41207d84b3887bcd4f622815a8a240cfd2a5a5040750861ab8bbf579409db23e

Analysis

max time kernel
130s
max time network
599s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2023 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SpyHunter-5.11-71-9911-Installer.exe
Size

7.4MB
MD5

911736872bcb9f85b9181c7d785ee032
SHA1

806691ea5f3cf3cd335b00e436c51c9cb85bc9a4
SHA256

46dda74095b229c3724b4ef7e5f4c05b0b0e15426ca76e9ac947475f21459d19
SHA512

016c73a7e8ecad84ba73e220a37869bdf8465411a2085133112ba1215b92553c3ff7194e425b94b13b43f0152a0c1194376c87c5ffbd2441df0f3236d2b8fda6
SSDEEP

196608:i/VwpAGiJt4L0cYWkLTUSfNH6w6T39HiBD:ibJ20BTbHICD

Score

8^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Drops file in Drivers directory 1 IoCs

Processes:

ShKernel.exe

description ioc process

File created C:\Windows\system32\Drivers\EnigmaFileMonDriver.sys ShKernel.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\EnigmaFileMonDriver.sys	ShKernel.exe

Patched UPX-packed file 2 IoCs

Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

Processes:

resource	yara_rule
C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	patched_upx
C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	patched_upx

Executes dropped EXE 3 IoCs

Processes:

ShKernel.exeShMonitor.exeSpyHunter5.exe

pid process

2712 ShKernel.exe
2164 ShMonitor.exe
4460 SpyHunter5.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

4492 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2712	ShKernel.exe
2164	ShMonitor.exe
4460	SpyHunter5.exe

pid	process
4492	regsvr32.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32\ = "C:\\Program Files\\EnigmaSoft\\SpyHunter\\ShShellExt.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

ShKernel.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ShKernel.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ShKernel.exe

Drops file in System32 directory 9 IoCs

Processes:

ShKernel.exe

description	ioc	process
File opened for modification	C:\Windows\system32\sh5native.exe	ShKernel.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_E1EDEF0C21AE75D448F7327475DF4C9E	ShKernel.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_38924EDF39D8802D6946FB22E5DD0835	ShKernel.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_38924EDF39D8802D6946FB22E5DD0835	ShKernel.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_E1EDEF0C21AE75D448F7327475DF4C9E	ShKernel.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3781B4A3713292956206932165FA4132_FB973C282413B622B89499D766DDDEB8	ShKernel.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3781B4A3713292956206932165FA4132_FB973C282413B622B89499D766DDDEB8	ShKernel.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FC68FB72D4FBC7E0F151BC2282D75E47_367FA2447481C3DB640CE44BE2E5A181	ShKernel.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FC68FB72D4FBC7E0F151BC2282D75E47_367FA2447481C3DB640CE44BE2E5A181	ShKernel.exe

Drops file in Program Files directory 50 IoCs

Processes:

SpyHunter-5.11-71-9911-Installer.exeShMonitor.exeShKernel.exesetup.exeSpyHunter5.exe

description	ioc	process
File created	C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Albanian.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Traditional).lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Hungarian.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Portuguese (Portugal).lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Turkish.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Ukrainian.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Logs\ShMonitor.log	ShMonitor.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\license.txt	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Simplified).lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Romanian.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Russian.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Spanish.lng	SpyHunter-5.11-71-9911-Installer.exe
File opened for modification	C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat	ShKernel.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230316184850.pma	setup.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Czech.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\French.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Greek.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Polish.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Native.exe	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Bulgarian.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\German.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Italian.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Lithuanian.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\data\acpwl.dat	SpyHunter-5.11-71-9911-Installer.exe
File opened for modification	C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal	ShKernel.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\39e9fc70-4cb5-4341-945f-ab7d54b18814.tmp	setup.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Finnish.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Indonesian.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Japanese.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Swedish.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Defs\full.def	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Logs\20230316_184834.krn.log	ShKernel.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Data\CrCache.dat	ShKernel.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Croatian.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Danish.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Dutch.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Portuguese (Brazil).lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Serbian.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Slovene.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Logs\20230316_184837.sh5.log	SpyHunter5.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\English.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Defs\Rh\full.dat	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\purl.dat	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Korean.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Norwegian.lng	SpyHunter-5.11-71-9911-Installer.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\data\acpdata.dat	SpyHunter-5.11-71-9911-Installer.exe

Drops file in Windows directory 1 IoCs

Processes:

SpyHunter-5.11-71-9911-Installer.exe

description ioc process

File created C:\Windows\Tasks\EsgInstallerTask81.job SpyHunter-5.11-71-9911-Installer.exe
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3388 sc.exe
2680 sc.exe
60 sc.exe
3456 sc.exe
3532 sc.exe
5084 sc.exe
2232 sc.exe
4944 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\EsgInstallerTask81.job	SpyHunter-5.11-71-9911-Installer.exe

pid	process
3388	sc.exe
2680	sc.exe
60	sc.exe
3456	sc.exe
3532	sc.exe
5084	sc.exe
2232	sc.exe
4944	sc.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ShKernel.exeSpyHunter5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ShKernel.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ShKernel.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SpyHunter5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SpyHunter5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SpyHunter5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	SpyHunter5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ShKernel.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ShKernel.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 51 IoCs

Processes:

ShKernel.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ShKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ShKernel.exe

Modifies registry class 19 IoCs

Processes:

regsvr32.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\ = "SH5 Shell Extension"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\ = "SH ShellExt Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\0\win64\ = "C:\\Program Files\\EnigmaSoft\\SpyHunter\\ShShellExt.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\HELPDIR\ = "C:\\Program Files\\EnigmaSoft\\SpyHunter"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\ = "SHContextMenuExt Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32\ = "C:\\Program Files\\EnigmaSoft\\SpyHunter\\ShShellExt.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}	regsvr32.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ShKernel.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	ShKernel.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ShKernel.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ShKernel.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ShKernel.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ShKernel.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

SpyHunter-5.11-71-9911-Installer.exemsedge.exemsedge.exeidentity_helper.exeShKernel.exe

pid	process
436	SpyHunter-5.11-71-9911-Installer.exe
436	SpyHunter-5.11-71-9911-Installer.exe
436	SpyHunter-5.11-71-9911-Installer.exe
436	SpyHunter-5.11-71-9911-Installer.exe
436	SpyHunter-5.11-71-9911-Installer.exe
436	SpyHunter-5.11-71-9911-Installer.exe
436	SpyHunter-5.11-71-9911-Installer.exe
436	SpyHunter-5.11-71-9911-Installer.exe
436	SpyHunter-5.11-71-9911-Installer.exe
436	SpyHunter-5.11-71-9911-Installer.exe
1360	msedge.exe
1360	msedge.exe
4968	msedge.exe
4968	msedge.exe
4496	identity_helper.exe
4496	identity_helper.exe
2712	ShKernel.exe
2712	ShKernel.exe
2712	ShKernel.exe
2712	ShKernel.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

ShKernel.exe

pid process

2712 ShKernel.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4968 msedge.exe
4968 msedge.exe
4968 msedge.exe
4968 msedge.exe
4968 msedge.exe
4968 msedge.exe

pid	process
2712	ShKernel.exe

pid	process
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

SpyHunter-5.11-71-9911-Installer.exeShKernel.exe

description	pid	process
Token: SeShutdownPrivilege	436	SpyHunter-5.11-71-9911-Installer.exe
Token: SeBackupPrivilege	436	SpyHunter-5.11-71-9911-Installer.exe
Token: SeRestorePrivilege	436	SpyHunter-5.11-71-9911-Installer.exe
Token: SeDebugPrivilege	436	SpyHunter-5.11-71-9911-Installer.exe
Token: SeTakeOwnershipPrivilege	436	SpyHunter-5.11-71-9911-Installer.exe
Token: SeBackupPrivilege	2712	ShKernel.exe
Token: SeRestorePrivilege	2712	ShKernel.exe
Token: SeSecurityPrivilege	2712	ShKernel.exe
Token: SeTakeOwnershipPrivilege	2712	ShKernel.exe
Token: SeLoadDriverPrivilege	2712	ShKernel.exe
Token: SeBackupPrivilege	2712	ShKernel.exe
Token: SeBackupPrivilege	2712	ShKernel.exe
Token: SeSecurityPrivilege	2712	ShKernel.exe
Token: SeSecurityPrivilege	2712	ShKernel.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

msedge.exeSpyHunter5.exe

pid process

4968 msedge.exe
4968 msedge.exe
4460 SpyHunter5.exe
4460 SpyHunter5.exe
4968 msedge.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

SpyHunter5.exe

pid process

4460 SpyHunter5.exe
4460 SpyHunter5.exe

pid	process
4968	msedge.exe
4968	msedge.exe
4460	SpyHunter5.exe
4460	SpyHunter5.exe
4968	msedge.exe

pid	process
4460	SpyHunter5.exe
4460	SpyHunter5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SpyHunter-5.11-71-9911-Installer.exemsedge.exe

description	pid	process	target process
PID 436 wrote to memory of 2680	436	SpyHunter-5.11-71-9911-Installer.exe	sc.exe
PID 436 wrote to memory of 2680	436	SpyHunter-5.11-71-9911-Installer.exe	sc.exe
PID 436 wrote to memory of 60	436	SpyHunter-5.11-71-9911-Installer.exe	sc.exe
PID 436 wrote to memory of 60	436	SpyHunter-5.11-71-9911-Installer.exe	sc.exe
PID 436 wrote to memory of 3456	436	SpyHunter-5.11-71-9911-Installer.exe	sc.exe
PID 436 wrote to memory of 3456	436	SpyHunter-5.11-71-9911-Installer.exe	sc.exe
PID 436 wrote to memory of 3532	436	SpyHunter-5.11-71-9911-Installer.exe	sc.exe
PID 436 wrote to memory of 3532	436	SpyHunter-5.11-71-9911-Installer.exe	sc.exe
PID 436 wrote to memory of 4968	436	SpyHunter-5.11-71-9911-Installer.exe	msedge.exe
PID 436 wrote to memory of 4968	436	SpyHunter-5.11-71-9911-Installer.exe	msedge.exe
PID 4968 wrote to memory of 1884	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1884	4968	msedge.exe	msedge.exe
PID 436 wrote to memory of 5084	436	SpyHunter-5.11-71-9911-Installer.exe	sc.exe
PID 436 wrote to memory of 5084	436	SpyHunter-5.11-71-9911-Installer.exe	sc.exe
PID 436 wrote to memory of 2232	436	SpyHunter-5.11-71-9911-Installer.exe	sc.exe
PID 436 wrote to memory of 2232	436	SpyHunter-5.11-71-9911-Installer.exe	sc.exe
PID 436 wrote to memory of 4492	436	SpyHunter-5.11-71-9911-Installer.exe	regsvr32.exe
PID 436 wrote to memory of 4492	436	SpyHunter-5.11-71-9911-Installer.exe	regsvr32.exe
PID 436 wrote to memory of 4944	436	SpyHunter-5.11-71-9911-Installer.exe	sc.exe
PID 436 wrote to memory of 4944	436	SpyHunter-5.11-71-9911-Installer.exe	sc.exe
PID 436 wrote to memory of 3388	436	SpyHunter-5.11-71-9911-Installer.exe	sc.exe
PID 436 wrote to memory of 3388	436	SpyHunter-5.11-71-9911-Installer.exe	sc.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1004	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1360	4968	msedge.exe	msedge.exe
PID 4968 wrote to memory of 1360	4968	msedge.exe	msedge.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

ShKernel.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ShKernel.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ShKernel.exe

C:\Users\Admin\AppData\Local\Temp\SpyHunter-5.11-71-9911-Installer.exe
"C:\Users\Admin\AppData\Local\Temp\SpyHunter-5.11-71-9911-Installer.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe create EsgShKernel start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe\"" DisplayName= "SpyHunter 5 Kernel"
2⤵
- Launches sc.exe
PID:2680

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe description EsgShKernel "SpyHunter 5 Kernel"
2⤵
- Launches sc.exe
PID:60

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe create ShMonitor start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe\"" DisplayName= "SpyHunter 5 Kernel Monitor"
2⤵
- Launches sc.exe
PID:3456

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe description ShMonitor "SpyHunter 5 Kernel Monitor"
2⤵
- Launches sc.exe
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.enigmasoftware.com/congratulations-spyhunter-installed/?hwx=b6015f5a205acb7d10109151a5ba96ee&lang=EN&purl=https%3A%2F%2Fpurchase%2D71%2Eenigmasoftware%2Ecom%2Fshwin&sid=aktien
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8c11346f8,0x7ff8c1134708,0x7ff8c1134718
3⤵
PID:1884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,11207364554959229169,17786779967957049036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,11207364554959229169,17786779967957049036,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
3⤵
PID:1004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,11207364554959229169,17786779967957049036,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
3⤵
PID:640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11207364554959229169,17786779967957049036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
3⤵
PID:3940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11207364554959229169,17786779967957049036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
3⤵
PID:3180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11207364554959229169,17786779967957049036,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
3⤵
PID:728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11207364554959229169,17786779967957049036,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
3⤵
PID:2368

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,11207364554959229169,17786779967957049036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
3⤵
PID:4264

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:3316

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x208,0x22c,0x7ff64ed55460,0x7ff64ed55470,0x7ff64ed55480
4⤵
PID:1672

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,11207364554959229169,17786779967957049036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11207364554959229169,17786779967957049036,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
3⤵
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11207364554959229169,17786779967957049036,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
3⤵
PID:1440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,11207364554959229169,17786779967957049036,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4024 /prefetch:2
3⤵
PID:3196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11207364554959229169,17786779967957049036,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1268 /prefetch:1
3⤵
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11207364554959229169,17786779967957049036,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
3⤵
PID:2428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11207364554959229169,17786779967957049036,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
3⤵
PID:2596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11207364554959229169,17786779967957049036,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
3⤵
PID:4176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11207364554959229169,17786779967957049036,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
3⤵
PID:5868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11207364554959229169,17786779967957049036,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
3⤵
PID:2096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11207364554959229169,17786779967957049036,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:1
3⤵
PID:736

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe config ShMonitor start= auto
2⤵
- Launches sc.exe
PID:5084

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe config EsgShKernel start= auto
2⤵
- Launches sc.exe
PID:2232

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /s "C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll"
2⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:4492

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe start EsgShKernel -tt_on
2⤵
- Launches sc.exe
PID:4944

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe start ShMonitor
2⤵
- Launches sc.exe
PID:3388

C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe
"C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2712

C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe
"C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe" /hide
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://purchase-71.enigmasoftware.com/spyhunter_free_trial?hwx=b6015f5a205acb7d10109151a5ba96ee&locale=en%2DUS&sid=aktien
3⤵
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c11346f8,0x7ff8c1134708,0x7ff8c1134718
4⤵
PID:1592

C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe
"C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4192

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\EnigmaSoft\SpyHunter\Defs\full.def

Filesize
52.8MB

MD5
c341f6279b7d1193719ab2db34a13f7b

SHA1
41874a797e17f773f5db3ac78019bdad90ec202c

SHA256
e20efb50eb40d1fad98808cd48cdfd5682172404a8868223385cd4c636f141b0

SHA512
42c8007dcb7d293bb5877472fb6d54a8fe2f39772a6617a7d90ffeacb8b65b5fc46afe130e914b0597395175c06f58158be44f7fc44aa0b3c1988889d937b281

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Defs\rh\Full.dat

Filesize
60KB

MD5
f414dbebca6dbbdabe36705a5c5e509c

SHA1
2b37953ce5f419dd83b078ab2fc63f0335a3771e

SHA256
53603efc62abc5e1d44d926f09724ae350e1130962a2741c8694700d0cd717fe

SHA512
7d35d8014975980d29f79aa1edca8cebb02277918e39e4581d963e412c7f488443b984b78ff3d42f8a404fce7b4be3c84687dce1f8179a81a943a64000060c52

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Albanian.lng

Filesize
51KB

MD5
febe4aebd5ad7d9eb1909009aa0df52b

SHA1
946a71fa51d00c6dc36269ae6a8594200389f7d8

SHA256
0999b0c9fee242b50d1fd256d159702a76593eca130272abf1fbffdaf5983567

SHA512
0d5d68653a20d9a3ebf348edafd221c5274e9d0094f069a1e4c07ee12d32a5b1db94a6a6999e019a7b2d5ead848b599b128582a47882a7ff155865cbd4dc8376

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Bulgarian.lng

Filesize
56KB

MD5
279c872157e2cae2a1a9b5311fa57fe7

SHA1
3923198379c500a6482a2b380d255485f191eff9

SHA256
8f1294305de83eaba22c28e2d857aa8fae654fde2915556ce21d7ef614220b21

SHA512
7f81cb83718e18f1de5f90e05477e0ae5298f7495b8a9585c76dc0cee7a11e428b6f4391f9fa7ef82b1a33bed4fdcf97e2a805df0648a5f3a27ec165045c036e

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Simplified).lng

Filesize
44KB

MD5
f7135561d7ad999fe40ef6c27e3364a7

SHA1
004ab1f57a642857520f00960fd373eec45470d3

SHA256
b81a57a68f395d5f1eec7f7596325f6210564fc681c7f6a3e5f9b93a8ae5c212

SHA512
5b7bd630076194d72364a914cb22852183c48a4e63b3e7ab02bb5249fc06ca8e78535f2fffa2123525699404f8ca01c808db1271022c7b1b8ac469a551c1628f

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Traditional).lng

Filesize
45KB

MD5
99f3480cc489960fdbc1c313201e2f31

SHA1
dd2f4a564201d0a72908266a62d36b26f5ab044d

SHA256
8ffdacf83a22590446c8f64d638f3c45a6ec4df52f542a86675636499d2efdf8

SHA512
c55956860dbb4b2d0ddccdcdd863ae5d1d0916d0fbb69267c045f762f28c0e78379ff221ac29a643b1e080e27a7d6b54dd026bbc577019967d2ca81a7002990c

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Croatian.lng

Filesize
49KB

MD5
c75d4942630c06778afdb96f496edf7f

SHA1
96e7e1c38a03389da78989e0c871a8cb627b548d

SHA256
b33829a3f398397743c112f1ad9ec78783ea1669b7a30cec3ec7169c09747af4

SHA512
70e6ad1be6e8c68f446e50867d319c23cd3d995b044e2a6c5bcddb6a1c81c04bf7872129112a1097b4c99cf096e0af0d6d77931a40582017bce44c2a519945a6

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Czech.lng

Filesize
51KB

MD5
225afbdebcb6fa56a44c623ca0e8f81c

SHA1
c4ca592c3915842c8e0d8f6643016fe89c24036c

SHA256
021aa584753883d9ab8ce3c94767dbf235d0147a4f66f07ac00b35198fc522cb

SHA512
fa2c442739f7045d37c7c5f465dd4126815009f9520e730048507d89864366cfbe5d71cff69b8bfc309422b1745f4d5fd7ee2bd39bef314d9299828cffa964b8

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Danish.lng

Filesize
47KB

MD5
ed75839820c2c88e4704cacda6ccb206

SHA1
563471f945e3e0f8f7d48a5b9d7ac0e7068fb835

SHA256
25771964220b9a336add497ff731d92682870d4a1b795a5c7d91ef6e2112e4f0

SHA512
07dcbb51bab8fb2fc7b956b13354cdce6ca1ec93eaf4c212dd8e1b2aba9525d9deb2798bec17e79c5995115875c16a94694eecea2f0aa91652c93b7409a002f3

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Dutch.lng

Filesize
48KB

MD5
fe6684ffa08cef12254777153860be3f

SHA1
c966c20b743de2391b8af88a3711fadb304c0771

SHA256
b12f79767a128efbf8b62314c6ec5c59092fa47e0e470c98bb0095ba56e3e6b0

SHA512
b757e7b9f6126e981dac8f032562f82513076ac571e69e18c013627656314887e51676ef33aadd98086857c5dbc4509731491d7d992d22a36e90f2af2ca31f05

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\English.lng

Filesize
42KB

MD5
aab8b10b250b0eb7e3378b80e3961d3f

SHA1
8391991e52c20df2447d0b0522373d7a40d92346

SHA256
4b3c928451d7f396b5a50d60ca417763d0560bc713e22b915813ff2905330636

SHA512
9e08a813fd29749ff5e277e8fdc3cc885fbab024334f925db4be774f11e1355f4cb1fda8bd4b0ec4269f0452e50aafe8e9cd24ca41bf3fa202038eb8c61828d5

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Finnish.lng

Filesize
48KB

MD5
68afc29adb443869c540d7557f06e7cd

SHA1
91141c7e3e0cb1272b375407376cb59ec4b51288

SHA256
0721ea01ddd8754950935ba6e0a27af958bb8d7451c4e278d1df6cdf2d91cfae

SHA512
77c28003dd82ac218712c56f22b04d7829b3527969a55f0adcaf687657dd62c9d9066c867d09157dd3166d377b4faf75c4709d04e88866c22f69008ae4e7da13

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\French.lng

Filesize
48KB

MD5
91d34e141bc1c5b30c6ebc6fb0232ace

SHA1
3c62a44532a28ad416bb684fce4229553f66c011

SHA256
c03a2c3b69c0aa8c87000a798990f95cf2627c2856c476f1c0023e3fabcae848

SHA512
b9f64af0c9a1dc5bfcef5f910ab8c2534077a4b312c76eeabea2d96bbb1eee00e61ee6337f74a9d903a7be0f95250af50862b35bed8a4e9bb77f7ac4acccd751

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\German.lng

Filesize
49KB

MD5
3ad146d94e3badce7f3072d797622077

SHA1
d3db9433f6102aa6d784862b833f61a5b0241da6

SHA256
23901b6fb690ea48723ae8893853605b385e8129c5f65b785fca096c0c8a1c30

SHA512
f4c97b15ac61ecca2fb981386fa99b716bd5de439e7f6d9d0abadd09ee19b5c2b528fd2c1923368e22e9ff664505aeff21b30d6acfb08652285a557c0e28755b

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Greek.lng

Filesize
60KB

MD5
88459eb2a8a8f93e1e9a7834946d3810

SHA1
3ecc85eaf28953bbfdba9fc42dddc02f778989df

SHA256
46e894079d6d987e0886836b836ea354e591b035ad29feadcf249175c3156261

SHA512
b28c5f5d1a8be8bb1dd776d75840a31e86fe4e3975aabcc497536ae2c53f8d8f450175078e1f2194928089806af83cb1562ce702096d4508bf7da4b31696ff82

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Hungarian.lng

Filesize
51KB

MD5
e5416f1ec8732777ef7c479b638ad3b2

SHA1
f01ee362df93c945c27ca4d4c7710b92e4d91f8e

SHA256
c0b4f14df3b92b37a4f6b9b938087b7cc43f5d24b90a4c4e6db53e1eec59302f

SHA512
20f889b3ceb04234b78f65b485c3c25e614b19893fe2656584aea82fb01b2558e4d682dc5de827ca3f047a59e3fcd9b3a8e7e64ee8be6c7934436aa6baaeb137

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Indonesian.lng

Filesize
45KB

MD5
6d0de84da5f4e3383438775991ba0a1e

SHA1
defd28d96b3ebb481af8e7e04a0cfdee3730010b

SHA256
9113ec204a04d892140c5f5ca577d20d4ab571ceb4c899a846b6dbf8eb9cb701

SHA512
5a34612a39c74df034cd3b7378b22ef08b079a028653bc74b7724ab2bcee422b2a9d287b5cfe03b2ac48cbe077528c6bf43f1e04679eee9831fc4610a4826276

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Italian.lng

Filesize
48KB

MD5
e7b648da2c69d49f4bc2c6e7b4f4b349

SHA1
d2042c86f34a45e13bb6769b885f9e34a619c3f8

SHA256
97642571861952c4ba4538eb793fb7ef2826e45989ccb907249532b55d6c26c9

SHA512
c40a1e479df8987763baf215c6b502b172f29a8f518015546029091e151eb5c708fe761d15e3794a039658911a08b50a7546145efee9870f81109c3bc8b525cc

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Japanese.lng

Filesize
50KB

MD5
a7de22d66f1854186c29a64d4135e095

SHA1
c1936683793ed04fc7d49df382c1c63299be3abe

SHA256
400812367e44eeedf8b02dc641f7f047c2948889b5a308a703186272ab65c27f

SHA512
fd31a8d23b56683c2da50f166c593bc1d11f2d289655d9f9060c781bc2529371f900e65e379fb97a89228d2f337db8ae38fe5f2d582877915c6e744dee835586

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Korean.lng

Filesize
47KB

MD5
3ec4f70bdf98054ee893738e9d25ed69

SHA1
f47bdff913a018f681afd78a38f29076bc915fb0

SHA256
e9b17a080d66b637c4f262c6c3684f739398e877059dedd41f5a4a9944291b7f

SHA512
f2165f92ac9a46b12e5c049982373f86c5b5f9b82b891a0cdceec95acc4ad3d880da7f21cdda4f41cf376cf7a3c6a2fcbe5dbbfe184ddf93f54dce98bb3bd4dc

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Lithuanian.lng

Filesize
50KB

MD5
6e1554aba346b8694bab5e340077914a

SHA1
5ca61b4f088946cd17f827946ad11a82c9f8bebf

SHA256
6e249cecee8f801326458b115d86ac885b2982616d23b8a06390f1d8b579aabe

SHA512
866fac2e1548fbaf1223d4c0c2b5ffceeecd8897a9acda215fe95879ad4ca0fd5539b6892d6514728d72d66d47dc7723bb06e4f0a9009de5d22e99e98556f20d

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Norwegian.lng

Filesize
46KB

MD5
7096bb5172ca5a0648bfb9ed09216b07

SHA1
74487e136b994f2af7611a43a7cbdbf8eb9714d4

SHA256
c70ae330731b83cf9545395f702d045c1c8ffedd7ae89dbd8153315cba785948

SHA512
8c6a5365babaf175561224d4f1f41bf4c060949b8c200ecc1a17d00ecf6fb06951fd2b549baa35d49848400169f772763e521b6894010ec69742e7fa35e258c9

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Polish.lng

Filesize
50KB

MD5
05d8e7e277e2fb5d6b74902f51008ac3

SHA1
3e908beff0658c1d8f043d07d2ca4f69265c046b

SHA256
04c31c78b9a153c9d39843a78ea451f77ff15b02d135e79a05c9a887d26cc309

SHA512
67b841ce90589e7db6ba64263267f4ccf2ea06142999fd9b9864ce4fd7447adbf1cb6c066212026b1ab7e9f5229e141056865c6de57b1c31839384f533604676

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Portuguese (Brazil).lng

Filesize
48KB

MD5
29b88d916646a82c0ed7878bc825ed26

SHA1
42e673472ebca0ceeea704f4a2ed6d7fa8687cdd

SHA256
a6ea033d84d47b4974dec05b1f036460b929e16ed298233c1a01557996578242

SHA512
f3d8b570982f6af313a8b66d67286d4f5a5beed1ac8cce02688d8872932d6b367288500b763f6c7efbace75195ceafcb7853699610e191ec16dd5f05f66a94a9

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Portuguese (Portugal).lng

Filesize
48KB

MD5
49d7386b9ddbdfabdf3621d595d651ed

SHA1
ca7f95a8e6063167f9930d1474d65f29c38eae75

SHA256
599ded37004cf8c03c78962de2319d213d04d49d8c8d4ca85e38079b83c27c65

SHA512
b193c41146722b51fd6ceedd46b39250c1078f54f0e135b9a5adf8ade254ebebce4fd7698cbc8806e34aa2675b6442a58f9fec95807a8589f8e812b16ff18def

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Romanian.lng

Filesize
49KB

MD5
2fc03a032f128efdefd147a1d244050a

SHA1
4e092c866ed25d29624df6289fc97204993ab93e

SHA256
b61e579af46077b65f5bc7891b79f4b8af89a57352f39af09c885959e25ee646

SHA512
c234b6acb47a5cfe7173f9743387e1c9bd8aa2a7976ad93fa9f372e7cd0df074c471785724d3b439f7957af7a77e023c6ac59117fd28d31288a2195b5d3003b2

