Admin\AppData\Local\Temp\SUPERSetup\gcapi_dll.dll
- C:\Users\Admin\AppData\Local\Temp\SUPERSetup\setup.dll
- C:\Users\Admin\Downloads\SUPERAntiSpyware.exe