hxxps://www[.]glarysoft[.]com/malware-hunter/

Resubmissions

09/11/2024, 01:40

241109-b3wjnavbnr 8

09/11/2024, 00:46

241109-a4yjzawmfn 10

Analysis

max time kernel
126s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/11/2024, 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.glarysoft.com/malware-hunter/

Score

8^/10

discovery evasion execution persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	MalwareHunter.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	MalwareHunter.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	PCBooster.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	QuickSearch.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 13 IoCs

pid	Process
3980	mhsetup.exe
5224	version.exe
3544	MalwareHunter.exe
1272	MHCloudSvc.exe
1512	Initialize_Standalone_Pro.exe
956	statisticsinfo.exe
5316	MalwareHunter.exe
5484	x64ProcessAssistSvc.exe
5776	MHCloudSvc.exe
3500	mhtray.exe
5328	PCBooster.exe
1208	QuickSearch.exe
5408	MemfilesService.exe

Loads dropped DLL 64 IoCs

pid	Process
3980	mhsetup.exe
3980	mhsetup.exe
3980	mhsetup.exe
3980	mhsetup.exe
6088	regsvr32.exe
6108	regsvr32.exe
6140	regsvr32.exe
3980	mhsetup.exe
3980	mhsetup.exe
3544	MalwareHunter.exe
3544	MalwareHunter.exe
3544	MalwareHunter.exe
3544	MalwareHunter.exe
3544	MalwareHunter.exe
3544	MalwareHunter.exe
3544	MalwareHunter.exe
3544	MalwareHunter.exe
3544	MalwareHunter.exe
3544	MalwareHunter.exe
3544	MalwareHunter.exe
3544	MalwareHunter.exe
3544	MalwareHunter.exe
3544	MalwareHunter.exe
3544	MalwareHunter.exe
3544	MalwareHunter.exe
3544	MalwareHunter.exe
1272	MHCloudSvc.exe
1512	Initialize_Standalone_Pro.exe
1512	Initialize_Standalone_Pro.exe
1512	Initialize_Standalone_Pro.exe
1512	Initialize_Standalone_Pro.exe
1512	Initialize_Standalone_Pro.exe
1512	Initialize_Standalone_Pro.exe
1512	Initialize_Standalone_Pro.exe
1512	Initialize_Standalone_Pro.exe
3980	mhsetup.exe
3980	mhsetup.exe
956	statisticsinfo.exe
956	statisticsinfo.exe
956	statisticsinfo.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5484	x64ProcessAssistSvc.exe
5316	MalwareHunter.exe
5776	MHCloudSvc.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MalwareHunter.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MalwareHunter.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	MemfilesService.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\MalwareHunterTray\closesilentmode.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\MalwareHunterTray\downloadsetenable.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\PCbooster\menubtnskinhover.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\StartupHelper\CloseMove.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\languages\Tieng Viet_thanhnguyenit9x93.lng	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\languages\chinese.lng	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\languages\polish_Andheppy.lng	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\setting_active.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\MalwareHunterTray\addenables.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\PCbooster\download2.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\PCbooster\left1.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\StartupHelper\SettingMove.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\dbghelp.dll	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\Register\edit_disable.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\QuickSearch\images\min_menu2.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\Register\contact_us.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\like_back2.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\question_min.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\setting.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\MalwareHunterTray\scheduledscan.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\PCbooster\speeduphover.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\StartupHelper.exe	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\Register\menu_active.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\about1.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\setting_block.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\setting_check_disabled.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\MHContextHandler.dll	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\data\ModuleInfo.ini	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\MalwareHunterTray\partcheck.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\MalwareHunterTray\tab_btn_click.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\QuickSearch\images\main_menu.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\StartupHelper\1.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\StartupHelper\2-1.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\Register\about\feedback-hover.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\Register\about\home-click.png.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\setting_check1.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\StartupHelper\Level-1.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\StartupHelper\TimeNumber\4_2.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\Register\buy_click.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\log_behabior.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\MalwareHunterTray\danger.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\MalwareHunterTray\downloadcloseclick.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\PCbooster\left.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\StartupHelper\1-1.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Cloudscan\Microsoft.VC90.CRT.manifest	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\Register\my_user_normal.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\usb2.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\QuickSearch\images\quick_search_clear_keyword2.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\RestoreCenter.dll	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\close1.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\x64\x64ProcessAssistSvc.exe	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\detail_list_icon3.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\setting_uncheck1.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\QuickSearch\images\mini_back.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\StartupHelper\BackGround-7.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\StartupHelper\TimeNumber\6_2.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\QuickSearch\quick_search_history_click.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\like_back1.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\MalwareHunterTray\usbthreat.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\StartupHelper\OptimizeMove.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\data\DLFileInfo.dat	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\Register\menu_signin.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\skins\default\Register\my_buy_click.png	mhsetup.exe
File created	C:\Program Files (x86)\Glarysoft\Malware Hunter\Resources\AntiVirus\speedup_scaning.gif	mhsetup.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5284	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	statisticsinfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MalwareHunter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QuickSearch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	version.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Initialize_Standalone_Pro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MalwareHunter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhtray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MHCloudSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SchTasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MHCloudSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PCBooster.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x0011000000023c8e-168.dat	nsis_installer_1
behavioral1/files/0x0011000000023c8e-168.dat	nsis_installer_2
behavioral1/files/0x0008000000023ca8-326.dat	nsis_installer_1
behavioral1/files/0x0008000000023ca8-326.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DA70BB7F-6D27-43D3-9348-04FACAE39186}\TypeLib	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6D99648-2F1B-4E05-8DAD-7E98D058AE95}\TypeLib\ = "{CE2B987C-8D49-47D7-B0C2-9890C986EECA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CloudSer.HashManager\CLSID	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E41E653-D0B6-440D-B4D6-5BE85BB08E06}	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MHCloudSvc.IMHDataManager.1	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99963030-D775-49F1-89D2-04246085A4A9}\ = "_IIMHDataManagerEvents"	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA847F47-97F1-4D78-AB99-C63CA1C327F0}\ProgID\ = "MalwareHunterContextHandler.CContextM.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA847F47-97F1-4D78-AB99-C63CA1C327F0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5BAF0B98-3BFB-41AA-910E-B14CC12CAA06}\Programmable	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F1893E6-DA20-44DA-8B77-5E881F670B91}\TypeLib\ = "{3BF9E79E-B4A8-42C0-BD19-2944EB00E621}"	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99963030-D775-49F1-89D2-04246085A4A9}\TypeLib	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MalwareHunterContextHandler.CContextM.1\CLSID\ = "{EA847F47-97F1-4D78-AB99-C63CA1C327F0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA847F47-97F1-4D78-AB99-C63CA1C327F0}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CloudSer.CloudService.1\ = "CloudService Class"	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F1893E6-DA20-44DA-8B77-5E881F670B91}\ProxyStubClsid32	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6D99648-2F1B-4E05-8DAD-7E98D058AE95}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CloudSer.CloudService\CurVer\ = "CloudSer.CloudService.1"	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CloudSer.HashManager.1\ = "HashManager Class"	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E41E653-D0B6-440D-B4D6-5BE85BB08E06}\ProgID\ = "CloudSer.HashManager.1"	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0F1893E6-DA20-44DA-8B77-5E881F670B91}\TypeLib\Version = "1.0"	MHCloudSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\*\shellex\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00777352-B7D6-4BEE-AA9B-0F1EBDC1A69D}\VersionIndependentProgID	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00777352-B7D6-4BEE-AA9B-0F1EBDC1A69D}\TypeLib\ = "{3BF9E79E-B4A8-42C0-BD19-2944EB00E621}"	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CloudSer.HashManager\CurVer	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99963030-D775-49F1-89D2-04246085A4A9}\ = "_IIMHDataManagerEvents"	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE2B987C-8D49-47D7-B0C2-9890C986EECA}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MHCloudSvc.IMHDataManager.1\ = "IMHDataManager Class"	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MHCloudSvc.IMHDataManager\CurVer	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB8A1CB-C624-4411-96AE-02A89AF7B006}	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99963030-D775-49F1-89D2-04246085A4A9}\TypeLib\ = "{3BF9E79E-B4A8-42C0-BD19-2944EB00E621}"	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MalwareHunterContextHandler.CContextM.1\CLSID\ = "{EA847F47-97F1-4D78-AB99-C63CA1C327F0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6D99648-2F1B-4E05-8DAD-7E98D058AE95}\ = "ICContextMenu"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1267C653-22AD-4A9B-B34F-E7BE90420D17}	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6D99648-2F1B-4E05-8DAD-7E98D058AE95}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MalwareHunterContextHandler.CContextM.1\ = "CContextMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CloudSer.HashManager\CurVer\ = "CloudSer.HashManager.1"	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAB8A1CB-C624-4411-96AE-02A89AF7B006}\TypeLib	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAB8A1CB-C624-4411-96AE-02A89AF7B006}\ProxyStubClsid32	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E41E653-D0B6-440D-B4D6-5BE85BB08E06}\LocalServer32\ = "\"C:\\Program Files (x86)\\Glarysoft\\Malware Hunter\\Cloudscan\\MHCloudSvc.exe\""	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1267C653-22AD-4A9B-B34F-E7BE90420D17}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA70BB7F-6D27-43D3-9348-04FACAE39186}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA847F47-97F1-4D78-AB99-C63CA1C327F0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE2B987C-8D49-47D7-B0C2-9890C986EECA}\1.0\0\win32\ = "C:\\Program Files (x86)\\Glarysoft\\Malware Hunter\\MHContextHandler.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E41E653-D0B6-440D-B4D6-5BE85BB08E06}\Programmable	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAB8A1CB-C624-4411-96AE-02A89AF7B006}	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB8A1CB-C624-4411-96AE-02A89AF7B006}\TypeLib\ = "{3BF9E79E-B4A8-42C0-BD19-2944EB00E621}"	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99963030-D775-49F1-89D2-04246085A4A9}\TypeLib\Version = "1.0"	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MalwareHunterContextHandler.CContextM.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MalwareHunterContextHandler.CContextMen\ = "CContextMenu Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE2B987C-8D49-47D7-B0C2-9890C986EECA}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\*\shellex\ContextMenuHandlers\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA847F47-97F1-4D78-AB99-C63CA1C327F0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BABD83F8-E723-4D8F-B5D1-B03E1F1108F5}\ = "CloudSer"	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MHCloudSvc.IMHDataManager\CLSID\ = "{5BAF0B98-3BFB-41AA-910E-B14CC12CAA06}"	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1267C653-22AD-4A9B-B34F-E7BE90420D17}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3BF9E79E-B4A8-42C0-BD19-2944EB00E621}\1.0\0	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F1893E6-DA20-44DA-8B77-5E881F670B91}\ = "_ICloudServiceEvents"	MHCloudSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1267C653-22AD-4A9B-B34F-E7BE90420D17}\TypeLib\Version = "1.0"	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99963030-D775-49F1-89D2-04246085A4A9}	MHCloudSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex	regsvr32.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 539204.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4004	msedge.exe
4004	msedge.exe
1288	msedge.exe
1288	msedge.exe
2108	identity_helper.exe
2108	identity_helper.exe
4972	msedge.exe
4972	msedge.exe
3980	mhsetup.exe
3980	mhsetup.exe
5328	PCBooster.exe
5328	PCBooster.exe
5328	PCBooster.exe
5328	PCBooster.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5328	PCBooster.exe
5316	MalwareHunter.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	3544	MalwareHunter.exe
Token: SeDebugPrivilege	1512	Initialize_Standalone_Pro.exe
Token: SeDebugPrivilege	1512	Initialize_Standalone_Pro.exe
Token: SeDebugPrivilege	5316	MalwareHunter.exe
Token: SeDebugPrivilege	5316	MalwareHunter.exe
Token: SeRestorePrivilege	5316	MalwareHunter.exe
Token: SeBackupPrivilege	5316	MalwareHunter.exe
Token: SeDebugPrivilege	5316	MalwareHunter.exe
Token: SeRestorePrivilege	5316	MalwareHunter.exe
Token: SeBackupPrivilege	5316	MalwareHunter.exe
Token: SeDebugPrivilege	5316	MalwareHunter.exe
Token: SeRestorePrivilege	5316	MalwareHunter.exe
Token: SeBackupPrivilege	5316	MalwareHunter.exe
Token: SeDebugPrivilege	5316	MalwareHunter.exe
Token: SeRestorePrivilege	5316	MalwareHunter.exe
Token: SeBackupPrivilege	5316	MalwareHunter.exe
Token: SeDebugPrivilege	5316	MalwareHunter.exe
Token: SeRestorePrivilege	5316	MalwareHunter.exe
Token: SeBackupPrivilege	5316	MalwareHunter.exe
Token: SeDebugPrivilege	5316	MalwareHunter.exe
Token: SeDebugPrivilege	3500	mhtray.exe
Token: SeDebugPrivilege	5328	PCBooster.exe
Token: SeDebugPrivilege	5328	PCBooster.exe
Token: SeDebugPrivilege	5328	PCBooster.exe
Token: SeDebugPrivilege	1208	QuickSearch.exe
Token: SeDebugPrivilege	5408	MemfilesService.exe
Token: SeBackupPrivilege	5408	MemfilesService.exe
Token: SeBackupPrivilege	5408	MemfilesService.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
3500	mhtray.exe

Suspicious use of SendNotifyMessage 41 IoCs

pid	Process
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
3500	mhtray.exe

Suspicious use of SetWindowsHookEx 45 IoCs

pid	Process
3980	mhsetup.exe
5224	version.exe
3544	MalwareHunter.exe
3544	MalwareHunter.exe
3544	MalwareHunter.exe
1272	MHCloudSvc.exe
1512	Initialize_Standalone_Pro.exe
1512	Initialize_Standalone_Pro.exe
956	statisticsinfo.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5484	x64ProcessAssistSvc.exe
5484	x64ProcessAssistSvc.exe
5484	x64ProcessAssistSvc.exe
5776	MHCloudSvc.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
5316	MalwareHunter.exe
3500	mhtray.exe
3500	mhtray.exe
3500	mhtray.exe
5328	PCBooster.exe
5328	PCBooster.exe
5328	PCBooster.exe
1208	QuickSearch.exe
1208	QuickSearch.exe
1208	QuickSearch.exe
5328	PCBooster.exe
1208	QuickSearch.exe
1208	QuickSearch.exe
1208	QuickSearch.exe
1208	QuickSearch.exe
5408	MemfilesService.exe
5408	MemfilesService.exe
5408	MemfilesService.exe
5408	MemfilesService.exe
5408	MemfilesService.exe
1208	QuickSearch.exe
1208	QuickSearch.exe
1208	QuickSearch.exe
5316	MalwareHunter.exe
5408	MemfilesService.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 3216	1288	msedge.exe	83
PID 1288 wrote to memory of 3216	1288	msedge.exe	83
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 1936	1288	msedge.exe	84
PID 1288 wrote to memory of 4004	1288	msedge.exe	85
PID 1288 wrote to memory of 4004	1288	msedge.exe	85
PID 1288 wrote to memory of 3884	1288	msedge.exe	86
PID 1288 wrote to memory of 3884	1288	msedge.exe	86
PID 1288 wrote to memory of 3884	1288	msedge.exe	86
PID 1288 wrote to memory of 3884	1288	msedge.exe	86
PID 1288 wrote to memory of 3884	1288	msedge.exe	86
PID 1288 wrote to memory of 3884	1288	msedge.exe	86
PID 1288 wrote to memory of 3884	1288	msedge.exe	86
PID 1288 wrote to memory of 3884	1288	msedge.exe	86
PID 1288 wrote to memory of 3884	1288	msedge.exe	86
PID 1288 wrote to memory of 3884	1288	msedge.exe	86
PID 1288 wrote to memory of 3884	1288	msedge.exe	86
PID 1288 wrote to memory of 3884	1288	msedge.exe	86
PID 1288 wrote to memory of 3884	1288	msedge.exe	86
PID 1288 wrote to memory of 3884	1288	msedge.exe	86
PID 1288 wrote to memory of 3884	1288	msedge.exe	86
PID 1288 wrote to memory of 3884	1288	msedge.exe	86
PID 1288 wrote to memory of 3884	1288	msedge.exe	86
PID 1288 wrote to memory of 3884	1288	msedge.exe	86
PID 1288 wrote to memory of 3884	1288	msedge.exe	86
PID 1288 wrote to memory of 3884	1288	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.glarysoft.com/malware-hunter/
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff837e746f8,0x7ff837e74708,0x7ff837e74718
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17354032440938156301,17917979617060264624,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,17354032440938156301,17917979617060264624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,17354032440938156301,17917979617060264624,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17354032440938156301,17917979617060264624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17354032440938156301,17917979617060264624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17354032440938156301,17917979617060264624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17354032440938156301,17917979617060264624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,17354032440938156301,17917979617060264624,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17354032440938156301,17917979617060264624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,17354032440938156301,17917979617060264624,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,17354032440938156301,17917979617060264624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4972
- C:\Users\Admin\Downloads\mhsetup.exe
  "C:\Users\Admin\Downloads\mhsetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3980
- - C:\Users\Admin\AppData\Local\Temp\nsv124C.tmp\version.exe
    "C:\Users\Admin\AppData\Local\Temp\nsv124C.tmp\version.exe" /versionmh
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5224
- - C:\Windows\SysWOW64\sc.exe
    sc stop GUBootService
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:5284
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Glarysoft\Malware Hunter\x64\MHContextHandlerx64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:6088
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Glarysoft\Malware Hunter\x64\MHContextHandlerx64.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:6108
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Glarysoft\Malware Hunter\MHContextHandler.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:6140
- - C:\Windows\SysWOW64\net.exe
    net stop GUBootService
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2220
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop GUBootService
      4⤵
      System Location Discovery: System Language Discovery
      PID:5044
- - C:\Program Files (x86)\Glarysoft\Malware Hunter\MalwareHunter.exe
    "C:\Program Files (x86)\Glarysoft\Malware Hunter\MalwareHunter.exe" /install
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3544
  - - C:\Program Files (x86)\Glarysoft\Malware Hunter\Cloudscan\MHCloudSvc.exe
      "C:\Program Files (x86)\Glarysoft\Malware Hunter\Cloudscan\MHCloudSvc.exe" /RegServer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:1272
- - C:\Program Files (x86)\Glarysoft\Malware Hunter\Initialize_Standalone_Pro.exe
    "C:\Program Files (x86)\Glarysoft\Malware Hunter\Initialize_Standalone_Pro.exe" /installinit productid=15
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\nsv124C.tmp\statisticsinfo.exe
    "C:\Users\Admin\AppData\Local\Temp\nsv124C.tmp\statisticsinfo.exe" /install /MH
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:956
- - C:\Windows\SysWOW64\SchTasks.exe
    SchTasks /Delete /TN GMHSkipUAC /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.glarysoft.com/update/release-notes/?p=15&v=1.191.0.819&l=1&src=10000
    3⤵
    PID:5324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff837e746f8,0x7ff837e74708,0x7ff837e74718
      4⤵
      PID:4812
- - C:\Program Files (x86)\Glarysoft\Malware Hunter\MalwareHunter.exe
    "C:\Program Files (x86)\Glarysoft\Malware Hunter\MalwareHunter.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5316
  - - C:\Program Files (x86)\Glarysoft\Malware Hunter\x64\x64ProcessAssistSvc.exe
      "C:\Program Files (x86)\Glarysoft\Malware Hunter\x64\x64ProcessAssistSvc.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:5484
  - - C:\Program Files (x86)\Glarysoft\Malware Hunter\mhtray.exe
      "C:\Program Files (x86)\Glarysoft\Malware Hunter\mhtray.exe" /start;655424
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:3500
  - - C:\Program Files (x86)\Glarysoft\Malware Hunter\PCBooster.exe
      "C:\Program Files (x86)\Glarysoft\Malware Hunter\PCBooster.exe" open
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5328
    - - C:\Program Files (x86)\Glarysoft\Malware Hunter\QuickSearch.exe
        
        "C:\Program Files (x86)\Glarysoft\Malware Hunter\QuickSearch.exe" /Mini 66902
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1208
      - C:\Program Files (x86)\Glarysoft\Malware Hunter\x64\MemfilesService.exe
        
        "C:\Program Files (x86)\Glarysoft\Malware Hunter\x64\MemfilesService.exe"
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17354032440938156301,17917979617060264624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17354032440938156301,17917979617060264624,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17354032440938156301,17917979617060264624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17354032440938156301,17917979617060264624,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17354032440938156301,17917979617060264624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17354032440938156301,17917979617060264624,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3040 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2796

C:\Program Files (x86)\Glarysoft\Malware Hunter\Cloudscan\MHCloudSvc.exe
"C:\Program Files (x86)\Glarysoft\Malware Hunter\Cloudscan\MHCloudSvc.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Glarysoft\Malware Hunter\AntiVirus.dll

Filesize
1.2MB

MD5
b7f3ae85295f4ca116ff9d63a1f8db3a

SHA1
aa060b543068833c5bb1b0008db177622ae4cebf

SHA256
d539de7fcfe7d196ada34e0dcbe157de7ee57a6572dec392b5677d30d96811b9

SHA512
0da2e823e40e88bd4a42b4a00b22dc619f0d1540268a000161621dd7c4a56b55920da4f1e5389e5410db7fe9c5f2718c8539c2a1d4d63d00eb79cf0eaf2154bf

Download Submit
C:\Program Files (x86)\Glarysoft\Malware Hunter\AppMetrics.dll

Filesize
110KB

MD5
6198cbb5ed246dfc272d2b70c44a2b5f

SHA1
e7b1505e347e53761f1eab9e1b4357a8d0741844

SHA256
aa463af11719cf1e771178808928c8c1a539671ec79fe88a1e46319270d459fe

SHA512
8094daf5cdeddcb2065163becff706532dbb66f35bc1ff00e5a31d9e233eb1c0e5657ecb87b70fe8cdafedc7733eb46a60986bd32425fdbe8014b1945ebdd6f0

Download Submit
C:\Program Files (x86)\Glarysoft\Malware Hunter\CheckUpdate.dll

Filesize
698KB

MD5
bd2f3006617acb27e454e6c887e69b6e

SHA1
e66bd62a6129a7d549a2fb70ae6200a77fb9b331

SHA256
450f736c08b1783d7d2e7fc478d6008087df9dae81c19576de1970a39d1726fd

SHA512
2aea82fbfcc312c5a150cb63195b315ab0781244b55f7d57092ca826a8c15f5f407785991729da48c0cb042464aa25791e36d8d7246469a8db4b18cc88fa7a81

Download Submit
C:\Program Files (x86)\Glarysoft\Malware Hunter\Cloudscan\MHCloudSvc.exe

Filesize
352KB

MD5
7f4a0b2d600c8df2450d87ca69760485

SHA1
976d5c4838a2703bee1064a3f368145b1ba63433

SHA256
3ca41f25bb186ca29370771273f8be72444f82ddaec604104a7d41e78ed8749f

SHA512
c5a450db93e5ff1f21466e8acd774eabe47d9977dcb384dcfc85ef490a42ba2639836b11ee84489049148ca33930a4b80d50072451779ee4220aeea0664b0804

Download Submit
C:\Program Files (x86)\Glarysoft\Malware Hunter\CollDLFileInfo.dll

Filesize
38KB

MD5
5ca3d1a0fe9cfc25b70b9318b740682c

SHA1
4b9ebedaf3d5fb6a4a0fb32e330b5dedfc41210d

SHA256
68bdf0b5eb151f2047b5d0e6db56605b3982e4530c5c400517ea925f44b93683

SHA512
68ede84d89dee87fedbf3948a2253a4af1adc20a1e8dbe23736c6e4bc7263a69e8b0eb39df0227bb171a83b3ce59d29c0f2a33532e0742b3308d4b886fa373b3

Download Submit
C:\Program Files (x86)\Glarysoft\Malware Hunter\Config.dll

Filesize
277KB

MD5
d478c989e59240739c82dfa81fa836c3

SHA1
3d970b0ba65811ffcd72e03d402e1b34a6b973f3

SHA256
a4c1d9251bd2f2f01b026d9ed3fe75074064d6fca1331b61288c7796408f4b18

SHA512
671014788a02e72e5212e0a2a2d8d001bd88a17bbba446c1d5b98c3f3a31dfdd31118234b78bf4df6d66952ea509d48ab0d0f7a1df203df65b1e90855f3b019e

Download Submit
C:\Program Files (x86)\Glarysoft\Malware Hunter\CrashReport.dll

Filesize
300KB

MD5
2cfecae183cce0d6b5833b389fbd9fef

SHA1
f44e5837fe91753eed4e7daccb077b3c240574e4

SHA256
184392ed58c9bd651646497c2167adb5498dedc28d6be38329d4b697be34c282

SHA512
91e20d64779db8fe75cc45320d46b91f4e11ad8513391260820821a30ff6fb8c9ff8e10d4136ad4227e5763d53fb102c371fd82cfd1b60e8d581c4d99bc21ce5

Download Submit
C:\Program Files (x86)\Glarysoft\Malware Hunter\MHContextHandler.dll

Filesize
139KB

MD5
d0cca1fdb1cbce7d84ba4dcfb24712cb

SHA1
2226ac399924fec7378a06a05e4896cd6c0b1f35

SHA256
6598a2b62daa5b178802caa455eb4ceb3ba9c93ba6aff62e71f29b8584095cd1

SHA512
f45322e22b2b5bd7383bf6e45b6856df294551b65349301bf43d14b527d7e312cc50e58327c3dc1be08dc5741d80c15576203722e1ea541c0e220396516e1294

Download Submit
C:\Program Files (x86)\Glarysoft\Malware Hunter\MHFilterDll.dll

Filesize
65KB

MD5
a669ca32c961a7bf3a562877fd83adab

SHA1
fb4d310588da0c8d4b0969655e6d938616fd36d9

SHA256
be22237a25127f1bec32fc5786ecf411cd1210ec55f8ce459b4a98fe489e8cb5

SHA512
3e16d8d8ee562f14786318dd2a4146f2a34b6042e49f88af2d0d51b6d108e1830973e86c49a7a020506f6106afdf6105adb6d885f14736e14cfeaa8ed7836cac

Download Submit
C:\Program Files (x86)\Glarysoft\Malware Hunter\MachineCode.dll

Filesize
322KB

MD5
92a8ff05621a0ee2555611e6b1b37f32

SHA1
4a04d7b89dbdcaa258b61e0e60d9f10014ff57a1

SHA256
00d24b51be533f323c91b9ca0e610f7744e54503c801e166a8babc6ae377aa55

SHA512
28cf419d84204e590a403e07e54e18266fe4a9adfd14e33ef313bfce1439793d476ee8ca42fe1e7cc17401ad5db95192669836095ff15cc52a2e0fbc24aa9a4f

Download Submit
C:\Program Files (x86)\Glarysoft\Malware Hunter\MalwareHunter.exe

Filesize
1.2MB

MD5
1fd500b562e739955b3cce61eca09c64

SHA1
f5f17c4dac2c12aa4962ecf164aa5f5d46421884

SHA256
cefe988108860464ec4dd50c16030f512dc38ba6714f36129854801a496b6f4f

SHA512
f526e3f8747703f19be9239bf4c6bb457430c12c7f57f7260b095e93fc1924453d1c99020510735ac5eb182234a1ef4bf41a5e514a29fe48117660d63735f94b

Download Submit
C:\Program Files (x86)\Glarysoft\Malware Hunter\ObjectAdmin.dll

Filesize
80KB

MD5
120813ac5d6bc96233b6a6b97131a64e

SHA1
4ecb7afc6d1dbfc0fe51616a0d237fb3f91362b5

SHA256
0bb4d331a3172480ac39a36001c88015ab48e2022bbf17ae8c586adeff5d4f2d

SHA512
ef9afe73d2493546c88f8954e0d14a6758945df10fc4de3b42b35ca3e868a547d1c4010f2789a5b16790c5e883ec3ddbca4623298f3e693b748b925d5d7e5802

Download Submit
C:\Program Files (x86)\Glarysoft\Malware Hunter\ShortcutFixer.dll

Filesize
341KB

MD5
987a6bbf86f28bc34d15c89204a2fc09

SHA1
f0d48ff296a4831ab7216beaf1f1fd9a1af874d4

SHA256
3dff514bfee1b9f5cb40ed142152f33f4b9b97206ad6d8f24763ac265dbb4cbf

SHA512
861ea6d5885fa36a881c47a42482feb079eedbc70d29457bc3bdb69bec7e154485668b9680eb0e1e8cd8923caf59251d2b2e6816aee88f11680a9177b901ac2e

Download Submit
C:\Program Files (x86)\Glarysoft\Malware Hunter\data\ModuleInfo.ini

Filesize
14KB

MD5
8a10968310e4d45b6f7b99915d62c5ef

SHA1
6f8deb93635eea7f8317aa0c7af775ab5f69d4b5

SHA256
7fac6288c276578259665ce2d304dde65311f39994821d1f33d40b0312dab015

SHA512
426983f93c4e5d735b167aa6eb280f2d8ca1014015cac0112dad3cc80771321cd6023b9af1b078d54cb8208ef740bf1097a5882c15285fa5067a7b3ed1fecc7a

Download Submit
C:\Program Files (x86)\Glarysoft\Malware Hunter\dbghelp.dll

Filesize
1020KB

MD5
74edbb03de3291fcf2094af1fb363f1d

SHA1
16b5d948ed7843576781dc4f2a391607ac0120a4

SHA256
dca9f45efed8eab442b491aebda3e3cce7f5f9fc5de527d2dbdfd85a5be85dfa

SHA512
b08eb03c54f25979c5aee745530ecd51c5761eb99871b867ff84e14590b32ef3247e17cf63bf953ee1efcb0fda8c4540191b9280db33359fdca352967e42b289

Download Submit
C:\Program Files (x86)\Glarysoft\Malware Hunter\languages.dll

Filesize
53KB

MD5
38137d130aa1972c8db066bbc62303cc

SHA1
d3771a93cac022eb2d9af1ec85b892a121f00019

SHA256
89c871343a782fc2ff42c271e6d4b4a055713fe379ce7ebbf96230d2c0c818bd

SHA512
eb6774a3efc4187f872c3a56d482ccced535077632f3545c6ff501ef684bb8ec708512ebe8da846e9f89cbfa085ec2795de362a3b83cdab4ef6b6210885158de

Download Submit
C:\Program Files (x86)\Glarysoft\Malware Hunter\languages\english.lng

Filesize
93KB

MD5
cab79a23842e2854b0247d8b6b953127

SHA1
b7ebaf7afc24192f59d2228c88e4309163397084

SHA256
34edac350196c8c38be74f0bd4a21d6373443e38f20e83ec80edb99cd28f62c9

SHA512
0d459202a05101545ddbc52c8355dd75dcdba2db7b1b86132304ebeda7707bff94f0de59b83ec16b6f559cf5e41c9fceb072eb6de4a38910ab8d4eb6bc06ef01

Download Submit
C:\Program Files (x86)\Glarysoft\Malware Hunter\libcodecs.dll

Filesize
970KB

MD5
f1ee85ad0300197ad100d77548fcd08d

SHA1
6262894dbcce5c7cd4bc86485144d6fffd8f5cd1

SHA256
efa9e7d310810da57f30a17ddfaafac84069bd8fa26d124b2d0c6755367d0cbd

SHA512
d5ee6ec89693f61714cc3836b215c14d149ec338b6156176fcb87b64289e161709a2badd13072f3fc8d5b13a82c33e3a18bb6d35434878a5ec2ec48d095e3740

Download Submit
C:\Program Files (x86)\Glarysoft\Malware Hunter\settings.ini

Filesize
75B

MD5
2f1c64011dff825daeb1fa438fe85c1d

SHA1
e5163f8fd10e8e83409567797526f1bcf8f342a7

SHA256
d83d6e4cdd34ac2e34409624da1d26d7ce78337642f7128b288720d8b3647dfe

SHA512
0482153c96bc32e1482e4da30c9978c9c618936bf8a15230ed7b7e176e65c4e9a969485c95363aece768c42cf276b710e32370817a71b4eec94dfbd6de7e1f49

Download Submit
C:\Program Files (x86)\Glarysoft\Malware Hunter\x64ProcessAssist.dll

Filesize
51KB

MD5
08d87e5e7bd40d71d47ceb2982ccce8a

SHA1
30769e7ba07ebfe6449d005dbbc0194d277a0f05

SHA256
9021406853af458f1842d5711f29e3a104dba4f531d03819606f5d656ceaf289

SHA512
132d0091955f97ca8da363a3b8261690167deb4db570910b3c0bd582b9015c1755be7c9968cb4cd08abf02a63f7e9b00dc0915b15309369f625eb7598ce344cf

Download Submit
C:\Program Files (x86)\Glarysoft\Malware Hunter\x64\MHContextHandlerx64.dll

Filesize
163KB

MD5
e52f0419d1cc3aca3be8a4f2d2dadf85

SHA1
41d842ea47c20de6cdace870de7b6731cbbdac44

SHA256
c15328bb8fc88c4ad315fe44119689c0e5913423b310feb796869fdabf158ece

SHA512
4c88ef5d5698281d50543cec2041e03042c9e4ad7fdddee73b259eb556993ce9737320c1f52e6b28d648b120e35d9ffaff1ace01cff3d9d6f21b0b0fb438963d

Download Submit
C:\Program Files (x86)\Glarysoft\Malware Hunter\zlib1.dll

Filesize
92KB

MD5
5f2765bc124bdacde245a16ae23650ea

SHA1
1373b03c4e9c96afee8fd73f7dd25e18a22cb3fa

SHA256
4205bad10dcf7c5424bff9fefb03af2f63e0ab904dbdc6fc343eef4ceca497c0

SHA512
297ef41131044fcf87bbfe3fcb6d3c8918aa749ca04ac5414f063f03a7bb2db2435ba48ef2533aa2e73a502af1008e708e2f847b6275ec5789c53784bcc8d3aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
00329f2c3fc12dffafbb0300419b456c

SHA1
0928c4773284f750620c8741c56de85208492757

SHA256
7312ea146d00fcd4c5335aa7b8467b51d0fe0677320223269446b801a7953ea5

SHA512
8293b09ca545d454b9fe6554c7a11c77a6682de9f93a8c558aa4814c774edefadab81bf05795c25c041c051298b90fafa86fd176f3fca98c0578e34425bfab87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
5b2088ace43bbb32eb34171c258916b9

SHA1
bacda44f95fde3c8015302937048b915f016d282

SHA256
4347c9c096e7903f5be9f7225592fbc5c9684fb4060226212ea9479d5ec47c5b

SHA512
2f3bdc5192c01f8a07a5948255a7e128eae81e8ec15633d224a3b845c7c4f5d4596021aa1d95836ef527f4987f1ee7ea6dd3228d0039b0168d52bdb99b9c80ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
7373810c72db678e7a42a2568a397685

SHA1
7537e6c129b6102cb20c9d3e29c08977b3515b9a

SHA256
65bd1766607303b12206196db523d65d821c41a09ff8b4c843a5b23c7307402c

SHA512
b19f52ff68d10a1c2f0bf96935801b2bba7532df9e81a5598171d645bd2d4072dd72594c2bf5b5de60f4fec7913d6556271bc1c4d0f49388856a2db4e1c45ee4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
bc294006c0acb34a1d8c6e034c321a13

SHA1
599734fc14ca87487714d5e299dae232baea3809

SHA256
03409d770e3c747b7a68283c8044be2715f595939a32ed59f394e9f877a3b227

SHA512
920cc1177df897a4984a281d2e5c4f848fc0f4b1bbc54194286610185e2f47536c8a53e770bd56f2ba397519ee09c259f8c435fa4a4b5e042f22104c0ef1e599

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a4d1dffa42a3946c772d0e746761856a

SHA1
fa84a1fe66a0a94a3485005f4579b594f3ded890

SHA256
647c2763d465ae5cc86f356336572e0512d49777f016c4ff1d3a84c0312b3a2f

SHA512
b63d3ea1cd95a94b14a13a73e053ef690af55ca05878fd3877eacbe52a46982bbefa71db368d31dc12478fe908f7044a1bad571651eff2db5d014a81b0066700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3fed0bdd7c3cb0fb86691b442d25dd9b

SHA1
97038bdb85aed7bc067404b678ddfc36348cba24

SHA256
870d71694c1ec33f041aa642be7e5040a716d82e42a579662ea92f4e1a13ab19

SHA512
c8a1d1fb4415fe6c076569646fdb8f98a52e66fd4ff0885605b7ac479ae47db0e76b3d0ce1643807609bd85a95fee6947ff5038475ab8b9b49aaff80a5eea6d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
70e8f80168da4ae400cece895b529d12

SHA1
efcf688e12d489c5e7f97568e71bbe2ceb678304

SHA256
45533a2d08d7d69a30f9541dd683ce73ee76875fe4f962ed62429a72f5924a71

SHA512
60b01a40327ef02ac169f13a0fb0ef3cd2686c38d9557858cb0ffaa6ef967f8f8557106cc5ce781ac8a0d1bc90c879192a2d2c694070c85c376512c023c13820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7ba5c2bdc1e0953b73b66fe232806220

SHA1
3228e6612b67e4338035ff1b866742193a166d5a

SHA256
5f6b8076a3773a68e32512bcec70ca786dc9eec683a3d719a8cc2933b024e04a

SHA512
0cdf8bbd0f924aec27f0d442cd80b34ba5d4cf125af89b48227e60178f52a6ad12c4ec3365f5bf93c7de6a9e87e5ae602005a1eedd72b1ee00721c890434ff5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ccfd958825c9c913ee14807bf7535df7

SHA1
dac5f3c9c8184e14692115938f91531a0ba32118

SHA256
945c3bb0bdebe22f496b39f289a8a114b0f0ea233c65af82d3133c89830aee26

SHA512
06ff5914c6730f47d0f4aaeac0f340f87c24055dfd25ce6040f58efa1955ef62ac237b5798b0766eb0baacade64b73e4e6d997ead068e7a0c8a5e1624f313583

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
51724e5822b7ef8db04f23dad60763e2

SHA1
8f7cdd3071042702573b589cfbf632952a93ec89

SHA256
72797b4aca87e560629f1ba37b3a984b568c7386ecd335dd51a33b38869b92e7

SHA512
112c7a95e4769e555d4592c97d6ebd22b4c5bfe9f00134a9ac5686908af35747638a19fd22d9b07734a33dc2d094196b3e4189b23b82b3f3123cf003d27d884e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e1d98872066ac3d3ec27cc3dd169f3b0

SHA1
3e51308b64d0edc5b65feee4a3a662d1f20fb861

SHA256
f9b3dbd870a970be4f18e2fafd376a37fba3f5bb62de92c451777429a1a761b9

SHA512
c09696f044da697673acd2e5fb8afc4541b99e5117aab69c3a22a644ac241c58c39b2808d2035502fbfbc6e92a1f40d069fda2545507143c6c49d2993b713e7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3695b9ff91e3e7f29a0f2c30e69c8616

SHA1
744c37b5cc7f6c765c7fea1e2cdf4f6a9aaa0d57

SHA256
cf0f561d8be04df31e5cfb753bdf943315e2aed1d58bbc9660ae74a0f8bb0623

SHA512
ead67b6a969be16a61618c718b00e92593fe994d8008f6b7ffa368be5380e62f997abf36b7a19b5d0597ead70368617d8898716bab6d353b853c2dde07a4fe63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f0ceacbf90098232360e602dceaa8bcf

SHA1
fcf11f337cd48c753d5ee016fc36fcc576bea862

SHA256
4b9a023246f9adfa733ed0cfe43c90d03529defd05eee11f71f465bf00989fe4

SHA512
b17989ee45b8069b685813656bffb6354b66395e69e998c57c4354e27c589cb63905792419f060af2860b681ca83344359c471b480e29a947dcb9c0ac531a321

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ebc9631090fa782398ead622baffee81

SHA1
3bcf5bcc98c457c24e1b83149e27a6fad1db355e

SHA256
7ca721e8580da63d1898cda94e8ac2df7046c396f363ce48873d4cfba728d736

SHA512
aaed1bd8350cff37ecfda4afe44299d2f257ac6193b79edafd214f6cf3e6833754a2e4bd1bfb14e4cfbb55b5c8c2bed7506b0147599ae3ac95a8e1a1c7b3ba6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dbcb08e25654b5d8cc9992811f658446

SHA1
fb1015a168f8cc10a56693c3ea41c2a730fb4fdc

SHA256
083c3dc4d674cc9b468f135757ef47409b72001629195a0b6bedafdb7689d58e

SHA512
0f803d62d3afef1bdd6bfa05675ef25bef3ab2e15206b2eae29510b3fa720707b0843b9f4b904859f6c520815018548ed4449f19a41deec8b50be7041208cfc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp6A6E.tmp\Inetc.dll

Filesize
21KB

MD5
92ec4dd8c0ddd8c4305ae1684ab65fb0

SHA1
d850013d582a62e502942f0dd282cc0c29c4310e

SHA256
5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934

SHA512
581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp6A6E.tmp\xtInfoPlugin.dll

Filesize
160KB

MD5
8f358cfd9f9e30e64c536cd7dc5ce415

SHA1
cbca484d99ce8da6badebfb507550974af821c21

SHA256
6f12201a1c80198b9c9a6667c459c348230c587839a1f7b1133e14720b708aca

SHA512
14c69403c62ee82b5357980f0c76a4d9b80c7725790e0b9691a60394efc2787361f6b7dee83ca62f1b9ef6eae90bdf7d033b8c4ba6bacd51403187004b944c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv124C.tmp\InstallOptions.dll

Filesize
14KB

MD5
5f35212d7e90ee622b10be39b09bd270

SHA1
c4bc9593902adf6daaef37e456dc6100d50d0925

SHA256
31944b93e44301974d9c6f810d2da792e34a53dcacd619a08cb0385ac59e513d

SHA512
7514810367f56d994c6d5703b56ac16124fab5dfdcfbe337d4413274c1ff9037a2ee623e49ab2fb6227412ab29fcc49a3ada1391910d44c2b5de0adeb3e7c2f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv124C.tmp\KillProcDLL.dll

Filesize
14KB

MD5
2f8a43c3581af1f31ce8d9da0c03465b

SHA1
3cce52e1dd53191127a98b324644c5cc581295ca

SHA256
97b5b3985736cc0f49ceb2da68b01ce51fa821b6da3cec69cfeebfba8d626845

SHA512
fd4ffab70048664c2f9aab375bb4c5cd89b3ff525335633dfd895dddf2be0791c56f585a9675f0a91be0d20882260709c847e0c8757e0fb49f80a932b187eab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv124C.tmp\MalwareHunter.ini

Filesize
834B

MD5
75fced26b0e827fdc6f24278835dc605

SHA1
e90e18094cfe672231f80de2e30ae5d73c842b39

SHA256
c5a1fc4e1dc8dfb93a193b35464db54ec961154129ac243d7d79e1c9dd061613

SHA512
8623da8906257f6d00bb0a2034aafcaf10d66a5d9bdf1f24c9780f4a8bfc2ff81d9e77ccefe9a0487ed8e3be71bbba7ebff4c56ee7521a42b573a214f788d631

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv124C.tmp\MalwareHunter.ini

Filesize
921B

MD5
8039b4cfe10f96c6820138cf5b45cc84

SHA1
5f45a8df461053f762acfa3e7e977f819a72a345

SHA256
9c8e61b9829e49c3d48e4d31782dc6159bcb5dab3b6fef1be6c34e3a27f4db11

SHA512
934b97801503f9f35190e093efbe57015e496480bccadd4b97e16994b58d3f90e7b60431e960a327b736cc6bc0dd568f160b397651b654f37ecc93cf34cecfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv124C.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv124C.tmp\modern-wizard.bmp

Filesize
149KB

MD5
ce70354c0c90d16bdc0eecee08adf1a3

SHA1
963985fc48b10c1d2bdda20d44d75e76e08309b5

SHA256
f17b5e4b527bde239c096f12fa44b90745268f75cff5f84ab999bcc9f9611e02

SHA512
82f78905010a00c3e93cacbf8603395ac57466381b875d4b4842ef1ca0d3a09427194be548279ddf73f85342a3e0c7eba41c35965b733c3e358120c4e54af696

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv124C.tmp\nsDialogs.dll

Filesize
9KB

MD5
1c8b2b40c642e8b5a5b3ff102796fb37

SHA1
3245f55afac50f775eb53fd6d14abb7fe523393d

SHA256
8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c

SHA512
4ff2dc83f640933162ec8818bb1bf3b3be1183264750946a3d949d2e7068ee606277b6c840193ef2b4663952387f07f6ab12c84c4a11cae9a8de7bd4e7971c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv124C.tmp\nsExec.dll

Filesize
6KB

MD5
09c2e27c626d6f33018b8a34d3d98cb6

SHA1
8d6bf50218c8f201f06ecf98ca73b74752a2e453

SHA256
114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1

SHA512
883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv124C.tmp\version.exe

Filesize
147KB

MD5
553c5027c9af59decf9db2e9f661a145

SHA1
d1abf0e36f42021acd4d981ecd03091db0f9333f

SHA256
0dd2f4dbb6a68117d02dd7ba74d2264ff4112077f75ccf80aa473e2ec26ba07c

SHA512
08c460c809ceaca36cfad2b1402b31a882de57e06c37cae2502395b91783f714b880538eb546901a1f6eb8ef8a6f684f792931daea4fdc023eaefd28855c574b

Download Submit
C:\Users\Admin\Downloads\mhsetup.exe

Filesize
49.3MB

MD5
f5836e44f424e2c12562a4cc90ff4e04

SHA1
45dbc73b2267817155272520d040c054bf42cb9b

SHA256
60df5b1acfc5632c68ed8139718302d32bfad44f437a63dd4aa40357d43b4f4e

SHA512
27424a86d7335cff2c294986111aef663eb8e80b08fd3124f788490a0f51a9a43a9d9cc04fc6876b224782e3a64806b0ad38d4e9dc590b2ecd635889604ad618

Download Submit