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Russian.lng

Filesize
57KB

MD5
52716d2ba5f96b43ab622b7f56b3b324

SHA1
0da26b9282f818fa8644eb1ba6155f26ce4e0af3

SHA256
ee232770da43b3466aa1a3cf0cf33c0105ffff98b286b19d871590b95a39b64c

SHA512
3d8854a3dd7b9b4544aa787ec19b76a0ce8dba377a17a82e108ac3e81cb538fa905f6d71b8409101c4db9fe627c5234e0ea88e6e0a3c355b58496f79fad17156

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Serbian.lng

Filesize
50KB

MD5
d68fec7e0ed9e52cef2938cbed9ff66b

SHA1
39f4e182814b35a1059629977a862279e165f2cd

SHA256
e14cf5c83d23c6e64f05e41130d49ac760a80f5bf83ceb2f76f5c8dc545ee746

SHA512
5a4bfd96d974a6092351e290ff692526ce8ca403a9e20e3a56814110f66c094c8b089d3b63ebf8dece2a385c14191dd3c4a8739b21b55b3bf37b5bb295db5cd3

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Slovene.lng

Filesize
49KB

MD5
0eef9137ce7afc2dde59cb4d460d7a61

SHA1
d362fe9fff82337f0549256ddf18b09debae5d34

SHA256
4c1fe17811934ff05f53c3c83cc1e45d8f583acaca49e1b75f2ba4ad550ba078

SHA512
c182b9daa28be79ec2e784d02a52813bf02c5e0577ffccc701546d7bee92a99484c6f56451a445d209af3d5031e7fd9ff16930769d76aee774ef959e640f00b9

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Spanish.lng

Filesize
47KB

MD5
68ee970c9ac215e8937b52572fccca3c

SHA1
870da128c3138094f56887fbad81fcc6c3767623

SHA256
71cf4b86cc2958abb61b1fe668f1881abd159274ace5840c9de5f58072893e68

SHA512
ed4fbaadc2d89b6ba5595a8424d498ea2dfd5aacd9fac80470de52c1b00166a87fd5b68183049753c96b45c762fb2adfb97d88b0d36cfebe88cbb3a80ffa29f0

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Swedish.lng

Filesize
47KB

MD5
42a924c6851fd76695f19428ecbde540

SHA1
0c04459ad9e46a20f4e3a8b0f568fa09833897f1

SHA256
21aaf4dc6bb8babee5d49ae6d8219a78edb1ddf1ce8c4e9f3fc9874279751ba7

SHA512
444a3cf6c6325a7567e70e080184c08892a3e2a80ca8c901af89aba76a4e9b8d054d57bff0f08c1ee3b1868467a991a5eada62492232256cf0263d0c59ca2f63

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Turkish.lng

Filesize
48KB

MD5
9a6fbbf4b85cf760544be0675ed67df3

SHA1
4b36870aec564e595054bea6813b38dd8217457f

SHA256
1a4be5f8b2e844d6694912494a7294a7cabb96c85a495d9e08f1f867960a0380

SHA512
0f866c84d79d63d0d8a6b608d802d59a4cf03edb69113f24e222415c29dbc68ad05d19a5bfba836e48af1928fff76c245bc3fc0c660e4726b161e8a7a956acc4

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\Languages\Ukrainian.lng

Filesize
56KB

MD5
70a2c16dbe98612a6add64952c60b3d1

SHA1
481fbdf87b168523e5e67fbedc2716e4dedd94a3

SHA256
06850d3b163fb09b1d5280a3d48cddf9f4248481840e2660f0001c05b830b26a

SHA512
6efd6eb4e9a38cc0beb4c7207ef1c769dea7a2f9ffe0c57506b7e606dac1e49950e0ffcdff87d084ec50e56a07dfeaaefddd6c4f3f4c906e1758ca8772e5240a

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe

Filesize
16.3MB

MD5
42136d28ea16e4a4cc096e3c6678e73c

SHA1
faf97a5474793a522fca688060b82571907d9e14

SHA256
30f84afbff901e9fd55ccfcbe677b0c8bba59c60ce2445331f10ce28862f58b3

SHA512
b0d76aae5bd0a96bebcacabda8dfa66ba67b67c945714477a2ebe1754ce9f7b492ea2746f6c73701338a81dfc4ec29161dfdabde4e487fe2dd41af738174e683

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe

Filesize
16.3MB

MD5
42136d28ea16e4a4cc096e3c6678e73c

SHA1
faf97a5474793a522fca688060b82571907d9e14

SHA256
30f84afbff901e9fd55ccfcbe677b0c8bba59c60ce2445331f10ce28862f58b3

SHA512
b0d76aae5bd0a96bebcacabda8dfa66ba67b67c945714477a2ebe1754ce9f7b492ea2746f6c73701338a81dfc4ec29161dfdabde4e487fe2dd41af738174e683

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe

Filesize
526KB

MD5
23deb72373d223dfb5cff0aa05e49bae

SHA1
93ae5dbefaa2758594546ef8b9cb98a280e88664

SHA256
75252e27b717ff6e1b8a014b68a2bcb7e9282cf46cc30322fd3af2d7ceeaeb8e

SHA512
664b7b7dcb73e23093d5fb26c2058a5fc3b3cce7eeb6caccbe6c0c83bb9a5e01fed7b103dbbee291e9a5296022c96608560e6eecf949b9b10142f0db3c1f5cef

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe

Filesize
526KB

MD5
23deb72373d223dfb5cff0aa05e49bae

SHA1
93ae5dbefaa2758594546ef8b9cb98a280e88664

SHA256
75252e27b717ff6e1b8a014b68a2bcb7e9282cf46cc30322fd3af2d7ceeaeb8e

SHA512
664b7b7dcb73e23093d5fb26c2058a5fc3b3cce7eeb6caccbe6c0c83bb9a5e01fed7b103dbbee291e9a5296022c96608560e6eecf949b9b10142f0db3c1f5cef

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll

Filesize
830KB

MD5
b220d62d020b1c0b85434dad709cb757

SHA1
c9fbbdc1fcc0a201eb2273fbfdc49f8abe62bf6a

SHA256
b2c057276676f02f2bf27b8fc661dd63efc6926765501a97bf72731ca4cae0e2

SHA512
5507d45464e80aea320a10db3bd9ba14f4b9d95a2ecbf6b0cffac745b1322f51473e0b664d1e0242e2871cea0975bbf81133cb08d7eaa7c82f5e739eea156aa5

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll

Filesize
830KB

MD5
b220d62d020b1c0b85434dad709cb757

SHA1
c9fbbdc1fcc0a201eb2273fbfdc49f8abe62bf6a

SHA256
b2c057276676f02f2bf27b8fc661dd63efc6926765501a97bf72731ca4cae0e2

SHA512
5507d45464e80aea320a10db3bd9ba14f4b9d95a2ecbf6b0cffac745b1322f51473e0b664d1e0242e2871cea0975bbf81133cb08d7eaa7c82f5e739eea156aa5

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe

Filesize
17.2MB

MD5
3c1d0fdc0973729fe73bcab09ed6ce4f

SHA1
53fa769e38ebb731f1c994157616f0a1b8956ecc

SHA256
ca1c3b521aad5884f848d696a2e7a1c2f56812732151f2d60dc05f20de0e8652

SHA512
21c42354bcce34663df26edfac72a63f674acb5e55912d663a672fe12d5c7c315d32ee0931138438c344f633003aaaa15851a69e7aaad1a4b7b401b7f6248295

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe

Filesize
17.2MB

MD5
3c1d0fdc0973729fe73bcab09ed6ce4f

SHA1
53fa769e38ebb731f1c994157616f0a1b8956ecc

SHA256
ca1c3b521aad5884f848d696a2e7a1c2f56812732151f2d60dc05f20de0e8652

SHA512
21c42354bcce34663df26edfac72a63f674acb5e55912d663a672fe12d5c7c315d32ee0931138438c344f633003aaaa15851a69e7aaad1a4b7b401b7f6248295

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe

Filesize
17.2MB

MD5
3c1d0fdc0973729fe73bcab09ed6ce4f

SHA1
53fa769e38ebb731f1c994157616f0a1b8956ecc

SHA256
ca1c3b521aad5884f848d696a2e7a1c2f56812732151f2d60dc05f20de0e8652

SHA512
21c42354bcce34663df26edfac72a63f674acb5e55912d663a672fe12d5c7c315d32ee0931138438c344f633003aaaa15851a69e7aaad1a4b7b401b7f6248295

Download Submit
C:\Program Files\EnigmaSoft\SpyHunter\purl.dat

Filesize
160B

MD5
99f9a1d4ce6c4d46faafdb4330a1e4b7

SHA1
62700b91f16f5accaf174bca192d739a6001bb84

SHA256
c870b1888a3a67c2a704153eea497aa849a0eb4a8fcd15b7f52f881b8e2c9c71

SHA512
c9a7b2f6708155d24e1126fc2f84b66ca69c38b4e67947ca42aed711772446096495f1c67ec41922e09894b96a98ec9346212c675f6475d7535be65de8dc6500

Download Submit
C:\ProgramData\Start Menu\Programs\EnigmaSoft\SpyHunter5.lnk

Filesize
1KB

MD5
b232982459da9b0803242e5d7cbfc04a

SHA1
ba485931d37c58b2301d0e40566381c5a4905520

SHA256
cd8cb73dade007dc9abacfce4872d722c9ff4b43aa9331232836e0dcd381ccf5

SHA512
ebfd4173057fc36b025c30fca652a5e8f6311ccf3ea05aff6dffdc15b9d528f4fefd68f6ebd939d4efd58315bb0efa6ab17687af9637054fd544b07273b6bd45

Download Submit
C:\ProgramData\Start Menu\Programs\EnigmaSoft\Uninstall.lnk

Filesize
699B

MD5
c08c660064f10a88a1276ab26d020d20

SHA1
75c99ed08455b1a570cdcd95be856c3249904a11

SHA256
31fca4c6fadb51aadab22ae9c3e81d7bd85346f42b5da1825e1c72cd9b3829c9

SHA512
f6c07febbeffaaa26966fd882092e35e8b4457e70363e2641442b4b2412e881b0aab3f75e2d0ac192722f422ec8eb3ff865834898adbac2314ef223c75ec90dd

Download Submit
C:\ProgramData\Start Menu\Programs\SpyHunter5.lnk

Filesize
1KB

MD5
a66c148ef994bcea278e8d5ec08c6a7a

SHA1
7ed3cb852005a7210b74552667a1176850e6622a

SHA256
d296ec2e58affccfc22e107acb5ce10617bde1d00fbc0bb30ec1c78e68875f3c

SHA512
641e7d0f7aeeb5c13cb6e114b8242dbced8c634230781b49ec7ee574429700ab8635f7b01f23735207ae484d63456aa8417adfa96bf8bfc38e5d5de061a7e48a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
17KB

MD5
c4615400969ec98859f4269cf49a9686

SHA1
6c998ee48f7afbd4a49d4f01ef5157e2e81aab09

SHA256
d8c4d5419e0f8ce088e69e6217216b980f3a97371bf2d3beefc234dd976215c8

SHA512
754eca5466e22b47ca2da1ca27c97568c0c6882dd65bc0c20f4175f500f8f844eca994221fbe22b46368721c0a7b4b472d2d221ff11869e6826fd4c46a48f8e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
afcf449ae1a007a6c895e91d2a7eac19

SHA1
d43b4c4edd17dc94fb6c966ead12c1a64fc41407

SHA256
888f24af12ac6a3c6789063ec7a05753789003c32abeddc97c5ef63839447d0c

SHA512
d2de546d3148e41df42ba5bf2918f053d1715b1ff5070df66e300f58f48676a42f0f39185882767914695e0c899f9eaa4453fb4092eeb0e55c93bdd70e4b34c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
f3e330fe3e77df91fbd7010521e15bc6

SHA1
acf810e407b69bb0fb95c1de3fa835601c711343

SHA256
0f51aaea6c5e76d36c1b2ddc6ff1dac2122b547f2ab06035c9873dd229324e0a

SHA512
ff76d3095798266a485ccdd53384b0d40308df14bbf3abad62359e6a199f3b7df603d3873fdeaeb37ab90f66d55d7929808c764e04c193f2beb93e1ceca14aab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
912B

MD5
dd4873752708f50bf37d8e643a87987a

SHA1
4f04f9c44d66203de42945010e85723b927d4b32

SHA256
aedbd9851b81b0cb5a38bd4618d39b188b6aeb84100f10bd1dfc9c3cbeddc797

SHA512
aaf2e93fc8efaf8939d32e004b84897224add94919ac59b53a31128305a0f23c1f6ef14ceb66a328186c948175b2ec01c59036a94a2d1b800cef64e3fd5f6459

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
15141d196700ed890630c88a516c8477

SHA1
06b36bd1bb61e96120eb297e6cdf7b9280eb6a68

SHA256
de00b009ff48cf319b4f3d60a2f92929dc444e473cebfe43bc9a6deaec0e8b87

SHA512
a5df336d3bd74e232c415511769212fe3db30dceb4455ab56b6c9a3478ba456f7ab5ad880d9dd8330e4e0daa1cf1da0d7e3546a5b77f95bf254996dc4872f916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
cb00a076e7bc996bab288e3ce4407cdf

SHA1
d72dec49bed07be33967d1b9588a51eb44976462

SHA256
e6c369daf424a3fe5528004e7e3be3a041804ea9f5a0cda2682da66ee3a6bed7

SHA512
f77eeefeefd27681dfa03cf3b76a776a11e352ef609a1a2231e3f256eabf4f5a424d704fe5618cd480638c547b4d2fc3f5520292a2ae3ce4a5b3004e386d85c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
38bf8d1f54bae2d43d283847883bd384

SHA1
e04b2d569dadb58ff37309f23806290b2c4000de

SHA256
030f7e45cd941aa6d7c1d072ba8107d3ef453f9c8925ef4cde06f9ddd2bd2046

SHA512
c8175acc98845bcef00695cfb2bde2a68fe44772dab38a319d17319337361b206b096b1056e375b100cc3b08b2a3b5e8262315e4fb4aab579bed6d96e6dec1e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
9fa1a712332326b53ca4c78f085c04df

SHA1
2423118046fee1c818705ce7e1deb32a48facabf

SHA256
be4c94c807ee9f224cc25f8cfd7970b663ae645ba1d4f9f626eab02145b5db3b

SHA512
38b7d5f2faf2f8f0f036eb21d4c84a98ef1526ab7cc5bedb2f17e4d4f85177e2cec9a18b0535ae86c791ac2f6522558b516c022db0f310188d7ce11fd1018d37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
afc2f32a5365a9f5251c3177480d207f

SHA1
af4adcbe20a4c349e0969fb00b268a3202c28918

SHA256
5ec0a675a312d994bc910a825eddcb5d3012f99c84e5849d0045185435a2bfe6

SHA512
cbf832d6c70de6f2f70a4e94359256ce16374e458f4f86db71527f2cd6948a10983e743808eb92959fdd996bf5308ee8aed74f64b3286ac90a6bcf1b2d8f0453

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
4587adbc35ebc8106f1ad7085b86a127

SHA1
19d33e60da30277e0c2a81afdd3d1553a76ef95b

SHA256
088e96b622fb1d0036f0719381bfce1ca44b0e449ead1f3974246ecca36bb6cd

SHA512
d21e3c5d702857b39f2d4d30831a1262ba71b35bc35872dc76bd5acc1e9dccc13c24f0e1dbaf6c6fd9dc71aad777b2c20b36d31970ee6dfd9b8301bd705c4185

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
6994cc1a2e454584e84628256b032833

SHA1
f04afb42f063308cdf6a659ca69a42352ea6aa6f

SHA256
6d7332681153727384615ff5678d13be8fa93a69db23502220b4c9cc4c07eb75

SHA512
9616308faf24887b36512b7feefe0c7831c18162d0187d757cb5c54a4acec60cc6271f17509a6f195d9c43c98d46abaffb19227b4938febce78677dc8c79ddfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
21ee3a885e6a88b661a5bf47c9142914

SHA1
b816431f79f9534b92d437db920dcdc8300a1c9a

SHA256
bcddcc6f7d07d96533d9193aaa1e60ebb90113e1a0504fce37629aea4723f0a5

SHA512
1d575443602b4fdd0a9ac40d44a6ebd44c37fbffd3660e16d6c5cfdb2fcf7f0965aa96078f08963fc2ab9877ff2eb0df80c10276d20ad881dd87fef09c60b211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
42e3a964ee663a5424ca9541af42f39f

SHA1
b873f1e224a9bacceda8f37b506b2a1f30260785

SHA256
fbd5f815f2bc78775d6bde75451d489a9c81dd98f8317ddb32be60a033b44f2e

SHA512
1297d79b5895e62a8ca27efe1731e283012e48be1b7f4b84a117d2337c95c0384a2d67a2160accd1e02420703f0caff4a8b2a11c9a63445114c42f78c9df0be4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2a1e5246f9b484655277e8b6cce8079b

SHA1
068441a33ed5912dffb655991029da75982690c4

SHA256
64ea3725e2dc536b003d912742ef5858f5f0eb00d5da0ab5ba5f6a758d4e651c

SHA512
a8fee510f7f96331336b5117290c4f46d7153bcb69cac8ef81d33343557068db861dd3531a4100590d6ab2e9fa1a98908524ddc8e5963be148d7863546537d02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
050079f8b60d3cd4f22e8a5aacf5cbfc

SHA1
34388797f55a5428b7922a8652a6583ed0e6bc5e

SHA256
02770841d9c4f72d537dbb9491f45971815bb78be0d3b7155d98a527f1a555ab

SHA512
9312a9600ee3daba07816c6c32b2f76c684cf8e7303fe559db3fcdac645cd2f283a9570286443d78b8a4b6186b7fc198ce735f5b0d26dc8cb97bd2d90ec3a7e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
6b18e6e05de7ee34699c4fbb6c5c0e54

SHA1
237280b740782693bfc1b082c7e34f0781752c2b

SHA256
76a0af76e2a1617a3f4cb17c69c800a8f6ecb411c1c17d0f9d5f5f3018490374

SHA512
1dcc3eeadbed8c759fb11d2c9ade93fa40e293270df614152f6c76de89d077aabfe228dafda627097bdc9efc0a2e0a4bb2811101bff052537f23d00a0cdf1b1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d9b468c713ee042c3008ad72d574ad6e

SHA1
9ae033cb069201250fd9f6630704803b53a19896

SHA256
43b806f60d02373e9c64dd9455ad0e9d746c256b4ca2527870df1c8768fc6b72

SHA512
19d4b6cf6318848f3a1a7a960f3ce8f0c5c9f36506dbdd8dda14c0e654150495949d5507cf9c6f04fe6dbbf1c2b4a91d3dcbceb43ca5db09bf7e753deb995669

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a86d7a8b1dd06a4097346659303dabbf

SHA1
7f4f5df118ac53f64d3140aced62d128af12303a

SHA256
d62aff44d4c369063f559784618f19f167ae7c13d84b0b3e4fbfdc26249c3491

SHA512
1fc4fadb00c78f34ae516d6bb3465fd5685644a87a2a5f4a71934f3cec304b94986507e41321ce326fc5a29d9829647b9a67a28c11c7c1fb0ee695a82aa20211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\408d30c7b4b693f9bc899c71096ec02fe6a05fe3\index.txt

Filesize
98B

MD5
6e3f101395d97f79e2ee9756706acc47

SHA1
876fb1521711115bd24a247a4b6c7bb0c19a1b15

SHA256
c4a650f905ff8d5a148e05c641eee6b7e0d0ec86f2273a34932af38e88825763

SHA512
e4f4490c4b5d801c3b298d8d7da8848c6424750d9cdb097c47665f90450a80f05a2435e3257f2d92f102133d8cd92f37594a59143fb6f2b448ee1a231dd3b674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\408d30c7b4b693f9bc899c71096ec02fe6a05fe3\index.txt

Filesize
105B

MD5
e76aaa567330d9c558b2d48815c10400

SHA1
5b2aa835781a8ad4420e6e94ecc46a60fabc9c43

SHA256
a2ef99097dd8927dfd49a214f3170cfa928331529b1457d4c36f553eeea78556

SHA512
5a90de6aa5cf691c98110bfe7e267891a604bd92fa7ef4ced616ade81a1d5f320b0b9be7b99f4473d628c7af34a45c2236ff746fb7ceb973b8ca27b12f9aa934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
86185f0e3a6dc518e74df258e3b25531

SHA1
281123e9b39462d0ea840d4b59245db6e3079ac5

SHA256
999d8d87f105d91bafaea8537c9c449615ed021b19b5062440d057bae0529cc0

SHA512
217e7755d0418d21003cdd99232326de23dd5f4c3edf535bb47f60564c72c75693e31d06eb686f9eede3afb39743e0e941e150669ec61dc7c8f31000446e0049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
50cd0e755b9e3ae879bc3127190bab81

SHA1
9f4b2085e61d0e32477705a549a0eac34b340802

SHA256
66173056c27d8aafefe19fee699472bcefad409aaa74d750d76872870aaf0ddd

SHA512
ce314fedaa52339146b95393a406224cbfaa9fcb62a2c0367ac7829b46689d993c38ebc9893aadd48be4d62a05d9430d1bbad2ca686b4a8da2640877c8eaff0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
fbc97c620b6b014f0832d51daf31debf

SHA1
ab604cd89eb32dd7ed7b906a6f20bb98553ef951

SHA256
e658818c7a407df5dfb298c17724d7afab334c58e73e1562d9009f9d14af573a

SHA512
4319979f8eb111d29d3def228340f2a7cffe77b45926eae12a9667d3c8af13c702aef8275cfcbdf9702ec12d8c5d456b0ddcba3fd51e959477488ae65bdb9c25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
09915610a02b23ac2f43f775cf26f17b

SHA1
dbaf4818ab31d2fd4dab5c5d3eaaaa0433e1bb05

SHA256
780ecf64df1e3f92f9a2ad6defb7364e011c04cf3e87e551ed5d61380cd8e226

SHA512
033c070ae731e5c10d3e05a349a31608308cf412e02ab1b0afd5d565463dd46792479b4460e0b0cb8c1207ce8ebe00c3a53571deb9eccd414cca239dbfe2afa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
f84ff5e54294dbefa1c12914b8fb7316

SHA1
408db4b8d69f6e4b4ce879ebdaab62424f8d5159

SHA256
6df3f69f6bdbcea7686bd3b73c39f4c8ab1c585547ea85a0a0957c8478855303

SHA512
928afff265372e18eb81dd935ca47fe5424ea923c78dbc71bc252996fcb87047b3e195287336ae28ebc217f862b2a2cd7ba8927e20d19264c4627da6b9464055

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
247fd5a00d864b0da23753d2e1e58634

SHA1
d57dd250535fc8cdccd8126fb6a5c76ee47cbb26

SHA256
b91b3765d14d94d7848ecb0785f60185af574d7b236ca812bb3681ab8efe5e94

SHA512
dc4f5274d6997a0bb66a1f23f4dd3aab87868646dc2ab828f4a0a02a60811650d14298b5e5a3cb1bdcda05ce00663052e2804996ded0ba9095e5b480c582a861

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
95ff807e217b8fb2ee40e8b8422492b7

SHA1
17ca76196648aa9a85c6679f7aa44fc08a1bc29b

SHA256
e81502522008d3587d701ca2e27cfc48a9f92cd50c05de27f92994ee1ef30453

SHA512
65036570ef4c9c7f986b92d624b61d3802e6b24915a7af9cbf4ce02cd4e9b654ae39bf62a626e8ac55c9850ec313e19e085a121405938d79d9bf65b73181cf9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
3aa7d86760a7fc2b73f92e7ca5529496

SHA1
fb47a6a44e9962726d156d2bb96645d6591998f1

SHA256
cbe1b20a6f42345ab3986873c31a5850d30bf5ebe1b9c29004dbfcd679c98be4

SHA512
b7e72e2c1f6a1fff039d2519fd99b1a8304d7e567803c4a9fde2f574b930f203795b35abb190abd09f7561c47e992e22fc7f3d4c432db039769ccb79b3add221

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
55f68951425f2abb84337559bf20a986

SHA1
e7ce3497463bb7ed88503ee9f3fdb6bc9265203d

SHA256
a028eba606bec43475a0491292857ca86709687374c1207de9a6028fc980ca6a

SHA512
3ef2d5bb27ccccb5fabb8c70f33d9c0d1eb10ca234232b4e4d5397b42de352b345530f89fa26d2ce01979df504b526da128c6d13470d70bbe4661d3c40c794e3

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk

Filesize
2KB

MD5
0e83deee788c0d2c0194807a1166a86a

SHA1
9fe69924788befd1a30fad5ba39a9748821fc567

SHA256
e1a1ce8aa4ebc1167aa326b69825fe7a50c71a2b5f53311a579aa9adb0bdf394

SHA512
3ae5241900579a5c39723587985590b3ae4c0d450d49a8db33bc500f61bd413cff4f4d5f923da7d2c97205d808042c8c36bc542fe9a86da671d2af43514814e2

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk

Filesize
2KB

MD5
9fa1a712332326b53ca4c78f085c04df

SHA1
2423118046fee1c818705ce7e1deb32a48facabf

SHA256
be4c94c807ee9f224cc25f8cfd7970b663ae645ba1d4f9f626eab02145b5db3b

SHA512
38b7d5f2faf2f8f0f036eb21d4c84a98ef1526ab7cc5bedb2f17e4d4f85177e2cec9a18b0535ae86c791ac2f6522558b516c022db0f310188d7ce11fd1018d37

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
180298e9d34e173765f3c564f3c2a821

SHA1
2c8ee21942fddaa0d8a91151772e0c44d8f6b2e2

SHA256
44544285707c2ffb58bb3f574bfb3da244f152d57a61db981511096cdaa4a9e5

SHA512
56986d211134c3ecdc0fa2dc7553cd237d44b23decefb5a5b73ff70db42f9d28be701a3b4b9a76b2655d71b85575eeba1bd811492062ce9f7bedb2a0e353e822

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0F7456FD78DEB390E51DB22FDEB14606

Filesize
2KB

MD5
d5fdb0116438693f39c5513192bba793

SHA1
6ecad673f347ae217d03eb58f1a8507d650699f4

SHA256
471e11444ab5e4efda80eb35c3a6cee58b4de81c5f11de56485cfb3ccf7b44e5

SHA512
50c5536c5f5eda4c5aa0c4c79210783e43a78252590f01ea8a27829d98ac5904d478f66695ca8755d1dc7615372e559c1109ea23a8b1b3dc1d7088c824008471

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAEBE581FCB73249406FC21094EA252E_BC0CE803EF41A748738619ED7838EEFC

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Windows\System32\drivers\EnigmaFileMonDriver.sys

Filesize
82KB

MD5
6bed4cee4117f47e2ef797da56935c04

SHA1
34ebf65a197f4bd8fffe891130a0b0cb903f75f6

SHA256
0bf9f7247339c1676f6f59ee4647a6266daefa74ca00c7f1ed608bdc3a0ef693

SHA512
8faf611dce276b4877463847248bc7a4f41aa1032c679de55f650536858993c9ec4a8b834017c0c23a5d20e7efb0eb63aadcf94b1df49bd2541413f4448f1ea3

Download Submit
\??\c:\programdata\enigmasoft limited\sh5_installer.exe

Filesize
7.4MB

MD5
911736872bcb9f85b9181c7d785ee032

SHA1
806691ea5f3cf3cd335b00e436c51c9cb85bc9a4

SHA256
46dda74095b229c3724b4ef7e5f4c05b0b0e15426ca76e9ac947475f21459d19

SHA512
016c73a7e8ecad84ba73e220a37869bdf8465411a2085133112ba1215b92553c3ff7194e425b94b13b43f0152a0c1194376c87c5ffbd2441df0f3236d2b8fda6

Download Submit
\??\c:\users\public\desktop\spyhunter5.lnk

Filesize
1KB

MD5
db03b820ec1746c9115ce0e3d9d20f4e

SHA1
1e7ffea79521e56a7ca3b629bcdc93739ca20594

SHA256
0e9873a0a9384f85b953dd70c351a60ea2ec1fcfc5d46b3e8389038db9424c20

SHA512
838c638b0c6b5b7041788742cc5a147ebbce1811ac63c7ce07b60c0c2ec857e6ff2ed6597ec898aad7c889a0381d2779406264344be0f73cc12b9c171c94d411

Download Submit
\??\pipe\LOCAL\crashpad_4968_SQSQJSWNGXCACDKS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit