Malware Analysis Report

2024-09-23 07:02

Sample ID 240617-aqc14svgrd
Target 9f118f55da238fd05aaab0f2e313899563863786a7208d3488262d128ffed262
SHA256 9f118f55da238fd05aaab0f2e313899563863786a7208d3488262d128ffed262
Tags azov discovery persistence ransomware wiper
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 9f118f55da238fd05aaab0f2e313899563863786a7208d3488262d128ffed262 was found to be: Known bad.

Malicious Activity Summary

azov discovery persistence ransomware wiper

Azov

Renames multiple (148) files with added filename extension

Modifies file permissions

Adds Run key to start application

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 00:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 00:24

Reported

2024-06-17 00:27

Platform

win7-20240611-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f118f55da238fd05aaab0f2e313899563863786a7208d3488262d128ffed262.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9f118f55da238fd05aaab0f2e313899563863786a7208d3488262d128ffed262.exe

"C:\Users\Admin\AppData\Local\Temp\9f118f55da238fd05aaab0f2e313899563863786a7208d3488262d128ffed262.exe"

Network

N/A

Files

memory/236-2-0x000000013FB80000-0x000000013FBC7000-memory.dmp

memory/236-3-0x0000000000120000-0x0000000000125000-memory.dmp

memory/236-10-0x0000000000130000-0x0000000000134000-memory.dmp

memory/236-5-0x0000000000120000-0x0000000000125000-memory.dmp

memory/236-4-0x00000000000F0000-0x00000000000F7000-memory.dmp

memory/236-0-0x0000000000130000-0x0000000000134000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 00:24

Reported

2024-06-17 00:27

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f118f55da238fd05aaab0f2e313899563863786a7208d3488262d128ffed262.exe"

Signatures

Azov

ransomware wiper azov

Renames multiple (148) files with added filename extension

ransomware

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" C:\Users\Admin\AppData\Local\Temp\9f118f55da238fd05aaab0f2e313899563863786a7208d3488262d128ffed262.exe N/A

Enumerates connected drives


Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\9f118f55da238fd05aaab0f2e313899563863786a7208d3488262d128ffed262.exe

"C:\Users\Admin\AppData\Local\Temp\9f118f55da238fd05aaab0f2e313899563863786a7208d3488262d128ffed262.exe"

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Files

memory/1416-2-0x00007FF79E7E0000-0x00007FF79E827000-memory.dmp

memory/1416-5-0x000001E027330000-0x000001E027335000-memory.dmp

memory/1416-0-0x000001E027340000-0x000001E027344000-memory.dmp

memory/1416-3-0x000001E027330000-0x000001E027335000-memory.dmp

memory/1416-4-0x000001E027300000-0x000001E027307000-memory.dmp

memory/1416-9-0x000001E027340000-0x000001E027344000-memory.dmp

memory/1416-8-0x000001E027330000-0x000001E027335000-memory.dmp

C:\Program Files\7-Zip\Lang\RESTORE_FILES.txt

MD5 78ede93114e65f9160fd03d3357c56e6
SHA1 88d531b101e57655f1d0d26c6b3257aa2468d460
SHA256 c97412fbf88da8f91099a52888dea4c3f222cd95af3e681e3271cbca8b6b7bb5
SHA512 074a4c741273902ccacb6f573b96d8accedb2ee405dbd04350cdbf54d180c1fd577a4e90c2aae26bf72f3782403f4494db6e3501a04cfd9d7d81a6bc14884b9d

memory/1416-141-0x000001E029030000-0x000001E0292A0000-memory.dmp

memory/1416-457-0x000001E028BF0000-0x000001E028BF1000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 049da44c9824843de60447dcfa539048
SHA1 6540f12cbbfdf47a84ece219bc18ae1ba4291395
SHA256 6d46eb9d7c38b3826924f45df8a799e3df5ea3059a3bfbcd29f678e618476ca5
SHA512 57014e19d1e1f68bee2c4e12a7324e7de57a2db9a847cc56042cb0b8ab4579cd11b2076f1b86ed0145fb7e2e36cba8d84a894168c1320e76cd3408bddf02d184

memory/1416-474-0x000001E029030000-0x000001E0292A0000-memory.dmp