c47763631d20120057766f2f71f781bf958e22712da4ac933b21db0d615dc93c

Analysis

max time kernel
134s
max time network
135s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinCDEmu-4.1.exe
Size

1.5MB
MD5

4e53befe779f677b1ccec54b84f60a8c
SHA1

9ff4f2ed41d5bd09496d2cfb6e09c4b31659dc19
SHA256

c47763631d20120057766f2f71f781bf958e22712da4ac933b21db0d615dc93c
SHA512

a0fe06176a62be0c0f0f946ab3f9182f1be1020ca6ab2fcfb855254d77c123f95baa48fa6dc6abf73917103534cca713382f90f440917a2a343d54dde2332e04
SSDEEP

49152:kCFdVNpsRKZdJ0ya6wWfumwumbp/afUD+6EVV4dDD/:kaVNpsIF0ya6wWf32p/69Z4dDj

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETC3FB.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SETC3FB.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\BazisVirtualCDBus.sys	DrvInst.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/948-0-0x0000000000F50000-0x0000000000FB5000-memory.dmp	upx
behavioral1/memory/948-1-0x0000000000F50000-0x0000000000FB5000-memory.dmp	upx
behavioral1/memory/948-212-0x0000000000F50000-0x0000000000FB5000-memory.dmp	upx
behavioral1/memory/948-277-0x0000000000F50000-0x0000000000FB5000-memory.dmp	upx

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6d7d14c9-2187-367e-d982-124d92a54d38}\x64\BazisVirtualCDBus.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6d7d14c9-2187-367e-d982-124d92a54d38}\x64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	drvinst64.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{6d7d14c9-2187-367e-d982-124d92a54d38}\x64\SET7A7D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6d7d14c9-2187-367e-d982-124d92a54d38}\SET7A7F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{6d7d14c9-2187-367e-d982-124d92a54d38}\SET7A7F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	drvinst64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bazisvirtualcdbus.inf_amd64_neutral_18ec2ff4b04883c1\bazisvirtualcdbus.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{6d7d14c9-2187-367e-d982-124d92a54d38}\SET7A7E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6d7d14c9-2187-367e-d982-124d92a54d38}\bazisvirtualcdbus.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\bazisvirtualcdbus.inf_amd64_neutral_18ec2ff4b04883c1\bazisvirtualcdbus.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6d7d14c9-2187-367e-d982-124d92a54d38}	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	drvinst64.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6d7d14c9-2187-367e-d982-124d92a54d38}\x64\SET7A7D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6d7d14c9-2187-367e-d982-124d92a54d38}\SET7A7E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6d7d14c9-2187-367e-d982-124d92a54d38}\BazisVirtualCDBus.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Czech.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_hungarian.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_lithuanian.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_norsk.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_spanish.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\bazisvirtualcdbus.cat	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\vmnt64.exe	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Indonesia.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_zh_CN.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\x64\WinCDEmuContextMenu.bak	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_dutch.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_english.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_italian.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_portuguese.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_russian.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Slovak.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Taiwan.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisablerPS.dll	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_kurdish.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_swedish.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\BazisVirtualCDBus.inf	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\x86\BazisVirtualCDBus.sys	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\x64\WinCDEmuContextMenu.bak	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Czech.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_kannada.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_romanian.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_ta.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\x86\BazisVirtualCDBus.sys	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisablerPS.dll	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\x86\WinCDEmuContextMenu.dll	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_bulgarian.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Catalan.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_korean.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_macedonian.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_estonian.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_urdu.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\uninstall.exe	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisabler.exe	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Arabic.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_armenian.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_french.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_slovenscina.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisabler.exe	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_dansk.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_greek.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_malay.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_norwegian.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_portuguese_brazil.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_sr.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_dansk.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\uninstall64.exe	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_kannada.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_kurdish.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_norwegian.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_polish.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\bazisvirtualcdbus.cat	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\batchmnt.exe	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Arabic.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Bengali.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_estonian.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_finnish.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_greek.lng	WinCDEmu-4.1.exe
File opened for modification	C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_malay.lng	WinCDEmu-4.1.exe
File created	C:\Program Files (x86)\WinCDEmu\mkisofs.exe	WinCDEmu-4.1.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	drvinst64.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	vmnt64.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	drvinst64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe

Executes dropped EXE 6 IoCs

pid	Process
2528	uninstall64.exe
2244	VirtualAutorunDisabler.exe
1728	VirtualAutorunDisabler.exe
1968	drvinst64.exe
2236	vmnt64.exe
2860	vmnt64.exe

Loads dropped DLL 13 IoCs

pid	Process
948	WinCDEmu-4.1.exe
948	WinCDEmu-4.1.exe
2528	uninstall64.exe
948	WinCDEmu-4.1.exe
1640	regsvr32.exe
2520	regsvr32.exe
2952	regsvr32.exe
2160	regsvr32.exe
948	WinCDEmu-4.1.exe
1380	Process not Found
1380	Process not Found
1380	Process not Found
1380	Process not Found

Registers COM server for autorun 1 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61}\LocalServer32\ = "\"C:\\Program Files (x86)\\WinCDEmu\\x64\\VirtualAutorunDisabler.exe\""	VirtualAutorunDisabler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A9901FCD-B4DF-43A1-BD5D-6C9F88679497}\InprocServer32\ = "C:\\Program Files (x86)\\WinCDEmu\\x64\\WinCDEmuContextMenu.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0333ECC-5824-4AD9-8365-CCDD20184674}\InProcServer32\ = "C:\\Program Files (x86)\\WinCDEmu\\x64\\WinCDEmuContextMenu.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0333ECC-5824-4AD9-8365-CCDD20184674}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61}\LocalServer32	VirtualAutorunDisabler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57C052A7-AAD7-4230-860D-F6768C8EA59F}\InProcServer32\ = "C:\\Program Files (x86)\\WinCDEmu\\x64\\VirtualAutorunDisablerPS.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57C052A7-AAD7-4230-860D-F6768C8EA59F}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A9901FCD-B4DF-43A1-BD5D-6C9F88679497}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0333ECC-5824-4AD9-8365-CCDD20184674}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57C052A7-AAD7-4230-860D-F6768C8EA59F}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A9901FCD-B4DF-43A1-BD5D-6C9F88679497}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D0E37FD2-F675-426F-B09A-2CF37BA46FD5}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D0E37FD2-F675-426F-B09A-2CF37BA46FD5}\InprocServer32\ = "C:\\Program Files (x86)\\WinCDEmu\\x64\\WinCDEmuContextMenu.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D0E37FD2-F675-426F-B09A-2CF37BA46FD5}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\VirtualAutorunDisabler.EXE\AppID = "{6C50E507-74A2-4434-95A6-53563A797FF6}"	VirtualAutorunDisabler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\VirtualAutorunDisabler.EXE\AppID = "{6C50E507-74A2-4434-95A6-53563A797FF6}"	VirtualAutorunDisabler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57C052A7-AAD7-4230-860D-F6768C8EA59F}\NumMethods\ = "5"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E0333ECC-5824-4AD9-8365-CCDD20184674}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{918988CF-2AFC-404C-90F2-5443D7A319E7}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9901FCD-B4DF-43A1-BD5D-6C9F88679497}\ProgID\ = "WinCDEmuContextMenu.DriveContextMenu.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{918988CF-2AFC-404C-90F2-5443D7A319E7}\ = "IVCDImgContextMenu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BazisVirtualCD.Nrg\DefaultIcon\ = "%SystemRoot%\\SysWow64\\shell32.dll,11"	WinCDEmu-4.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.IMG	uninstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCDEmuContextMenu.DriveContextMenu\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E0333ECC-5824-4AD9-8365-CCDD20184674}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E0333ECC-5824-4AD9-8365-CCDD20184674}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCDEmuContextMenu.VCDImgContextMenu.1\ = "VCDImgContextMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualAutorunDisabler.VirtualAutorun.1\ = "VirtualAutorunDisablingMonitor Class"	VirtualAutorunDisabler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61}\TypeLib\ = "{D2243491-B0DF-40CC-9973-9E401631D770}"	VirtualAutorunDisabler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A9901FCD-B4DF-43A1-BD5D-6C9F88679497}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D0E37FD2-F675-426F-B09A-2CF37BA46FD5}\InprocServer32\ = "C:\\Program Files (x86)\\WinCDEmu\\x64\\WinCDEmuContextMenu.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B77FD653-B196-4B0A-B197-7F8F704E0092}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCDEmuContextMenu.DriveContextMenu\ = "DriveContextMenu Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualAutorunDisabler.VirtualAutorun.1\CLSID	VirtualAutorunDisabler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B77FD653-B196-4B0A-B197-7F8F704E0092}\1.0\ = "WinCDEmuContextMenu 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57C052A7-AAD7-4230-860D-F6768C8EA59F}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9901FCD-B4DF-43A1-BD5D-6C9F88679497}\InprocServer32\ = "C:\\Program Files (x86)\\WinCDEmu\\x86\\WinCDEmuContextMenu.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BazisVirtualCD.Nrg\shell\open	WinCDEmu-4.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BazisVirtualCD.Ccd	WinCDEmu-4.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{918988CF-2AFC-404C-90F2-5443D7A319E7}\ = "IVCDImgContextMenu"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\vmnt64.exe	WinCDEmu-4.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D0E37FD2-F675-426F-B09A-2CF37BA46FD5}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A9901FCD-B4DF-43A1-BD5D-6C9F88679497}\VersionIndependentProgID\ = "WinCDEmuContextMenu.DriveContextMenu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E0333ECC-5824-4AD9-8365-CCDD20184674}\ = "IDriveContextMenu"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D2243491-B0DF-40CC-9973-9E401631D770}\1.0\0	VirtualAutorunDisabler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{901EB7D4-307F-41A5-BB63-3070FCD11914}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\vmnt64.exe\shell\open	WinCDEmu-4.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D2243491-B0DF-40CC-9973-9E401631D770}\1.0\0\win64	VirtualAutorunDisabler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCDEmuContextMenu.VCDImgContextMenu	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D2243491-B0DF-40CC-9973-9E401631D770}\1.0\0\win32	VirtualAutorunDisabler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E0333ECC-5824-4AD9-8365-CCDD20184674}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCDEmuContextMenu.DriveContextMenu.1\ = "DriveContextMenu Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0E37FD2-F675-426F-B09A-2CF37BA46FD5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Windows.IsoFile\shell	WinCDEmu-4.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualAutorunDisabler.VirtualAutorunDi\CurVer\ = "VirtualAutorunDisabler.VirtualAutorun.1"	VirtualAutorunDisabler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61}\VersionIndependentProgID	VirtualAutorunDisabler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CUE	uninstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\WinCDEmu	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9901FCD-B4DF-43A1-BD5D-6C9F88679497}\ = "DriveContextMenu Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57C052A7-AAD7-4230-860D-F6768C8EA59F}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCDEmuContextMenu.DriveContextMenu\CurVer\ = "WinCDEmuContextMenu.DriveContextMenu.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCDEmuContextMenu.VCDImgContextMenu\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B77FD653-B196-4B0A-B197-7F8F704E0092}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{466A44DC-AD3B-4573-BDC4-0686BBFB7A23}\ProxyStubClsid32\ = "{57C052A7-AAD7-4230-860D-F6768C8EA59F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9901FCD-B4DF-43A1-BD5D-6C9F88679497}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BazisVirtualCD.CCD	uninstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BazisVirtualCD.ISO	uninstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BazisVirtualCD.NRG	uninstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCDEmuContextMenu.VCDImgContextMenu.1\CLSID\ = "{D0E37FD2-F675-426F-B09A-2CF37BA46FD5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0E37FD2-F675-426F-B09A-2CF37BA46FD5}\InprocServer32\ = "C:\\Program Files (x86)\\WinCDEmu\\x86\\WinCDEmuContextMenu.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0333ECC-5824-4AD9-8365-CCDD20184674}\InProcServer32\ = "C:\\Program Files (x86)\\WinCDEmu\\x86\\WinCDEmuContextMenu.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	WinCDEmu-4.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinCDEmu	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCDEmuContextMenu.VCDImgContextMenu\CLSID\ = "{D0E37FD2-F675-426F-B09A-2CF37BA46FD5}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.cue\shell\Open\command\ = "\"C:\\Program Files (x86)\\WinCDEmu\\vmnt64.exe\" \"%1\""	WinCDEmu-4.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\WinCDEmuContextMenu.DLL\AppID = "{901EB7D4-307F-41A5-BB63-3070FCD11914}"	regsvr32.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	drvinst64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	drvinst64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	drvinst64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	drvinst64.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2624	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2624	vlc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2528	uninstall64.exe
Token: SeRestorePrivilege	1968	drvinst64.exe
Token: SeRestorePrivilege	1968	drvinst64.exe
Token: SeRestorePrivilege	1968	drvinst64.exe
Token: SeRestorePrivilege	1968	drvinst64.exe
Token: SeRestorePrivilege	1968	drvinst64.exe
Token: SeRestorePrivilege	1968	drvinst64.exe
Token: SeRestorePrivilege	1968	drvinst64.exe
Token: SeRestorePrivilege	1968	drvinst64.exe
Token: SeRestorePrivilege	1968	drvinst64.exe
Token: SeRestorePrivilege	1968	drvinst64.exe
Token: SeRestorePrivilege	1968	drvinst64.exe
Token: SeRestorePrivilege	1968	drvinst64.exe
Token: SeRestorePrivilege	1968	drvinst64.exe
Token: SeRestorePrivilege	1968	drvinst64.exe
Token: SeRestorePrivilege	1820	DrvInst.exe
Token: SeRestorePrivilege	1820	DrvInst.exe
Token: SeRestorePrivilege	1820	DrvInst.exe
Token: SeRestorePrivilege	1820	DrvInst.exe
Token: SeRestorePrivilege	1820	DrvInst.exe
Token: SeRestorePrivilege	1820	DrvInst.exe
Token: SeRestorePrivilege	1820	DrvInst.exe
Token: SeRestorePrivilege	1820	DrvInst.exe
Token: SeRestorePrivilege	1820	DrvInst.exe
Token: SeRestorePrivilege	1820	DrvInst.exe
Token: SeRestorePrivilege	1820	DrvInst.exe
Token: SeRestorePrivilege	1820	DrvInst.exe
Token: SeRestorePrivilege	1820	DrvInst.exe
Token: SeRestorePrivilege	1820	DrvInst.exe
Token: SeRestorePrivilege	992	rundll32.exe
Token: SeRestorePrivilege	992	rundll32.exe
Token: SeRestorePrivilege	992	rundll32.exe
Token: SeRestorePrivilege	992	rundll32.exe
Token: SeRestorePrivilege	992	rundll32.exe
Token: SeRestorePrivilege	992	rundll32.exe
Token: SeRestorePrivilege	992	rundll32.exe
Token: SeBackupPrivilege	1132	vssvc.exe
Token: SeRestorePrivilege	1132	vssvc.exe
Token: SeAuditPrivilege	1132	vssvc.exe
Token: SeBackupPrivilege	1820	DrvInst.exe
Token: SeRestorePrivilege	1820	DrvInst.exe
Token: SeRestorePrivilege	864	DrvInst.exe
Token: SeRestorePrivilege	864	DrvInst.exe
Token: SeRestorePrivilege	864	DrvInst.exe
Token: SeRestorePrivilege	864	DrvInst.exe
Token: SeRestorePrivilege	864	DrvInst.exe
Token: SeRestorePrivilege	864	DrvInst.exe
Token: SeRestorePrivilege	864	DrvInst.exe
Token: SeLoadDriverPrivilege	864	DrvInst.exe
Token: SeLoadDriverPrivilege	864	DrvInst.exe
Token: SeLoadDriverPrivilege	864	DrvInst.exe
Token: SeRestorePrivilege	1968	drvinst64.exe
Token: SeLoadDriverPrivilege	1968	drvinst64.exe
Token: SeRestorePrivilege	2368	DrvInst.exe
Token: SeRestorePrivilege	2368	DrvInst.exe
Token: SeRestorePrivilege	2368	DrvInst.exe
Token: SeRestorePrivilege	2368	DrvInst.exe
Token: SeRestorePrivilege	2368	DrvInst.exe
Token: SeRestorePrivilege	2368	DrvInst.exe
Token: SeRestorePrivilege	2368	DrvInst.exe
Token: SeRestorePrivilege	2368	DrvInst.exe
Token: SeLoadDriverPrivilege	2368	DrvInst.exe
Token: SeLoadDriverPrivilege	2368	DrvInst.exe
Token: SeLoadDriverPrivilege	2236	vmnt64.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2624	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 2528	948	WinCDEmu-4.1.exe	28
PID 948 wrote to memory of 2528	948	WinCDEmu-4.1.exe	28
PID 948 wrote to memory of 2528	948	WinCDEmu-4.1.exe	28
PID 948 wrote to memory of 2528	948	WinCDEmu-4.1.exe	28
PID 2528 wrote to memory of 2244	2528	uninstall64.exe	29
PID 2528 wrote to memory of 2244	2528	uninstall64.exe	29
PID 2528 wrote to memory of 2244	2528	uninstall64.exe	29
PID 2528 wrote to memory of 2244	2528	uninstall64.exe	29
PID 2528 wrote to memory of 2244	2528	uninstall64.exe	29
PID 2528 wrote to memory of 2244	2528	uninstall64.exe	29
PID 2528 wrote to memory of 2244	2528	uninstall64.exe	29
PID 2528 wrote to memory of 2992	2528	uninstall64.exe	30
PID 2528 wrote to memory of 2992	2528	uninstall64.exe	30
PID 2528 wrote to memory of 2992	2528	uninstall64.exe	30
PID 2528 wrote to memory of 2992	2528	uninstall64.exe	30
PID 2528 wrote to memory of 2992	2528	uninstall64.exe	30
PID 2528 wrote to memory of 952	2528	uninstall64.exe	31
PID 2528 wrote to memory of 952	2528	uninstall64.exe	31
PID 2528 wrote to memory of 952	2528	uninstall64.exe	31
PID 2528 wrote to memory of 952	2528	uninstall64.exe	31
PID 2528 wrote to memory of 952	2528	uninstall64.exe	31
PID 2528 wrote to memory of 1728	2528	uninstall64.exe	32
PID 2528 wrote to memory of 1728	2528	uninstall64.exe	32
PID 2528 wrote to memory of 1728	2528	uninstall64.exe	32
PID 2528 wrote to memory of 1640	2528	uninstall64.exe	33
PID 2528 wrote to memory of 1640	2528	uninstall64.exe	33
PID 2528 wrote to memory of 1640	2528	uninstall64.exe	33
PID 2528 wrote to memory of 1640	2528	uninstall64.exe	33
PID 2528 wrote to memory of 1640	2528	uninstall64.exe	33
PID 2528 wrote to memory of 2520	2528	uninstall64.exe	34
PID 2528 wrote to memory of 2520	2528	uninstall64.exe	34
PID 2528 wrote to memory of 2520	2528	uninstall64.exe	34
PID 2528 wrote to memory of 2520	2528	uninstall64.exe	34
PID 2528 wrote to memory of 2520	2528	uninstall64.exe	34
PID 2992 wrote to memory of 2160	2992	regsvr32.exe	35
PID 2992 wrote to memory of 2160	2992	regsvr32.exe	35
PID 2992 wrote to memory of 2160	2992	regsvr32.exe	35
PID 2992 wrote to memory of 2160	2992	regsvr32.exe	35
PID 2992 wrote to memory of 2160	2992	regsvr32.exe	35
PID 2992 wrote to memory of 2160	2992	regsvr32.exe	35
PID 2992 wrote to memory of 2160	2992	regsvr32.exe	35
PID 952 wrote to memory of 2952	952	regsvr32.exe	36
PID 952 wrote to memory of 2952	952	regsvr32.exe	36
PID 952 wrote to memory of 2952	952	regsvr32.exe	36
PID 952 wrote to memory of 2952	952	regsvr32.exe	36
PID 952 wrote to memory of 2952	952	regsvr32.exe	36
PID 952 wrote to memory of 2952	952	regsvr32.exe	36
PID 952 wrote to memory of 2952	952	regsvr32.exe	36
PID 948 wrote to memory of 1968	948	WinCDEmu-4.1.exe	37
PID 948 wrote to memory of 1968	948	WinCDEmu-4.1.exe	37
PID 948 wrote to memory of 1968	948	WinCDEmu-4.1.exe	37
PID 948 wrote to memory of 1968	948	WinCDEmu-4.1.exe	37
PID 1820 wrote to memory of 992	1820	DrvInst.exe	39
PID 1820 wrote to memory of 992	1820	DrvInst.exe	39
PID 1820 wrote to memory of 992	1820	DrvInst.exe	39
PID 948 wrote to memory of 2236	948	WinCDEmu-4.1.exe	44
PID 948 wrote to memory of 2236	948	WinCDEmu-4.1.exe	44
PID 948 wrote to memory of 2236	948	WinCDEmu-4.1.exe	44
PID 948 wrote to memory of 2236	948	WinCDEmu-4.1.exe	44
PID 2808 wrote to memory of 2804	2808	firefox.exe	52
PID 2808 wrote to memory of 2804	2808	firefox.exe	52
PID 2808 wrote to memory of 2804	2808	firefox.exe	52
PID 2808 wrote to memory of 2804	2808	firefox.exe	52
PID 2808 wrote to memory of 2804	2808	firefox.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WinCDEmu-4.1.exe
"C:\Users\Admin\AppData\Local\Temp\WinCDEmu-4.1.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:948
- C:\Program Files (x86)\WinCDEmu\uninstall64.exe
  "C:\Program Files (x86)\WinCDEmu\uninstall64.exe" /UPDATE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisabler.exe
    "C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisabler.exe" /RegServer
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2244
- - C:\Windows\System32\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisablerPS.dll"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\SysWOW64\regsvr32.exe
      /s "C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisablerPS.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:2160
- - C:\Windows\System32\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\WinCDEmu\x86\WinCDEmuContextMenu.dll"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\SysWOW64\regsvr32.exe
      /s "C:\Program Files (x86)\WinCDEmu\x86\WinCDEmuContextMenu.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:2952
- - C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisabler.exe
    "C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisabler.exe" /RegServer
    3⤵
    - Executes dropped EXE
    - Registers COM server for autorun
    - Modifies registry class
    PID:1728
- - C:\Windows\System32\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisablerPS.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:1640
- - C:\Windows\System32\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\WinCDEmu\x64\WinCDEmuContextMenu.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:2520
- C:\Users\Admin\AppData\Local\Temp\ssi7752.tmp\drvinst64.exe
  C:\Users\Admin\AppData\Local\Temp\ssi7752.tmp\drvinst64.exe instroot "root\BazisVirtualCDBus" "C:\Program Files (x86)\WinCDEmu\BazisVirtualCDBus.inf"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Program Files (x86)\WinCDEmu\vmnt64.exe
  "C:\Program Files (x86)\WinCDEmu\vmnt64" /uacdisable
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2236

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{0738e05a-6684-69ff-23a4-65726e39007e}\bazisvirtualcdbus.inf" "9" "6aa431c33" "00000000000003B8" "WinSta0\Default" "00000000000003EC" "208" "c:\program files (x86)\wincdemu"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{0473bcf7-3c43-4354-6e7b-bb38ee0b9a69} Global\{14b2cc77-ef9d-4216-5cf9-a9359255356d} C:\Windows\System32\DriverStore\Temp\{6d7d14c9-2187-367e-d982-124d92a54d38}\bazisvirtualcdbus.inf C:\Windows\System32\DriverStore\Temp\{6d7d14c9-2187-367e-d982-124d92a54d38}\BazisVirtualCDBus.cat
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "00000000000005BC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\SCSIADAPTER\0000" "C:\Windows\INF\oem2.inf" "bazisvirtualcdbus.inf:Standard.NTamd64:BazisVirtualCDBus_Device:4.1.1.0:root\bazisvirtualcdbus" "6aa431c33" "00000000000003B8" "00000000000005A8" "00000000000005C8"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:2596

C:\Program Files (x86)\WinCDEmu\vmnt64.exe
"C:\Program Files (x86)\WinCDEmu\vmnt64.exe" /settings
1⤵
- Executes dropped EXE
PID:2860

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ShowTrace.mp3"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2624

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.0.455450338\1685027679" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1196 -prefsLen 20600 -prefMapSize 233275 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d9de0bf-b0b5-442f-99eb-0b91241ef7d3} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 1304 f005658 gpu
    3⤵
    PID:1624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.1.1169968045\625673407" -parentBuildID 20221007134813 -prefsHandle 1468 -prefMapHandle 1464 -prefsLen 20681 -prefMapSize 233275 -appDir "C:\Program Files\Mozilla Firefox\browser" - {013a8c37-b6e1-450f-9898-38a25ffe7376} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 1480 d71058 socket
    3⤵
    - Checks processor information in registry
    PID:2016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.2.371120898\127185115" -childID 1 -isForBrowser -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 20719 -prefMapSize 233275 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0381ca07-fde2-497e-ac33-219adbe907d4} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 2360 1b14b258 tab
    3⤵
    PID:1540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.3.527800622\869496146" -childID 2 -isForBrowser -prefsHandle 2740 -prefMapHandle 2732 -prefsLen 25956 -prefMapSize 233275 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2745d491-d1ae-487e-8614-a0a82c11052d} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 2752 1caca058 tab
    3⤵
    PID:404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.4.2091993451\503390261" -childID 3 -isForBrowser -prefsHandle 2944 -prefMapHandle 2940 -prefsLen 25956 -prefMapSize 233275 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82a0a18f-f1eb-419a-8797-3d20c5aac24f} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 2956 1cdfbf58 tab
    3⤵
    PID:2940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.5.624309725\585872330" -childID 4 -isForBrowser -prefsHandle 1764 -prefMapHandle 3876 -prefsLen 26248 -prefMapSize 233275 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dab66b73-8095-4c63-89e2-6753eaf0f0f4} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 1804 1e911b58 tab
    3⤵
    PID:1464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.6.246592781\1303845534" -childID 5 -isForBrowser -prefsHandle 3900 -prefMapHandle 3908 -prefsLen 26283 -prefMapSize 233275 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7aec02cf-34b8-4d76-9766-96d821ef9c68} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 3904 1e912458 tab
    3⤵
    PID:1956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.7.112517709\1899307174" -childID 6 -isForBrowser -prefsHandle 4080 -prefMapHandle 4084 -prefsLen 26318 -prefMapSize 233275 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b97861fb-a3f3-428f-b9c2-8add5982421b} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 4068 1e913058 tab
    3⤵
    PID:960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.8.1374660916\1630667608" -childID 7 -isForBrowser -prefsHandle 4424 -prefMapHandle 4400 -prefsLen 26477 -prefMapSize 233275 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82c4de0e-6a25-4998-ac94-87be6bb6f22a} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 4488 201dc358 tab
    3⤵
    PID:2928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.9.115126310\1632653877" -childID 8 -isForBrowser -prefsHandle 4596 -prefMapHandle 4600 -prefsLen 26477 -prefMapSize 233275 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3e7f5c9-9fc2-4308-8b4b-6771b8dbdbe7} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 4584 201dde58 tab
    3⤵
    PID:1200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.10.1269466405\327277702" -childID 9 -isForBrowser -prefsHandle 2856 -prefMapHandle 2780 -prefsLen 26477 -prefMapSize 233275 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ab6c548-07f8-49ef-b39b-0fad3c6b02d0} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 4620 1888e958 tab
    3⤵
    PID:3412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.11.1667160612\505746899" -parentBuildID 20221007134813 -prefsHandle 1924 -prefMapHandle 1920 -prefsLen 26652 -prefMapSize 233275 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd740b49-4784-4da7-8580-d7efa441b6b6} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 2684 24b42358 rdd
    3⤵
    PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinCDEmu\BazisVirtualCDBus.inf

Filesize
1KB

MD5
9a41acaf308273117f12253119753cd2

SHA1
de3da728432c61be2c8684670997baa8eeb36934

SHA256
bb36739bdbbbca8d445bc0f79a6bb286f374a12b7ea06d5f6904068756b4c801

SHA512
51edc19b7bbaf365ef8528603120efc56cca5c768a1054b79c93876bb042dffc2999f2ec0c0dc1547a4e0b90e7b8b8281f27fcfa80f276fb991e7cf5ec01d8a6

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Arabic.lng

Filesize
8KB

MD5
1c177fb48474504e2a12e135da569c89

SHA1
b23ec0113cfb893de01059d9ddd5398a121851ba

SHA256
49057e02a613243b138ea30f697e5de68a8ce68d9f48c2119aae33347711f474

SHA512
316f964df85cca78b795f070545ef032aa0e4ade623ba06db9cd50fc2df0ef0cbb31375424c8dd4d431312a5e9fde1f716b33241a9e7f51757d4c86bafe0dd23

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Bengali.lng

Filesize
1KB

MD5
d23c884983acdd3e39d905b456a93810

SHA1
c2ad7fddf65db7c6efcd3e52ef2d3ad6c09dd7ef

SHA256
a7f22ea0bbbf9c22ac7e3b6f72785e41cabeab35a762a55cdd0782015a5dd029

SHA512
f1e8a3ea4b735bdda303c4102a6d9c40b31b72ebd0328c7ec3fa6bb77ad08dbf9f9c9858cc54016638160a517eb4e20a400ba6c085c5fac96f1520b0d986bcc7

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Catalan.lng

Filesize
10KB

MD5
ab6b693ab0d2e076f38c5a1f66f0178c

SHA1
395cf8aa6e72da78ef409932935001927382d50f

SHA256
46a16fedda9ae1f6a80c932abe28e883ba87dd475e84ced6888f2b49a52866a3

SHA512
8201da84c0ceb0b1bf3ee23d3cbf797f0dca84aff02d682498bd3f34e8617d723bc13a1abd346565be006c4d686f331cb77062a0dd3d35bd4fe904c4182ee7e4

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Czech.lng

Filesize
9KB

MD5
e27be5a5e7121ed58e8127475b3acf33

SHA1
3991dcf763f81ccd431d8a963df126f1e1b79fbe

SHA256
7375e41071f2417035608d01c516e0957c4d4ca4824ea6fcc44e12349a4581ce

SHA512
898f36d4a1df4c8da2baa3ecd30ae635f7eeb9def345566934f4edcd53ff03f36049c41df62d098a3c2d64c054a98a63734fc8345ced95263478846ceb604c30

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Farsi.lng

Filesize
8KB

MD5
5ae5ac5c2ba4b2788c8dada8091b17fc

SHA1
8024a1aca0596dd33f81473feda6a562d486a655

SHA256
7481ec639dafe58ef68eadafd22c45cc35ad747c764fbcbeade8d18fc7efba2c

SHA512
a1cd356fec376525e958d80f8671d979d40316af71862820fdb629086b0831ab0f78135d4361bb8f5da2a13616af42038df5e173f205396422c4e24ea9e408db

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Indonesia.lng

Filesize
9KB

MD5
2e0fc52d313032a4626caa4be6ba563c

SHA1
fe6f4bfd32cd05eae926a6e6db99929f3a156e2a

SHA256
4f2d907e3d960617f93cbd14fd44913e1b1c409c8a5c8160bdb6f4eb1d736f13

SHA512
303ee6b5e144b693fdfd32c96ce69be29e827ea104347fe100f9f83cf13ccd51c0740fb0e0d14ed50c30ae3db7a88d9aa9f329d2be90cdb8b8d8bca3f58807bc

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Slovak.lng

Filesize
9KB

MD5
2cebd7a662ff4102436ebda4d8b8b33d

SHA1
b0368e7c1dd54676d4a788ddd76e004c09e19d03

SHA256
cdccc857a73c01c62446c858dd10fdf1ec7e75fdf9ea9a21d210740482a0f001

SHA512
985c251b7c1e3f97de6cc746fb0993ddc19b7c8944bf7bb50aab685c179699ec83aa8b26619ad34a4fdbe3aae59234f78bb1f9f7e05250e015254d88e1375936

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Taiwan.lng

Filesize
6KB

MD5
5839297f4c3b5aa339b91ffd4b05760d

SHA1
2ef21231a90b9a9c99d26969ec1a23003dda11c0

SHA256
9d5d8b200ffe7d61bfdf36118d1cc1991d1afb3cb9461ebb4473816c0b254861

SHA512
20c8b95d6fea2ae65f6ededd990518d54ca8810ac69322c6b22f3089aa5a9b3b70ece51d378f785ed20425e13faee26ddc4080c8ac7cb98899b9b0dc0d864401

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_armenian.lng

Filesize
4KB

MD5
054bc47aec44bc24efb7fa2d3cb4d16e

SHA1
067ee15600f3b9e4377ca159936d0980f5adbcc3

SHA256
f997cb43c2a5d3bb937e7966757f913dc2e4a4781723f45a5e93cd63d213c2fc

SHA512
77c29a5994c9c03105ce3ed939c1118f9480618e76241e1e43abd6327744e3edb298b35f75443aebc2598435b2ac1ba5ff4afdd70c7e97e2f4887dff44b3ccea

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_bahasaindonesia.lng

Filesize
10KB

MD5
ee1b69ad806dc238cdb3494d15edafab

SHA1
b79626fdec8ad97cb19f51ee871d06cccef08c16

SHA256
42c1ac4600e24bf102d4f1abe41275b275bf9a10196219049eea33f1b21de40c

SHA512
97ff640661fa8201e1d38014460022dfd9069ba1a8d9993a419442b4c7266aaeea15d22638fd1a035c2fca0d78c8072511903f5261a23ef4d78ca529e0894b21

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_bulgarian.lng

Filesize
9KB

MD5
bde8e065b9964471a94577abc273c6a2

SHA1
fc082776144313236794f54ab2f7c5e585b7e18a

SHA256
2ef90cafdf86fd7f9ead5278f8a089048c3fecdf17c7f92b8086c12e73d3ae7b

SHA512
2fdb47ad4acdfc280aa6440d6a80a19227dbc94d3d12dbcfa416159830a79c5b08a0c41a7bd9c464bd3af48a0bb47d1125b9d9ad6a4c01246b1ccc93032523e7

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_dansk.lng

Filesize
6KB

MD5
eed99027ce8d0bee9393df2e42368d56

SHA1
68116d787a56e8c32edc02f8a2f2fa12b46eb66f

SHA256
7f48f93ab032fcfee1212afe9fef30a7d0b764313cb3f45cc76ef08ff00979db

SHA512
00ece9ee22f1b579eb7b542832c8861063f14892625cb5a5e82f14ca72ae595faef314d587ee14812d47dc081a4ccbb3065c9f1f63771abee623914f0f41281a

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_dutch.lng

Filesize
9KB

MD5
6b77c85bc096643f2211edf35623c759

SHA1
4b9c26cb14e8e4f915d83f70643cd0213b952f72

SHA256
fa4dc5bfcb8cda847512761126b9945a658ca58427ffe2c592acfd50b67d70e0

SHA512
ee62e79ee3fe9bbe746181823c59311c8e6e6d7f2dce65062dc43f895c889d48d0342cd64e25e073f8fccb54f6436b5ad1a19471eeef888af769d2e22e855549

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_english.lng

Filesize
8KB

MD5
967bc885f19eb2ca9e036b9367a7392c

SHA1
f475436dc03f06d82ea1cb5d25b75650c5d4c1d4

SHA256
9c2e62d42e0ac165c79c0ffec1c90111a36f4f34fe565a1991659fd8f256fe42

SHA512
beb26660a4138e2bb6bdd564c78f9d7c1206170812d62820abc5493a0f5c4f75588aae9a84e5b3d432a8d9158fb9ff70a11101646bf708f28667064638135e15

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_estonian.lng

Filesize
8KB

MD5
b152548b47c0efec3d22d557e1725096

SHA1
ea855a162866318a557b09302abe46276ee212c8

SHA256
15274e12fdd6477f96fceb50ef5f4cb26e05caf7ea7ed718f071eb924b4ab501

SHA512
044a76b0cfc45ddd0255075f0506a51a6fa4c45d02d6085ea0261b887182cae8257d700cb744be51a2ab8596baa8aad073edd949dba1aab5b6ac069636945e31

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_finnish.lng

Filesize
10KB

MD5
4457fde782feaa959d141c1e3880f4c0

SHA1
9181bcea80530f2700d02856862ec87c89744afa

SHA256
37d2482d63a86de5548ac52ab6912ea0a3d4feba790de0e9f89f62835f30ca3b

SHA512
0ad86b9c83fd973030a13d5e297368d59769081bf8a1c12accf0aec762f44c251e190c9180bbdc09da26eac5d653b0342708e064294a5154944ba15fed86cdc9

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_french.lng

Filesize
9KB

MD5
95031e630d34940cbb9adc61760d225f

SHA1
785f3299ef54e63a6050d1c39d32514c0df6dae2

SHA256
d1a8937a47460cda3146c45c004a8ee5a4ae0cc8913ff26658a01f89484d2be7

SHA512
f5cad9908478bf891462bac240dc8de18657f5421b08bf02492befeeb45f96aa4a63e6cf058df02f2edd439946c19e2c455a5f582c59f40af48c080f989fab1e

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_german.lng

Filesize
10KB

MD5
093783d763f020e9c5c6e9746a5abf92

SHA1
96a368c8536873c707ec2dbdad6e92016dbecb64

SHA256
a7e021618a74fb1e3beeeeeec03e0d753ed55ef7473983ba3e6092ed3580771b

SHA512
e6a85b5fe05fb81b1108b799bde35f6ae62159474fd4967466fdc2405174ef37edd61b1ffb073f754e3f092d07762e60634144b5ec7c6600a31887de0de83137

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_greek.lng

Filesize
9KB

MD5
1c74eb9bf2f9fbe1949a6bfaa0497e28

SHA1
dbf92890b79070efc332e46df9ef320c4673ef29

SHA256
8f7e082d879ec597654879d595f3da167ca41365b57efb69d22d7d34a1eab83c

SHA512
ca987f57bfc276797da2e4c67481d14936463a2a79fe07c844f220434bff021f2c6ab493206425852c0183f83216c6ce745aaf6cce2f972bba17954a4aa7b1c9

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_hebrew.lng

Filesize
8KB

MD5
ffca959029f8e28c160535ea7b38ee64

SHA1
746a280574bf225fd17b20f38bde268a9ac982bd

SHA256
d2328f3de2bad05251bc8d496afa1eb619a5351fd93485c612d8c8de26fdf395

SHA512
385a0f7bc9bef8f805aef37de0ffea3df86e420b218219b59cd70046eb9cf830535b1c51a5430d6703bee3a802cd5a3399da0bff35027216becdc48911a6ab51

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_hungarian.lng

Filesize
10KB

MD5
b272fd93de261270406b3ccd237c247d

SHA1
7182a744c7a047726e355c6eacb299a2a2a225cd

SHA256
ba6fed75872822cc1fd7135598dcb1718b07b7eda049c5f7c3ed5df8751c2abf

SHA512
3897d0f2f30bcc810fae9d0315fa75ccf77485dc0939dc269285372e8f887a8b30d1252d63dcec6ce2b95d6f3ff2ec7b098fe1090766936956d3b49ff67eefab

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_italian.lng

Filesize
10KB

MD5
63111c9d894811d7fea24687f0dd35b0

SHA1
31b62525e23e7cb1be17d35318c51073b64490dd

SHA256
ac65fa205b9d336360fa752097b83347f7b336cb799af081ed03b5667bfb3f3b

SHA512
dec15591ceb3997c265ed5e92e7971df26b71d045ae1f2efce0922d53410591e0c140838d28570f88dcdb250c04113b65dea8d8bc300db4b742726d67a20c040

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_japanese.lng

Filesize
2KB

MD5
29d6e5181d9e3d1bcad83664c12b8185

SHA1
65e5bb3b51a6071ad0dbd40accfedf3ce6b2c621

SHA256
84d7be0472bb27389ce21183f1aeea56dbc18bf0d65c19505e1b5c11a136a575

SHA512
31f385b94efabc9b23ed52118d7aeea5c5c046f295b61f59415ab6f8f3ecde0339f358255a932bd500af77a93d20636dd862aeff06876726bb5b5d1b65a478ff

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_kannada.lng

Filesize
9KB

MD5
f941d8e5277fc7711e0b50622030a055

SHA1
0c1005634358e564bd973f16c9b9d65d4e0a49f1

SHA256
43be088c70fee45ffe8cafb921cc3a5b8adc276c15c473d029ca4bd10fbcd954

SHA512
7e44b9f682111baf1c081f7328ce1d99e6cc11adc30f470021f92bb8703907d7ebd36d963b219e977fa5c568a255e595fa8587ca7326ee1800287de8b0c2dfaa

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_korean.lng

Filesize
7KB

MD5
fbc2fa5fc31ab329bbcddd5d58585c43

SHA1
7731f8e4d61b9cba15419068c1eeb1bd509ec59a

SHA256
e5a506356bff4512d63ac0ae39bd6bad5c41d15091817f4ec1fd30e522f79dd7

SHA512
56c710ab51275717519a5d2da0e852dec6aae1e28524e488f73026d91917800625fd10b0b7f8d78d72e586b9e0cea990416d919394e88dedd47ee3e0e18b6f4e

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_kurdish.lng

Filesize
4KB

MD5
12690623fc8eb82f9a47b5296a8141d9

SHA1
c9664880e5ac9b3ad1c9c76d5f9bc742f785f119

SHA256
b778c00789fe073b8ccd247254cc7f4f4222f003e36555402bd437e1cdd7a4bc

SHA512
0c863e235465ee4c147f79736b5727e33d43928733b0042908afbd75b5c6b2fc5380923782e928d32dbdb680488cda441e1e4990787529a40662806a11f8197a

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_lithuanian.lng

Filesize
2KB

MD5
7d1604fd2688471758b2e8fc31726828

SHA1
2983a67d17d7e3d0b5165ae87c0608a2f80b8d3d

SHA256
92eb2867b681b25c3e5ab669d4228089a55fb61b1817e96c2bba8d2b2762b92f

SHA512
afcf5aa77147b08c5bb039afc7239814a96dd8e013838e6f5b5286dbb0d533e4dcb04e3f0cc106802b3faeb60e2529c865a4557e2e26d7957f4b0661bf5f25e2

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_macedonian.lng

Filesize
9KB

MD5
83e846bb5a229272dd01418b25faf0b6

SHA1
3f84dcc8ee0f6e4095fa46674e4631088e4e3f9a

SHA256
e08a61f1d29dc6881ba000159fcbca2cbe92d5754031525879aa046f853764ea

SHA512
e7de565697fa3c2074c1c1452695aedbce9356fcbc655ef4987555bfc9d09a94df6694f338a317a3abf7846fbdd5d93742ac23bba504efde6f4079b096355aaf

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_malay.lng

Filesize
9KB

MD5
febfbed2ae83a7165599d4fa99c5603f

SHA1
6928b24865b8d581175c94eb011654dc47439318

SHA256
05e2760e8a093a4e71680daa14b15de8fd0e2ab25a0e8474d80da47c56ed0b7b

SHA512
5103b02e9236e57ea879fdcd13e39f9df7b0e272b4ddd41effaff9eef57d013a916663b71d4efdd4e8d27ef337391793d16805af44808bb5d031e8a0313d8e1c

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_norsk.lng

Filesize
8KB

MD5
e87826e3ed5c16da3284d7930d419251

SHA1
4843ff853581e67f80736e71cb46dc05d7002596

SHA256
1ae9195876886ac68d1d6ea2c5d7d3c4d8e28accf97327b7c684542d176d4213

SHA512
c70dded68e9e1cdfe7876449709bbe23d88ca7bfbbcfc82ec5895b590673e6a3139747f48baa7ea23d7c01e967915efe30bb3abea9f973ce9d6f8ef0bd4f7ef3

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_norwegian.lng

Filesize
9KB

MD5
970fa1701f771ba7dc04bdb6988fa9c9

SHA1
45d21a31753d1289a68a720359a3ab9bc4021924

SHA256
acf442f2d45a93690a9d31e4c574a206c69af9653c9911bb13c3c99e45f42a5f

SHA512
56ffd95195d01430907992bdd1c3bc9269ea6fa9a2d60fdbe86b5ef5e6a5eaeb9b02d1a0aa5dc55bffaaa6dc5ccb8098221db658b3e5028e5909d2acfc0f4fac

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_polish.lng

Filesize
10KB

MD5
58324f09bdbb950df0f773a121f6037f

SHA1
2b84006abec8b4728cd41c19e205fb4ec76d078d

SHA256
8bdbd44053b3267b5377694088b54233dd75bdfa8786957bf8290192989b5762

SHA512
f2ec89ca70f1441cbdb4e29d4072a08dbdfcba2b3a2780fb371d8995a9125a22cde81168241febe6e1c2969a8c70899a1bf638187583b5b096da059876a03ff1

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_portuguese.lng

Filesize
10KB

MD5
5bcfc4450928c8afb5eab66b8062c6ef

SHA1
291cf726f84ac51ba9ab61cd37b8f21c1a74a13d

SHA256
94c42059850b6f84727beb3842cdd9aae9ce75478f68bf9ea2f5bc94992fd67e

SHA512
a521ad420a25419fffa3cefa599b3cf77a4e321174446372576bad27cda2a5aa7e8dd6ce667a48fb7b2d11d6cc2921fd4139eec6dc0299a632d980558adfe594

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_portuguese_brazil.lng

Filesize
9KB

MD5
ba61bf688521d5a7721ff9f6628c444d

SHA1
1bcd34d6cebeea09d15ea5ae70d512345911d495

SHA256
5a79a0a8419b7be7e2990d708c592976599ccfaa1950216874d92fcceb2ab75b

SHA512
3363a96ba0474c5a17f3eb6b836460c3aa9fe6b2e134fc489843495ea89b18e9b0b610457d9e72af86737310385db3a8c0134b3fadbca52eeb07715403fd233c

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_romanian.lng

Filesize
9KB

MD5
5159a7044993359d360b6506219978dd

SHA1
1bb44e62d8bb180fae2fd92034649150a06bc709

SHA256
ba65d6c19799e7c6f5b5acc91f142e48f2466915764606ae431b9ecfd010f578

SHA512
561becfe19905a592643cfcaeb7a791ee39dd224695540c2b42d8ce2f8ea044413c1edf76858c9cca180ec1cccf998d325f8d26a89091dc306ccbc51ccb76cc2

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_russian.lng

Filesize
8KB

MD5
05e875a13ab0424d01699d02289c9420

SHA1
341bca8effbab74434f19ba87575e469fe08b1bb

SHA256
4eaa04b538aa2ee1a90b49ff9171f4e1a111efb51dc70d326883a24dbea6bc7a

SHA512
9290767649785cda962306290f2c907a5e283f052a68484dd97e971e94d86dc8be4ba87afc0253b023dc6006b19e306ca87076ad9e3c5f2cb6601b77043c56e0

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_slovenian.lng

Filesize
9KB

MD5
08548b1eae4c26e930cc45104033e5aa

SHA1
6887c635f050381e050505b9ce3260b6edf9cb9b

SHA256
f457fda47abee08e4cd76729176cc095e559f944ff83863efb810224d2f81725

SHA512
d8550881b1f68a1cdfe64a5659ff27feb41de8a9bdd8535a49af8843b209e033a7bdbc5ec632216595c7a3ad7b719ba2ab47a18834bc92031691061c8889ce27

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_slovenscina.lng

Filesize
3KB

MD5
09d289a231a1f47d2dc3fe0d826edd27

SHA1
405fecb4b50eddfc7ecedd40130dcf1e95135cf5

SHA256
48dbb4a650293d9f987065bf7030c0365dc8ea43509eb6ca43a891a6db8ec370

SHA512
993ecbac8f6414da130240b4fa9bff8fb4e0bf904b372abdee2e195e3b9e92c8a2177afbc79e2106fe8439d396f46b8e06b24cdc61eac7189bb47b31399694bf

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_spanish.lng

Filesize
10KB

MD5
4bda51ae6ec0e55f7ccefd42a21310d0

SHA1
bc04db252a40d1c51f24f9a2faf1d69cc76d848f

SHA256
eaf9faee910f613411afe0580da58dc9405b142f5693f82e03a873434e109e92

SHA512
0e0549b8ce02f7911d767f2876689f7b2efaa658653a9eb3077db935fcee03d2cffbe09c51af45a63983e5183301ec52cf483e197978bbf2c6caabf6a223001a

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_sr.lng

Filesize
9KB

MD5
059000fe86691136ab905886d1ae23b9

SHA1
61fce8339e2626069e928f02bfc632e0d422fd04

SHA256
2d280ffacb4891bcda35b631d01e90cb07eab607447cb9680c308cabe3c1a47e

SHA512
82a5eeac2bb4198bab2d314fa56da83329c065e8bc3906fe89ae196487280923fd3f7b9b36ea42a3e979933614818bf9a069aa5dabf0d541ec1c58add79cf436

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_swedish.lng

Filesize
8KB

MD5
5a5b952e17ea5027575c09131b97bbda

SHA1
bac079fa874be8f8f8ffbc52a4be4591a7163c4e

SHA256
11eed30ee47f4a72f71ea865a0851926cba271f1c9375013d2f12d269c364b83

SHA512
b0aeca5cb3bc33db1618c2a0a2609c7805cfc6182e13df641f1a75052f60ef1b8252ec8680ba674bfad993d7aed86947a4157a664fe72558b789746a80471cc0

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_ta.lng

Filesize
9KB

MD5
809380356b7fe2fc2d35b948d8ec6de5

SHA1
be34f39fabe26e5678025d3b636b68cf50be42fa

SHA256
6ecd6b3cac5076fea1cb044fc76f91ebd95c2304e97488aa7bd7b4017236e079

SHA512
3363579407bfa448577c789d9f90d1643f3a5b507b492d18ac2e78be5952ee9b2bd147fd5ad16090f52f4897fc1333290963217874f09e09f7cdfbe00ded6e4a

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_turkish.lng

Filesize
8KB

MD5
1d638adbdac9fef7f062ed66f36672a2

SHA1
881ac42d22480368f307da1b75a3d73b24ce3241

SHA256
0790650e0b7fa237fc34ab6331128336a52314c3d1e9e7b91c2723c7d98c924b

SHA512
63592b0ecbb06f1156f66b9ea544789178eaf15c87d38303dc77692dbbba580c17148cb26f957169eec156f0d2fdef529d7dd27db75efbf5ca2f2e41cd4a4ed4

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_urdu.lng

Filesize
8KB

MD5
b4b5fbc4b54ec5ed4458b53c043892f4

SHA1
982279d3638b3a3e806488fc37e9c39ceb9c9d67

SHA256
1cbbaf64fdf3d98b44f788fb236ca7e3c89c4b7927a87bfd8f88a445334868b2

SHA512
3854061ef01acd77e9ed05c2a334826289f190b0393948d2f761357c4aca9457550167ccabbcb0283b3f36c1c11d0aa3ccafa5d2d11151b8ce5793df9606fe82

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_uzbek.lng

Filesize
8KB

MD5
0c074db45972542f28d9c6efbd008f52

SHA1
2fefaf360e0254159ed536856b0a1034673b529a

SHA256
32d4a67a1ed748ed685844844b46159764cc76fa7bf88b618a838a7d6ef88101

SHA512
a52c8051e617936abb9b075b1f622405d4b7d397ddfa2cc550437d3078721a2d13fb05e3b180caabdbff47934da6f56c0931312793e70bef1165810db23b8388

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_zh_CN.lng

Filesize
6KB

MD5
40789c69c026f2100f86e2b1a7b7a7a8

SHA1
9d1d8c3530fad5648edf9a08c2d6e82d26e5cb45

SHA256
11308a9c7fcac27ca6685c06a3bb0f743411e84306159c1a2ccde1e5f7379f12

SHA512
509ca5820b5a21285e9874455640807adff9e049973e6af2c3fea406423bcf2b100f9b52150ed6447f699151593fe389740cacddb066499c6366448b1ac71243

Download Submit
C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_zh_TW.lng

Filesize
3KB

MD5
f4c9f78ea2d59c281d78d89f455d2328

SHA1
849508bef20e90d737372a04116c98ce25496bfd

SHA256
cba9899af4db048a7aac5f3f7064e8e43e7c0edd0e46c89ebd9ab407ceeb3622

SHA512
9009be7a2ede390b2c0c7cd714331a5627fc4cf57ca59ddfcbacd32c64b33abf03d59546453182eb7eb0663e09b425109ea77051d1b7bfb8114d2bc7c849d8d0

Download Submit
C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisabler.exe

Filesize
99KB

MD5
6f587118eb5b019f61b864faafd6ebcd

SHA1
6b16e90262161f4a8bf7f7ff66547792281b660e

SHA256
2606d333535bf625104d881eca62043c431ba3851dad29edc5d090ed7ce1509c

SHA512
62934e76393dc0da1f7722677b96d23461e2184f21863f9177048c104a19b88c0a0181d3bdae84ef48b9bef008216e871d07f5403261a238820e227f63ad6731

Download Submit
C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisablerPS.dll

Filesize
40KB

MD5
7d20f582e32cc6d34e633928c5564f65

SHA1
1349883aec255b9d54058002644c8d2adf014a91

SHA256
b8c08185576d7cd5749c94d792b35f5ede59885be89f26f980526b7ab47cb534

SHA512
58fa903add1788dc0bc27b19d5c0f145cd9f043932c39882408d5cba1f196a590824a5c9d95b23e4b3d61246c1f936dde7fe67ec187842199b6900953532b92c

Download Submit
C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisabler.exe

Filesize
85KB

MD5
98e22c7cd9baeca08875eafd182c13fc

SHA1
253fc7f9165d173250bc5fba805de2648105e948

SHA256
06969d6f39a5c181580c7a418d1795cb1a1d890eba07e8125f18a58fa8476423

SHA512
3c2e807ce20961af454592a04f50463483a1545bd36706d358c1204277c70b15bfdff58ecd629c67224c4c51830e39d8ca100bb609f2ea9fa039cdb6e793cf86

Download Submit
C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisablerPS.dll

Filesize
35KB

MD5
e3bd21095f8d0017e2073d53e68f7509

SHA1
215dae9426e57bbe3f68ec5c194eeba3fe26dc63

SHA256
f7dd93bf06c41897d8ea789f7b9b358547576f30f1d93abcfcc421ba50c89c69

SHA512
24f8e5fb284bc911261f9d2549959fba5d4e8ccf7a8289d2a9ff2f2b3de20f58f5b7cce55e3cba36246ebe0298bb27d1dbeaecef252a54862f074155e0646721

Download Submit
C:\Program Files (x86)\WinCDEmu\x86\WinCDEmuContextMenu.dll

Filesize
217KB

MD5
c36fee011c683583ec2d7f81dc53c348

SHA1
3998739c21f267760e6744ebd3af15c2a8e65754

SHA256
51659adddec203ee06bb21ba263e1bfb7eee990648cde127628e2c963f53a8c9

SHA512
3f68387beb72c540c549c553e80f4dcea72b33058db2c00e6e7dd0a15f25d4c645d349371de26f5c69ff8c4cdf610a150b29b7fd1848467311a61f27ab48ad06

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
3a0c60f795793fb03e1272eb9a4b7667

SHA1
e21dced084609ff0a0ec122f0fe46e908749f02f

SHA256
01e1c332d361526e8ff6e17e47f075c8dd48580be512ad0156e0d6e9a109dee9

SHA512
06c6da0a7ccc60c39626c5de59d1341e525fffd6c15f1242d5b0be8223ad343c032ed377cd99cd4b50299cf35cfa5d4fb48766f5ef386bb25a537ab248e2bff2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
0f7fc1d6428040cb2f13b6e11c703a93

SHA1
efd048dfa3875e65b9f707147f1921d8e84c39a7

SHA256
5c2f990a795e88d2971d99d26a0140dd8f29d09d35534ded2e8d7061f72761a8

SHA512
a66408c742a90976e8ea938f96deb414b3caa23949a7fe2e3dd675fe00cce9354f674b7a5ff69fb5be3ece617b1ef31605767669403ce374e4ebd9105a6574c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\datareporting\glean\pending_pings\1b8757a4-95cd-4076-8e88-9f7fe51c9990

Filesize
11KB

MD5
9d21840c8e4386b5353993018a150322

SHA1
99e082fec951636b5361b28b63a93d8907e8db71

SHA256
046cb2bacf32cfb9f5ddcb91a38fca8951c2d78ca3468b64c15692c3ea342c3c

SHA512
d43ab68d02d222e8419902d2ef76dd32297b9d8c885fc128f65aa66ee482459280bb4e3c12c462aacf84fef9026275042d7d35ae2c2ed1bd2aac7b261d01a7d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\datareporting\glean\pending_pings\fc0feb1e-0af4-49f8-8a4e-5c3604b1045c

Filesize
668B

MD5
96cb5d32215511327cc7d49a16a8fc68

SHA1
9846531fe4ab02f4db9da1fb9e06271c70c86f3f

SHA256
143cd238c1454c51a4f94feeedde957289a8880bd73b46c1c536956a23576911

SHA512
0462f9c2c7e7ce6b1add58222969c3a508a8c8702421568dbb4055c9506377298212a6df7e66a40a99bd83bee52c11d0f5f3da9a524eba9b23113bb2233cb24c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\extensions.json.tmp

Filesize
41KB

MD5
7e4a00a876c135c87095276c00992c35

SHA1
c1c10bc0dae16b87010e31a6e314435646399ec8

SHA256
bdf0c505f9ee15163dcc88fae7365509434e41adcc25979db44d25ff01b8acb3

SHA512
d74432f7e16d2c5885fcc9bcae64904fe3656332ebd157b3dfab693b555a42dd71ffab6ed880252754d5b42400780ff794a198cf3325b91d1bfc1d950d72232b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\prefs-1.js

Filesize
6KB

MD5
506e4f6ea49ad78bac0e1568717e80a8

SHA1
696fd5b3c7f644842d6ea7d75cec23e284cabe8d

SHA256
1625935fbfd770ba7fd927833e96817ae77fe4b64b5f58db824549a05c2fca68

SHA512
6cc8eaa3df9b15a4579555ebbeaa0883047f48ea382e9e8f593a0b3ca15d164ea46dc5decf380075ca43a482747f2ca58878f15a35a10769de3f1fbfc9adccc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
d21293a8454ac298fbdedb2008803be5

SHA1
227a85cee10815abcfc62497e86ecce79caae362

SHA256
2ec0b9a3255e555d89642afe8b74e5620575c46a211ee1d59184ff6e8f26f449

SHA512
5220f559fea3380b5fca9c4cad739bfb4bfe2a6e88207692b47ef1a0b70eb61384efdd744a474e58c203098bff7529d42575fb69936d1fba894187c30983988d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore.jsonlz4

Filesize
9KB

MD5
f1700aab6f01b0a443a45ae5d0fc3d6e

SHA1
20b38fe6a374306fe42c7749d05c2beac81e4c60

SHA256
388346cedf8435e1501d79be0d902e1993c5b43569f2ea26495aff1df6cd893a

SHA512
c9846b21d536bd7e1ed20394f80612b6cc03b2b7e481529f65f2f7df1286a7cf3510a41f66e6daa9efeba9e2ae79012ef53037f4647bf5c14f1fcd22af893208

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\storage\default\https+++www.reddit.com\cache\morgue\240\{5cd931e5-3200-4750-b422-109a03cdd7f0}.final

Filesize
2KB

MD5
458d2de1b15816375d733955774b54f3

SHA1
1eef839cf4ededce91dfd4c2890e3dd5e795c7bf

SHA256
19f27b07f1dc509e9bc7f854c5cf98be7d226624e9ebb5d831310ff3f6c4b80c

SHA512
570e5086008092479008d6dce7a32d1ed7dacdb23d9f63f36ed0cbedc9f85c70c5523c6d70d7c4aa9fbdea139bdf48ca37a84226b526136f03c6058a23744261

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
160KB

MD5
8131528d7796510073777351ba65c8d5

SHA1
6c3aa7a432daa6598465dd443737c4d5641f0aad

SHA256
56334f316383659230f98d522668309dd44e7bf699aa788892c4893fff57f6eb

SHA512
e3594b2eef19972f421463e0ca7c0a1880c1164a1da0a12d08fce0f01bc3b16ba4bda0032f952460282b0f29895a20e7bb6c91f5c79ec6d949e677117a4bac05

Download Submit
C:\Windows\System32\DriverStore\Temp\{6d7d14c9-2187-367e-d982-124d92a54d38}\SET7A7E.tmp

Filesize
8KB

MD5
1a7ae9457824c66cf047a95f1a5c4629

SHA1
4d9c13618e5d1a998df6b299d7ba8fdb45012eb2

SHA256
63a80143e6394bea74a798481f19056d12f67ab4910758ba2fe4f499d1a8698a

SHA512
c5f802236507ba252b0ca632c07e6a08dc2c9820adc4706cfe04a781eef4d010fa8e6d8ec9df7105d64db2274c2342fa97161e4b774b2e0f0b906d956ff814f6

Download Submit
C:\Windows\System32\DriverStore\Temp\{6d7d14c9-2187-367e-d982-124d92a54d38}\x64\SET7A7D.tmp

Filesize
168KB

MD5
09391ba416aa29682298a612fdfdd7b8

SHA1
a936409d136b10cfeadd85ed40607a359077da13

SHA256
d889679c25da37212e2e0e08e4b2cf774fff395e83bcd168b240a59e74204070

SHA512
079b04575f746400fa0f8e50587dbb03d4e25af79dc771da5534e9fa81c46a02248a491d3c9216dc9a56914b3712da3a88c27af70588c41041218521259b6867

Download Submit
C:\Windows\Temp\Cab7A8F.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar7AB1.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
\Program Files (x86)\WinCDEmu\uninstall64.exe

Filesize
165KB

MD5
2ed433c12cfa75908eb790fc8b23ea9e

SHA1
f77025bf81731265507217f70e9f24d1b689cbc2

SHA256
9590ebd10c8cf1d58cc7ff543923e22dbdfc901ea5643f0e59670ef911694c90

SHA512
9536de079b77cf0ab3610abcecffb4000033cdab42fbe94dab92e3981cb355ad78b327c173442f9bb82e2628d444cb01c77ba4b331d35ec736266c162c92153b

Download Submit
\Program Files (x86)\WinCDEmu\vmnt64.exe

Filesize
396KB

MD5
bf26c935ffd4c25fff6731dbf73d2212

SHA1
b5446ec4fd06a17022e2f9a5345cde131fe4e5e6

SHA256
40dbcf0ec787455837ec5d7439874b1ce6f586a570af8d5132f09cec531b97c7

SHA512
b2327cc42649ccb2f7040889c5c7912258d5ae876d32b492765bd9f62d93f2389917aebe6b65a1e9cd3c62545e3b59d16e2de60e081136cd6f41d0e46d96ae3d

Download Submit
\Program Files (x86)\WinCDEmu\x64\WinCDEmuContextMenu.dll

Filesize
249KB

MD5
e3526f364347d94c329a8ca6d8df17da

SHA1
dc7821d81e7e5706f853ead288007920b714587e

SHA256
0ca454fa57a90a4d899e0797d0aff5364260f3649b963d21582fa7010e419c2a

SHA512
a5e9c0f83a69ff092ef2603b417f7242ea7681a9bd2b0d77c2c5a89702db47994ff873e1547e07725c62e2b08bc1eb998aff3a93e543a87a0abcb95704c007e1

Download Submit
\Users\Admin\AppData\Local\Temp\ssi7752.tmp\drvinst64.exe

Filesize
6KB

MD5
731a3ce577b0a406723b4405fb4cd2f1

SHA1
c7f8e61d894f7934df428bbc7c19ede847169997

SHA256
7a0a25ab8a255739ec21fe2acf6fa0809ac313460e09d10688ed84fcf296da72

SHA512
894af9917cefce119c63bd67eb46df391ad753de7d4a40f6d0e34d2fedb0d915b8b0bf48f43a7e696de8e7ed5303e0d928e143006fdb869964b5838bf95c7019

Download Submit
memory/948-212-0x0000000000F50000-0x0000000000FB5000-memory.dmp

Filesize
404KB

Download
memory/948-277-0x0000000000F50000-0x0000000000FB5000-memory.dmp

Filesize
404KB

Download
memory/948-1-0x0000000000F50000-0x0000000000FB5000-memory.dmp

Filesize
404KB

Download
memory/948-0-0x0000000000F50000-0x0000000000FB5000-memory.dmp

Filesize
404KB

Download
memory/2624-298-0x000007FEF4E60000-0x000007FEF5F0B000-memory.dmp

Filesize
16.7MB

Download
memory/2624-296-0x000007FEF7370000-0x000007FEF73A4000-memory.dmp

Filesize
208KB

Download
memory/2624-297-0x000007FEF6240000-0x000007FEF64F4000-memory.dmp

Filesize
2.7MB

Download
memory/2624-295-0x000000013F3A0000-0x000000013F498000-memory.dmp

Filesize
992KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads