e7dd3449cb2fd81c06e0f5c19e20b280c80fc4533356f3bf67fdfcb6ce238056

Analysis

max time kernel
99s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
12-03-2023 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SpyHunter-5.13-121-18928-Installer.exe
Size

6.6MB
MD5

3ce9158024e74733de9ab2232fb73dcb
SHA1

5fc8ed33206ab5b93f736114ba99bf47f81bfef6
SHA256

e7dd3449cb2fd81c06e0f5c19e20b280c80fc4533356f3bf67fdfcb6ce238056
SHA512

ac2e9d45a992513d8f4efee73f5a7166071b837302fc91888122d6a211b0437de75776d509b308809751b7c9fad69ebca5f8c6835d66b6fcb467f4cd434f06bb
SSDEEP

98304:qzCgxMDk3jEO+F7qxBO7j/11ajr5pJ+9PbES9qCJV03oJT2wIZx3oIODbhHMxvTk:qHMOjEO++CqFpJ+9PbxXV0YJzD9HMxvY

Score

8^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Drops file in Drivers directory 1 IoCs

Processes:

ShKernel.exe

description ioc process

File created C:\Windows\system32\Drivers\EnigmaFileMonDriver.sys ShKernel.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\EnigmaFileMonDriver.sys	ShKernel.exe

Patched UPX-packed file 2 IoCs

Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

Processes:

resource	yara_rule
C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	patched_upx
C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	patched_upx

Executes dropped EXE 3 IoCs

Processes:

ShKernel.exeShMonitor.exeSpyHunter5.exe

pid process

3828 ShKernel.exe
2368 ShMonitor.exe
1752 SpyHunter5.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

316 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3828	ShKernel.exe
2368	ShMonitor.exe
1752	SpyHunter5.exe

pid	process
316	regsvr32.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32\ = "C:\\Program Files\\EnigmaSoft\\SpyHunter\\ShShellExt.dll"	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

ShKernel.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ShKernel.exe
Drops file in System32 directory 1 IoCs

Processes:

ShKernel.exe

description ioc process

File opened for modification C:\Windows\system32\sh5native.exe ShKernel.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ShKernel.exe

description	ioc	process
File opened for modification	C:\Windows\system32\sh5native.exe	ShKernel.exe

Drops file in Program Files directory 62 IoCs

Processes:

SpyHunter-5.13-121-18928-Installer.exeShMonitor.exeShKernel.exeSpyHunter5.exesetup.exe

description	ioc	process
File created	C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Finnish.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Italian.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Defs\Rh\full.dat	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Logs\ShMonitor.log	ShMonitor.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Temp\2023030905_inc.json.ecf	ShKernel.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Native.exe	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Simplified).lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Dutch.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\German.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Hungarian.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Korean.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Polish.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Defs\full.def	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Temp\2023030403_inc.json.ecf	ShKernel.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Temp\2023030804_inc.json.ecf	ShKernel.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\English.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Japanese.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Ukrainian.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Temp\2023030103_inc.json.ecf	ShKernel.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Temp\2023030203_inc.json.ecf	ShKernel.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Bulgarian.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Turkish.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\data\acpwl.dat	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Temp\2023022803_inc.json.ecf	ShKernel.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Temp\2023030603_inc.json.ecf	ShKernel.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\purl.dat	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Albanian.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Czech.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Romanian.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\data\acpdata.dat	SpyHunter-5.13-121-18928-Installer.exe
File opened for modification	C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal	ShKernel.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Norwegian.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Swedish.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Temp\2023031003_inc.json.ecf	ShKernel.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\license.txt	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Croatian.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Lithuanian.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Portuguese (Brazil).lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Logs\20230312_175618.krn.log	ShKernel.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Temp\2023030304_inc.json.ecf	ShKernel.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Spanish.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Logs\20230312_175631.sh5.log	SpyHunter5.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Temp\2023030502_inc.json.ecf	ShKernel.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Serbian.lng	SpyHunter-5.13-121-18928-Installer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230312175646.pma	setup.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Indonesian.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Slovene.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Temp\2023022703_inc.json.ecf	ShKernel.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\5ebeeaff-cefe-4b10-8b63-602a82936fcc.tmp	setup.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Russian.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Temp\2023030704_inc.json.ecf	ShKernel.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Portuguese (Portugal).lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Data\CrCache.dat	ShKernel.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Traditional).lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Danish.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\French.lng	SpyHunter-5.13-121-18928-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Greek.lng	SpyHunter-5.13-121-18928-Installer.exe
File opened for modification	C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat	ShKernel.exe

Drops file in Windows directory 1 IoCs

Processes:

SpyHunter-5.13-121-18928-Installer.exe

description ioc process

File created C:\Windows\Tasks\EsgInstallerTask81.job SpyHunter-5.13-121-18928-Installer.exe
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4212 sc.exe
668 sc.exe
4820 sc.exe
1812 sc.exe
952 sc.exe
1324 sc.exe
1912 sc.exe
4600 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\EsgInstallerTask81.job	SpyHunter-5.13-121-18928-Installer.exe

pid	process
4212	sc.exe
668	sc.exe
4820	sc.exe
1812	sc.exe
952	sc.exe
1324	sc.exe
1912	sc.exe
4600	sc.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SpyHunter5.exeShKernel.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SpyHunter5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	SpyHunter5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ShKernel.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ShKernel.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ShKernel.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ShKernel.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SpyHunter5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SpyHunter5.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 50 IoCs

Processes:

ShKernel.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ShKernel.exe

Modifies registry class 19 IoCs

Processes:

regsvr32.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\ = "SH ShellExt Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\HELPDIR\ = "C:\\Program Files\\EnigmaSoft\\SpyHunter"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\ = "SH5 Shell Extension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\ = "SHContextMenuExt Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32\ = "C:\\Program Files\\EnigmaSoft\\SpyHunter\\ShShellExt.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\0\win64\ = "C:\\Program Files\\EnigmaSoft\\SpyHunter\\ShShellExt.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\0\win64	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

SpyHunter-5.13-121-18928-Installer.exemsedge.exemsedge.exeidentity_helper.exeShKernel.exe

pid	process
1336	SpyHunter-5.13-121-18928-Installer.exe
1336	SpyHunter-5.13-121-18928-Installer.exe
1336	SpyHunter-5.13-121-18928-Installer.exe
1336	SpyHunter-5.13-121-18928-Installer.exe
1336	SpyHunter-5.13-121-18928-Installer.exe
1336	SpyHunter-5.13-121-18928-Installer.exe
1336	SpyHunter-5.13-121-18928-Installer.exe
1336	SpyHunter-5.13-121-18928-Installer.exe
1336	SpyHunter-5.13-121-18928-Installer.exe
1336	SpyHunter-5.13-121-18928-Installer.exe
2348	msedge.exe
2348	msedge.exe
1624	msedge.exe
1624	msedge.exe
1968	identity_helper.exe
1968	identity_helper.exe
3828	ShKernel.exe
3828	ShKernel.exe
3828	ShKernel.exe
3828	ShKernel.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

ShKernel.exe

pid process

3828 ShKernel.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

1624 msedge.exe
1624 msedge.exe

pid	process
3828	ShKernel.exe

pid	process
1624	msedge.exe
1624	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

SpyHunter-5.13-121-18928-Installer.exeShKernel.exe

description	pid	process
Token: SeShutdownPrivilege	1336	SpyHunter-5.13-121-18928-Installer.exe
Token: SeBackupPrivilege	1336	SpyHunter-5.13-121-18928-Installer.exe
Token: SeRestorePrivilege	1336	SpyHunter-5.13-121-18928-Installer.exe
Token: SeDebugPrivilege	1336	SpyHunter-5.13-121-18928-Installer.exe
Token: SeTakeOwnershipPrivilege	1336	SpyHunter-5.13-121-18928-Installer.exe
Token: SeBackupPrivilege	3828	ShKernel.exe
Token: SeRestorePrivilege	3828	ShKernel.exe
Token: SeSecurityPrivilege	3828	ShKernel.exe
Token: SeTakeOwnershipPrivilege	3828	ShKernel.exe
Token: SeLoadDriverPrivilege	3828	ShKernel.exe
Token: SeBackupPrivilege	3828	ShKernel.exe
Token: SeBackupPrivilege	3828	ShKernel.exe
Token: SeSecurityPrivilege	3828	ShKernel.exe
Token: SeSecurityPrivilege	3828	ShKernel.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

SpyHunter5.exemsedge.exe

pid process

1752 SpyHunter5.exe
1752 SpyHunter5.exe
1624 msedge.exe
1624 msedge.exe
1624 msedge.exe
1624 msedge.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

SpyHunter5.exe

pid process

1752 SpyHunter5.exe
1752 SpyHunter5.exe

pid	process
1752	SpyHunter5.exe
1752	SpyHunter5.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe

pid	process
1752	SpyHunter5.exe
1752	SpyHunter5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SpyHunter-5.13-121-18928-Installer.exemsedge.exeShKernel.exe

description	pid	process	target process
PID 1336 wrote to memory of 4600	1336	SpyHunter-5.13-121-18928-Installer.exe	sc.exe
PID 1336 wrote to memory of 4600	1336	SpyHunter-5.13-121-18928-Installer.exe	sc.exe
PID 1336 wrote to memory of 4212	1336	SpyHunter-5.13-121-18928-Installer.exe	sc.exe
PID 1336 wrote to memory of 4212	1336	SpyHunter-5.13-121-18928-Installer.exe	sc.exe
PID 1336 wrote to memory of 668	1336	SpyHunter-5.13-121-18928-Installer.exe	sc.exe
PID 1336 wrote to memory of 668	1336	SpyHunter-5.13-121-18928-Installer.exe	sc.exe
PID 1336 wrote to memory of 4820	1336	SpyHunter-5.13-121-18928-Installer.exe	sc.exe
PID 1336 wrote to memory of 4820	1336	SpyHunter-5.13-121-18928-Installer.exe	sc.exe
PID 1336 wrote to memory of 1624	1336	SpyHunter-5.13-121-18928-Installer.exe	msedge.exe
PID 1336 wrote to memory of 1624	1336	SpyHunter-5.13-121-18928-Installer.exe	msedge.exe
PID 1336 wrote to memory of 1812	1336	SpyHunter-5.13-121-18928-Installer.exe	sc.exe
PID 1336 wrote to memory of 1812	1336	SpyHunter-5.13-121-18928-Installer.exe	sc.exe
PID 1336 wrote to memory of 952	1336	SpyHunter-5.13-121-18928-Installer.exe	sc.exe
PID 1336 wrote to memory of 952	1336	SpyHunter-5.13-121-18928-Installer.exe	sc.exe
PID 1336 wrote to memory of 316	1336	SpyHunter-5.13-121-18928-Installer.exe	regsvr32.exe
PID 1336 wrote to memory of 316	1336	SpyHunter-5.13-121-18928-Installer.exe	regsvr32.exe
PID 1624 wrote to memory of 5096	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5096	1624	msedge.exe	msedge.exe
PID 1336 wrote to memory of 1324	1336	SpyHunter-5.13-121-18928-Installer.exe	sc.exe
PID 1336 wrote to memory of 1324	1336	SpyHunter-5.13-121-18928-Installer.exe	sc.exe
PID 1336 wrote to memory of 1912	1336	SpyHunter-5.13-121-18928-Installer.exe	sc.exe
PID 1336 wrote to memory of 1912	1336	SpyHunter-5.13-121-18928-Installer.exe	sc.exe
PID 3828 wrote to memory of 1752	3828	ShKernel.exe	SpyHunter5.exe
PID 3828 wrote to memory of 1752	3828	ShKernel.exe	SpyHunter5.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 5024	1624	msedge.exe	msedge.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

ShKernel.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ShKernel.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ShKernel.exe

C:\Users\Admin\AppData\Local\Temp\SpyHunter-5.13-121-18928-Installer.exe
"C:\Users\Admin\AppData\Local\Temp\SpyHunter-5.13-121-18928-Installer.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe create EsgShKernel start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe\"" DisplayName= "SpyHunter 5 Kernel"
2⤵
- Launches sc.exe
PID:4600

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe description EsgShKernel "SpyHunter 5 Kernel"
2⤵
- Launches sc.exe
PID:4212

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe create ShMonitor start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe\"" DisplayName= "SpyHunter 5 Kernel Monitor"
2⤵
- Launches sc.exe
PID:668

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe description ShMonitor "SpyHunter 5 Kernel Monitor"
2⤵
- Launches sc.exe
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.enigmasoftware.com/congratulations-spyhunter-installed/?hwx=bcf1cf79d510feeeb2d1891f4f7a128e&lang=ES&sid=gg%2Dsh%2Des
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9797b46f8,0x7ff9797b4708,0x7ff9797b4718
3⤵
PID:5096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,14394008793368190275,9185274125286470634,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,14394008793368190275,9185274125286470634,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
3⤵
PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,14394008793368190275,9185274125286470634,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
3⤵
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14394008793368190275,9185274125286470634,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
3⤵
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14394008793368190275,9185274125286470634,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
3⤵
PID:4952

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14394008793368190275,9185274125286470634,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
3⤵
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff743e35460,0x7ff743e35470,0x7ff743e35480
4⤵
PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14394008793368190275,9185274125286470634,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1968

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe config ShMonitor start= auto
2⤵
- Launches sc.exe
PID:1812

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe config EsgShKernel start= auto
2⤵
- Launches sc.exe
PID:952

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /s "C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll"
2⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:316

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe start EsgShKernel -tt_on
2⤵
- Launches sc.exe
PID:1324

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe start ShMonitor
2⤵
- Launches sc.exe
PID:1912

C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe
"C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3828

C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe
"C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe" /hide
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1752

C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe
"C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\EnigmaSoft\SpyHunter\Defs\full.def

Filesize
52.6MB

MD5
32f36d4119e01a1513ee13e96b964709

SHA1
fb457f18b87957020a6115856d09942af8b81976

SHA256
13550c04277ccd471462a3f05a2f510ea336ced387c59d11697b14c864c982b0

SHA512
a832aad8f98c4e2d120f50e3a32d3352672177394688688ac8d2126fe46f8f951d6f615405c3eae025bf9a6dd9ad7b723c43e921432cbe5fa310820f4769aa52

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Defs\rh\Full.dat

Filesize
60KB

MD5
f414dbebca6dbbdabe36705a5c5e509c

SHA1
2b37953ce5f419dd83b078ab2fc63f0335a3771e

SHA256
53603efc62abc5e1d44d926f09724ae350e1130962a2741c8694700d0cd717fe

SHA512
7d35d8014975980d29f79aa1edca8cebb02277918e39e4581d963e412c7f488443b984b78ff3d42f8a404fce7b4be3c84687dce1f8179a81a943a64000060c52

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Albanian.lng

Filesize
51KB

MD5
febe4aebd5ad7d9eb1909009aa0df52b

SHA1
946a71fa51d00c6dc36269ae6a8594200389f7d8

SHA256
0999b0c9fee242b50d1fd256d159702a76593eca130272abf1fbffdaf5983567

SHA512
0d5d68653a20d9a3ebf348edafd221c5274e9d0094f069a1e4c07ee12d32a5b1db94a6a6999e019a7b2d5ead848b599b128582a47882a7ff155865cbd4dc8376

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Bulgarian.lng

Filesize
56KB

MD5
279c872157e2cae2a1a9b5311fa57fe7

SHA1
3923198379c500a6482a2b380d255485f191eff9

SHA256
8f1294305de83eaba22c28e2d857aa8fae654fde2915556ce21d7ef614220b21

SHA512
7f81cb83718e18f1de5f90e05477e0ae5298f7495b8a9585c76dc0cee7a11e428b6f4391f9fa7ef82b1a33bed4fdcf97e2a805df0648a5f3a27ec165045c036e

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Simplified).lng

Filesize
44KB

MD5
f7135561d7ad999fe40ef6c27e3364a7

SHA1
004ab1f57a642857520f00960fd373eec45470d3

SHA256
b81a57a68f395d5f1eec7f7596325f6210564fc681c7f6a3e5f9b93a8ae5c212

SHA512
5b7bd630076194d72364a914cb22852183c48a4e63b3e7ab02bb5249fc06ca8e78535f2fffa2123525699404f8ca01c808db1271022c7b1b8ac469a551c1628f

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Traditional).lng

Filesize
45KB

MD5
99f3480cc489960fdbc1c313201e2f31

SHA1
dd2f4a564201d0a72908266a62d36b26f5ab044d

SHA256
8ffdacf83a22590446c8f64d638f3c45a6ec4df52f542a86675636499d2efdf8

SHA512
c55956860dbb4b2d0ddccdcdd863ae5d1d0916d0fbb69267c045f762f28c0e78379ff221ac29a643b1e080e27a7d6b54dd026bbc577019967d2ca81a7002990c

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Croatian.lng

Filesize
49KB

MD5
c75d4942630c06778afdb96f496edf7f

SHA1
96e7e1c38a03389da78989e0c871a8cb627b548d

SHA256
b33829a3f398397743c112f1ad9ec78783ea1669b7a30cec3ec7169c09747af4

SHA512
70e6ad1be6e8c68f446e50867d319c23cd3d995b044e2a6c5bcddb6a1c81c04bf7872129112a1097b4c99cf096e0af0d6d77931a40582017bce44c2a519945a6

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Czech.lng

Filesize
51KB

MD5
225afbdebcb6fa56a44c623ca0e8f81c

SHA1
c4ca592c3915842c8e0d8f6643016fe89c24036c

SHA256
021aa584753883d9ab8ce3c94767dbf235d0147a4f66f07ac00b35198fc522cb

SHA512
fa2c442739f7045d37c7c5f465dd4126815009f9520e730048507d89864366cfbe5d71cff69b8bfc309422b1745f4d5fd7ee2bd39bef314d9299828cffa964b8

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Danish.lng

Filesize
47KB

MD5
ed75839820c2c88e4704cacda6ccb206

SHA1
563471f945e3e0f8f7d48a5b9d7ac0e7068fb835

SHA256
25771964220b9a336add497ff731d92682870d4a1b795a5c7d91ef6e2112e4f0

SHA512
07dcbb51bab8fb2fc7b956b13354cdce6ca1ec93eaf4c212dd8e1b2aba9525d9deb2798bec17e79c5995115875c16a94694eecea2f0aa91652c93b7409a002f3

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Dutch.lng

Filesize
48KB

MD5
fe6684ffa08cef12254777153860be3f

SHA1
c966c20b743de2391b8af88a3711fadb304c0771

SHA256
b12f79767a128efbf8b62314c6ec5c59092fa47e0e470c98bb0095ba56e3e6b0

SHA512
b757e7b9f6126e981dac8f032562f82513076ac571e69e18c013627656314887e51676ef33aadd98086857c5dbc4509731491d7d992d22a36e90f2af2ca31f05

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\English.lng

Filesize
42KB

MD5
aab8b10b250b0eb7e3378b80e3961d3f

SHA1
8391991e52c20df2447d0b0522373d7a40d92346

SHA256
4b3c928451d7f396b5a50d60ca417763d0560bc713e22b915813ff2905330636

SHA512
9e08a813fd29749ff5e277e8fdc3cc885fbab024334f925db4be774f11e1355f4cb1fda8bd4b0ec4269f0452e50aafe8e9cd24ca41bf3fa202038eb8c61828d5

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Finnish.lng

Filesize
48KB

MD5
68afc29adb443869c540d7557f06e7cd

SHA1
91141c7e3e0cb1272b375407376cb59ec4b51288

SHA256
0721ea01ddd8754950935ba6e0a27af958bb8d7451c4e278d1df6cdf2d91cfae

SHA512
77c28003dd82ac218712c56f22b04d7829b3527969a55f0adcaf687657dd62c9d9066c867d09157dd3166d377b4faf75c4709d04e88866c22f69008ae4e7da13

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\French.lng

Filesize
48KB

MD5
91d34e141bc1c5b30c6ebc6fb0232ace

SHA1
3c62a44532a28ad416bb684fce4229553f66c011

SHA256
c03a2c3b69c0aa8c87000a798990f95cf2627c2856c476f1c0023e3fabcae848

SHA512
b9f64af0c9a1dc5bfcef5f910ab8c2534077a4b312c76eeabea2d96bbb1eee00e61ee6337f74a9d903a7be0f95250af50862b35bed8a4e9bb77f7ac4acccd751

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\German.lng

Filesize
49KB

MD5
3ad146d94e3badce7f3072d797622077

SHA1
d3db9433f6102aa6d784862b833f61a5b0241da6

SHA256
23901b6fb690ea48723ae8893853605b385e8129c5f65b785fca096c0c8a1c30

SHA512
f4c97b15ac61ecca2fb981386fa99b716bd5de439e7f6d9d0abadd09ee19b5c2b528fd2c1923368e22e9ff664505aeff21b30d6acfb08652285a557c0e28755b

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Greek.lng

Filesize
60KB

MD5
88459eb2a8a8f93e1e9a7834946d3810

SHA1
3ecc85eaf28953bbfdba9fc42dddc02f778989df

SHA256
46e894079d6d987e0886836b836ea354e591b035ad29feadcf249175c3156261

SHA512
b28c5f5d1a8be8bb1dd776d75840a31e86fe4e3975aabcc497536ae2c53f8d8f450175078e1f2194928089806af83cb1562ce702096d4508bf7da4b31696ff82

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Hungarian.lng

Filesize
51KB

MD5
e5416f1ec8732777ef7c479b638ad3b2

SHA1
f01ee362df93c945c27ca4d4c7710b92e4d91f8e

SHA256
c0b4f14df3b92b37a4f6b9b938087b7cc43f5d24b90a4c4e6db53e1eec59302f

SHA512
20f889b3ceb04234b78f65b485c3c25e614b19893fe2656584aea82fb01b2558e4d682dc5de827ca3f047a59e3fcd9b3a8e7e64ee8be6c7934436aa6baaeb137

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Indonesian.lng

Filesize
45KB

MD5
6d0de84da5f4e3383438775991ba0a1e

SHA1
defd28d96b3ebb481af8e7e04a0cfdee3730010b

SHA256
9113ec204a04d892140c5f5ca577d20d4ab571ceb4c899a846b6dbf8eb9cb701

SHA512
5a34612a39c74df034cd3b7378b22ef08b079a028653bc74b7724ab2bcee422b2a9d287b5cfe03b2ac48cbe077528c6bf43f1e04679eee9831fc4610a4826276

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Italian.lng

Filesize
48KB

MD5
e7b648da2c69d49f4bc2c6e7b4f4b349

SHA1
d2042c86f34a45e13bb6769b885f9e34a619c3f8

SHA256
97642571861952c4ba4538eb793fb7ef2826e45989ccb907249532b55d6c26c9

SHA512
c40a1e479df8987763baf215c6b502b172f29a8f518015546029091e151eb5c708fe761d15e3794a039658911a08b50a7546145efee9870f81109c3bc8b525cc

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Japanese.lng

Filesize
50KB

MD5
a7de22d66f1854186c29a64d4135e095

SHA1
c1936683793ed04fc7d49df382c1c63299be3abe

SHA256
400812367e44eeedf8b02dc641f7f047c2948889b5a308a703186272ab65c27f

SHA512
fd31a8d23b56683c2da50f166c593bc1d11f2d289655d9f9060c781bc2529371f900e65e379fb97a89228d2f337db8ae38fe5f2d582877915c6e744dee835586

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Korean.lng

Filesize
47KB

MD5
3ec4f70bdf98054ee893738e9d25ed69

SHA1
f47bdff913a018f681afd78a38f29076bc915fb0

SHA256
e9b17a080d66b637c4f262c6c3684f739398e877059dedd41f5a4a9944291b7f

SHA512
f2165f92ac9a46b12e5c049982373f86c5b5f9b82b891a0cdceec95acc4ad3d880da7f21cdda4f41cf376cf7a3c6a2fcbe5dbbfe184ddf93f54dce98bb3bd4dc

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Lithuanian.lng

Filesize
50KB

MD5
6e1554aba346b8694bab5e340077914a

SHA1
5ca61b4f088946cd17f827946ad11a82c9f8bebf

SHA256
6e249cecee8f801326458b115d86ac885b2982616d23b8a06390f1d8b579aabe

SHA512
866fac2e1548fbaf1223d4c0c2b5ffceeecd8897a9acda215fe95879ad4ca0fd5539b6892d6514728d72d66d47dc7723bb06e4f0a9009de5d22e99e98556f20d

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Norwegian.lng

Filesize
46KB

MD5
7096bb5172ca5a0648bfb9ed09216b07

SHA1
74487e136b994f2af7611a43a7cbdbf8eb9714d4

SHA256
c70ae330731b83cf9545395f702d045c1c8ffedd7ae89dbd8153315cba785948

SHA512
8c6a5365babaf175561224d4f1f41bf4c060949b8c200ecc1a17d00ecf6fb06951fd2b549baa35d49848400169f772763e521b6894010ec69742e7fa35e258c9

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Polish.lng

Filesize
50KB

MD5
05d8e7e277e2fb5d6b74902f51008ac3

SHA1
3e908beff0658c1d8f043d07d2ca4f69265c046b

SHA256
04c31c78b9a153c9d39843a78ea451f77ff15b02d135e79a05c9a887d26cc309

SHA512
67b841ce90589e7db6ba64263267f4ccf2ea06142999fd9b9864ce4fd7447adbf1cb6c066212026b1ab7e9f5229e141056865c6de57b1c31839384f533604676

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Portuguese (Brazil).lng

Filesize
48KB

MD5
29b88d916646a82c0ed7878bc825ed26

SHA1
42e673472ebca0ceeea704f4a2ed6d7fa8687cdd

SHA256
a6ea033d84d47b4974dec05b1f036460b929e16ed298233c1a01557996578242

SHA512
f3d8b570982f6af313a8b66d67286d4f5a5beed1ac8cce02688d8872932d6b367288500b763f6c7efbace75195ceafcb7853699610e191ec16dd5f05f66a94a9

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Portuguese (Portugal).lng

Filesize
48KB

MD5
49d7386b9ddbdfabdf3621d595d651ed

SHA1
ca7f95a8e6063167f9930d1474d65f29c38eae75

SHA256
599ded37004cf8c03c78962de2319d213d04d49d8c8d4ca85e38079b83c27c65

SHA512
b193c41146722b51fd6ceedd46b39250c1078f54f0e135b9a5adf8ade254ebebce4fd7698cbc8806e34aa2675b6442a58f9fec95807a8589f8e812b16ff18def

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Romanian.lng

Filesize
49KB

MD5
2fc03a032f128efdefd147a1d244050a

SHA1
4e092c866ed25d29624df6289fc97204993ab93e

SHA256
b61e579af46077b65f5bc7891b79f4b8af89a57352f39af09c885959e25ee646

SHA512
c234b6acb47a5cfe7173f9743387e1c9bd8aa2a7976ad93fa9f372e7cd0df074c471785724d3b439f7957af7a77e023c6ac59117fd28d31288a2195b5d3003b2

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Russian.lng

Filesize
57KB

MD5
52716d2ba5f96b43ab622b7f56b3b324

SHA1
0da26b9282f818fa8644eb1ba6155f26ce4e0af3

SHA256
ee232770da43b3466aa1a3cf0cf33c0105ffff98b286b19d871590b95a39b64c

SHA512
3d8854a3dd7b9b4544aa787ec19b76a0ce8dba377a17a82e108ac3e81cb538fa905f6d71b8409101c4db9fe627c5234e0ea88e6e0a3c355b58496f79fad17156

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Serbian.lng

Filesize
50KB

MD5
d68fec7e0ed9e52cef2938cbed9ff66b

SHA1
39f4e182814b35a1059629977a862279e165f2cd

SHA256
e14cf5c83d23c6e64f05e41130d49ac760a80f5bf83ceb2f76f5c8dc545ee746

SHA512
5a4bfd96d974a6092351e290ff692526ce8ca403a9e20e3a56814110f66c094c8b089d3b63ebf8dece2a385c14191dd3c4a8739b21b55b3bf37b5bb295db5cd3

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Slovene.lng

Filesize
49KB

MD5
0eef9137ce7afc2dde59cb4d460d7a61

SHA1
d362fe9fff82337f0549256ddf18b09debae5d34

SHA256
4c1fe17811934ff05f53c3c83cc1e45d8f583acaca49e1b75f2ba4ad550ba078

SHA512
c182b9daa28be79ec2e784d02a52813bf02c5e0577ffccc701546d7bee92a99484c6f56451a445d209af3d5031e7fd9ff16930769d76aee774ef959e640f00b9

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Spanish.lng

Filesize
47KB

MD5
68ee970c9ac215e8937b52572fccca3c

SHA1
870da128c3138094f56887fbad81fcc6c3767623

SHA256
71cf4b86cc2958abb61b1fe668f1881abd159274ace5840c9de5f58072893e68

SHA512
ed4fbaadc2d89b6ba5595a8424d498ea2dfd5aacd9fac80470de52c1b00166a87fd5b68183049753c96b45c762fb2adfb97d88b0d36cfebe88cbb3a80ffa29f0

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Swedish.lng

Filesize
47KB

MD5
42a924c6851fd76695f19428ecbde540

SHA1
0c04459ad9e46a20f4e3a8b0f568fa09833897f1

SHA256
21aaf4dc6bb8babee5d49ae6d8219a78edb1ddf1ce8c4e9f3fc9874279751ba7

SHA512
444a3cf6c6325a7567e70e080184c08892a3e2a80ca8c901af89aba76a4e9b8d054d57bff0f08c1ee3b1868467a991a5eada62492232256cf0263d0c59ca2f63

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Turkish.lng

Filesize
48KB

MD5
9a6fbbf4b85cf760544be0675ed67df3

SHA1
4b36870aec564e595054bea6813b38dd8217457f

SHA256
1a4be5f8b2e844d6694912494a7294a7cabb96c85a495d9e08f1f867960a0380

SHA512
0f866c84d79d63d0d8a6b608d802d59a4cf03edb69113f24e222415c29dbc68ad05d19a5bfba836e48af1928fff76c245bc3fc0c660e4726b161e8a7a956acc4

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Ukrainian.lng

Filesize
56KB

MD5
70a2c16dbe98612a6add64952c60b3d1

SHA1
481fbdf87b168523e5e67fbedc2716e4dedd94a3

SHA256
06850d3b163fb09b1d5280a3d48cddf9f4248481840e2660f0001c05b830b26a

SHA512
6efd6eb4e9a38cc0beb4c7207ef1c769dea7a2f9ffe0c57506b7e606dac1e49950e0ffcdff87d084ec50e56a07dfeaaefddd6c4f3f4c906e1758ca8772e5240a

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe

Filesize
16.3MB

MD5
47b453e932f9f4acec3f227f8c98df4a

SHA1
9af921c66485d28543876117554cd82eb7a0f435

SHA256
226684559890079528eec5ae58b959bbf5e7025debaab21210269d9fecbb8925

SHA512
377c9fdf57ce6dc30259bbef6b71e37d3dcc99714f2180d8f7203b57b6664ca387e9bd82c1a6143f9d0c5cd0e4a7f1a11d81539368a6086561cdf7443fdd2f0e

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe

Filesize
16.3MB

MD5
47b453e932f9f4acec3f227f8c98df4a

SHA1
9af921c66485d28543876117554cd82eb7a0f435

SHA256
226684559890079528eec5ae58b959bbf5e7025debaab21210269d9fecbb8925

SHA512
377c9fdf57ce6dc30259bbef6b71e37d3dcc99714f2180d8f7203b57b6664ca387e9bd82c1a6143f9d0c5cd0e4a7f1a11d81539368a6086561cdf7443fdd2f0e

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe

Filesize
526KB

MD5
41e6ce281efe1db7fa6f7b878dae3288

SHA1
7d07cf4324923f45e486f37a8a360fce64ee5a74

SHA256
9d4559ee6d629cfc42d7c353c00ddda3f4542b68767c1fe2d0e0dca9bdd3927e

SHA512
e56fcfdfc772bc4e703571a88242d6b5b90b4637564283212cb4d64bf717961402e8acfede4a32d6ef126d00d77f865d90c021d461b1fe59a406d708bbe2455c

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe

Filesize
526KB

MD5
41e6ce281efe1db7fa6f7b878dae3288

SHA1
7d07cf4324923f45e486f37a8a360fce64ee5a74

SHA256
9d4559ee6d629cfc42d7c353c00ddda3f4542b68767c1fe2d0e0dca9bdd3927e

SHA512
e56fcfdfc772bc4e703571a88242d6b5b90b4637564283212cb4d64bf717961402e8acfede4a32d6ef126d00d77f865d90c021d461b1fe59a406d708bbe2455c

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll

Filesize
830KB

MD5
8fac441d6aecbfb99de79d66d04c143e

SHA1
02262e11a534da0854b70aecec2c62e8c35ae473

SHA256
2d945748b3d5022a93cf72b6d1f61189ddae3158368fc8a2a4e2d19f8f2d2b67

SHA512
3a45bc900bacb9343f2bc9b6cb395a8d1ef963086913387d5982dd2a32f1de2dde01b89a70da14cf626bbd7a2cb9a5c90aa8fc2859a74399d5029f1617a97123

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll

Filesize
830KB

MD5
8fac441d6aecbfb99de79d66d04c143e

SHA1
02262e11a534da0854b70aecec2c62e8c35ae473

SHA256
2d945748b3d5022a93cf72b6d1f61189ddae3158368fc8a2a4e2d19f8f2d2b67

SHA512
3a45bc900bacb9343f2bc9b6cb395a8d1ef963086913387d5982dd2a32f1de2dde01b89a70da14cf626bbd7a2cb9a5c90aa8fc2859a74399d5029f1617a97123

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe

Filesize
17.2MB

MD5
882e775e7ed96b4f97cb306bd8c78086

SHA1
ae86e57691e9f47388ead1a83f9d3aa3142a0f05

SHA256
7bdb756faa7cf90798fa76f64bc90e52b9b50aefcdd952adfdb28f309b1269d1

SHA512
2cef8d4650dfeadec69d7b4df4508d97bb7648a8413449e732343aab26f1370e4bd7d43695d677af05c27737deea7fb7ea4c500690b9ba4914e896fe8610d305

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe

Filesize
17.2MB

MD5
882e775e7ed96b4f97cb306bd8c78086

SHA1
ae86e57691e9f47388ead1a83f9d3aa3142a0f05

SHA256
7bdb756faa7cf90798fa76f64bc90e52b9b50aefcdd952adfdb28f309b1269d1

SHA512
2cef8d4650dfeadec69d7b4df4508d97bb7648a8413449e732343aab26f1370e4bd7d43695d677af05c27737deea7fb7ea4c500690b9ba4914e896fe8610d305

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe

Filesize
17.2MB

MD5
882e775e7ed96b4f97cb306bd8c78086

SHA1
ae86e57691e9f47388ead1a83f9d3aa3142a0f05

SHA256
7bdb756faa7cf90798fa76f64bc90e52b9b50aefcdd952adfdb28f309b1269d1

SHA512
2cef8d4650dfeadec69d7b4df4508d97bb7648a8413449e732343aab26f1370e4bd7d43695d677af05c27737deea7fb7ea4c500690b9ba4914e896fe8610d305

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\purl.dat

Filesize
64B

MD5
65f061266f35050f24e8978af0c13e9f

SHA1
7d45f4aa11b28310362744df7c3c071624379447

SHA256
4e9d8320411aa1b03324c82d3e990cb9ccbf1491bed0b40be115b2d610b9ec3d

SHA512
0efcee3ea949630aa63012ebc2f0a6c0e7d07b1245cbd2464791396aa2d4fc19a2feebf6b6e40813bfeef1d49d92c7dea062d3a550e2e523249814c5ab2366d5

Download Submit
C:\ProgramData\Start Menu\Programs\EnigmaSoft\SpyHunter5.lnk

Filesize
1KB

MD5
9c2869c3f7dcba25e4012709eea64a75

SHA1
489a35656a2f5cf612f62ef301221e3071283e05

SHA256
fd8289bd5846d0f5f4584d27cbbfb0d5f62aa000307db7bc488e779f2b246d7b

SHA512
94b8418b0203034e57b1dac30653641f1599d086177d155610c3a232ccb25e67259d55296b4ae2de3bf5e81b3d5b6bb0428d7c5084c98aa2c6ea181a327b8108

Download Submit
C:\ProgramData\Start Menu\Programs\EnigmaSoft\Uninstall.lnk

Filesize
699B

MD5
93e202092b751cef2f05efd627e914cf

SHA1
e7c4a20225df7b1ae3e43bb3f75e5cc4cb507e68

SHA256
b75d9ec4075cdfcf7347b21fd789b3428631ef816a1699231cd23d2aecd2c04b

SHA512
355eb1b59d319966fd91f511099a8e41ea658f160273590008a5e25c868bb6463b2df5fd6abb6fdacbddb992952e6c5d0e50d9ade7aeeaa32774b1f24fedecc2

Download Submit
C:\ProgramData\Start Menu\Programs\SpyHunter5.lnk

Filesize
1KB

MD5
1da416f6a573d3e951bf4e5424aea257

SHA1
1ec7f97a304c3a28cb5068613cdd1ae0e0a59baf

SHA256
8d6a521ee667a203a32bd0067fbc0d981e4c181e579f12392158c2520f3b23a4

SHA512
c8fd82194720b96fa8cb64aacca0b355831255cc38e6affbd4d8c450840a5f182e313d4542e774ba53e667b5c8680310efa1eacee87a5c142ae75a0614a88f3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
d7de9cdc4ac953f2f36597ed4dac78f6

SHA1
0517083f6689a6fbde1895f665e5839fec27ef7f

SHA256
09e3808ed6f0021745f6735ca3cdd8096e934d72ab63b4cf72135e2bca5067e2

SHA512
ff09bd64a2cdd37e67c7484c3c77b455839609c1cd1f92932c776ebc98618c765631c45f4fe6bb1134dca0d0e4772c500332e44853180b4c1c75908ca058eb5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57d188.TMP

Filesize
48B

MD5
bc63ddd27b56fc793ca0783b901c8179

SHA1
f3ea142291a3b5018e9e2ec54eb3aeb6a17275be

SHA256
603f4c0bd92129cf55efec4ad368786d1a300b19054c43d92d7db6993980c45b

SHA512
13ec4784304a48460a3c9751297b8c43f57de5eadc35b7c6a44f61c637d9d7751c74bdbac05d466fdc7ab86cc42cb1a7ad0ca7673cd44c0f12bde837df0c2126

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
deff3bee7c7bcc5763ec7e9ab0f29acc

SHA1
ac0a330b37dd256848708e0e6b3c03dac031f40d

SHA256
a54028f34baaa09b9a295fc7cd80e224fea5ba6fd84ae83b998c2be76bcbb29c

SHA512
7d0b51b63bb7cab1de966f75905991d1294cb15c73154cc43bd2f4e1e585d0099935ebfbc6911e8be727c9aaaa02489c62f551155e77025c91a5e96e9e3ed9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
53c533425089fa0738636a80f19ed0d7

SHA1
4bc44bcdea44be6f101de2ce4ee79a9733097730

SHA256
8c5df3b14cf5f5183fba27ac967723b2f17c47d3cb26a7693f750eec1243830f

SHA512
268f04726fc62b3f97addbe8c6394d029459cb2a49e6d1c2118859aa090d6bcc8ee764c4e328148c820918cbd89174acd3de1e2e478e61cee2076b19c3c8b5a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
8777b9830d00e1bdcaa1a047f9f04910

SHA1
a3e1bac904c91b560ca5d64c728c80da71cabda1

SHA256
235fa60d546d22662e80ed4e9611d340a16060b4f9557879704f309c8d8ca202

SHA512
407bd64d7a7fac1579168159c14294fc39c7886ba2613447295012223cd611e3b1965f243e104cbbf3734b18998048f63b91eaa8828ca99ccb63585492ed6028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
36b8ac33fe7844ba84de231a247fcb59

SHA1
de4521a2e04d59920203053019f36153eeb53a98

SHA256
e39ba153203c40ae318d5b1c160ebc1dce1e00e2823f76de46a07592cff236c0

SHA512
22b8bb8121aab07a10bd47ab2c2106d492aba02b6398302a20ccbd263daca63f028d9b4bb1ed56b4a478c48b5e8d05be7280213d5db9c9019c468fd0eb80c054

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
f15b1a9c585445febe213b4e59b47d18

SHA1
81e1daff680078c537ab466ba075cfcaeaab9a4f

SHA256
4d629a68ce1f2d80975d2b5ded3fec0eba2dde663a5b5dc06b714a0afc006e1d

SHA512
7498f899717d1b81c897b6ff951c4c81acf993646f75400a503eb2d3634c40412aa1dcfde443769774566ce2d3ee32189d4e4aa5b215d6ef60397b6ae8477aea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
a9f3142ed2e7a4cc650b01683b0ca9b5

SHA1
301323334cf1333b3b4ffc6ca764c3e37b4a9fa3

SHA256
01619a5ff5979b26d6b344af426a40dd409fc70114077e1cf966d117daee88b5

SHA512
9af97ecc6406d520fd9ce394c965f24b500a71da4d8ebb260638076401abbeb3d45abf51906cae4471ddd9f7c97a08240c3a73737203b037fd83ad763a99e37a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
3ca889329c81f88950a89d624faa1c94

SHA1
c05ecea07de12d59f77f45ae99a1cf7346e9b6f4

SHA256
ce796b3d845683bc93c6ccf6ca618c4d9f2dadc3b3e94b782fc63c6c4b36fbe0

SHA512
751c8da3c3310519c2736cbc0a8bb3ecdbcc1ea418f9c112b847ec8cbf8dc0286d4086f242c18ce65e43bfa37ff05543c5fcd1fde58960b6bcfc0e4537386702

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk

Filesize
2KB

MD5
9c3be85bad1caf30a4d75917cbb68b57

SHA1
2bb033bbb4051d9e22c803762ed5a4cdacab32b1

SHA256
ee4f712e6f54d53c8b737681e533d60390791c89b6b6ab570fa8755eea5e9e6e

SHA512
c93175d3ca8233f52c6b15c5854fdeceac73cf038b6277e14e4868db18d69f8e27efcb097e2ef2df7c11294ee6d807029dd2d6193a9c96a61fc7eee32f982889

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk

Filesize
2KB

MD5
deff3bee7c7bcc5763ec7e9ab0f29acc

SHA1
ac0a330b37dd256848708e0e6b3c03dac031f40d

SHA256
a54028f34baaa09b9a295fc7cd80e224fea5ba6fd84ae83b998c2be76bcbb29c

SHA512
7d0b51b63bb7cab1de966f75905991d1294cb15c73154cc43bd2f4e1e585d0099935ebfbc6911e8be727c9aaaa02489c62f551155e77025c91a5e96e9e3ed9e3

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
f67aa475f7ebe6c844310a62583fdae1

SHA1
a9eb301a06eef746285f7921a523f35c5f4a7c95

SHA256
07863454ac43b686a42d8a60d2ea59bbe66ad9577ae1c3eca14e25700f6a35e8

SHA512
9be6e6ceaa47f81cdf4c0a3482b0a40b5f99525cc36014991d375bb4e3beea6ab42a80d277125c4cf8945269d0663b44787043d24e71f08eb02c88b177d86098

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0F7456FD78DEB390E51DB22FDEB14606

Filesize
2KB

MD5
d5fdb0116438693f39c5513192bba793

SHA1
6ecad673f347ae217d03eb58f1a8507d650699f4

SHA256
471e11444ab5e4efda80eb35c3a6cee58b4de81c5f11de56485cfb3ccf7b44e5

SHA512
50c5536c5f5eda4c5aa0c4c79210783e43a78252590f01ea8a27829d98ac5904d478f66695ca8755d1dc7615372e559c1109ea23a8b1b3dc1d7088c824008471

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAEBE581FCB73249406FC21094EA252E_BC0CE803EF41A748738619ED7838EEFC

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Windows\System32\drivers\EnigmaFileMonDriver.sys

Filesize
82KB

MD5
6bed4cee4117f47e2ef797da56935c04

SHA1
34ebf65a197f4bd8fffe891130a0b0cb903f75f6

SHA256
0bf9f7247339c1676f6f59ee4647a6266daefa74ca00c7f1ed608bdc3a0ef693

SHA512
8faf611dce276b4877463847248bc7a4f41aa1032c679de55f650536858993c9ec4a8b834017c0c23a5d20e7efb0eb63aadcf94b1df49bd2541413f4448f1ea3

Download Submit
\??\pipe\LOCAL\crashpad_1624_NUATEUXYYZCILLWM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit