ID: 459764
Sample Name: SUPERANTISPYWARE.EXE
Cookbook: default.jbs
Time: 14:53:19
Date: 05/08/2021
Version: 33.0.0 White Diamond

Copyright Joe Security LLC 2021

Windows Analysis Report SUPERANTISPYWARE.EXE

Overview

General Information
Sample Name: SUPERANTISPYWARE.EXE
Analysis ID: 459764
MD5: a231ad52671062…
SHA1: eae2fd396a44e66…
SHA256: 34fbe5823ecb07d…

Detection
Score: 42
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures
Yara detected AdWind RAT
Changes security center settings (no…
Tries to detect sandboxes and other…
AV process strings found (often use…
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Fire…
Creates files inside the system direc…
Enables debug privileges
IP address seen in connection with o…
May sleep (evasive loops) to hinder …
PE file contains an invalid checksum
PE file contains strange resources
Queries disk information (often used…
Queries the volume information (nam…
Sample execution stops while proce…
Sample file is different than original …
Tries to load missing DLLs

Classification
Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, AdWind, Trojan / Bot, Adware

Process Tree

System is w10x64
SUPERANTISPYWARE.EXE (PID: 5720 cmdline: 'C:\Users\user\Desktop\SUPERANTISPYWARE.EXE' MD5: A231AD526710623AF198F0328E648016)
svchost.exe (PID: 6008 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 4972 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 4316 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 460 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
SgrmBroker.exe (PID: 5400 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
svchost.exe (PID: 5908 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  MpCmdRun.exe (PID: 4808 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
    conhost.exe (PID: 3528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
svchost.exe (PID: 5184 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 3868 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 3528 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 5508 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 2484 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: Process Memory Space: SUPERANTISPYWARE.EXE PID: 5720
Rule: JoeSecurity_AdWind
Description: Yara detected AdWind RAT
Author: Joe Security
Strings:

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Stealing of Sensitive Information:

Yara detected AdWind RAT

Remote Access Functionality:

Yara detected AdWind RAT

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation 1; Command and Scripting Interpreter 2; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection 2; DLL Side-Loading 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading 1 1; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 2; Process Injection 2; DLL Side-Loading 1; Steganography; Compile After Delivery
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery 1; Security Software Discovery 1 3 1; Virtualization/Sandbox Evasion 2; Process Discovery 1; Remote System Discovery 1; File and Directory Discovery 1; System Information Discovery 2 3
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points

Behavior Graph

[Behavior graph, ID: 459764. Sample: SUPERANTISPYWARE.EXE; Startdate: 05/08/2021; Architecture: WINDOWS; Score: 42.
Process nodes: SUPERANTISPYWARE.EXE, svchost.exe (two nodes), 9 other processes, MpCmdRun.exe, conhost.exe.
Signatures shown: Yara detected AdWind RAT; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Changes security center settings (notifications, updates, antivirus, firewall).
IP nodes: 74.201.114.185 (INTERNAP-2BLKUS, United States); 8.8.8.8 (GOOGLEUS, United States); 93.184.221.133 (EDGECASTUS, European Union); 23.211.4.86 (AKAMAI-ASUS, United States); 127.0.0.1 (unknown); 20.54.110.249 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 192.168.2.1 (unknown).]

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
SUPERANTISPYWARE.EXE | 0% | ReversingLabs | |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://www.superantispyware.comdetect.wavSAS_CURRENTUSER.DB3SAS_ALLUSER.DB3https://www.superantispy | 0% | Avira URL Cloud | safe
crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
https://dynamic.t | 0% | URL Reputation | safe
ocsp.sectigo.com0 | 0% | URL Reputation | safe
ocsp.entrust.net03 | 0% | URL Reputation | safe
ocsp.entrust.net02 | 0% | URL Reputation | safe
https://cert.com | 0% | Avira URL Cloud | safe
crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
cdn.superantispyware.comSASDef_DefinitionUpdateThread | 0% | Avira URL Cloud | safe
.pdbrootkitLORDPEFSGUPACKPEC2UPX | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0D | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
ocsp.thawte.com0 | 0% | URL Reputation | safe
https://www.tiktok.com/legal/report/feedback | 0% | Avira URL Cloud | safe
crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
8.8.8.8 | unknown | United States | 15169 | GOOGLEUS | false
93.184.221.133 | unknown | European Union | 15133 | EDGECASTUS | false
20.54.110.249 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
23.211.4.86 | unknown | United States | 16625 | AKAMAI-ASUS | false
74.201.114.185 | unknown | United States | 12182 | INTERNAP-2BLKUS | false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond

Analysis ID: 459764
Start date: 05.08.2021
Start time: 14:53:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 10s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: SUPERANTISPYWARE.EXE
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal42.troj.evad.winEXE@15/54@0/7
EGA Information: Failed
HDC Information: Successful, ratio: 100% (good quality ratio 0%); Quality average: 0%; Quality standard deviation: 0%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .EXE; Override analysis time to 240s for sample files taking high CPU consumption

Simulations

Behavior and APIs

Time | Type | Description
14:54:10 | API Interceptor | 4x Sleep call for process: SUPERANTISPYWARE.EXE modified
14:54:33 | API Interceptor | 13x Sleep call for process: svchost.exe modified
14:55:49 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
93.184.221.133 | update.iobit.com/dl/iu8/file/Pub/PreCare.exe | malicious | update.iobit.com/dl/iu8/file/Pub/PreCare.exe
93.184.221.133 | update.iobit.com/dl/iu9/file/BigUpgrade_IU.exe | malicious | update.iobit.com/dl/iu9/file/BigUpgrade_IU.exe
93.184.221.133 | driver_booster_setup.exe | malicious | update.iobit.com/infofiles/db7/freeware-toolbar.upt
93.184.221.133 | TaxRefund.htm | malicious | cdn.boardhost.com/invisible.gif
93.184.221.133 | TaxRefund.htm | malicious | cdn.boardhost.com/invisible.gif
93.184.221.133 | www.amazoon.online/b9a2f1e25a?l=22 | malicious | embed-e.wistia.com/deliveries/6992339c876a95a37250fbe5b0a0eaecca3018a5/file.jpg?bust=2015-12-29a
93.184.221.133 | www.speedvid.net/t198amvdwusd | malicious | cdn.cpmstar.com/cached/x.png
23.211.4.86 | wXQEBTXLHd.exe | malicious |
23.211.4.86 | RIi1iCfuVK.exe | malicious |
23.211.4.86 | r3xwkKS58W.exe | malicious |
23.211.4.86 | ySZpdJfqMO.exe | malicious |
23.211.4.86 | bGk64hnnAZ.exe | malicious |
23.211.4.86 | 2qPnTEJ3ZZ.exe | malicious |
23.211.4.86 | AUg4zbbjo6.exe | malicious |
23.211.4.86 | wYK4BhbEwC.exe | malicious |

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
MICROSOFT-CORP-MSN-AS-BLOCKUS | docapQjNeY.exe | malicious | 13.107.42.12
MICROSOFT-CORP-MSN-AS-BLOCKUS | Xerox Scan_367136092111.html | malicious | 40.101.138.210
MICROSOFT-CORP-MSN-AS-BLOCKUS | request.zip | malicious | 52.109.88.174
MICROSOFT-CORP-MSN-AS-BLOCKUS | info203wb4BR3.IIAYAEIOTOKYAXHSVXKBYDNDNPAYFC#U00c9.msi | malicious | 23.102.184.147
MICROSOFT-CORP-MSN-AS-BLOCKUS | info203wb4BR2.TSJQIJKYBJPJDFBACFJIXBQSOVDIYH#U00f1.msi | malicious | 23.102.184.147
MICROSOFT-CORP-MSN-AS-BLOCKUS | info203wb4BR1.VEVGJDKHYLCJYEWGECAKBGRORNNYTL#U00ea.msi | malicious | 23.102.184.147
MICROSOFT-CORP-MSN-AS-BLOCKUS | request.zip | malicious | 52.114.132.20
MICROSOFT-CORP-MSN-AS-BLOCKUS | info20219304BR.VXWAYJHUUOUYLLXJYSPZUMKLBPCZMP_.msi | malicious | 20.197.233.196
MICROSOFT-CORP-MSN-AS-BLOCKUS | EBloHRXR2z.exe | malicious | 20.11.11.67
MICROSOFT-CORP-MSN-AS-BLOCKUS | sTcU2w5mZY | malicious | 20.237.114.65
MICROSOFT-CORP-MSN-AS-BLOCKUS | [email protected] #Ud83d#Udce0LUK08HIDGB019153.HTM | malicious | 40.90.142.230
MICROSOFT-CORP-MSN-AS-BLOCKUS | iGZtra5EaP.exe | malicious | 20.197.234.75
MICROSOFT-CORP-MSN-AS-BLOCKUS | gcsEBQO3BV.exe | malicious | 20.197.234.75
MICROSOFT-CORP-MSN-AS-BLOCKUS | InNXA1LFMy | malicious | 20.253.88.81
MICROSOFT-CORP-MSN-AS-BLOCKUS | OJYNvmFRjr | malicious | 72.154.192.105
MICROSOFT-CORP-MSN-AS-BLOCKUS | AEOjFHGJAr | malicious | 20.232.159.114
MICROSOFT-CORP-MSN-AS-BLOCKUS | minha-conta-06082021.msi | malicious | 20.106.52.195
MICROSOFT-CORP-MSN-AS-BLOCKUS | w7DRtI5vjJ | malicious | 40.100.99.34
MICROSOFT-CORP-MSN-AS-BLOCKUS | xl2TVqLo6S | malicious | 40.114.106.50
MICROSOFT-CORP-MSN-AS-BLOCKUS | uMWZeUs5ZU | malicious | 20.177.245.20
EDGECASTUS | ATT86715.HTM | malicious | 152.199.23.72
EDGECASTUS | ATT99206.HTM | malicious | 152.199.23.72
EDGECASTUS | Xerox Scan_367136092111.html | malicious | 152.199.21.175
EDGECASTUS | VM_8523-August 4, 2021, 123112 PM HmnYdReqOhNZXRLxJRlYRGzIiVvdfmVrhORHciWnHgzGkgvxjF.HTM | malicious | 152.199.23.37
EDGECASTUS | ATT27695.htm | malicious | 152.199.21.175
EDGECASTUS | ATT10157.HTM | malicious | 152.199.23.72
EDGECASTUS | ATT78660.htm | malicious | 152.199.21.175
EDGECASTUS | 740493560527658268.htm | malicious | 152.199.23.37
EDGECASTUS | HSBC_Payment_slip_for Outstanding 001005l.htm | malicious | 152.199.23.37
EDGECASTUS | ATT80307.HTM | malicious | 152.199.23.72
EDGECASTUS | Project Proposal and Analysis.html | malicious | 152.199.21.175
EDGECASTUS | Dosusign_Na_Sign.htm | malicious | 93.184.220.66
EDGECASTUS | Fake.HTM | malicious | 152.199.23.72
EDGECASTUS | minha-conta-06082021.msi | malicious | 192.229.221.185
EDGECASTUS | OneDrive-besked.htm | malicious | 152.199.23.37
EDGECASTUS | phish.html | malicious | 152.199.23.37
EDGECASTUS | HTM.html | malicious | 152.199.23.72
EDGECASTUS | minha-conta-06082021.msi | malicious | 192.229.221.185
EDGECASTUS | AUTORIZAR_ITEM3884795BR.msi | malicious | 152.199.21.175
EDGECASTUS | setup_x86_x64_install.exe | malicious | 93.184.221.240

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 24576
Entropy (8bit): 0.36205444996716485
Encrypted: false
SSDEEP: 48:UtcctcMtcctcMtcctcMtcctcQtcctc0tcctc:UtTtDtTtDtTtDtTtTtTtbtTt
MD5: 353C0E84A6C573D30B15481706263B9A
SHA1: 4DCBF5ED97F1251EEF6E0747906368AB5639D0FA
SHA-256: 4412C6044B8C975D5BAB1F0E173339AE2A091A3B4D2DFBF771F1E9B854EF1751
SHA-512: 210B6E533923CF5F3FE255C39E1B2D243F675D2C022FA613E3ABD680FB552A2FD9079BF1699C91A5033AED47E29EE0191CF6E307429554A3128D2C009E047AFD
Malicious: false

C:\ProgramData\Microsoft\Network\Downloader\edb.log
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.2414200017951034
Encrypted: false
SSDEEP: 12:0NGaD0JcaaD0JwQQj/tAg/0bjSQJKh7Iu3z1IRu3z1I:0TgJctgJwr/urjSuC7IAzaRAza
MD5: 8BE8233C2D579EC35E2ABEB587CC1C9C
SHA1: BE471A532E3D151F478E131DC0AD02C632C26104
SHA-256: 559FBDE8D5F6225FD9310642A0780CA03AB5A64CF568D25FEF5596126B83F3C1
SHA-512: F9F6235EED58986EB00181D12B67F13F4395FEEA6865B556753F299A60D6D2AECFD1E666A4A71B5793558EFF33F3300D7AE642051154E409B7F62B3379A43F1D
Malicious: false

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xf4e78bc9, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 131072
Entropy (8bit): 0.09768388788474898
Encrypted: false
SSDEEP: 24:w4WI4Y5y4WI4Y5J4iAY5J4iAY5e4vnwY5e4vnwY5/Yt9PqAcYt9PqA:tWzYVWzYgiAYgiAY9IY9IYBYt9eYt9
MD5: 6F72BA79C3EAB1FAE3BDB7FEBEDCB22F
SHA1: 734386238A41F3F5E4B84C9AC6871294A4F3EFC0
SHA-256: 8F4B7380345465789787A97B2560DB8406693486143749ACDEF03282E33366DA
SHA-512: FD55CD7C0EE21F2984E156363518A979D6CA6BAB7B026D6C44E9B04A5A0B5470E8BA7C29D7CA65E9C5E7FA362252BEA88861907810F43A9A4A0C04A6877688D7
Malicious: false

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.11545894850801051
Encrypted: false
SSDEEP: 12:GvUcSKt4rY5gpcSK3LnwtcSKtilBhnI2cS0BlBhnMA:GSKOrY5PSK3LnwuSKgnhnES0BnhnMA
MD5: FE0F1732463BD96ED9589ECF344BE748
SHA1: CE7EBE39C9A99F6917123278A8FF0FA36F393E1E
SHA-256: 6F43CB8E043AD4F8647C8C822A7AB76D01DB63B1DA3771D06DE022F528E3083B
SHA-512: 297332903E7F178C7AAC5DA79EEAD5EB9F46B1C80D00ADC3481C094AF2F5152ED458871A474833BAF08B7884EE268E5416F39C48E181458AB5AB278F318937F9
Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-8-5-2021( 14-54-10 ).SDB
Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE
File Type: Non-ISO extended-ASCII text, with very long lines, with NEL line terminators
Category: dropped
Size (bytes): 59100
Entropy (8bit): 5.353620388160826
Encrypted: false
SSDEEP: 1536:0ACHCGOdK+tCGcRIx5pswhd0bjYIM05gtUGGQjK5L6FE59hg+hV4NDkMIgxqjKuu:dCHCGOdK+tCGcRIx5pswhd0bjYIM05gZ
MD5: A1A160A78791BBC17DED30D55470E4A7
SHA1: 95E3442FB4985E4248CE9A590C9E155187674B32
SHA-256: 220434302641233D17C9CE0A4274996A88861A353D32F13C532E6D9C7A038614
SHA-512: 5FB03948B791F042161E140FC667A38E9BF7469F5B5093C0A8D1EBE05563DEFF38C7AF9E772A59992E07F9721CB9887D574082DF2FE747F95B169BF37493A747
Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1.DAT
Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE
File Type: data
Category: dropped
Size (bytes): 827137
Entropy (8bit): 7.997388707472276
Encrypted: true
SSDEEP: 24576:f9t39oRmHHydnwFk6s0ZzWd50m80WY+2m:fGRmHHydnQwMzW/0t0WY+Z
MD5: C7CD591610C148D6C465C6EAFB6D5497
SHA1: F9A140A7A1F811DE29D56C907D55781C48378A50
SHA-256: 14610DC6143423D08C8F0519DEEC372CFD8B820A9193408F70DC67C513845704
SHA-512: 56109D6EA17A12A2E582E0C9AC355973447A94719CB944CB9A464DB2C749B0368DF4F42E4133F5F1A9D388C14F38AB22E547EF95771966C4ECB0690EE6F9FDF4
Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\AOL\MDEsQU9MRlJFRV8wMSxodHRwOi8vZ28uc3VwZXJhbnRpc3B5d2FyZS5jb20vP2xpbmtpZD0xMDE0MTY=.bmp
Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE
File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24
Category: dropped
Size (bytes): 149744
Entropy (8bit): 3.45478575541215
Encrypted: false
SSDEEP: 384:g1E5bSLQCWMEMw+mmgdmerNMEfEx/lFWC:gEw9fw2gdmwSx/lz
MD5: 8FB48521A8303F6B03D406D4A41EDF83
SHA1: 5C010A1759737BA557CE6DF76E7313A5EF47FCEC
SHA-256: C09159825E0BB0704EDE26BECF0B4D08B245A33956A7E978EDAAD0EF2362FEE6
SHA-512: 288FEAA44C905960D0E86DE3A66F80759F6A9769135675CE354A6E62622B95C3D61493E6374947350946468F67C41E1DF6D6B24E62FA05F9249B0A8B753D3374
Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\AOL\Thumbs.db
Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 13312
Entropy (8bit): 7.086416045383016
Encrypted: false
SSDEEP: 192:n9olpdSg1szLDrctXWMmUIsmn2SsM5FSaHo3DCRTRmqrOPKHyFOkH:9olpdcLctHBcbTCCRpwKSEkH
MD5: DC34D18019465743FB4B647859391011
SHA1: D49D86FE5E9BE4F3D75DF4E704C14AD924F8CBAF
SHA-256: D1B8A3499870B0B8B7E7486669E07D4DBD04BA54A917E9F8D55AF3075F45D978
SHA-512: 913F4FB7D40C5A3AC90E6186E4DC8158EA8AE3853D8BE284632F4A540DCF996CCF2E9572960221B99F4066A9D6065B0AD20D3F4CFF8CF0035B6B4FC79E81422D
Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\MDEsU0FTX0dTRFYyMTAzMjI2OTVfMDEsaHR0cDovL2dvLnN1cGVyYW50aXNweXdhcmUuY29tLz9saW5raWQ9MTAxNDcz.bmp
Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE
File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24
Category: dropped
Size (bytes): 149742
Entropy (8bit): 3.9731142512078628
Encrypted: false
SSDEEP: 1536:p2LcchJ5X/e1kmD0VgH9s4XKzZXXhZCTPis/UCa:p2LcchJ5XWFD0V6C4Xm5iTPis/UCa
MD5: 68E8067648D88A8EC2C531D8C669BD4E
SHA1: 97FAA042FECCE9EFDB6057591A3B6CDC5D766371
SHA-256: 2BC3EC95372495B2B7679503316EEB2B38E576701B30A9D2A51D28611D0795DA
SHA-512: AABDD05645B597B1AC6C32B93A1027665DD85E543B797F6B002401854ED9B84A80A5F18F5EC714D39C252262F8869D2734151636083284A6A2EC99A77F170891
Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\MDIsU09TX01QQjA2MDEyMCxodHRwOi8vZ28uc3VwZXJhbnRpc3B5d2FyZS5jb20vP2xpbmtpZD0xMDE0NzA=.bmp
Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE
File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24
Category: dropped
Size (bytes): 149742
Entropy (8bit): 6.981862638907041
Encrypted: false
SSDEEP: 3072:qvC919SCy2jV97RuPR/6+Wei3jiqI0dzDdF5iC+jT29OSUmfpnTA++hD6iKiHa4g:NeqBPXihu+m
MD5: 31B85935E49F78108E92D0FE82A59F4C
SHA1: A22740A40D6D855AAF7C9938CACE45458AB0F464
SHA-256: 1C105A4200FE4D51EF9AA6B7860F31531C976516655FDCCACC8CCE7400298767
SHA-512: 4C81DD671616981EDEFA5FC5BF8F8B86E024F208F24DB706774F066F5C102DACBCB6DCD8065DA9DA246F8611B3BFC62C9C949EAE80BA9D5F99EE1B57B700047B
Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\MDMsU0FTX01QRkJQUk9YMTk5NV8wMSxodHRwOi8vZ28uc3VwZXJhbnRpc3B5d2FyZS5jb20vP2xpbmtpZD0xMDE0NzE=.bmp
Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE
File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24
Category: dropped
Size (bytes): 149742
Entropy (8bit): 5.3313155675285735
Encrypted: false
SSDEEP: 1536:TQ9UECJL0VhSZFs0tIs1BNsusYfylfqVuXlu72Q8GslHa1cUj+UV8IN4CxYn/TvT:TQJSweZO++5fqVuwsCV4CyTLWfZXw
MD5: E3BA0A9BA987A5DE5461EBC164190985
SHA1: C3F9FBD1B8BB49DA91766A5B4A40E04C15C39C2C
SHA-256: 2EA8B3B74FDDA04E32EA8AFAE3912373757EC079BA5ACBDC06F61619798111EE
SHA-512: F343B90814B9BD0496F759F6B5D3F3348BA078976198FB77334502B80D43FD8E98DCFDC61E983E156E8C0DA8DC69271B2AD47DCC6FBB193FD1AC9F0D4080F8AC
Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\Thumbs.db
Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 118272
Entropy (8bit): 7.609666965178523
Encrypted: false
SSDEEP: 3072:+U+XkuSu/uGuUoEI3oqNXIhRoqoNh5o1YCTJzX9BM7oOov:+UokjmL7ENX8hJzNV
MD5: 0F51FA7B2AB975BFD18E73836D7D45A5
SHA1: BADB996D9FD3BAA3C2B797BA722E19B93D41696F
SHA-256: 99D3D12D2BB65099392F1735D525CFED912D63724D31B6F7BC0E0DAA8349AF82
SHA-512: 112321C164858957774DC3122E39BF93F8B5D9F8D1D46419E6C616A1C76BA3C5070B3395B12EBAC1B9D093A60ACCC0297E50283B929589193DB2AB37B7CF23D1
Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\AOL\MDEsQU9MRlJFRV8wMSxodHRwOi8vZ28uc3VwZXJhbnRpc3B5d2FyZS5jb20vP2xpbmtpZD0xMDE0MTY=.bmp
Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE
File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24
Category: dropped
Size (bytes): 149744
Entropy (8bit): 3.45478575541215
Encrypted: false
SSDEEP: 384:g1E5bSLQCWMEMw+mmgdmerNMEfEx/lFWC:gEw9fw2gdmwSx/lz
MD5: 8FB48521A8303F6B03D406D4A41EDF83
SHA1: 5C010A1759737BA557CE6DF76E7313A5EF47FCEC
SHA-256: C09159825E0BB0704EDE26BECF0B4D08B245A33956A7E978EDAAD0EF2362FEE6
SHA-512: 288FEAA44C905960D0E86DE3A66F80759F6A9769135675CE354A6E62622B95C3D61493E6374947350946468F67C41E1DF6D6B24E62FA05F9249B0A8B753D3374
Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\AOL\Thumbs.db Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: Composite Document File V2 Document, Cannot read section info Category: dropped Size (bytes): 13312 Entropy (8bit): 7.086416045383016 Encrypted: false SSDEEP: 192:n9olpdSg1szLDrctXWMmUIsmn2SsM5FSaHo3DCRTRmqrOPKHyFOkH:9olpdcLctHBcbTCCRpwKSEkH MD5: DC34D18019465743FB4B647859391011 SHA1: D49D86FE5E9BE4F3D75DF4E704C14AD924F8CBAF SHA-256: D1B8A3499870B0B8B7E7486669E07D4DBD04BA54A917E9F8D55AF3075F45D978 SHA-512: 913F4FB7D40C5A3AC90E6186E4DC8158EA8AE3853D8BE284632F4A540DCF996CCF2E9572960221B99F4066A9D6065B0AD20D3F4CFF8CF0035B6B4FC79E81422D Malicious: false Preview: ...... >......

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\GuardStreet\MDEsR1NfQkFER1VZU18wMSxodHRwOi8vZ28uc3VwZXJhbnRpc3B5d2FyZS5jb20vP2xpbmtpZD0xMDE0MTc=.bmp Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24 Category: dropped Size (bytes): 149744 Entropy (8bit): 2.114335815523988 Encrypted: false SSDEEP: 768:yoNh6ZEN94NHgNN9BN16SlN6km+fUS5jDwAjPj98ckf/G1A8Ur3haWeG18G9G4GS:p7e84mnW MD5: 170C8C089117C4425A7E567C56B98042 SHA1: 876623B5DCD2A86E9AA05BA6826699519E5F9072 SHA-256: DBBF5B6E1E2CE10299C5ACB096E1E58FB9FBC2E8E5584CE1B0BDDCF8456569F2 SHA-512: 707228E03F8065D8872107675CCB6CB95BBC365C6DF85BD14CA466EAEAB128CB060BE64C915B92E09F635F34A63C65DF27ED4AEBDC64C692A1F6261E6647B4E2 Malicious: false Preview: BM.H...... 6...(...g...Q...... H......

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\GuardStreet\MDEsR1NfQkFER1VZU18wMixodHRwOi8vZ28uc3VwZXJhbnRpc3B5d2FyZS5jb20vP2xpbmtpZD0xMDE0MzM=.bmp Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24 Category: dropped Size (bytes): 149744 Entropy (8bit): 2.1097905090103852 Encrypted: false SSDEEP: 768:9/f7SFXu1ngc4mYDYLT1B2naA3dn7TewUitqF20iEUX1oXAtPMLydMQgZZDG99G9:DdoNM MD5: F9A06D46F253D21A67C430FBF37B7E56 SHA1: BBD3C19FAFD795B546E6530A83AC78B34EAECEAB SHA-256: E1FA7B81E7D2A050AC723A57A9C85FB768A90852FA03475DDC7D70F589A2471E SHA-512: 0E19E431F747DA94CE304AEBAAD5156ED6ACBB9DF29A1236C45037E8AE04272299E29DF69BA7463CECFEF36156D6EB4DF014B3E41D136E9356C7397C3DFF5745 Malicious: false Preview: BM.H...... 6...(...g...Q...... H......

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\GuardStreet\MDIsR1NfVEFLRUJBQ0tDT05UUk9MXzAxLGh0dHA6Ly9nby5zdXBlcmFudGlzcHl3YXJlLmNvbS8_bGlua2lkPTEwMTQxOA==.bmp Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24 Category: dropped Size (bytes): 149744 Entropy (8bit): 2.062993793004304 Encrypted: false SSDEEP: 768:y9X34nsaDaOb+l+U8iuLvU2jxsowPwsPwYBgNR0s2kFkONRQ9vNB1CIuykxuEFBU:UyEmu MD5: D5D34988AD0FA758FB1AB64205C7CAA0 SHA1: 1E31498820E94953820E1C2ECAC3F7FF813C4858 SHA-256: DFE2C1DA6C079DE06DC45DA4A12C8F51B5572A1ABD655B9B8F989349819C3868 SHA-512: D174558E9C82ED027005E500B8F20286E3717FE56F2462C05C3910F08536CD5940AAE80AF89B05D1C2BB86683E693E9F7B9763DC7C43D590EDFB5BC677E6478F Malicious: false Preview: BM.H...... 6...(...g...Q...... H......

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\GuardStreet\Thumbs.db Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: Composite Document File V2 Document, Cannot read section info Category: dropped Size (bytes): 11776 Entropy (8bit): 6.9687128491692825 Encrypted: false SSDEEP: 192:z6NWmzXxBlJyWWTYB0loY9xNWJBARSP3:z6NWctoWW8WxNWjARSv MD5: 4D22731ED904DF28DCDE588B6EE5CFAE SHA1: 39F7E645FFEDEDA498E82AA554B8221AED0094E8 SHA-256: C967E6F37E11043F7653B40383DF2D66DF5A3841CC352BAB644671125D0A7569 SHA-512: DC87DDD6022F234493A85403398B8B8B5AFEBEEBF2096EDD3ACA244A02077923C7DB5BD22DD4B1A7903F0C5FCE6CDC017BB63C639B0F1E89CCAAA483B2EDF36C Malicious: false Preview: ...... >......

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\MDEsQkFfUEdfRkFESU5HTUFOLGh0dHA6Ly9nby5zdXBlcmFudGlzcHl3YXJlLmNvbS8_bGlua2lkPTEwMTQwMQ==.bmp Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24 Category: dropped Size (bytes): 149742 Entropy (8bit): 4.614885059698813 Encrypted: false SSDEEP: 768:tt/68dClrdhmUjHHHNftop0UNr24m7aElt/Ryn:tsiClrdh3jnHwp0orzmGElC MD5: 9D05C2F7F1B7709D9660D5F59B04DF7F SHA1: 4423528FDC62CB4B424C66EBC2858C927811A1BB SHA-256: 069C57741CCFB59E854D6D1381DE1EC5BF92B667F30930DCB4EAB04064AC93B9 SHA-512: 269A064125C742234266D25B62C904772B51A9594C24E3F69254D4EF0850844CAF0A427C5F637D6DBA1008BB0B64465DF508EF0640BBD4C10C222CA6EBF2F618 Malicious: false Preview: BM.H...... 6...(...g...Q......

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\MDEsR1NfQkFER1VZU18wMixodHRwOi8vZ28uc3VwZXJhbnRpc3B5d2FyZS5jb20vP2xpbmtpZD0xMDE0MzM=.bmp Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24 Category: dropped Size (bytes): 149744 Entropy (8bit): 2.1097905090103852 Encrypted: false SSDEEP: 768:9/f7SFXu1ngc4mYDYLT1B2naA3dn7TewUitqF20iEUX1oXAtPMLydMQgZZDG99G9:DdoNM MD5: F9A06D46F253D21A67C430FBF37B7E56 SHA1: BBD3C19FAFD795B546E6530A83AC78B34EAECEAB SHA-256: E1FA7B81E7D2A050AC723A57A9C85FB768A90852FA03475DDC7D70F589A2471E SHA-512: 0E19E431F747DA94CE304AEBAAD5156ED6ACBB9DF29A1236C45037E8AE04272299E29DF69BA7463CECFEF36156D6EB4DF014B3E41D136E9356C7397C3DFF5745 Malicious: false Preview: BM.H...... 6...(...g...Q...... H......

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\MDEsU09TX01QQjA2MDEyMCxodHRwOi8vZ28uc3VwZXJhbnRpc3B5d2FyZS5jb20vP2xpbmtpZD0xMDE0NzA=.bmp Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24 Category: dropped Size (bytes): 149742 Entropy (8bit): 6.981862638907041 Encrypted: false SSDEEP: 3072:qvC919SCy2jV97RuPR/6+Wei3jiqI0dzDdF5iC+jT29OSUmfpnTA++hD6iKiHa4g:NeqBPXihu+m MD5: 31B85935E49F78108E92D0FE82A59F4C SHA1: A22740A40D6D855AAF7C9938CACE45458AB0F464 SHA-256: 1C105A4200FE4D51EF9AA6B7860F31531C976516655FDCCACC8CCE7400298767 SHA-512: 4C81DD671616981EDEFA5FC5BF8F8B86E024F208F24DB706774F066F5C102DACBCB6DCD8065DA9DA246F8611B3BFC62C9C949EAE80BA9D5F99EE1B57B700047B Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\MDEsU09TXzY5NV8wMixodHRwOi8vZ28uc3VwZXJhbnRpc3B5d2FyZS5jb20vP2xpbmtpZD0xMDE0NTQ=.bmp Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24 Category: dropped Size (bytes): 149744 Entropy (8bit): 7.233149114808247 Encrypted: false SSDEEP: 3072:86saX0UyrZ/asW7XqlOzHPRLvt45IA6Sc+9qiJ7uWTgZ:A/FszpCe+9qiZuWTgZ MD5: 635A276D33278990C758820A7C282BB7 SHA1: 8BCCFD8B15A85DD8D97D77E2FD316DF67FE2D4BA SHA-256: 05F731FDE04E891C525ADDAFCFC2AA940A60491242E33C85A2C4665A05A9E3C0 SHA-512: A6424245DE58FACF0F8B8A30A01A6E0C726FEB92FFC423A1BF9F2958AF06B4C23ED3DF46F779AEBC32872BB2A40B3A3CA4DD0F30A502E96D2DF4DDBE8599D999 Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\MDEsU09TXzY5NV8wMyxodHRwOi8vZ28uc3VwZXJhbnRpc3B5d2FyZS5jb20vP2xpbmtpZD0xMDE0NjA=.bmp Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24 Category: dropped Size (bytes): 149742 Entropy (8bit): 5.923368549592454 Encrypted: false SSDEEP: 1536:/IVgxYUlPWB40M7tAJdvqjfuulp4q6nGLWX83a3u4BxOx:/IqyUtu401JdSwUWX83a+j MD5: 001B4CB0CE4F8C3A521A3D996CB64E76 SHA1: 279862185456FF04DD60CCBCBA41899823DD1D3B SHA-256: D358AECFF75CCBABE085D1ACD517A5C6E0F25B8E8B2ADBED4F8B0787CB3D443B SHA-512: 647FD02FD4374CAF19948E01EBAD060381D79DC049D34C00D2197131A40776CCAF6D98CB5E765E0B94D38201D5A707C5049FE9946795E676E6A652318153D173 Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\MDEsU09TXzY5OVdGSF8wMSxodHRwOi8vZ28uc3VwZXJhbnRpc3B5d2FyZS5jb20vP2xpbmtpZD0xMDE0NjY=.bmp Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24 Category: dropped Size (bytes): 149742 Entropy (8bit): 6.915217581535471 Encrypted: false SSDEEP: 3072:q/9SP8J8+mDVuAziGrCH+mdm5UflVULIXZVRQS0T0wQ0QAt3:L8cvya MD5: DDB54ABFE78DDD03D2A9E6672358A5C0 SHA1: 547A89261EDD40FB620A50AF7BE786C3A7696B15 SHA-256: 823941EC57F84D398A9B14490A31DE8ABE99465A30DD1D2050A48DD6033682EC SHA-512: E907673F381A5EE8BB39BEC2ED19C6A5B0621479A46DC11D7ED5F0CF74E673AE805FA638C7C30B554263D20BE1D1C0A6B2A067905EEA6585DB975CD5ED1C4CAD Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\MDEsU0FTX01QRkIyOTk1XzAxLGh0dHA6Ly9nby5zdXBlcmFudGlzcHl3YXJlLmNvbS8_bGlua2lkPTEwMTQ1MQ==.bmp Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24 Category: dropped Size (bytes): 149744 Entropy (8bit): 3.963495424736989 Encrypted: false SSDEEP: 1536:i6suZJSXa4r/2haGcQCsf6tB4VXua58J+Fl4:tsuCQCsf6tB4VXua58J+Fl4 MD5: 530B7C8831E10831888C858423E33B0B SHA1: E57361874D02E915E717779C19C355299BCA5878 SHA-256: 8AE63BFE0B70A42CA2E1C966E7987077232499C4CB41561685E3A836FD165C22 SHA-512: FFC255BCA8ECCA5821934C064B6046AB787A5459AF2C2DE07466FA17AFE22261EA6F251D85D899391BC5BED5A9D9891FDA7DFDF868E30AC68F1F85D0FDF64B8D Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\MDEsU0FTX01QRkJCVFM5OTVfMDEsaHR0cDovL2dvLnN1cGVyYW50aXNweXdhcmUuY29tLz9saW5raWQ9MTAxNDU3.bmp Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24 Category: dropped Size (bytes): 149742 Entropy (8bit): 5.689753306617032 Encrypted: false SSDEEP: 1536:QLlHSBF41YNPGAHII0pcLLnpXXhoyVelYZefLNdrScT8V/SZ4Ux7o:dBMEj0pcLLpXRYhjLx7o MD5: 79183BE21BFD252A26161FBE5D7B2864 SHA1: AB132F227B12C31E531ACD21016FE0A5637F4331 SHA-256: A63721F26AFEBA60609E92B345D4EEFAA9EFDEAF331F38C27A644E11BAAC0820 SHA-512: 145DDAC19E566CE06BE8E14F6CAE00E58CD6BC7856FB5DAEBA011F9B1AD5B036147189A76D7E2BE2CD485AD73A80719A1ABE0F231C8B046EA971E7A14416B6A0 Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\MDEsU0FTX01QRkJfQkc1OTVfMDEsaHR0cDovL2dvLnN1cGVyYW50aXNweXdhcmUuY29tLz9saW5raWQ9MTAxNDY0.bmp Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24 Category: dropped Size (bytes): 149742 Entropy (8bit): 3.6656801137081834 Encrypted: false SSDEEP: 768:HRy44gJ1SugdLrXIXaH2qurBtEh+oEaB5I/E2OjOmX2DudyVdWbkw:044gKLdWaHUrzE3EW20XWH0L MD5: 3A480CD3374875007079CCECD9739217 SHA1: E84B56F699F9F175011CCC67749C64B9C2ABA630 SHA-256: 5FF9D102CF6677909F9F628BF75CA48DD5A536D17768EAF232544A8F2FDE560D SHA-512: 415E768AA33F86B3F96BF82439985F1727BEC0F32F447BD47DAE20BD970D604EE33C723F8F18E4F2441FF6704DD55B5A4E9EBEF8D46172EADCFE670136A6EBE4 Malicious: false Preview: BM.H...... 6...(...g...Q...... H......

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\MDIsQkFfUEdfNTQwTUlERlJBVUQsaHR0cDovL2dvLnN1cGVyYW50aXNweXdhcmUuY29tLz9saW5raWQ9MTAxNDAy.bmp Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24 Category: dropped Size (bytes): 149742 Entropy (8bit): 3.7064622118880353 Encrypted: false SSDEEP: 384:hw3wdPZtUDHevDlU1L/Y0UtT/2pUewZRrfgpBWohAfDTKebuiRymdJ6NvCaLuL+x:hw3wdP3UD+vDK1L/6eiyoKebuiW MD5: 3727AD92DE0497F2C7F4211CF1C75158 SHA1: 627BD54E7C2CCBBE03569CA011906F3C009CF0DA SHA-256: 086105032C913D04BDF219AF3447EA5A9D2A73EF5A64CD86C51E2E7C37B85CDC SHA-512: 959D5E8C8BF7EBF16077811C2838086F9C4669A85BD101E9C198F531292F05FDF92881615DE5F8C6D23E0DE624F7B3FC1339FD776894B25B0DED334C5B29D6D7 Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\MDIsR1NfVEFLRUJBQ0tDT05UUk9MXzAxLGh0dHA6Ly9nby5zdXBlcmFudGlzcHl3YXJlLmNvbS8_bGlua2lkPTEwMTQxOA==.bmp Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24 Category: dropped Size (bytes): 149744 Entropy (8bit): 2.062993793004304 Encrypted: false SSDEEP: 768:y9X34nsaDaOb+l+U8iuLvU2jxsowPwsPwYBgNR0s2kFkONRQ9vNB1CIuykxuEFBU:UyEmu MD5: D5D34988AD0FA758FB1AB64205C7CAA0 SHA1: 1E31498820E94953820E1C2ECAC3F7FF813C4858 SHA-256: DFE2C1DA6C079DE06DC45DA4A12C8F51B5572A1ABD655B9B8F989349819C3868 SHA-512: D174558E9C82ED027005E500B8F20286E3717FE56F2462C05C3910F08536CD5940AAE80AF89B05D1C2BB86683E693E9F7B9763DC7C43D590EDFB5BC677E6478F Malicious: false Preview: BM.H...... 6...(...g...Q...... H......

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\MDIsR1NfVlBOXzAxLGh0dHA6Ly9nby5zdXBlcmFudGlzcHl3YXJlLmNvbS8_bGlua2lkPTEwMTQ0OQ==.bmp Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24 Category: dropped Size (bytes): 149742 Entropy (8bit): 4.779370444201179 Encrypted: false SSDEEP: 768:FAveW3oncK5ODe1WriwZRnrUGV/n1zXtRQHqYPFfV67TDH0del1tviOGxjIYEFME:Y2FXpLFIntxb9j95skaNQyrI MD5: FA38040B2FF0D7331BE0552F3556C183 SHA1: 48D73DA4EABA0D5E56C7B10391C05553F3708668 SHA-256: A3E6AEFA061114C70E2D00D091A469376FF4DD1F5AFFF03CAC1D0DA36D52524D SHA-512: 9142323C2AB9F6DCF9B9A2809AF7DC2275D6B0E981D09F10F054E986EB49DD00E0D7DA6977869928AE44749B7FC70644FEC4460BA23CF83F995A5B47E4F07672 Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\MDIsU0FTX01QRkIyRk9SMTE5OTVfMDEsaHR0cDovL2dvLnN1cGVyYW50aXNweXdhcmUuY29tLz9saW5raWQ9MTAxNDU4.bmp Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24 Category: dropped Size (bytes): 149742 Entropy (8bit): 5.7894806862643815 Encrypted: false SSDEEP: 1536:fDOH+HQn25rJEZaX6LpHyd59LgUapc1N9nks9rc5eWT8+FA/S5UgPW8:fDOLMrJEZK6LIv5Da8N9n65pFbO8 MD5: CAED279CBC1DF57E97FA3EED3106953C SHA1: 69E622B6FA58EB655802C3473E71D7E9F013B6E3 SHA-256: 73A9FAB16C6B5FACF81711B1BDBA1A0E94468865E9CBEC37A1C741E718F722C7 SHA-512: 9653FB7FF0618B97185AE772212CE98F71772D76948401988C30A1F748BB25526C937D32B478D33D829B540BE4B7AA474D88F58A1C3D2635DC1AF1899735ED42 Malicious: false Preview: BM.H...... 6...(...g...Q...... H...... H..M..O..N..N..N..N..P..Q..M..F..C..B..B..A..E..H..H..F..K..L..K..L..J..F..B..;y./i."P..

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\MDIsU0FTX01QRkJQUk9YMTk5NV8wMSxodHRwOi8vZ28uc3VwZXJhbnRpc3B5d2FyZS5jb20vP2xpbmtpZD0xMDE0NzE=.bmp Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24 Category: dropped Size (bytes): 149742 Entropy (8bit): 4.990684111972333 Encrypted: false SSDEEP: 1536:KHikemshky43WeWJhzkAZRDmhYqjk3W5SapceyGL7TjMidg6ZsestWFw2YvYHLfH:3Ashk+LZ415dp1L35dlsAFRj MD5: A0557D90D0D273C2DACE716FEA8BC041 SHA1: 4CFA0591AA6229A6FE9E618D84D7BDDB3204DE55 SHA-256: 72E96749EDD668E1D22E6AE996011B805EF2E0DC74B54DA4488E84726496D245 SHA-512: C84CFA137A97A92492CE1A61631803A4A47206E1BDD2F30138F094D8183A37AEE0ECCE96A384DD2ABD7E969EF2B579218F5E07FAD4CB5BACF66D4DAA8F1EAEF4 Malicious: false Preview: BM.H...... 6...(...g...Q...... H......

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\PrivacyGuard\MDEsQkFfUEdfTkFNMTczLGh0dHA6Ly9nby5zdXBlcmFudGlzcHl3YXJlLmNvbS8_bGlua2lkPTEwMTQwMw==.bmp Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24 Category: dropped Size (bytes): 149744 Entropy (8bit): 4.530638320031297 Encrypted: false SSDEEP: 768:kBD6KqBHfF/sHqyCMP4lV9mTlfcuoxuQcE/88f5lfJa3bzvnlbrX:kcKs/F/SqvMQrmg8Qcs88fnfs3bzF MD5: F94DA62AC35A9A8F5206B43937BC8DAB SHA1: EE87C477A33803FCFBFCADADBF1CBC03D424D772 SHA-256: 76A9ACD688335426680D2357F4A8B88FBC186054F151277D26C6082D8879C348 SHA-512: 15D8FEF649D0E5A05B00F274239B3E22D59E47F70E88558FBCADBD4C666E1311C0F43795444F64EF53CFE35CB1997296BA6552C21940270786A5BB1C3CF6664E Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\PrivacyGuard\MDIsQkFfUEdfUEdKQVZFTFlOMTUsaHR0cDovL2dvLnN1cGVyYW50aXNweXdhcmUuY29tLz9saW5raWQ9MTAxNDA0.bmp Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: PC bitmap, Windows 3.x format, 615 x 81 x 24 Category: dropped Size (bytes): 149744 Entropy (8bit): 3.534196687185292 Encrypted: false SSDEEP: 384:1zXHWFrDr8/nZ+OcneiqYj+4huzCgvqiioir2bwW9RI9OuUbj61ny4BjQNiFJgta:RHZyeojvudzBig4BjNAlG MD5: 7410DE6EAC83D79734E01FB4CC9FEDC7 SHA1: 92442CCCD215E53054547C9E436BC82EBCE78D28 SHA-256: 5F02C278F37677E8D70EE6E9C74F8638F7E3897FEDF47C38C4E4BDF4AC900597 SHA-512: 9B1165048221A2BD11C95BEDE2880C475FB632BF21BDB3B27E1ED9BA514263767DDE37EE2AD83115B8846071AA494FF2056D2636B5973C9B1D99A35BF4CE0BE7 Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\PrivacyGuard\Thumbs.db Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: Composite Document File V2 Document, Cannot read section info Category: dropped Size (bytes): 12288 Entropy (8bit): 6.940535996688863 Encrypted: false SSDEEP: 192:aAtQLHqJeTEVYoyDr/3hRxGqHBit1duWYwFZoOCY:RtlQTEY3lGIBM1gJ MD5: 854E0613DCF79B5CB86AE98270695D45 SHA1: 7DF06D8EF82604601E906D915BECAB9212C32AB2 SHA-256: 39A87FBE2C303DCC11D3D2B3474DA52C0D1512142BC2733394F4EB48F89C55DE SHA-512: 7C74D5206AB143C318153A7D35453A5AB2F0F353D5CEA417FB584A258A4B97DBF06EC4B2A47C9B77334F36E1D4B0DECC987FEE8323D84E151F07715379114778 Malicious: false Preview: ...... >......

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\CONTENT1\bannderads-backup\Thumbs.db Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: Composite Document File V2 Document, Cannot read section info Category: dropped Size (bytes): 64512 Entropy (8bit): 7.560536009272156 Encrypted: false SSDEEP: 1536:O498Dg+X7498wg+X8g+X7498fkEXYJt0ciolDZEolbLYCXol02olt+dg:7+Xx+Xj+Xs/tio5ZEo1YCXom2oz MD5: B8DE379D53853369CF0245A505AE14F5 SHA1: C3CA99AC0C151CB9DB4EFBACF79A639AEBF97C3B SHA-256: 28A0567C749AE9B22E30FF7A1F2AA4AFCB4AEFFB9BC287EF70110E29D323CB16 SHA-512: EA24355CF1D0FF116327622BAB2E97392BA15B372B74F57C8F93BBAA9951DCAAECCD803EEED2DF97DECCA9B784DDA0C36161D29D61ABC48D18E64712BCCC6124 Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\DEFINITIONS.SAS Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: data Category: dropped Size (bytes): 176423490 Entropy (8bit): 7.999998977633206 Encrypted: true SSDEEP: 3145728:mhoQFAGD/xoX62EmsAae9V4QZyxLEJJkm8YHA9mEKA+aQ+5cuLsmMP+Z3uxSy/:gAGTxNpmPj4QZyGJm2HA8R4WuwmxNo MD5: 5D3695144EACBC3ED7952CCB0C708FBD SHA1: 052A05D7197395393359B854D99D53AC91E239E1 SHA-256: 64423A98D91CAC31B7EE9EB3B556D2D8D5F58C812F14A75DFCEC736D59798CBB SHA-512: 4B57C06DBA0F9E0DD8DA0BDA5EE57D33DBEC4687567DC786A14FCB1FC1883D3ACC1750A6BD2E5CEFE55171B81E705031F749DE5302EC8E64FAFED9E11E325495 Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLIST.BIN Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: data Category: dropped Size (bytes): 125334536 Entropy (8bit): 6.226374258690694 Encrypted: false SSDEEP: 3145728:OwJM/MxvkPLjm7MpiaOlYI0VUuJTWePeFs/Jk2DWl+vv3LyuO8Ueo:OwJM/mMPLXCYI0yaZk+Wyv3LyuQeo MD5: 3E53693A5340558F7A734372C29AF89A SHA1: 669F70E1E5EDE7321FC25B7E2F5B235390456902 SHA-256: 488677E59D6754A8FD418A71F3B8033827CD509287D2C6EB15E848D811836E94 SHA-512: 5C763F2FE2F577F65ABD1472F3C5E2F33DB4E6C742EB00BD2F66B025AFE3D9CCCC7C9BB672C56E13A7BB2150D38B85DDDF0F7AEDA3FCB1B70FE4B8363CA319D5 Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLIST.BIN.WORKING (copy) Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: data Category: dropped Size (bytes): 125334536 Entropy (8bit): 6.226374258690694 Encrypted: false SSDEEP: 3145728:OwJM/MxvkPLjm7MpiaOlYI0VUuJTWePeFs/Jk2DWl+vv3LyuO8Ueo:OwJM/mMPLXCYI0yaZk+Wyv3LyuQeo MD5: 3E53693A5340558F7A734372C29AF89A SHA1: 669F70E1E5EDE7321FC25B7E2F5B235390456902 SHA-256: 488677E59D6754A8FD418A71F3B8033827CD509287D2C6EB15E848D811836E94 SHA-512: 5C763F2FE2F577F65ABD1472F3C5E2F33DB4E6C742EB00BD2F66B025AFE3D9CCCC7C9BB672C56E13A7BB2150D38B85DDDF0F7AEDA3FCB1B70FE4B8363CA319D5 Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLISTRELATED.DB Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: data Category: dropped Size (bytes): 1469762 Entropy (8bit): 5.463527091895871 Encrypted: false SSDEEP: MD5: EC364534DEB8ED06B891D4D1D1D66667 SHA1: 750CFDF65723CC7959E56E418EFC8E2C8779CF7B SHA-256: 4E481BD9AE8516D0C6DE6C073F65010933F304030EE1CB1E221566E26B35121C SHA-512: 3341440D55FDA78526053BDC0E0C219CCE3B21CF2A0E122CA2F57814F0B2BC30B5967CD01B4C1D82273F1E145B8CAB07202D714FCB5196B62EB9906390EE17EC Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\SAS_ALLUSER.DB3 Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: SQLite 3.x database, last written using SQLite version 3008011 Category: dropped Size (bytes): 16384 Entropy (8bit): 4.119916968604765 Encrypted: false SSDEEP: MD5: 8774B426775F1F04FC7B85F5FA44228F SHA1: D202A42EF018623A5B20C037A5422193826670BF SHA-256: B638F808C3E0CDE7F0DA41E2215773D69925CF89764D6E178C5C92072F3F503B SHA-512: A025FC4A985B7F5FF26A46AD4A2D66270C96669F1B04FBA5CB4BEB172A8EE5B21362B7DE7B0A7A89D57D886EDE044E8E8E8A3BC59E536A962825C9B51357B79C Malicious: false Preview: SQLite format 3...... @ ...... -...... t..t...... etableSETTINGSSETTINGS.CREATE TABLE SETTINGS ( id INTEGER, name TEXT COLLATE NOCASE, type INTEGER, data BLO

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\SAS_ALLUSER.DB3-journal Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: data Category: dropped Size (bytes): 15004 Entropy (8bit): 3.4495090190639544 Encrypted: false SSDEEP: MD5: 52C13CAFF6F6405A6B7377837A97E208 SHA1: 47FA5BF7A3925BEEF48D62BB2FA46498E3F1CA7D SHA-256: 4DA6B39C57723C1E281DA59E90D14E7B35052A10C4E11978002B1F57D1A02854 SHA-512: 532B482E24741C56E5EED7B05FFBB3D5277096EB5778405C0317C5CA688208939364DDACA97EB7349CB82ED30A020CF12E578624F88178719E36DC5548C7564D Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.DB3 Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: SQLite 3.x database, last written using SQLite version 3008011 Category: dropped Size (bytes): 731136 Entropy (8bit): 6.058465797808593 Encrypted: false SSDEEP: MD5: 68741D6CC242379A0F3752BB396500C2 SHA1: E29F563BED595921238E2AC958B8AAF2A22C0EE6 SHA-256: 5CB5349B9AF550C908D91B17D97229AD8FA3FAE3DE3A47F403CF80010F728E95 SHA-512: EE633ECE87C682887FD5BF87C6B9A629054EFC224EE79828F416EA7A77199ED3EDD3BCE0AC7C8C2CB81935DE7E03B553224241BCDE2F0025047EDC0A2CD32BF2 Malicious: false Preview: SQLite format 3...... @ ...... `...... -...... 2...55...tablesas_folders_includedsas_folders_included.CREATE TABLE [sas_folders_included] (.. [id] INTEGER P....P...++.Ytablesqlite_sequencesqlite_sequence.CREATE TABLE sqlite_sequence(name,seq).{...11..!tablesas_fileextensionssas_fileextensions.CREATE TABLE [sas_fileextensions] (.. [id] integer PRIMARY KEY AUTOINCREMENT, .. [folder] TEXT, .. [applytosubfolders] TEXT, .. [extension] TEXT, .. [forcescan_extension] TEXT, .. [scan_minsize] INTEGER DEFAULT 0, .. [scan_maxsize] INTEGER DEFAULT 0, .. [forcescan_mz] TEXT, .. [forcescan_mz_minsize] INTEGER DEFAULT 0, .. [forcescan_mz_maxsize] INTEGER DEFAULT 0, .. [days_created] TEXT, .. [days_lastaccessed] TEXT, .. [days_lastwritten] TEXT).2...55...tablesas_folders_excludedsas_folders_excluded.CREATE TABLE [sas_folders_excluded] (.. [id] INTEGER PRIMARY KEY, .. [folder] TEXT, .. [scantype]

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\av_engine_defs.dat Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: data Category: dropped Size (bytes): 98201133 Entropy (8bit): 7.9999982120750905 Encrypted: true SSDEEP: MD5: 0BDFD4565DC4CCF237EE24C696F65394 SHA1: 942577F83FB7E6048F5555F1009C92BFE5360BF0 SHA-256: 8348E53C50417D2C4EEE02AA074543665836571F8C03C7AE27AF22462605D7A7 SHA-512: 0A2826FB1498CAFB8050A6EA2A003FC4FC35EF48E8B9DF3FD46F2C905684C8154C08C9C538C2F3DA0CB15C45ADCC5BD134B73BBD5DB135C582D0AD59D08E9B2E Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\av_engine_files.dat Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: data Category: dropped Size (bytes): 16569585 Entropy (8bit): 7.999988403151338 Encrypted: true SSDEEP: MD5: 4381F68D3E78E68E2F7C3FE7508483E2 SHA1: 658177BC2395697232C14027C5145FE7541107A5 SHA-256: 03A24BE7CDEC3206C7C7830834EA6CF363C05516B09AF89E3782061214C8B9FF SHA-512: 91C4EFC945BC20A0C2613E1D0B4D21BCC701022BE68B9EBD9E6A10340E8B58966F850E0E1A8DC333FD007BEC855A6FE8528BC075676249936123F968FB62EDA0 Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\sas-data.tmp Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: SAS Category: dropped Size (bytes): 3 Entropy (8bit): 0.9182958340544896 Encrypted: false SSDEEP: MD5: 2DB46C628CFB3BD1545D3B5A14B4A9C5 SHA1: 9ECED0E5812515E6CC9DBF964A43634D1B12700F SHA-256: A9D35AE9C3C32B5E42DDAEFC88D026BF2ECF55EC56396FF0BDC6CE37F3886A18 SHA-512: 11FA550C4B3ADDA3F3A64FF754F5311BBF47F8EFEB87345AE5E892D966F65245B13698776BE8CFA47AE5BDAF5E3A87D1A1AF7B34301EB71D7021D2D907606C62 Malicious: false Preview: SAS

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\sc_res_2.db3 Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: SQLite 3.x database, last written using SQLite version 3008011 Category: dropped Size (bytes): 109568 Entropy (8bit): 2.5139803263347154 Encrypted: false SSDEEP: MD5: 283173E5F8B9DBEA487D9F4288AB7D67 SHA1: 7BE115D3ACEF9FF3C6E58D82337941DB40EBEA8F SHA-256: EE6FCE5787E2A5E5D8361E8F1E1D95B4EE25C5658B50E46E89FA689668217782 SHA-512: A18B0E0A23350B8288C594D002638144EC6D76D523A5F7BA52B1F54B7D299FD56D2B5475AEEACAC173CA2E6D924A2AE140DA4E2386772616B51681E018F5A277 Malicious: false Preview: SQLite format 3...... @ ...... -...... >...... P...++.Ytablesqlite_sequencesqlite_sequence.CREATE TABLE sqlite_sequence(name,seq)...... gtableSETTINGSSETTINGS.CREATE TABLE SETTINGS ( [ID] INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, [TYPE] TEXT UNIQUE, [DATA] INTEGER )/...C...indexsqlite_autoindex

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\sc_res_2.db3-journal Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: data Category: dropped Size (bytes): 118380 Entropy (8bit): 2.353201424292057 Encrypted: false SSDEEP: MD5: 22198E75FA2596E1FDBF7953A720FFE0 SHA1: 1D9FE2A81EA72E833F0760B8142DCB249F6211D4 SHA-256: 6BA3CB20A5D65A334A6C21A95E76ED5396B23D2B23DF9A7DECCD3B817440D14E SHA-512: 70B039F05C8FB9D7B6BC2204B78534EC2B36D09E0140C3AA1990D57A8B085FC7EDAC402E7E6C7A181612E92D179E1A8385D2F607DD3E744C3F0FCE5B6ED57BEE Malicious: false

C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\updatehistory.html Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: HTML document, ASCII text, with very long lines, with CRLF line terminators Category: dropped Size (bytes): 1010 Entropy (8bit): 5.2904159676205 Encrypted: false SSDEEP: MD5: BADB0B7AF0CD612465DB2EC7D90934C1 SHA1: 9E8EA16E5782305868B8D1D73153B65B48348A0D SHA-256: B163B64946D5CB744B5E36E9E61D9F0301C0DA0727B67DC6849256E930A5B220 SHA-512: 75D35FDD96171D3F954FA4965631C8A8371772C74C196F9912AF959404E62EAECB2E20AECFC1BF60BF1898081A8D56BB6D169E17E421848230D44A5DDEB38C85 Malicious: false Preview: SUPERAntiSpyware - Database Definition Information ... SUPERAntiSpyware Pro $9.95

C:\Users\user\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SAS_CURRENTUSER.DB3 Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: SQLite 3.x database, last written using SQLite version 3008011 Category: dropped Size (bytes): 22528 Entropy (8bit): 4.3618442067560075 Encrypted: false SSDEEP: MD5: 26FB7E473770C8C144D98A8D9A4DC1E9 SHA1: 035CC9655857F79A674B63852B233B41C7C84DDB SHA-256: DA01DF12D5A3B7E101779CE67D317817BD88C3A24C1859D1449DD13AFCB72413 SHA-512: D279D774C924B5C2BB1A4E760B77F58FCE432F4EAA0CA2A4B3D969F543B9EC4206C5599FDDFFEFD6981E3FEB1D2365A850A31BEC915B343827057F01EB023958 Malicious: false Preview: SQLite format 3...... @ ...... -...... t..t...... etableSETTINGSSETTINGS.CREATE TABLE SETTINGS ( id INTEGER, name TEXT COLLATE NOCASE, type INTEGER, data BLO

C:\Users\user\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SAS_CURRENTUSER.DB3-journal Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: data Category: dropped Size (bytes): 19656 Entropy (8bit): 3.838426023420597 Encrypted: false SSDEEP: MD5: F0914D82236FE05DD5877513F5DFADF7 SHA1: 2ED0A457AD2CDD7796BE4230ED7B6B939D755877 SHA-256: 82CF99249BE5CD0AE4706DBE900B5B26BF88E628630C326781929E5EA15759E7 SHA-512: 3B6E3B0A64653616A5C128077A9ACE5757C27CBD6E9CEDCE73749D368DABE8CEB66185E5ECBAC3818B484F8106D6183A99B10FE2244A601DF07A31375E88B1CB Malicious: false

C:\Users\user\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\sas-data.tmp Process: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE File Type: SAS Category: dropped Size (bytes): 3 Entropy (8bit): 0.9182958340544896 Encrypted: false SSDEEP: MD5: 2DB46C628CFB3BD1545D3B5A14B4A9C5 SHA1: 9ECED0E5812515E6CC9DBF964A43634D1B12700F SHA-256: A9D35AE9C3C32B5E42DDAEFC88D026BF2ECF55EC56396FF0BDC6CE37F3886A18 SHA-512: 11FA550C4B3ADDA3F3A64FF754F5311BBF47F8EFEB87345AE5E892D966F65245B13698776BE8CFA47AE5BDAF5E3A87D1A1AF7B34301EB71D7021D2D907606C62 Malicious: false Preview: SAS

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Process: C:\Windows\System32\svchost.exe File Type: ASCII text, with no line terminators Category: dropped Size (bytes): 55 Entropy (8bit): 4.306461250274409 Encrypted: false SSDEEP: MD5: DCA83F08D448911A14C22EBCACC5AD57 SHA1: 91270525521B7FE0D986DB19747F47D34B6318AD SHA-256: 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9 SHA-512: 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA Malicious: false Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Process: C:\Program Files\Windows Defender\MpCmdRun.exe File Type: data Category: modified Size (bytes): 906 Entropy (8bit): 3.1631698130151316 Encrypted: false SSDEEP: MD5: BFC8C2EE364C4438641B8D71EF33D12A SHA1: 841444E8741B03A14C5B1B75C4C0726B27014A90 SHA-256: 60615501B5A9A23F7F20FD386AD15C1C851A229439DDD0FF947EFD8247473229 SHA-512: FDFA281866B442D9E283EC93D0988B1F23EF53737F30724F297BE6928F8389330946941286C4BD958A6A44A6196BC07063676211EB0C6D0ECBED07BE77DA3A14 Malicious: false Preview: MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable Start Time: Thu Aug 05 2021 14:55:48 MpEnsureProcessMitigationPolicy: hr = 0x1 WDEnable ERROR: MpWDEnable(TRUE) failed (800704EC) MpCmdRun: End Time: Thu Aug 05 2021 14:55:49

Static File Info

General File type: PE32+ executable (GUI) x86-64, for MS Windows Entropy (8bit): 5.381331246678471 TrID: Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00% File name: SUPERANTISPYWARE.EXE File size: 11223920 MD5: a231ad526710623af198f0328e648016 SHA1: eae2fd396a44e66f39445e7992a014927c7ddde4 SHA256: 34fbe5823ecb07d5f6d95d50643152106da96308c27d341dd82741020d61ff2d SHA512: e60e987529bcaa54e8bcb87c28fcbb2d047b1e2ee0ed972e922381f6bcb6c933f9bedcf97b5e5d0b65485206051237d41fd5991089c9eb1e65896e198b53c87a SSDEEP: 49152:94sJvISgTN7ZWgNiOVt6CNsWr2p8dPh3LAz5m3a2gJgwGq64x5RxNBmn2qGR+kJE:sxYRWr/PLrQgwlJSn2/R+kJi3

File Icon

Icon Hash: e09c32626a9cf870

Static PE Info

General Entrypoint: 0x14024b4c8 Entrypoint Section: .text Digitally signed: true Imagebase: 0x140000000 Subsystem: windows gui Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, RELOCS_STRIPPED DLL Characteristics: TERMINAL_SERVER_AWARE Time Stamp: 0x60DA2AC5 [Mon Jun 28 20:02:13 2021 UTC] TLS Callbacks: CLR (.Net) Version: OS Version Major: 5 OS Version Minor: 2 File Version Major: 5 File Version Minor: 2 Subsystem Version Major: 5 Subsystem Version Minor: 2 Import Hash: 3fb2633fe75b746c96e4cd433c9c526c

Authenticode Signature

Signature Valid: true Signature Issuer: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US Signature Validation Error: The operation completed successfully Error Number: 0 Not Before, Not After 11/21/2019 4:00:00 PM 11/21/2021 3:59:59 PM Subject Chain CN=Support.com Inc, OU=superantispyware, O=Support.com Inc, L=Sunnyvale, S=California, C=US Version: 3 Thumbprint MD5: F0C997D6FB66E542BFAA5AC8FB02DDEE Thumbprint SHA-1: D3C8D1E4DE6AA3E1E656B110A16BF3CD9AED292F Thumbprint SHA-256: 80E5276140DF5F039A132178F06006C035472045D0460639F1F2289B34111AAF Serial: 71CC0B38FAA83AC074D8EE163C351FBC

Entrypoint Preview

Rich Headers

Data Directories

Sections

Name     Virtual Address   Virtual Size   Raw Size   Xored PE   ZLIB Complexity   File Type   Entropy         Characteristics
.text    0x1000            0x2835a4       0x283600   unknown    unknown           unknown     unknown         IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata   0x285000          0xa8216        0xa8400    False      0.325768480684    data        5.0487911606    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data    0x32e000          0x4acc4        0xec00     False      0.208653336864    data        4.30244216674   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata   0x379000          0x232b0        0x23400    False      0.435290613918    data        6.11109922467   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc    0x39d000          0x754b34       0x754c00   unknown    unknown           unknown     unknown         IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Imports

Version Infos

Possible Origin

Language of compilation system: English
Country where language is spoken: United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior


System Behavior

Analysis Process: SUPERANTISPYWARE.EXE PID: 5720 Parent PID: 5776

General

Start time: 14:54:08 Start date: 05/08/2021 Path: C:\Users\user\Desktop\SUPERANTISPYWARE.EXE Wow64 process (32bit): false Commandline: 'C:\Users\user\Desktop\SUPERANTISPYWARE.EXE' Imagebase: 0x140000000 File size: 11223920 bytes MD5 hash: A231AD526710623AF198F0328E648016 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: low

File Activities

File Created

File Deleted

File Written

File Read

Registry Activities

Key Created

Key Value Created

Analysis Process: svchost.exe PID: 6008 Parent PID: 568

General

Start time: 14:54:33 Start date: 05/08/2021 Path: C:\Windows\System32\svchost.exe Wow64 process (32bit): false Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS Imagebase: 0x7ff7488e0000 File size: 51288 bytes MD5 hash: 32569E403279B3FD2EDB7EBD036273FA Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

File Activities

Registry Activities

Analysis Process: svchost.exe PID: 4972 Parent PID: 568

General

Start time: 14:54:44 Start date: 05/08/2021 Path: C:\Windows\System32\svchost.exe Wow64 process (32bit): false Commandline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc Imagebase: 0x7ff7488e0000 File size: 51288 bytes MD5 hash: 32569E403279B3FD2EDB7EBD036273FA Has elevated privileges: true Has administrator privileges: false Programmed in: C, C++ or other language Reputation: high

File Activities

Analysis Process: svchost.exe PID: 4316 Parent PID: 568

General

Start time: 14:54:45 Start date: 05/08/2021 Path: C:\Windows\System32\svchost.exe Wow64 process (32bit): false Commandline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc Imagebase: 0x7ff7488e0000 File size: 51288 bytes MD5 hash: 32569E403279B3FD2EDB7EBD036273FA Has elevated privileges: true Has administrator privileges: false Programmed in: C, C++ or other language Reputation: high

Registry Activities

Analysis Process: svchost.exe PID: 460 Parent PID: 568

General

Start time: 14:54:46 Start date: 05/08/2021 Path: C:\Windows\System32\svchost.exe Wow64 process (32bit): false Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p Imagebase: 0x7ff7488e0000 File size: 51288 bytes MD5 hash: 32569E403279B3FD2EDB7EBD036273FA Has elevated privileges: true Has administrator privileges: false Programmed in: C, C++ or other language Reputation: high

Analysis Process: SgrmBroker.exe PID: 5400 Parent PID: 568

General

Start time: 14:54:47 Start date: 05/08/2021 Path: C:\Windows\System32\SgrmBroker.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\SgrmBroker.exe Imagebase: 0x7ff7e9dd0000 File size: 163336 bytes MD5 hash: D3170A3F3A9626597EEE1888686E3EA6 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

Analysis Process: svchost.exe PID: 5908 Parent PID: 568

General

Start time: 14:54:47 Start date: 05/08/2021 Path: C:\Windows\System32\svchost.exe Wow64 process (32bit): false Commandline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc Imagebase: 0x7ff7488e0000 File size: 51288 bytes MD5 hash: 32569E403279B3FD2EDB7EBD036273FA Has elevated privileges: true Has administrator privileges: false Programmed in: C, C++ or other language Reputation: high

Registry Activities

Analysis Process: svchost.exe PID: 5184 Parent PID: 568

General

Start time: 14:55:44 Start date: 05/08/2021 Path: C:\Windows\System32\svchost.exe Wow64 process (32bit): false Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p Imagebase: 0x7ff7488e0000 File size: 51288 bytes MD5 hash: 32569E403279B3FD2EDB7EBD036273FA Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

File Activities

Analysis Process: MpCmdRun.exe PID: 4808 Parent PID: 5908

General

Start time: 14:55:48 Start date: 05/08/2021 Path: C:\Program Files\Windows Defender\MpCmdRun.exe Wow64 process (32bit): false Commandline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable Imagebase: 0x7ff73d4c0000 File size: 455656 bytes MD5 hash: A267555174BFA53844371226F482B86B Has elevated privileges: true Has administrator privileges: false Programmed in: C, C++ or other language Reputation: high

File Activities

File Written

Analysis Process: conhost.exe PID: 3528 Parent PID: 4808

General

Start time: 14:55:48 Start date: 05/08/2021 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff6b2800000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: false Programmed in: C, C++ or other language Reputation: high

Analysis Process: svchost.exe PID: 3868 Parent PID: 568

General

Start time: 14:56:08 Start date: 05/08/2021 Path: C:\Windows\System32\svchost.exe Wow64 process (32bit): false Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p Imagebase: 0x7ff7488e0000 File size: 51288 bytes MD5 hash: 32569E403279B3FD2EDB7EBD036273FA Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

File Activities

Analysis Process: svchost.exe PID: 3528 Parent PID: 568

General

Start time: 14:56:42 Start date: 05/08/2021 Path: C:\Windows\System32\svchost.exe Wow64 process (32bit): false Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p Imagebase: 0x7ff7488e0000 File size: 51288 bytes MD5 hash: 32569E403279B3FD2EDB7EBD036273FA Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

File Activities

Analysis Process: svchost.exe PID: 5508 Parent PID: 568

General

Start time: 14:56:54 Start date: 05/08/2021 Path: C:\Windows\System32\svchost.exe Wow64 process (32bit): false Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p Imagebase: 0x7ff7488e0000 File size: 51288 bytes MD5 hash: 32569E403279B3FD2EDB7EBD036273FA Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

File Activities

Analysis Process: svchost.exe PID: 2484 Parent PID: 568

General

Start time: 14:57:02 Start date: 05/08/2021 Path: C:\Windows\System32\svchost.exe Wow64 process (32bit): false Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p Imagebase: 0x7ff7488e0000 File size: 51288 bytes MD5 hash: 32569E403279B3FD2EDB7EBD036273FA Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language

File Activities

Disassembly

Code Analysis

Copyright Joe Security LLC Joe Sandbox Cloud Basic 33.0.0 White Diamond
