Malware Analysis Report

2025-08-10 20:05

Sample ID: 250704-pdnpeasrw7
Target: hjsplit-3.0-installer_RN-hkU1.exe
SHA256: 73ce5730dea408cc582c76d901d19df1fb8158a5309e0bd82a6f014bd749c896
Tags: discovery, spyware, stealer
Score: 6/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file hjsplit-3.0-installer_RN-hkU1.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Downloads MZ/PE file

Enumerates connected drives

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

Program crash

Reads user/profile data of web browsers

System Location Discovery: System Language Discovery

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Script User-Agent

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-07-04 12:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-07-04 12:12
Reported: 2025-07-04 12:13
Platform: win10v2004-20250502-en
Max time kernel: 15s
Max time network: 30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\hjsplit-3.0-installer_RN-hkU1.exe"

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S1TJT.tmp\component1.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\7zS0C6896D7\setup.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7zS0C6896D7\setup.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-C911K.tmp\hjsplit-3.0-installer_RN-hkU1.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-S1TJT.tmp\component1.exe N/A

Enumerates physical storage devices

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-C911K.tmp\hjsplit-3.0-installer_RN-hkU1.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-S1TJT.tmp\component0_extract\OperaSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cigevpu3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hjsplit-3.0-installer_RN-hkU1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\is-C911K.tmp\hjsplit-3.0-installer_RN-hkU1.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ C:\Users\Admin\AppData\Local\Temp\is-C911K.tmp\hjsplit-3.0-installer_RN-hkU1.tmp N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-S1TJT.tmp\component1.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C911K.tmp\hjsplit-3.0-installer_RN-hkU1.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5728 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\hjsplit-3.0-installer_RN-hkU1.exe C:\Users\Admin\AppData\Local\Temp\is-C911K.tmp\hjsplit-3.0-installer_RN-hkU1.tmp
PID 4872 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\is-C911K.tmp\hjsplit-3.0-installer_RN-hkU1.tmp C:\Users\Admin\AppData\Local\Temp\is-S1TJT.tmp\component0_extract\OperaSetup.exe
PID 4872 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\is-C911K.tmp\hjsplit-3.0-installer_RN-hkU1.tmp C:\Users\Admin\AppData\Local\Temp\is-S1TJT.tmp\component1.exe
PID 1728 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\is-S1TJT.tmp\component0_extract\OperaSetup.exe C:\Users\Admin\AppData\Local\Temp\7zS0C6896D7\setup.exe
PID 4708 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C6896D7\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS0C6896D7\setup.exe
PID 4708 wrote to memory of 6112 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C6896D7\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
PID 4864 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\is-S1TJT.tmp\component1.exe C:\Users\Admin\AppData\Local\Temp\cigevpu3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\hjsplit-3.0-installer_RN-hkU1.exe

"C:\Users\Admin\AppData\Local\Temp\hjsplit-3.0-installer_RN-hkU1.exe"

C:\Users\Admin\AppData\Local\Temp\is-C911K.tmp\hjsplit-3.0-installer_RN-hkU1.tmp

"C:\Users\Admin\AppData\Local\Temp\is-C911K.tmp\hjsplit-3.0-installer_RN-hkU1.tmp" /SL5="$501F8,872750,867840,C:\Users\Admin\AppData\Local\Temp\hjsplit-3.0-installer_RN-hkU1.exe"

C:\Users\Admin\AppData\Local\Temp\is-S1TJT.tmp\component0_extract\OperaSetup.exe

"C:\Users\Admin\AppData\Local\Temp\is-S1TJT.tmp\component0_extract\OperaSetup.exe" --silent --allusers=0 --otd=utm.medium:apb,utm.source:ais,utm.campaign:opera_new_b

C:\Users\Admin\AppData\Local\Temp\is-S1TJT.tmp\component1.exe

"C:\Users\Admin\AppData\Local\Temp\is-S1TJT.tmp\component1.exe" -ip:"dui=7a4d93d7-64f1-4cca-8000-ca415943782f&dit=20250704121321&is_silent=true&oc=ZB_RAV_Cross_Solo_Soft&p=fa70&a=100&b=" -i

C:\Users\Admin\AppData\Local\Temp\7zS0C6896D7\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C6896D7\setup.exe --silent --allusers=0 --otd=utm.medium:apb,utm.source:ais,utm.campaign:opera_new_b --server-tracking-blob=ZjViNGRlYTFkZmM3YjBmOTczZmI3MjA1NjU3M2U2Y2E1NmY3M2QzZWRkMjUxODI5YzUxMmZlZmY2MTlkYTkzZDp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cyIsInRpbWVzdGFtcCI6IjE3NTExOTQ4NDYuMTUwOSIsInVzZXJhZ2VudCI6InB5dGhvbi1yZXF1ZXN0cy8yLjMyLjMiLCJ1dG0iOnt9LCJ1dWlkIjoiYTU4ZDRjOTMtM2QzOC00ZGUxLWE1N2MtN2Q5YzBkZjdmMWUyIn0=

C:\Users\Admin\AppData\Local\Temp\7zS0C6896D7\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C6896D7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=119.0.5497.141 --initial-client-data=0x260,0x264,0x268,0x23c,0x26c,0x7ffd27f3a108,0x7ffd27f3a114,0x7ffd27f3a120

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version

C:\Users\Admin\AppData\Local\Temp\cigevpu3.exe

"C:\Users\Admin\AppData\Local\Temp\cigevpu3.exe" /silent

C:\Users\Admin\AppData\Local\Temp\7zS0C6896D7\setup.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0C6896D7\setup.exe" --backend --install --import-browser-data=0 --enable-crash-reporting=1 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4708 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20250704121332" --session-guid=01ff45ec-b7e0-4c2d-8156-c5d00f5ad77f --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4005000000000000

C:\Users\Admin\AppData\Local\Temp\7zS0C6896D7\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C6896D7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=119.0.5497.141 --initial-client-data=0x26c,0x270,0x274,0x23c,0x278,0x7ffd271da108,0x7ffd271da114,0x7ffd271da120

C:\Users\Admin\AppData\Local\Temp\7zS49DD71E7\UnifiedStub-installer.exe

.\UnifiedStub-installer.exe /silent

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4872 -ip 4872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 908

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4872 -ip 4872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 908

Network


Files
