Malware Analysis Report

2024-11-16 12:19

Sample ID 230708-w1g9gahd32
Target shao.exe
SHA256 a99cde4467e750e6d5f95b8395f18f5fdc308cff2b120563cb822aec488891d8
Tags
phobos evasion persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a99cde4467e750e6d5f95b8395f18f5fdc308cff2b120563cb822aec488891d8

Threat Level: Known bad

The file shao.exe was found to be: Known bad.

Malicious Activity Summary

phobos evasion persistence ransomware spyware stealer

Phobos

Renames multiple (126) files with added filename extension

Deletes shadow copies

Modifies boot configuration data using bcdedit

Deletes backup catalog

Modifies Windows Firewall

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

Unsigned PE

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-08 18:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-08 18:23

Reported

2023-07-08 18:24

Platform

win7-20230703-en

Max time kernel

84s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\shao.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (126) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\shao.exe C:\Users\Admin\AppData\Local\Temp\shao.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\shao = "C:\\Users\\Admin\\AppData\\Local\\shao.exe" C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Windows\CurrentVersion\Run\shao = "C:\\Users\\Admin\\AppData\\Local\\shao.exe" C:\Users\Admin\AppData\Local\Temp\shao.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-264077997-199365141-898621884-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\shao.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb.id[CD92DAA6-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar.id[CD92DAA6-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Louisville C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Vilnius C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\clock.js C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_zh_CN.jar.id[CD92DAA6-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\lgpllibs.dll C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunjce_provider.jar.id[CD92DAA6-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\org.eclipse.rcp_root_4.4.0.v20141007-2301.id[CD92DAA6-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerEvaluators.exsd C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File created C:\Program Files\Java\jre7\bin\deploy.dll.id[CD92DAA6-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiItalic.ttf C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunmscapi.dll C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cuiaba.id[CD92DAA6-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Iqaluit C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar.id[CD92DAA6-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File created C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif.id[CD92DAA6-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST7MDT C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\settings.css C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_realrtsp_plugin.dll.id[CD92DAA6-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bishkek C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-10 C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Rome.id[CD92DAA6-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Goose_Bay.id[CD92DAA6-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_rest.png C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\localizedSettings.css C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe.id[CD92DAA6-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Web.Entity.Design.Resources.dll C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Windows Media Player\en-US\wmpnetwk.exe.mui C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Windows Media Player\it-IT\wmpnscfg.exe.mui C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\settings.css C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZTOOL.ACCDE.id[CD92DAA6-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_hu.jar C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Resolute C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.ja_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File created C:\Program Files\Mozilla Firefox\minidump-analyzer.exe.id[CD92DAA6-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ShapeCollector.exe.mui C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Grand_Turk C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Thimphu.id[CD92DAA6-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\gadget.xml C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\US_export_policy.jar.id[CD92DAA6-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File created C:\Program Files\Mozilla Firefox\firefox.exe.sig.id[CD92DAA6-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\weather.css C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.cpl C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jp2ssv.dll C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_disabled.png C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\GMT C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\en-US\Chess.exe.mui C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iedvtool.dll C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe.id[CD92DAA6-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\shao.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shao.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2356 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\shao.exe C:\Windows\system32\cmd.exe
PID 2356 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\shao.exe C:\Windows\system32\cmd.exe
PID 2356 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\shao.exe C:\Windows\system32\cmd.exe
PID 2356 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\shao.exe C:\Windows\system32\cmd.exe
PID 2356 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\shao.exe C:\Windows\system32\cmd.exe
PID 2356 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\shao.exe C:\Windows\system32\cmd.exe
PID 2356 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\shao.exe C:\Windows\system32\cmd.exe
PID 2356 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\shao.exe C:\Windows\system32\cmd.exe
PID 2272 wrote to memory of 3056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2272 wrote to memory of 3056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2272 wrote to memory of 3056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2100 wrote to memory of 984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2100 wrote to memory of 984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2100 wrote to memory of 984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2100 wrote to memory of 2940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2100 wrote to memory of 2940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2100 wrote to memory of 2940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2272 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2272 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2272 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2272 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2272 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2272 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2272 wrote to memory of 1672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2272 wrote to memory of 1672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2272 wrote to memory of 1672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2272 wrote to memory of 1528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2272 wrote to memory of 1528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2272 wrote to memory of 1528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\shao.exe

"C:\Users\Admin\AppData\Local\Temp\shao.exe"

C:\Users\Admin\AppData\Local\Temp\shao.exe

"C:\Users\Admin\AppData\Local\Temp\shao.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe"

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id[CD92DAA6-2803].[[email protected]].eight

MD5 298e3fc2f416d32d8aa307152e96e0ba
SHA1 7f31d363d664702a38564069b29ec4642e6cac76
SHA256 45eff8941d4369f71baf4650da23ccf246fbd0ea2c379bca27b28de5bfa92f25
SHA512 ebdd15c4101eb149dbfd154dee6ab67b0030a932e086b466b0d364a9d9f280572bc4a254ac4779fe6d006a8627eb283f1d1b384762d1e41ce8611fb18f225c70

memory/1328-1422-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1328-1429-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Rio_Gallegos

MD5 db10fd32bfe67918ed177579d4be9d76
SHA1 44ecf4c5a6fbbd1ace84d0efe91f13d6ba6bb738
SHA256 c936ab1da7ef4314182c8edabaeae90f8d51ed45bc48848d35670adf5b470d31
SHA512 bb574ef876e7529d4f3c4c52cc54aa1814f2c02030b83a5bd7223d4b31c992668c00e4a7e68d4f1caaa6493db4ac84eb649fe59e98feceb9828119cac1e74b05

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao

MD5 2b62a30906a2b8bf3b68abd2ef9d105b
SHA1 9898d25a214dba04ebd7e3030ac9e2e90ea7a369
SHA256 075561eff2cd3ad586776fa904f0040282c5f6a261f6a8fd6a0a524d14cd2d2c
SHA512 6db5955477a9bb5386c1af03df526496f9e64533e6c3071c8e5c44062541e91e9bb39096da947a91bdfa5e7de53c1e047dcf427c1dfde94554d7458f8f0862ea

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guayaquil

MD5 1ef5e829303a139ce967440e0cdca10c
SHA1 f0fa45906bd0f4c3668fcd0d8f68d4b298b30e5b
SHA256 98ce42deef51d40269d542f5314bef2c7468d401ad5d85168bfab4c0108f75f7
SHA512 19dc6ae12de08b21b36c1ec7f353ce9e7cef73fa4d1354c436234167f0847bc9e2b85e2f36208f773ef324e2d79e6af1beca4470e44b8672b47d077efe33a1f8

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana

MD5 71c7e24524aea1022361143d0a876c84
SHA1 b141efff466f27664599dd2aa91f0b7c50736f1d
SHA256 07a692cc9bc920ef8caed75ba9af60ad2d6b144c83bfde3b91a77b5bcce277a3
SHA512 4cd51849de464e0139ce77de3003af1ab1b6c639862fb7d5e8362f33ef0a9828f8af9ebd6d4b4ce9dc5a67084bc5c1106fd3b3327fc428e25c75b780e98d37ff

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Karachi

MD5 d13b5ffdeb538f15ee1d30f2788601d5
SHA1 8dc4da8e4efca07472b08b618bc059dcbfd03efa
SHA256 f1663cceeb67ba35c5a5cbf58b56050ddbe5ec5680ea9e55837b57524f29b876
SHA512 58e6b66d1e6a9858e3b2ff1c90333d804d80a98dad358bb666b0332013c0c0c7444d9cb7297eff3aeee7de66d01b3b180629f1b5258af19165abd5e013574b46

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk

MD5 985f599bb4b81c01d5b5d16ad241d5ed
SHA1 a90b24a33383273378fc6429b95fdf62c4c2e5d5
SHA256 36bce57f9ab26334f370d700cd0a853618cf2051afbe561ba09b0aae5dc371a4
SHA512 fd8f3414083a7b4c75e9a5dc043f38db062971dcac022194c274d5f5816867961736dbf0e17b7da19ca9c835f2e11864e0f305895e8c76eee3d0c5ecdf3e0239

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Adelaide

MD5 0a876dfacfdabc170818581a2e6e6d54
SHA1 376fd52e52867f959cb2076fbbc4d214778a7fc0
SHA256 e28b98a94e0077340a3aece749f2d400c3f06890cec9447f4c2567bd1e7a5839
SHA512 766fb737e92fbd233563887cf8335c9aa4e96d3a970c28b7ddebbd21ca764dc85ee4ebd805538f697ad8b2d59ed0c53bd46d9fb7077d54c136f9c22bedae9cba

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+10

MD5 65435a5d117aa6b052a5f737d9946a7b
SHA1 b8b17ad613463c3c9a1fe928819fb30cb853e6b1
SHA256 ea49aa9f6f6cf2d53d454e628ba5a339cc000230c4651655d0237711d747f50b
SHA512 4f85061ef6c66bf0e030af017af8c7154ed3f7953594ae2cf6f663e8b95ba978a54c171b01f212880e2711c2fd745a12b959ed27e7f6b1847273f70a4010ccde

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Bougainville

MD5 eeb20c9bc165677800b6dc7621a50cc9
SHA1 def5026103297fa44a2185104f2ee400cb93329c
SHA256 6a3a9301bb8dd782bb5c170bedfa73e9e7c60235e6e1840f14bd14b812127ef2
SHA512 d4e72f43c75de83deb0526233423726503354d7112618b44c94e695d159a02b6da4823a2c9a2be8cf71d2c7e42108d0db7edbb54a640579f853e6d110e7599ed

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury

MD5 335a7c8e767a2dd0ecf3460eaabb0bbd
SHA1 111ffd83edcb095d251067456a3a60b754b4c717
SHA256 a0bf83b3948dce6afe987c170a5cd711a3d65fcd5c70e3b7bbfeeb1578544609
SHA512 bf0772423bdc11a4029439acef8922c6c541519ce98bce97681d1a1da32bbf3a73f506138d494d9cc860b6afb3584094565db7683f6b2a2cb30e3e94430d1933

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT

MD5 b8d5d64c3ef0b30644898a80682f5121
SHA1 bbc7b3902250307a2cdbb314abe98e34795032be
SHA256 2f329134686a44ee0362fd0c8b5d071e38bade32a5389e31282f64f565e76759
SHA512 f1f90923769648e585f3f38724d203e4bf6a10cab7c6708f7791a83dd6348b3b9948eaf481baa7bef31ff63d75b6fe1ec00cb888dc1acc8b65b90d96bff39638

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf

MD5 ab9d8ef2ffa9145d6c325cefa41d5d4e
SHA1 0f2bf6d5e1a0209d19f8f6e7d08b3e2d9cf4c5ab
SHA256 65a16cb7861335d5ace3c60718b5052e44660726da4cd13bb745381b235a1785
SHA512 904f1892ec5c43c557199325fda79cacaee2e8f1b4a1d41b85c893d967c3209f0c58081c0c9a6083f85fd4866611dfeb490c11f3163c12f4f0579adda2c68100

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

MD5 b85026155b964b6f3a883c9a8b62dfe3
SHA1 5c38290813cd155c68773c19b0dd5371b7b1c337
SHA256 57ffc9ca3beb6ee6226c28248ab9c77b2076ef6acffba839cec21fac28a8fd1f
SHA512 c6953aea1f31da67d3ac33171617e01252672932a6e6eae0382e68fa9048b0e78871b68467945c6b940f1ea6e815231e0c95fbe97090b53bf2181681ecf6c2dd

memory/1328-4847-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png

MD5 a2bb242dc046bacdc58e7fbbe03cce85
SHA1 052ab788f1646b958e0ea2c0ef47d00141fc1004
SHA256 486a8212c0d6860840d883981ca52daaad3bf3b2ab5be56cdc47ed9b42daba22
SHA512 d9bb4c0658f79fbcf22697c24bc32f4ef27ddf934e8f41cf73a2990d18cdb38379f6b61e50edef8ebdf5a2f59a0f8fa40e000b24f1c55a06cfa161db658326ad

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml

MD5 118db038cff249fc1b96f7a8f2b27620
SHA1 6f804438c7a4af3c57191138510a644d24bde92b
SHA256 8d43407158818d7f3e03cc0a6ae6d789e9e393467ba847a998214eb4e292b989
SHA512 4ee3a5d2c49d50ecd97193828389d3339661f90d8b8d41bea5fc4ffedb26578c738016fc772217f3f5049adadcf744273f6b9f60ba379a8e39fc60188be5dde5

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml

MD5 ceb1e6764a28b208d51a7801052118d7
SHA1 2719eea8bde44ff35dd7b274df167c103483b895
SHA256 99d48b66d590c07b14f4cd68adac79e92616afcf00503a846b6bf4599bfeabc0
SHA512 f4a2df6229bca6c6ef9ef9f432847683238715eddcb1f89c291da5f5900c9a3461204d8495c3450c8bae1c1a661424089554d316468ba1b039a2c50d6e69bf29

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml

MD5 2c16868331f82ff43059dcb0ea178af3
SHA1 983589535e05c495ffeae4b0b31ddcfafe92a763
SHA256 be9ceb4464b22203feffd3700c5570b7d6d44c5d0d357148e1e6d5be5e694376
SHA512 184653d3e40df84cd0052e5d9477201f276ce0e8cbb5e4b7bfac86fc7da325eef476982910be24c20725a6db6617fffd88998d6053c1b694718bc7ab0bde9ea1

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml

MD5 f7c78514872f9cb5585f8d69532cd2d0
SHA1 ff9dfbb62a3b48c85b6434ee831fb33a8dba9526
SHA256 5f7bcd85900e62abb00ce739eaad53d80170a4a6152d951b6825110d2fc17965
SHA512 50ee6ae916ea0e806b73c2e5bb727f6ee4837a696c5bd8559ede78148b40a5d5cdd135e28c8b5153a8fef568fd21ef0708ca198ace89e7120ffb84fd9bc91c01

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar

MD5 8b550761ab80413c9c09f7fb472dbfaf
SHA1 67122822562203c17dd3f762194e470f90ddfa97
SHA256 f5ea79165516de2e7e1efb53d016983f5d18c3184413f044a4002f4b751c918b
SHA512 9546013cf4d45a2c4c609524b7ed4adecc7dc2fecded7c3b7085415a1bcd1c25db5d88bb591ac05fa5a6313763a8e8d5d8fc6ee6610b454cf7696b647e7781fe

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml

MD5 a75d7d422fd00bf31208b013e74d8394
SHA1 3d59f8de55a42cc13fb2ebda6de3a5193f2ee561
SHA256 7a12e561363385e9dfeeab326368731c030ed4b374e7f5897ac819159d2884c5
SHA512 af3a1e15594a0bf08ae34a5948037ef492e71ee33d5d4ac9f24b18adf99a34563ab40ba8f47f2adff5d928f18d8a8cd60fc78e654e4d6cf962292d2f606def66

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml

MD5 d7d2fed9b7c55fe72a6cda66725cb7e8
SHA1 2cb154a1c4a0553658801a088edf87b5816cbbd2
SHA256 a6df5cb2b51fa56609c7daf08d28f0e41801b96f9514a9d179992a63afd516b5
SHA512 0ba4d570d624cc5aa6af629260668ad805285fcedd61002999734fe04cae47016cf52022c327cf22935ded99b30c52d9f041ead60a3425365116bf1bf4cbcf5e

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml

MD5 437687da72730cf42ce36bd093b78b3e
SHA1 693e31dc362426bc4d7a6b2954f7c80267476d66
SHA256 d0d0b1face19fe4a88c6b51f6ced55ae0e00ac548b75809d88089ad431da5d3a
SHA512 7d05e270926dcb452ce405dac9dab6e9e1a0dd247bc93f0940826eb4abecf827acb6f42ef32d3b6f6ac4b46b28d522e0b25f6b8b679affb9a198db8ba4fe2daa

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml

MD5 48e296d8287ae11c252e4277ee885161
SHA1 8a75b573549c2791d38acb3a4d215fa2153b37eb
SHA256 c94a9a55369ccc4b41a71b9c18b04e1778a0913447ca6b5a630135f7a7ac0c1b
SHA512 b17a5a8a6009bfde681829bd7be3b550d8b8bf6bfee19bdd55567163890550980ac0633fd956f117006892638f408c63449d4520b0716e6866ab0858cc3f743b

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml

MD5 e7b188938a141c90dda76cc258c01f8b
SHA1 fdf0e86d2f90e51797779674e429b6f826107a5b
SHA256 77cf0aa8aa6d73f27ad7faa42f7c9a76a689a60d74483f96050dc1cc0adb88c0
SHA512 b106fa59882b0345ce6885d902317af39a3f538731d100e4a92920ee7895ceab8a62d563c4137f8e3e1c7bd61ad6c017ddb301adbc01c7463984b3b245b3da54

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml

MD5 bb95a9de280c528c32806d0d5231de6d
SHA1 bbffb8596f1bc68df5603a10a3672a02ebd3ea8b
SHA256 a7ca0125b93e1a5681d5a9c294ec3a4e5680cc58e44fd223d2dac04232b7367c
SHA512 ac4cad4f24495aa6b0d5ed8aa439554f479cc2fdba4d5dd256f1983fa43a4121c8fdf79ad7ec9d9a396a73fd480bf2f5141ab5303d50c8b6d2ce47d158010a80

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml

MD5 c9580e2bd3527b65bf5b812b477ffe30
SHA1 66e921f302739af54e7a991ce38a1d37ead7c7c2
SHA256 e77bb87374bd3a9b3ccdf932d260091a3ffeb1d1ad9d236b54f0f6797585ebd7
SHA512 e86e61aa09e93395f03b9976d6af4f775be3e017ca371a837e538d440e04b7813d2855c3b7c2444aaa357c9d7a3b5ccca7649c6c557bc3f520b953d96aa93577

C:\Program Files\Java\jre7\COPYRIGHT

MD5 2a79a18a4fce30f9d28abe3b0174812b
SHA1 fce91cb769cb486bd59d97a59943e69418c03e06
SHA256 46570844fde2506ac28543dcde5bd20877b0bb2522a0cb11671513722ddb842a
SHA512 4ed0cfe9d66106e365977378a53f7881d1bd795fda7e89bc8e879888b54bae79ce80746bde779c9aad058000f06d1b96d8e0c7bacb0b871d3fc075e684a0f2f9

C:\Program Files\Java\jre7\lib\management-agent.jar

MD5 4eefd60f439096ed98b6d8a585da12ef
SHA1 75cb70498807b0c823cac760e00652842c1a63c3
SHA256 e743d6195ff2f42282e101f9471874e8df79dc05a69ca20abf22015d48d28c6c
SHA512 78241e2336f4ee826719d5adc70543db0f0767a1660f723ddfce72c170322a13c0f3c547eaea6b6cfc47cdf6d8e5edcaff4bd003cbf3eb9d3435bec5158fb8d2

C:\Program Files\Java\jre7\lib\zi\Africa\Johannesburg

MD5 d1950d80f172e80f1c48685c51835807
SHA1 ae9fb8e72137c1729ffb559aa5f541bff78661c9
SHA256 523c41464ee47d61350e15bc091bc970d73ae2d00bfe7a88bc7fe00ae6202c75
SHA512 a6af7912278d814025fd2825a16943917461c881a8f2ff1972497a3a9f6998e349c5e375d69bc8697ae7197054083e0988198c4fc57cab3184f98f82a07a1a1d

C:\Program Files\Java\jre7\lib\zi\Africa\Nairobi

MD5 9e0573ecb4a0800788a3aa64ad731bbc
SHA1 fa205d2a65684c6245a2272facf45fb12ace4014
SHA256 136dd1a7d0a62859f2077a62b7673c5c712fb750604a15f5f6140ab2c5112327
SHA512 3c01530d43156962f4a2305472eb5dc77464ae3bd88f932a2f55e72355c4c1db1df050c94951a1375ed6f69bbc4102ef6ea45574f4ca293123685564a1334596

C:\Program Files\Java\jre7\lib\zi\Africa\Tunis

MD5 66663b7d29e1bcbcfabbf26496f44d28
SHA1 652e5ca160b40dbdb15b9a3b89ef967d6d44d455
SHA256 8474486baa45dc211adc58156a75954f3542dc65326d6e5b157288711ed74e75
SHA512 aae76395ca6c3fe5e58a64618fb00ba73cf1198450da008edff89366bb9fb5bb62ad91f06b65a3af57c45aec92a67b2d51075c9438b526f5edc0aa4d4f38e17f

C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Juan

MD5 128e5d8a837d1d9b540b96013e4c9f19
SHA1 641eb152f889f8027c1fecec8fd81df2540400c0
SHA256 58bd661ff1a892697366215a8938d1c616cb4523e1ede78b49d155b132430917
SHA512 2a64edb3c126e9d432f8c8592af3121423a93af9d266649bb33b73e3d65a5504db3f00e268a51fb59ddd3e279f03d2048b3b243e9f5602b2399584928ff2a316

C:\Program Files\Java\jre7\lib\zi\America\Blanc-Sablon

MD5 90c805bcb9fa376aacfb38d598ec7bb6
SHA1 c264d31acdf5c68a97ba444c7fd7e8af853122c4
SHA256 dbcfcc77f5774ed3333f3963eb84a324fd967de4d62c96631be6af1d6b3fe136
SHA512 bdd9bfe471648e8a116ab65d97e56f38b2d7516e0ba522de25b284c7b29d089dc039bb653f1b08e6ea0792150cad576adc48890dd6956a6aa29e5175cc5e2f0a

C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica

MD5 1135e286fb5224ef530f4ce0ec4a2835
SHA1 e1ef9d5aba553828ff9b4ff2cf9c1f25b085c6a8
SHA256 4a93894f08d98d707cd9a0274f4c9a51bcfa27e701359e12befcc78ffb488817
SHA512 f57b77dcd655d347fdcfc3a1beada329998824caa5db061553a7c784a163b4641076ba99677a4e648d0477671aa14da7f883b2df8b9ed6eed3985e7c2c8ca4e2

C:\Program Files\Java\jre7\lib\zi\America\Matamoros

MD5 93a2fdbfe3bd18cfa0620f2632efa4d4
SHA1 c0b705de8aa572a851737c34f1721c501473d31d
SHA256 3e84c247e11701fb5451865acb6262c8495d47c5f397a772a7bc01c9ce9f5b12
SHA512 1e5454026ba8100ebf7a32dbdda862c9c315b1f6a758242a7c451ade0ff87ef3757fd8caf58c96a0bd63e7bde72217b9664edfa2bb426f50a9ca9cbc2dde655a

C:\Program Files\Java\jre7\lib\zi\America\Nassau

MD5 4401d715587a3bcf3830b14dd764a25c
SHA1 33117586fe2f2cbfde2a7ff3b1fbf74927a65e42
SHA256 8b3827b7bae22f976e2a59e9957ba8b3b9cee57a4cf923a4da970a8f3c1e79c5
SHA512 7b63cc90c5cb65c3a54ab7249b67d9f12eb86237410eb51e961bd39777f517d65b62a08f018e8d8ce89745c2222b2302a9a007c88771968e81e97a60ce037def

C:\Program Files\Java\jre7\lib\zi\America\Noronha

MD5 527e3a39bc066f9dfcc85c57acc8d262
SHA1 aed5fa100750d77de0ce7e7c2e6d7a322131c910
SHA256 43c2ae1019ad57912662c9bd170d8d6986299bad4ec76811e70c98c4a1ffe3b6
SHA512 a1a0266e0c1b0e8b33e4dd242be63b258df4f2d1ae748583649dcb22ba82c7cd27c4ed12f632f7fd745f484621a303f8ace8c8f91646c74ffc71cf0ab12275a4

C:\Program Files\Java\jre7\lib\zi\America\Regina

MD5 05640f18f5c0807dd96697e31fc5d8ba
SHA1 659edaff37a05ac603d08c90d2b5d26d9c90c78b
SHA256 86fbc959c7ffdeba173fc2baa99a8a93d75ba5d6a83a3e3300bab1b0a46b1d42
SHA512 000113934c92690a06eb580a6128941aef65c5d9ac043811627175332a0a6aaa4f55bcae211aafed8c5a7cba9dae94a162785c749c08392cd42978cef1771b48

C:\Program Files\Java\jre7\lib\zi\America\Resolute

MD5 cb97b848abcb6376d491ac6bd9cbeadd
SHA1 3800020090c3bc180b0cf63fab7b39905680453c
SHA256 d6369598c0846422df1f6e1029041784e34d3b6fcc12a3ba0fc1613a0f80530a
SHA512 5c910d7062750c5f76f87e174eb0b1225453fbf36ba072d04ca025579af6a051c7af85c7772a4756876659ab6f8cc4429c11b3620c3f5298e0599ea4f8d5a644

C:\Program Files\Java\jre7\lib\zi\America\Scoresbysund

MD5 81ed540e1204e3237f63da49df05a7d5
SHA1 88176d30b1bf7d6f87f1ba92dac451b883dc1432
SHA256 256fb9c4796b15a7ec4b0d5319e9e493ca4cffda658310420bdfd31e1c59da79
SHA512 92b183b168ad7cf33673e688094d8199cff7c3063aa3e2b83891838f02ac1a79291e6a36e8216040c588306191634cf51484c79f56106492408dd09079e0f807

C:\Program Files\Java\jre7\lib\zi\America\Whitehorse

MD5 1036f4aae37bd39b2ecc451c487e33c1
SHA1 8d60a72a4873cf55fa7bac47dff692303d17d157
SHA256 b61465acf0031e6a4cc34a66d568bd1735668abf591a6badb1f5f5bc20bf9919
SHA512 3ac2c8d3259ecbc41b186c2861ea6be3e6f9cc6b673a2ef610d42c91b359f31e941aa7de1d6ae801191870acdd6590ec788839cf9c069a7fc658d84582103a62

C:\Program Files\Java\jre7\lib\zi\Asia\Amman

MD5 227fd460860a3ad1fd2b245793c07f95
SHA1 71d8da21d4bb33f4cc32b70b174815e40eda657e
SHA256 693195cf289838146418e1bd05fd1a482c36ff75a77874609d615247285d5b99
SHA512 ce035dbe02b8e15091f7fee997a823dc4a0ef12c14e4f7d8441b9d3d9878bd17036db61e24d4e67db2a6e1f8b50168f6f03311b19713c688691ce4298b1deb2c

C:\Program Files\Java\jre7\lib\zi\Asia\Dhaka

MD5 709c6a80af0276b170c521117ede47c6
SHA1 8e6d9001ca20e76482e1ab88d54d47c65c8c7836
SHA256 d8129de4286dc4fd245c7776b51d76aaa727956e8fc88ff928eb69ff7fc17e0b
SHA512 bef13fa741340cb7c1174406f76f9c65445c76ec091e47daa8537b5f769ad2231347c61144ce8f6e4cb16fd5cd27bb169930c3f8c3b5b9e24e6609491fbbd4e3

C:\Program Files\Java\jre7\lib\zi\Asia\Dushanbe

MD5 0d4ec840c1db49efd9ea0f2dd0a7c66e
SHA1 df44812586d12298c713564804b42142fb68a8c9
SHA256 2091501cde52f2dd75b74ad947075b6381c5f503af97a66b592b7caebe9e36cf
SHA512 85585ff43a93051adce2aa4f7213bb5a8e4b4160bc1ba20eb061fe1b7d489cc07676b512e00c37ec63d76e08cc98598901ae6babaaf57a0c59eda9f621c1bbfd

C:\Program Files\Java\jre7\lib\zi\Asia\Jakarta

MD5 5f54d1240735d46980b776af554f44d3
SHA1 acf7707c08973ddfdb27cd361442ccfba355c888
SHA256 2c80619d7e7c58257293cda3a878c13e5856f4e06f6f90601276f7b9179c9e07
SHA512 b1f542f68a48608ae53904fbe2105bd8f3e544941abb38ec9d24cb7a26f916ef94cfb431cce0c64077dc2934913130d78492914a5e9ffc52f311e68217caef15

C:\Program Files\Java\jre7\lib\zi\Asia\Jerusalem

MD5 433b6e531d44ca54bab63198a3f6b388
SHA1 f1dceea33541fd68c8e9caaacc76f062da393a90
SHA256 c00b114d3e1a4d978c0051e7e8503f7fd30dea142240d6b950164a37cce3edaf
SHA512 ca77aab2370179c0f5eeb6b8ed8b56eae5c3083860f51eda2031f7d5772e2018011ad5b004b1db1e1b5bc2e4c0f300735eac814cf913f54791fa26375d3eaa11

C:\Program Files\Java\jre7\lib\zi\Asia\Manila

MD5 38397588c4d02f8b95c263852e9aee7a
SHA1 80691ad30930c04fe1bb2f645f9c6c0548ece80d
SHA256 42d699d9e89e439804c0981f96b1a3fa7dbe42c6be1dbca6211c6faa4e0e2463
SHA512 e46b5c1865b53513bb10be9e3a2c2a54ee9e88f83e8802e85e728a2364ab649ecd4af605b41d7583688f8a78d1b49e36f1ef5b8824ab89885578eed8ebdbfd15

C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk

MD5 88a4ef65b666e053c28c9e023d8579f5
SHA1 4a9c1d641605648e7e0ff0f87d1ea6d21ff42a06
SHA256 88d5d20f83be8b19edd7cf53771fa94c1a67429f7bf9cec90822dc84a3a434a3
SHA512 9ef796e128b899f33feb0fba39017a0365e6289c3249ef6d2aae61c6c0283febf89626323bcee6e1e3fb9e80c4908c2ca09ddd53396ac41c78ba2e5c47500f0d

C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda

MD5 a1534d6e98a6b21386456a8f66c55260
SHA1 c7239c0fe3b7a00d812e548f4cb9d8d863e8c251
SHA256 4c555a3d8b83f80c2e0d0b647769e82148ebe7e27811d0a63277d6f61abafbbc
SHA512 af0302203a3ccb765aa4ce1b1ab524ffa500d62e179ffb527b76d2b62f5ba31b037902d8d46278378e7255a91251f06c0779fe4940d47a582415a201b0e401db

C:\Program Files\Java\jre7\lib\zi\Asia\Seoul

MD5 64321e9c7da09049fe84bd0613726226
SHA1 c2bed2099ce617f1cc035701de5186f0d43e3064
SHA256 e43fe96a7f7ec0a38984f78c064638b2daa75e261ab409bbbe2d3e590265ec7b
SHA512 4f56b895d0ab27f71ad4f5e54309538ab3052955c319ca5f718e6b8f8fbed1bd5f51f036eff7cd82d4403ad4b93395ddf75dc8621041ef5c5ca916c1113104c7

C:\Program Files\Java\jre7\lib\zi\CST6CDT

MD5 359a1339722ce22ffdafcf70fb387a3d
SHA1 a958f03b193b09efcd8d35934c33b524b4e0cd7b
SHA256 fbb4fa31c3fa0c14ccb3fe426e39dcad529b17e379309c0adbe27fcc93feba50
SHA512 4a90df2fa4bfee474f9e79570ae05a26b6752f0244ab755a49ac0d38f69f28ed97b134092f353ded2c968a3d9baf2d08a73eee2943e8116b65c4c8357bf2dc0b

C:\Program Files\Java\jre7\lib\zi\Europe\Oslo

MD5 677bb0dcac881a5a4638ede690ca721c
SHA1 ab8e52e9f345d8152a39110c9ebbc07bfe37b182
SHA256 97d364e2d3d35f030a038c41bbadc42d0c15fa8d79ba569987e19fddb2e80f9a
SHA512 6485b77c5bd7581ba0f80318493879df55d29606e30bd8a609f18a94da581c46e2284287869d3d1b7dd2857a5388fd97c87070279305b66e10d67430d5c96a06

C:\Program Files\Java\jre7\lib\zi\Europe\Vienna

MD5 fb4aa89fb89bf94d0590a3174d1193ff
SHA1 c3812f2105099071c24141a994a9d5087199dbf7
SHA256 655a3ef0465a9f30fddf25f4dde0c19a05c6f9069b83961800c1944165955273
SHA512 a494c0d9faf3defa9ff320421d0c00e4e39845f7e998c6a06c50b5e7edbb1ed7a948dda23ace06a3433843615553d2357f1cb04acb4ad1155ec43f1d07511524

C:\Program Files\Java\jre7\lib\zi\Europe\Vilnius

MD5 515d8db6175667b02ed715ba8aff0b2a
SHA1 44ca509396091b269d47da24e3d7e09fd8da7268
SHA256 d50e2d8474134908822ade46e27717d1a22aaa2d4ebd66ee14c988ecafc01461
SHA512 b0003c56ca6ca6789847ca2d75eb762a7da8870cde67cde39baa6d8a50c0a4c62fa1cf67bebb892ea50515ea7913209bdd0ae946b76ddbb1aef46a8f9cba5b8b

C:\Program Files\Microsoft Games\Solitaire\desktop.ini

MD5 22577911e88af39f79409e6de8eed4d9
SHA1 93436ea60c5dcdd2e9893a025f560ab72422ae8c
SHA256 e08dd9962eedb16e12840ea2a977cc07bc5fa8d96259682edaa080573d525e4c
SHA512 2db5f3b0000212518614c74c73dca3205cda5751aa2504ad9bf9b98be46e98143c064980dce9a8a6372305840946717c38e244d9e1f2ecbdff683fc1f0a8fbb5

C:\Program Files\Mozilla Firefox\xul.dll.sig

MD5 69016e6a597d194701476b8e04d4e028
SHA1 71a24ddb0c5bbd321d3f09d7b322c3655fb5e129
SHA256 4740d289d0a31bc1fc00e255845b3d8ba7cec2d6d0ee92177d23aa293f9fca3a
SHA512 a9399ea57f65c6569e2a9e9ebe9fa2da7184ec92a555549f39cbbe9dff15530ad526107a2a2304d822be37580a965c6ea4e88a46adebd8ff3af402d2c25321ae

C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png

MD5 6294c74db1a4aac788765b4e0a0278b5
SHA1 81e9bbc06946e3c078d1c1aa150ca93e501ace6d
SHA256 ab3df617aaa3140f04dc53f65b5446f34a6b2bdbb1f7b78db8db4d067ba14db9
SHA512 a4a83643031063cab4226cef7e215765e6f997ce7719173632a66a45bfc0a710b3e6bc19a590108bda91576030e2e37f77e339a3f4e71478d96dafb0d46d2941

C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac

MD5 c3e4eefedd55eae4334456daa4aa0ad7
SHA1 ba9abe2d4d40bbd94530564b6eb178ec02a47204
SHA256 7081ba3d8887be22551f56b5f50da675bda7dd02f40e9fcb150ac84fccbe387f
SHA512 a302516427a81e59fe955f4316fd56b8e5207542b1abdd7eb3fc2e9dbc669849dce90d12d9160b59d45af233e63e2156f3a3f1e7807b7ae1b1225a94d472cea3