hxxps://download[.]cnet[.]com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889[.]html

Analysis

max time kernel
1802s
max time network
1755s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
19-01-2022 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html

Score

10^/10

discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3252 created 3008 3252 WerFault.exe backgroundTaskHost.exe
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

SUPERAntiSpyware.exeSASCORE64.EXESASCORE64.EXESUPERAntiSpyware.exeSSUPDATE64.EXE

pid process

2600 SUPERAntiSpyware.exe
660 SASCORE64.EXE
540 SASCORE64.EXE
2480 SUPERAntiSpyware.exe
3320 SSUPDATE64.EXE
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

description	pid	process	target process
PID 3252 created 3008	3252	WerFault.exe	backgroundTaskHost.exe

pid	process
2600	SUPERAntiSpyware.exe
660	SASCORE64.EXE
540	SASCORE64.EXE
2480	SUPERAntiSpyware.exe
3320	SSUPDATE64.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SUPERAntiSpyware.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	SUPERAntiSpyware.exe

Loads dropped DLL 5 IoCs

Processes:

SUPERAntiSpyware.exeREGSVR32.EXEregsvr32.exe

pid process

2600 SUPERAntiSpyware.exe
2600 SUPERAntiSpyware.exe
2916 REGSVR32.EXE
3296 regsvr32.exe
2600 SUPERAntiSpyware.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2600	SUPERAntiSpyware.exe
2600	SUPERAntiSpyware.exe
2916	REGSVR32.EXE
3296	regsvr32.exe
2600	SUPERAntiSpyware.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SUPERAntiSpyware.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	SUPERAntiSpyware.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SUPERAntiSpyware = "C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"	SUPERAntiSpyware.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in System32 directory 1 IoCs

Processes:

SUPERAntiSpyware.exe

description ioc process

File opened for modification C:\Windows\System32\CatRoot2\dberr.txt SUPERAntiSpyware.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	SUPERAntiSpyware.exe

Drops file in Program Files directory 23 IoCs

Processes:

SUPERAntiSpyware.exeSUPERAntiSpyware.exe

description	ioc	process
File created	C:\Program Files\SUPERAntiSpyware\Plugins\sab_wab.dll	SUPERAntiSpyware.exe
File created	C:\Program Files\SUPERAntiSpyware\SASCTXMN64.DLL	SUPERAntiSpyware.exe
File created	C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe	SUPERAntiSpyware.exe
File created	C:\Program Files\SUPERAntiSpyware\Uninstall.exe	SUPERAntiSpyware.exe
File created	C:\Program Files\SUPERAntiSpyware\sas_enum_cookies.exe	SUPERAntiSpyware.exe
File opened for modification	C:\Program Files\SUPERAntiSpyware\Uninstall.dat	SUPERAntiSpyware.exe
File created	C:\Program Files\SUPERAntiSpyware\SASREPAIRS.STG	SUPERAntiSpyware.exe
File created	C:\Program Files\SUPERAntiSpyware\Plugins\sab_mapi.dll	SUPERAntiSpyware.exe
File opened for modification	C:\Program Files\SUPERAntiSpyware\sas_preconfig.db3	SUPERAntiSpyware.exe
File created	C:\Program Files\SUPERAntiSpyware\SSUpdate64.exe	SUPERAntiSpyware.exe
File created	C:\Program Files\SUPERAntiSpyware\SASTask.exe	SUPERAntiSpyware.exe
File created	C:\Program Files\SUPERAntiSpyware\msvcr71.dll	SUPERAntiSpyware.exe
File created	C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys	SUPERAntiSpyware.exe
File created	C:\Program Files\SUPERAntiSpyware\saskutil64.sys	SUPERAntiSpyware.exe
File created	C:\Program Files\SUPERAntiSpyware\SUPERDelete.exe	SUPERAntiSpyware.exe
File opened for modification	C:\Program Files\SUPERAntiSpyware\Uninstall.dat-journal	SUPERAntiSpyware.exe
File created	C:\Program Files\SUPERAntiSpyware\detect.wav	SUPERAntiSpyware.exe
File created	C:\Program Files\SUPERAntiSpyware\SASCore64.exe	SUPERAntiSpyware.exe
File created	C:\Program Files\SUPERAntiSpyware\SAS_Preconfig.db3	SUPERAntiSpyware.exe
File created	C:\Program Files\SUPERAntiSpyware\SAS Default.set	SUPERAntiSpyware.exe
File created	C:\Program Files\SUPERAntiSpyware\High Contrast Black.set	SUPERAntiSpyware.exe
File created	C:\Program Files\SUPERAntiSpyware\RUNSAS.EXE	SUPERAntiSpyware.exe
File created	C:\Program Files\SUPERAntiSpyware\Plugins\sab_incr.dll	SUPERAntiSpyware.exe

Drops file in Windows directory 2 IoCs

Processes:

SUPERAntiSpyware.exe

description	ioc	process
File created	C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task d1696201-5635-4f13-88fa-4c18fd940097.job	SUPERAntiSpyware.exe
File created	C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 00f88bf6-f905-42f4-bb4e-e8eda14af725.job	SUPERAntiSpyware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3368 3008 WerFault.exe backgroundTaskHost.exe

pid	pid_target	process	target process
3368	3008	WerFault.exe	backgroundTaskHost.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SUPERAntiSpyware.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	SUPERAntiSpyware.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	SUPERAntiSpyware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	SUPERAntiSpyware.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	SUPERAntiSpyware.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1\CLSID\ = "{CA8ACAFA-5FBB-467B-B348-90DD488DE003}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASConte\CLSID\ = "{CA8ACAFA-5FBB-467B-B348-90DD488DE003}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASConte\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{209D651D-9AAE-47B4-AD74-16A8F03ACDDB}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{209D651D-9AAE-47B4-AD74-16A8F03ACDDB}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{209D651D-9AAE-47B4-AD74-16A8F03ACDDB}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\ = "SUPERAntiSpyware Context Menu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\ = "SUPERAntiSpyware Context Menu"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A42DCBB4-CBAE-4593-BB45-39CAD8F2CF19}\TypeLib\ = "{209D651D-9AAE-47B4-AD74-16A8F03ACDDB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A42DCBB4-CBAE-4593-BB45-39CAD8F2CF19}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\ProgID\ = "SUPERAntiSpywareContextMenuExt.SASCon.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{209D651D-9AAE-47B4-AD74-16A8F03ACDDB}\1.0\ = "SUPERAntiSpywareContextMenuExtension 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{209D651D-9AAE-47B4-AD74-16A8F03ACDDB}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A42DCBB4-CBAE-4593-BB45-39CAD8F2CF19}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{209D651D-9AAE-47B4-AD74-16A8F03ACDDB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{209D651D-9AAE-47B4-AD74-16A8F03ACDDB}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{746C91D0-C4A9-460A-B841-851A2B6F2C4B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\MiscStatus\1\ = "131473"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASConte\ = "SASContextMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\ = "SASContextMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A42DCBB4-CBAE-4593-BB45-39CAD8F2CF19}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1\ = "SASContextMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASConte\CurVer\ = "SUPERAntiSpywareContextMenuExt.SASCon.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A42DCBB4-CBAE-4593-BB45-39CAD8F2CF19}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A42DCBB4-CBAE-4593-BB45-39CAD8F2CF19}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\InprocServer32\ = "C:\\Program Files\\SUPERAntiSpyware\\SASCTXMN64.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\ToolboxBitmap32\ = "C:\\Program Files\\SUPERAntiSpyware\\SASCTXMN64.DLL, 102"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\SASCTXMN.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\SASCTXMN.DLL\AppID = "{746C91D0-C4A9-460A-B841-851A2B6F2C4B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A42DCBB4-CBAE-4593-BB45-39CAD8F2CF19}\ = "ISASContextMenu"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\TypeLib\ = "{209D651D-9AAE-47B4-AD74-16A8F03ACDDB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A42DCBB4-CBAE-4593-BB45-39CAD8F2CF19}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A42DCBB4-CBAE-4593-BB45-39CAD8F2CF19}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\ = "SUPERAntiSpyware Context Menu"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASConte\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\VersionIndependentProgID\ = "SUPERAntiSpywareContextMenuExt.SASConte"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{209D651D-9AAE-47B4-AD74-16A8F03ACDDB}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A42DCBB4-CBAE-4593-BB45-39CAD8F2CF19}\ = "ISASContextMenu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A42DCBB4-CBAE-4593-BB45-39CAD8F2CF19}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{746C91D0-C4A9-460A-B841-851A2B6F2C4B}\ = "SUPERAntiSpywareContextMenuExtension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASConte	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{209D651D-9AAE-47B4-AD74-16A8F03ACDDB}\1.0\HELPDIR\ = "C:\\Program Files\\SUPERAntiSpyware"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A42DCBB4-CBAE-4593-BB45-39CAD8F2CF19}\TypeLib\ = "{209D651D-9AAE-47B4-AD74-16A8F03ACDDB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A42DCBB4-CBAE-4593-BB45-39CAD8F2CF19}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\AppID = "{746C91D0-C4A9-460A-B841-851A2B6F2C4B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}\Version\ = "1.0"	regsvr32.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

SUPERAntiSpyware.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	SUPERAntiSpyware.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	SUPERAntiSpyware.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	SUPERAntiSpyware.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	SUPERAntiSpyware.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	SUPERAntiSpyware.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\SUPERAntiSpyware.exe:Zone.Identifier firefox.exe
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 854 SASDef_GetComponentsDescriptor
HTTP User-Agent header 854 SASDef_GetDescriptor

description	ioc	process
File created	C:\Users\Admin\Downloads\SUPERAntiSpyware.exe:Zone.Identifier	firefox.exe

description	flow	ioc
HTTP User-Agent header	854	SASDef_GetComponentsDescriptor
HTTP User-Agent header	854	SASDef_GetDescriptor

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WerFault.exeSUPERAntiSpyware.exe

pid	process
3368	WerFault.exe
3368	WerFault.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe

Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

652
652
652
652

pid	process
652
652
652
652

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

firefox.exeAUDIODG.EXEsvchost.exeSUPERAntiSpyware.exeSSUPDATE64.EXESUPERAntiSpyware.exe

description	pid	process
Token: SeDebugPrivilege	748	firefox.exe
Token: SeDebugPrivilege	748	firefox.exe
Token: 33	1904	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1904	AUDIODG.EXE
Token: SeSystemtimePrivilege	2712	svchost.exe
Token: SeSystemtimePrivilege	2712	svchost.exe
Token: SeIncBasePriorityPrivilege	2712	svchost.exe
Token: SeDebugPrivilege	748	firefox.exe
Token: SeDebugPrivilege	748	firefox.exe
Token: SeDebugPrivilege	748	firefox.exe
Token: SeDebugPrivilege	748	firefox.exe
Token: SeDebugPrivilege	748	firefox.exe
Token: SeDebugPrivilege	748	firefox.exe
Token: SeTakeOwnershipPrivilege	2600	SUPERAntiSpyware.exe
Token: SeTakeOwnershipPrivilege	2600	SUPERAntiSpyware.exe
Token: SeTakeOwnershipPrivilege	2600	SUPERAntiSpyware.exe
Token: SeTakeOwnershipPrivilege	2600	SUPERAntiSpyware.exe
Token: SeTakeOwnershipPrivilege	2600	SUPERAntiSpyware.exe
Token: SeTakeOwnershipPrivilege	2600	SUPERAntiSpyware.exe
Token: SeTakeOwnershipPrivilege	2600	SUPERAntiSpyware.exe
Token: SeTakeOwnershipPrivilege	2600	SUPERAntiSpyware.exe
Token: SeDebugPrivilege	3320	SSUPDATE64.EXE
Token: SeDebugPrivilege	2480	SUPERAntiSpyware.exe
Token: SeDebugPrivilege	2480	SUPERAntiSpyware.exe
Token: 33	2480	SUPERAntiSpyware.exe
Token: SeIncBasePriorityPrivilege	2480	SUPERAntiSpyware.exe
Token: 33	2480	SUPERAntiSpyware.exe
Token: SeIncBasePriorityPrivilege	2480	SUPERAntiSpyware.exe
Token: 33	2480	SUPERAntiSpyware.exe
Token: SeIncBasePriorityPrivilege	2480	SUPERAntiSpyware.exe
Token: 33	2480	SUPERAntiSpyware.exe
Token: SeIncBasePriorityPrivilege	2480	SUPERAntiSpyware.exe
Token: 33	2480	SUPERAntiSpyware.exe
Token: SeIncBasePriorityPrivilege	2480	SUPERAntiSpyware.exe
Token: 33	2480	SUPERAntiSpyware.exe
Token: SeIncBasePriorityPrivilege	2480	SUPERAntiSpyware.exe
Token: SeBackupPrivilege	2480	SUPERAntiSpyware.exe
Token: SeRestorePrivilege	2480	SUPERAntiSpyware.exe
Token: SeBackupPrivilege	2480	SUPERAntiSpyware.exe
Token: SeRestorePrivilege	2480	SUPERAntiSpyware.exe
Token: SeBackupPrivilege	2480	SUPERAntiSpyware.exe
Token: SeRestorePrivilege	2480	SUPERAntiSpyware.exe

Suspicious use of FindShellTrayWindow 32 IoCs

Processes:

firefox.exeSUPERAntiSpyware.exe

pid	process
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe

Suspicious use of SendNotifyMessage 21 IoCs

Processes:

firefox.exeSUPERAntiSpyware.exe

pid	process
748	firefox.exe
748	firefox.exe
748	firefox.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe
2480	SUPERAntiSpyware.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

firefox.exe

pid process

748 firefox.exe
748 firefox.exe
748 firefox.exe
748 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3880 wrote to memory of 748	3880	firefox.exe	firefox.exe
PID 3880 wrote to memory of 748	3880	firefox.exe	firefox.exe
PID 3880 wrote to memory of 748	3880	firefox.exe	firefox.exe
PID 3880 wrote to memory of 748	3880	firefox.exe	firefox.exe
PID 3880 wrote to memory of 748	3880	firefox.exe	firefox.exe
PID 3880 wrote to memory of 748	3880	firefox.exe	firefox.exe
PID 3880 wrote to memory of 748	3880	firefox.exe	firefox.exe
PID 3880 wrote to memory of 748	3880	firefox.exe	firefox.exe
PID 3880 wrote to memory of 748	3880	firefox.exe	firefox.exe
PID 748 wrote to memory of 3932	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3932	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 3352	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 4000	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 4000	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 4000	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 4000	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 4000	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 4000	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 4000	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 4000	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 4000	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 4000	748	firefox.exe	firefox.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html
1⤵
- Suspicious use of WriteProcessMemory
PID:3880

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html
2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="748.0.291980976\76809932" -parentBuildID 20200403170909 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 1 -prefMapSize 219548 -appdir "C:\Program Files\Mozilla Firefox\browser" - 748 "\\.\pipe\gecko-crash-server-pipe.748" 1796 gpu
3⤵
PID:3932

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="748.3.399142391\243484042" -childID 1 -isForBrowser -prefsHandle 2448 -prefMapHandle 2472 -prefsLen 78 -prefMapSize 219548 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 748 "\\.\pipe\gecko-crash-server-pipe.748" 2480 tab
3⤵
PID:3352

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="748.13.1906063490\2147041518" -childID 2 -isForBrowser -prefsHandle 3648 -prefMapHandle 3628 -prefsLen 6935 -prefMapSize 219548 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 748 "\\.\pipe\gecko-crash-server-pipe.748" 3656 tab
3⤵
PID:4000

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="748.20.1078094599\2103532165" -childID 3 -isForBrowser -prefsHandle 5068 -prefMapHandle 4956 -prefsLen 7640 -prefMapSize 219548 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 748 "\\.\pipe\gecko-crash-server-pipe.748" 4804 tab
3⤵
PID:3372

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="748.27.1501118795\944246004" -childID 4 -isForBrowser -prefsHandle 4976 -prefMapHandle 4428 -prefsLen 7863 -prefMapSize 219548 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 748 "\\.\pipe\gecko-crash-server-pipe.748" 4868 tab
3⤵
PID:3068

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="748.34.1430069512\1882574505" -parentBuildID 20200403170909 -prefsHandle 3932 -prefMapHandle 4352 -prefsLen 7863 -prefMapSize 219548 -appdir "C:\Program Files\Mozilla Firefox\browser" - 748 "\\.\pipe\gecko-crash-server-pipe.748" 4356 rdd
3⤵
PID:4024

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x51c 0x528
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:3008

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3008 -s 840
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:3368

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 3008 -ip 3008
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3252

C:\Users\Admin\Downloads\SUPERAntiSpyware.exe
"C:\Users\Admin\Downloads\SUPERAntiSpyware.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
"C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" -install -name:!SASCORE -display:"SAS Core Service" -description:"SUPERAntiSpyware Core Service" -pipe:sascoreservicepipe
2⤵
- Executes dropped EXE
PID:660

C:\Windows\SysWOW64\REGSVR32.EXE
"C:\Windows\system32\REGSVR32.EXE" /s "C:\Program Files\SUPERAntiSpyware\SASCTXMN64.DLL"
2⤵
- Loads dropped DLL
PID:2916

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files\SUPERAntiSpyware\SASCTXMN64.DLL"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:3296

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2480

C:\Program Files\SUPERAntiSpyware\SSUPDATE64.EXE
"C:\Program Files\SUPERAntiSpyware\SSUPDATE64.EXE" *8.0.1052!{0D3C4F0D-1C11-47bc-AD1C-BAB98712DBFB}
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\System32\cacls.exe
"C:\Windows\System32\cacls.exe" "C:\System Volume Information" /E /G everyone:F
3⤵
PID:3212

C:\Windows\System32\cacls.exe
"C:\Windows\System32\cacls.exe" "C:\System Volume Information" /E /R everyone
3⤵
PID:916

C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
"C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE"
1⤵
- Executes dropped EXE
PID:540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wsappx -p
1⤵
PID:3696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wsappx -p
1⤵
PID:3396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SUPERAntiSpyware\DETECT.WAV
MD5
a48bbf8aa311f6fbca3d36e2fffc88e2

SHA1
337af4f160bb6f9e1074b950f3b1c0a4dc956c0a

SHA256
e76700b5c8cbabdefca606d90862cdb5263c1b7a4e0545f218104c2818eccfc7

SHA512
48e6121639af72fdea763d7a928a9f07c02ac40c3b73e69b4ac574745dbbf84f1d7e86a77a8d5093628e9c9467a62671b2686229b7298ebe013d4e52e18bdc39

Download Submit
C:\Program Files\SUPERAntiSpyware\High Contrast Black.set
MD5
a01d955e1485454b56413cc4c40f547f

SHA1
0fd3b96e0a92f2fda086a955249c6d3676cfff92

SHA256
a5a15f0dcf648affa3f358aaefb3d82794952c10bb379741de52bf58ef1649d5

SHA512
fb78d8802954129cfa42cfc102867512d13011bda3001fb571c65b924cc6f8cbc585ad1083fe62fffec9b01adc8d23e2a3f66deb35575ec8ff8edd7c88dfa98d

Download Submit
C:\Program Files\SUPERAntiSpyware\RUNSAS.EXE
MD5
3497c5e00ecd5fdb728e9b5093e2b831

SHA1
05d8b17dcf41867a890f6de8a518ffd0036c60aa

SHA256
50dd6863e9ecb2f6ea8e6f313ba533dc783322818c80d267a5dd877cdccda124

SHA512
5cf417b8ed546d617f6826eb80d024bf2f51fca26c696cc2d717f939a9043f99dcd7b47839168808a7a897f2086ab51d14d8e3c4fef553e1be77739d60534ad4

Download Submit
C:\Program Files\SUPERAntiSpyware\SAS Default.set
MD5
b3e9dfd17cf864d552e03445a7d3133c

SHA1
d47fc807ad3e667baf9925283eda0aa9edebc463

SHA256
acb0fc3c92fbab280b0da3252442d6eae96653cce0e21d59c8741035391b057d

SHA512
e9f4ab646965fbd7d6fcc17a24d539e7feb06c9d1c2c9a0c1e86ca636b963ea148720a9f856c7b44bb3d789711b79257fd4afc012e981de250b2f77f1f0a31ce

Download Submit
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
MD5
98e06cac2c508118450095e581202230

SHA1
2afe3280140fc56db7a7a9197520bfbc74608235

SHA256
8fc6c08487f2a481a28f1e5e500b61a21b7a0d44b342f9f887017d6fae4f87f4

SHA512
48667a0d00b954d8c0e89b05e6dbaeb18591e58346436385a2d33bd1f02f31e9ea5ed023cb9e377a431e9adf0c7f1aec90e6fe71386f74bc7c5ae210d38dc579

Download Submit
C:\Program Files\SUPERAntiSpyware\SASCTXMN64.DLL
MD5
2640b083bb33cc6095cb0e6e2f8acc98

SHA1
191ed504bc36016899fbfa3f080bd1c3b1a7cc6c

SHA256
550ceae946515cf892dbbee249d72d22bf44a11af3db16b578196fdca8170b1e

SHA512
7798740ff940cde4a7d677bf1366ff564c76babb5666c07aad7231ab51b050e4a5549da4c4d3bae944e1910f24d08b1660069e24fb44f8222dbe84e66a249b5b

Download Submit
C:\Program Files\SUPERAntiSpyware\SASCTXMN64.DLL
MD5
2640b083bb33cc6095cb0e6e2f8acc98

SHA1
191ed504bc36016899fbfa3f080bd1c3b1a7cc6c

SHA256
550ceae946515cf892dbbee249d72d22bf44a11af3db16b578196fdca8170b1e

SHA512
7798740ff940cde4a7d677bf1366ff564c76babb5666c07aad7231ab51b050e4a5549da4c4d3bae944e1910f24d08b1660069e24fb44f8222dbe84e66a249b5b

Download Submit
C:\Program Files\SUPERAntiSpyware\SASCTXMN64.DLL
MD5
2640b083bb33cc6095cb0e6e2f8acc98

SHA1
191ed504bc36016899fbfa3f080bd1c3b1a7cc6c

SHA256
550ceae946515cf892dbbee249d72d22bf44a11af3db16b578196fdca8170b1e

SHA512
7798740ff940cde4a7d677bf1366ff564c76babb5666c07aad7231ab51b050e4a5549da4c4d3bae944e1910f24d08b1660069e24fb44f8222dbe84e66a249b5b

Download Submit
C:\Program Files\SUPERAntiSpyware\SASCore64.exe
MD5
98e06cac2c508118450095e581202230

SHA1
2afe3280140fc56db7a7a9197520bfbc74608235

SHA256
8fc6c08487f2a481a28f1e5e500b61a21b7a0d44b342f9f887017d6fae4f87f4

SHA512
48667a0d00b954d8c0e89b05e6dbaeb18591e58346436385a2d33bd1f02f31e9ea5ed023cb9e377a431e9adf0c7f1aec90e6fe71386f74bc7c5ae210d38dc579

Download Submit
C:\Program Files\SUPERAntiSpyware\SASCore64.exe
MD5
98e06cac2c508118450095e581202230

SHA1
2afe3280140fc56db7a7a9197520bfbc74608235

SHA256
8fc6c08487f2a481a28f1e5e500b61a21b7a0d44b342f9f887017d6fae4f87f4

SHA512
48667a0d00b954d8c0e89b05e6dbaeb18591e58346436385a2d33bd1f02f31e9ea5ed023cb9e377a431e9adf0c7f1aec90e6fe71386f74bc7c5ae210d38dc579

Download Submit
C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS
MD5
3289766038db2cb14d07dc84392138d5

SHA1
d04286973c48c767c8723f4094396bded792ea90

SHA256
a7790b787690cc1a8b97e4532090c5295350a836a9474dea74ceb3e81cf26124

SHA512
22949262df9369a7c2a9fc489f7cf518c790741a943e0fea9f05b852c2ca61c6a1f70252795d7e96ac00b9dfbcda481456b2e2b2f876365e8d2caa38b10c9933

Download Submit
C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS
MD5
58a38e75f3316a83c23df6173d41f2b5

SHA1
9ff00f34b5dfae4be15ed8e59e9c7a05640cbdc3

SHA256
b0a8cda1d164b7534fb41ab80792861384709bf0f914f44553275cf20194f1a1

SHA512
a81b979852677a04e6fd24246b6d8d96be60839f51a203027d708d39f1edd9949b262df2e715ed39ce9a7b6882e9d416e11831388158f9f740ab137f7fe18010

Download Submit
C:\Program Files\SUPERAntiSpyware\SASREPAIRS.STG
MD5
efc9ea7aa080142234062f49c1ed2aa0

SHA1
f82b558f985be249259584b3f5be9a63219b0f25

SHA256
87f7dd02e06983dc362923f74fe880367f0ab59d9ba288099a2c538982abfa96

SHA512
e205bdd961c63df227c8a239c605dbcecb4109743bdde51bd07ac2beb4312de4b21cf25b4b963dcb4e0472b0026dd9f8cf455329f630f947f9dd01ecc6c50c5e

Download Submit
C:\Program Files\SUPERAntiSpyware\SASTask.exe
MD5
5302d99fb38de4318738be8eb5504695

SHA1
cef60452c888842a6d59fba68c4b4c811291ec0e

SHA256
d698c5790816236a743720722cc21b5a5f3e7b9ec02c6ec515908a7e1220f1f3

SHA512
413fa4964b555a64a4cfb7ae75e2050267d6876a65d97b9446181f5e7d0f95578a6621b5d214fa3b02b2232441b712a5bd08537053239bb080cf3f340360d01b

Download Submit
C:\Program Files\SUPERAntiSpyware\SSUPDATE64.EXE
MD5
99851aef40ccc89527358327fa3ac645

SHA1
4663a99ce79cfcb0a8cb5b9eee8590c50b665b0d

SHA256
89861e803e5281d4ba890ce1ff997f5bf2b7e2b61e37d56af8b0cd89408d4616

SHA512
41d52c8c45f0338f102b8a20232fe23dd17d008574b18a17795a3129a84d25e3615cd9cd42462376a21fff3055ac5628cc13d07cced924009c3ffdeb372031f9

Download Submit
C:\Program Files\SUPERAntiSpyware\SSUpdate64.exe
MD5
99851aef40ccc89527358327fa3ac645

SHA1
4663a99ce79cfcb0a8cb5b9eee8590c50b665b0d

SHA256
89861e803e5281d4ba890ce1ff997f5bf2b7e2b61e37d56af8b0cd89408d4616

SHA512
41d52c8c45f0338f102b8a20232fe23dd17d008574b18a17795a3129a84d25e3615cd9cd42462376a21fff3055ac5628cc13d07cced924009c3ffdeb372031f9

Download Submit
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
MD5
bb572c1a4a0963e317caf54e72f0b84c

SHA1
50a84e35a460f42fb20e6f4d9459c2a00886beb9

SHA256
587513491d3c493bcf4e63838702659bac88cb4faca0b89164db9d0a20cb08db

SHA512
14bec3672b62cb69dbd9ed7e75834f5650ffb73bd54fb6c60d22bb8affc058244837ae09593f3efb423e344d583cd62764c89658a8a2abb986e7c2976b4e231d

Download Submit
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
MD5
bb572c1a4a0963e317caf54e72f0b84c

SHA1
50a84e35a460f42fb20e6f4d9459c2a00886beb9

SHA256
587513491d3c493bcf4e63838702659bac88cb4faca0b89164db9d0a20cb08db

SHA512
14bec3672b62cb69dbd9ed7e75834f5650ffb73bd54fb6c60d22bb8affc058244837ae09593f3efb423e344d583cd62764c89658a8a2abb986e7c2976b4e231d

Download Submit
C:\Program Files\SUPERAntiSpyware\SUPERDelete.exe
MD5
35da92670c06c15cf6f5c10708788554

SHA1
1fb77420811528d76794b9ca5410f4d7c7583d5d

SHA256
2227ce63d91490bc94f88149cc12998c5642d9716697d063901ab8b364270815

SHA512
ec0d2531c638312cc9ca3852bc66c5568078129b1ebe7ecf4539fcc8c7fe105a0b464e01683d3f7bafe23a03d211f69ae4c86969becdaba9bbce5457063cf4e8

Download Submit
C:\Program Files\SUPERAntiSpyware\Uninstall.exe
MD5
4d0dd97c0ab63c0d72a895b4db8b0553

SHA1
3a9f3a77c5f33da656cfe4647afcab7615ca7cec

SHA256
a2887b7d3a95f05b3382f55f4496307b6b792e6a2d492178bcdbe22bd939733d

SHA512
572417fe618ef01ed0bf23078de9e412d49bfa72871890effed6b7b3297a3b1cf86321d261d7946ac4be05bd92a003da405cc51bbba0119e45b27ff9ddee8fe4

Download Submit
C:\Program Files\SUPERAntiSpyware\sas_enum_cookies.exe
MD5
981716d86ba53b87f9a4b9f837fc60c4

SHA1
6d5c8e0d4d1e7e1df8c420b49654d6f2f99741e8

SHA256
d07cdf35aba5f4b82bee11d31d4471df06321408eb33c653bcc718a4ca568527

SHA512
032f8d960c076ef8f83253c1d1908dab784f4869aff1c57db48c0ed9d3a3a4488639cd0ae9bee48b8003ec47a0b044c63fcd77ab47b84a731b859964ceb5aca7

Download Submit
C:\Program Files\SUPERAntiSpyware\sas_preconfig.db3
MD5
52cbb622fb744c0db3c292805254e1a6

SHA1
ef7c4007e1aeb9193e516a6c8cb926d349dcb9f6

SHA256
edd0dcdf0b48e21d6a54ff5b081d01c1d83a412d31b36ccec1db7c127d921e81

SHA512
7862a087a33040430dfa11d1ae091d5cae61eb264b5461cdb88ed740bb8e60007da8ddda4e3489051c75f027eda634097e0992410dc6a16ed773c3730d068aab

Download Submit
C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\Content1\MDEsU09TXzY5OVdGSF8wMSxodHRwOi8vZ28uc3VwZXJhbnRpc3B5d2FyZS5jb20vP2xpbmtpZD0xMDE0NjY=.bmp
MD5
ddb54abfe78ddd03d2a9e6672358a5c0

SHA1
547a89261edd40fb620a50af7be786c3a7696b15

SHA256
823941ec57f84d398a9b14490a31de8abe99465a30dd1d2050a48dd6033682ec

SHA512
e907673f381a5ee8bb39bec2ed19c6a5b0621479a46dc11d7ed5f0cf74e673ae805fa638c7c30b554263d20be1d1c0a6b2a067905eea6585db975cd5ed1c4cad

Download Submit
C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\Content1\MDIsU0FTX01QRkIyRk9SMTE5OTVfMDEsaHR0cDovL2dvLnN1cGVyYW50aXNweXdhcmUuY29tLz9saW5raWQ9MTAxNDU4.bmp
MD5
caed279cbc1df57e97fa3eed3106953c

SHA1
69e622b6fa58eb655802c3473e71d7e9f013b6e3

SHA256
73a9fab16c6b5facf81711b1bdba1a0e94468865e9cbec37a1c741e718f722c7

SHA512
9653fb7ff0618b97185ae772212ce98f71772d76948401988c30a1f748bb25526c937d32b478d33d829b540be4b7aa474d88f58a1c3d2635dc1af1899735ed42

Download Submit
C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLIST.BIN
MD5
8c50eac319bad116793d94172401de48

SHA1
9a1e7caf2059f7ad9e0c31de8fb8f2cc5eed8dee

SHA256
069ae753d6a69565b2dc5ead6b7ad6895a10667bc122e8f662c33e8d2e41e7b3

SHA512
506f2e7358f87e98ff2d95fa28bbdcae0c5263735e5ec2483601f02ac1b35147f75a754d7f6c65382a2afb7a3824deb9edb297cbdf3e42e942f6f702d65cbd0e

Download Submit
C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLISTRELATED.DB
MD5
125767637bea667a3521540cf39fc2cf

SHA1
d2b98c91dd5d180a8be5d7f8ae016c693906c11f

SHA256
966a062127146b38fbabda6d4968df9a27957ef24928f3044cc00538b242ace7

SHA512
cf56b60988d359781a7334b8e5ad8d8003ec866ecb80c028a259718de8801be88e8ed7e85e627dfc2405617462f164e66a500f0534802d9d924627e3ce79a460

Download Submit
C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\SetupOptions.db3
MD5
5ee472b2dfd8180fce3741c8601fa22e

SHA1
a1c80423802a0a6da7f5be5613afc3653d72bd79

SHA256
2c2a0e45b6e864a8d76c341c565d6bebff37c6fd26b94b973eabe2c016989bdb

SHA512
2d4633362417138f447947363965cb642df26578db5554606cb8e5df1ba5634b3e8f98113102d35ddffbf1236e2c99d7abbae0dcb1900ad2fced5b5ee134f8c3

Download Submit
C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\superantispyware.db3
MD5
37d1405c2a7a23f26985c1eff7288d1c

SHA1
50b167bb4bd930cd92c3ca91163fbe80a5238b3f

SHA256
e4e5b7085af68c24d3f17ec9fbd889e5a635d9a068d3ea761f6a14ec994c09ab

SHA512
bfacf1f369c8cf7b4e2a2f1a2e0b64aedf7a0c826229e5c9f13be08d25bcfcd22a23398d2231098a945000a65b53f88e58431bd5b6a0d43b64ab2921ff0f94e0

Download Submit
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\SUPERSETUP\SETUP.DLL
MD5
f21ca163b7df7daddab556b8bd242c35

SHA1
4cc603108e71d005363ba07db7905a2e0f40e4e7

SHA256
3416cffe03c9910c0d946aa0a593c4cbc937e20a5921055af537d66d8c7ac594

SHA512
54b0f3c716b9abcb385d7b57b0152deb86c0759e1cd6ab3c228ec718c6b13113a72f8e2a5d93651861e4d6b10fac403ee9344e1ac15fe7e84a7f07a8a7458c40

Download Submit
C:\USERS\PUBLIC\DESKTOP\SUPERANTISPYWARE FREE EDITION.LNK
MD5
59794d335939c7e1ebf27da4c4c222f1

SHA1
f587a039282ba908e7b797c246c909f33804058f

SHA256
3e50f0543c182610fac073871b5dce9ded53d83a467510c46e41e68ade5717cf

SHA512
204d1fefa7356a24cbd8d22f678cdec8195e9c0a706a5aad2f3fd3f95219f5d9d5ee9d87d700a10fe14e5539b831dda39d962e752073a69a9d0109d5c5193f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUPERSetup\gcapi_dll.dll
MD5
cac4a48fbaf0373d0d1ca310c2615a55

SHA1
bd357ed2d894e4fb84fe8f0e2f572bf5eed8b37a

SHA256
b6a209242cccbb2257becd3b826d4a304631bbe9f4f842278619e42c33feb2e3

SHA512
bb63176ce893942be53e3193d498ce85f67ae7fe0a0799a5e7b10a9e4ffdd55a34f4038ce14a638949d0000c726fb355872a7748504c74cee36b2ca55b2b9452

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUPERSetup\gcapi_dll.dll
MD5
cac4a48fbaf0373d0d1ca310c2615a55

SHA1
bd357ed2d894e4fb84fe8f0e2f572bf5eed8b37a

SHA256
b6a209242cccbb2257becd3b826d4a304631bbe9f4f842278619e42c33feb2e3

SHA512
bb63176ce893942be53e3193d498ce85f67ae7fe0a0799a5e7b10a9e4ffdd55a34f4038ce14a638949d0000c726fb355872a7748504c74cee36b2ca55b2b9452

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUPERSetup\setup.dll
MD5
f21ca163b7df7daddab556b8bd242c35

SHA1
4cc603108e71d005363ba07db7905a2e0f40e4e7

SHA256
3416cffe03c9910c0d946aa0a593c4cbc937e20a5921055af537d66d8c7ac594

SHA512
54b0f3c716b9abcb385d7b57b0152deb86c0759e1cd6ab3c228ec718c6b13113a72f8e2a5d93651861e4d6b10fac403ee9344e1ac15fe7e84a7f07a8a7458c40

Download Submit
C:\Users\Admin\Downloads\SUPERAntiSpyware.exe
MD5
cecf29885d73fff8d90d880962275454

SHA1
b33a5250e5fa95fbe4d6b67cd0877d56c8dc9849

SHA256
bdabbdc7ce3f5f355d67c7b2de252bb235dfbec4f1e42d6f1dcb26046f77c9fc

SHA512
2a9100de60481bfdb0385f74dc6f7b712eb4d953892e91efe8146d97c2ed3c2c073d83d9c7605e0dd3bca05ae6fafce0a849a3507134fb810f07ccc1fa2c8860

Download Submit
C:\Users\Admin\Downloads\SUPERAntiSpyware.exe
MD5
cecf29885d73fff8d90d880962275454

SHA1
b33a5250e5fa95fbe4d6b67cd0877d56c8dc9849

SHA256
bdabbdc7ce3f5f355d67c7b2de252bb235dfbec4f1e42d6f1dcb26046f77c9fc

SHA512
2a9100de60481bfdb0385f74dc6f7b712eb4d953892e91efe8146d97c2ed3c2c073d83d9c7605e0dd3bca05ae6fafce0a849a3507134fb810f07ccc1fa2c8860

Download Submit