ID: 130798
Sample Name: WinCDEmu-4.1.exe
Cookbook: default.jbs
Time: 23:16:32
Date: 10/05/2019
Version: 26.0.0 Aquamarine

Table of Contents

Analysis Report WinCDEmu-4.1.exe
  Overview
    General Information
    Detection
    Confidence
    Classification
    Analysis Advice
    Mitre Att&ck Matrix
  Signature Overview
    AV Detection:
    Spreading:
    Networking:
    Key, Mouse, Clipboard, Microphone and Screen Capturing:
    E-Banking Fraud:
    System Summary:
    Data Obfuscation:
    Persistence and Installation Behavior:
    Boot Survival:
    Hooking and other Techniques for Hiding and Protection:
    Malware Analysis System Evasion:
    Anti Debugging:
    HIPS / PFW / Protection Evasion:
    Language, Device and Operating System Detection:
    Lowering of HIPS / PFW / Operating System Security Settings:
  Behavior Graph
  Simulations
    Behavior and APIs
  Antivirus and Machine Learning Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
    URLs
  Yara Overview
    Initial Sample
    PCAP (Network Traffic)
    Dropped Files
    Memory Dumps
    Unpacked PEs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    JA3 Fingerprints
    Dropped Files
  Screenshots
    Thumbnails
  Startup
  Created / dropped Files
  Domains and IPs
    Contacted Domains
    URLs from Memory and Binaries
    Contacted IPs
      Public
  Static File Info
    General
    File Icon
    Static PE Info
      General
      Authenticode Signature
      Entrypoint Preview
      Rich Headers
      Data Directories
      Sections
      Resources
      Imports
      Version Infos
      Possible Origin
  Network Behavior
  Code Manipulations
  Statistics
    Behavior
  System Behavior
    Analysis Process: WinCDEmu-4.1.exe PID: 2284 Parent PID: 3704
      General
      File Activities
        File Created
        File Deleted
        File Written
        File Read
      Registry Activities
        Key Created
        Key Value Created
        Key Value Modified
    Analysis Process: uninstall64.exe PID: 3692 Parent PID: 2284
      General
      File Activities
      Registry Activities
        Key Created
    Analysis Process: VirtualAutorunDisabler.exe PID: 3456 Parent PID: 3692
      General
      File Activities
      Registry Activities
        Key Created
        Key Value Created
        Key Value Modified
    Analysis Process: regsvr32.exe PID: 2560 Parent PID: 3692
      General
      File Activities
        File Read
    Analysis Process: regsvr32.exe PID: 2944 Parent PID: 3692
      General
      File Activities
        File Read
    Analysis Process: regsvr32.exe PID: 1032 Parent PID: 2560
      General
      Registry Activities
    Analysis Process: VirtualAutorunDisabler.exe PID: 4348 Parent PID: 3692
      General
      File Activities
      Registry Activities
        Key Created
        Key Value Modified
    Analysis Process: regsvr32.exe PID: 3104 Parent PID: 2944
      General
      File Activities
      Registry Activities
    Analysis Process: regsvr32.exe PID: 4852 Parent PID: 3692
      General
      Registry Activities
    Analysis Process: regsvr32.exe PID: 1144 Parent PID: 3692
      General
      File Activities
      Registry Activities
    Analysis Process: drvinst64.exe PID: 3340 Parent PID: 2284
      General
      File Activities
      Registry Activities
    Analysis Process: drvinst.exe PID: 4356 Parent PID: 724
      General
      File Activities
      Registry Activities
    Analysis Process: rundll32.exe PID: 3820 Parent PID: 4356
      General
    Analysis Process: drvinst.exe PID: 3160 Parent PID: 724
      General
    Analysis Process: vmnt64.exe PID: 3300 Parent PID: 2284
      General
    Analysis Process: WerFault.exe PID: 4864 Parent PID: 3300
      General
  Disassembly
    Code Analysis

Copyright Joe Security LLC 2019

Analysis Report WinCDEmu-4.1.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 130798
Start date: 10.05.2019
Start time: 23:16:32
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 56s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: WinCDEmu-4.1.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal52.evad.winEXE@28/83@0/1
EGA Information: Successful, ratio: 100%
HDC Information:
• Successful, ratio: 99.5% (good quality ratio 81.5%)
• Quality average: 63.8%
• Quality deviation: 38.1%
HCA Information:
• Successful, ratio: 69%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated

Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, wermgr.exe
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy Score Range Reporting Whitelisted Detection

Threshold 52 0 - 100 false

Confidence

Strategy Score Range Further Analysis Required? Confidence

Threshold 5 0 - 5 false

Classification

[Figure: classification chart. Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Legend: malicious, suspicious, clean.]

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise; Trusted Relationship; Hardware Additions

Execution: Rundll32 1; Execution through API 1; Command-Line Interface 1; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software; Rundll32; PowerShell

Persistence: Startup Items 1; Registry Run Keys / Startup Folder 1 1; Modify Existing Service 1; New Service 2; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts; DLL Search Order Hijacking; Change Default File Association

Privilege Escalation: Startup Items 1; Access Token Manipulation 1; Process Injection 1 1; New Service 2; File System Permissions Weakness; New Service; Scheduled Task; Process Injection; Service Registry Permissions Weakness; Exploitation for Privilege Escalation

Defense Evasion: Packing 1 1 1; Disabling Security Tools 1 1; Deobfuscate/Decode Files or Information 1; Rundll32 1; File Deletion 1; Obfuscated Files or Information 2 1; Masquerading 4 1; Access Token Manipulation 1; Process Injection 1 1; DLL Side-Loading 1

Credential Access: Input Capture 1; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History; Input Prompt; Keychain

Discovery: System Time Discovery 1; Security Software Discovery 6 1; File and Directory Discovery 2; System Information Discovery 4 3; Query Registry 1; Process Discovery 2; Network Sniffing; Network Service Scanning; System Network Connections Discovery; Process Discovery

Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol; Windows Admin Shares; Taint Shared Content

Collection: Input Capture 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data; Automated Collection; Audio Capture

Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Physical Medium

Command and Control: Standard Cryptographic Protocol 1; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol; Multilayer Encryption; Connection Proxy

Signature Overview

• AV Detection
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings

AV Detection:

Antivirus or Machine Learning detection for unpacked file

Spreading:

Contains functionality to enumerate / list files inside a directory

Networking:

Urls found in memory or binary data

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

E-Banking Fraud:

Drops certificate files (DER)

System Summary:

Contains functionality to communicate with device drivers

Contains functionality to shutdown / reboot the system

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Creates mutexes

Deletes files inside the Windows folder

Detected potential crypto function

Enables driver privileges

Found potential string decryption / allocating functions

One or more processes crash

PE file contains strange resources

Sample file is different than original file name gathered from version info

Sample reads its own file content

Tries to load missing DLLs

PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)

Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)

Classification label

Contains functionality to adjust token privileges (e.g. debug / backup)

Contains functionality to check free disk space

Contains functionality to instantiate COM classes

Contains functionality to load and extract PE file embedded resources

Creates files inside the program directory

Creates temporary files

Might use command line arguments

Reads ini files

Reads software policies

Runs a DLL by calling functions

Sample might require command line arguments (.Net)

Spawns processes

Uses an in-process (OLE) Automation server

Submission file is bigger than most known malware samples

Contains modern PE file flags such as dynamic base (ASLR) or NX

Binary contains paths to debug symbols

Data Obfuscation:

Contains functionality to dynamically determine API calls

PE file contains sections with non-standard names

Registers a DLL

Uses code obfuscation techniques (call, push, ret)

Sample is packed with UPX

Persistence and Installation Behavior:

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Boot Survival:

Creates an undocumented autostart registry key

Creates or modifies windows services

Stores files to the Windows start menu directory

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Contains functionality to read device registry values (via SetupAPI)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Queries disk information (often used to detect virtual machines)

Contains functionality to enumerate / list files inside a directory

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Program exit points

Queries a list of all running processes

Anti Debugging:

Checks for debuggers (devices)

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Enables debug privileges

Contains functionality to register its own exception handler

Creates guard pages, often used to prevent reverse engineering and debugging

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Contains functionality to add an ACL to a security descriptor

May try to detect the Windows Explorer process (often used for injection)

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Queries device information via Setup API

Queries the volume information (name, serial number etc) of a device

Contains functionality to query local / system time

Contains functionality to query windows version

Queries the cryptographic machine GUID

Lowering of HIPS / PFW / Operating System Security Settings:

May enable test signing (to load unsigned drivers)

Behavior Graph

[Figure: behavior graph. ID: 130798, Sample: WinCDEmu-4.1.exe, Startdate: 10/05/2019, Architecture: WINDOWS, Score: 52.]

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Processes shown: WinCDEmu-4.1.exe, drvinst.exe (twice), uninstall64.exe, drvinst64.exe, vmnt64.exe, rundll32.exe, regsvr32.exe (four nodes), VirtualAutorunDisabler.exe, WerFault.exe, 3 other processes

Signatures shown: Antivirus or Machine Learning detection for unpacked file; May enable test signing (to load unsigned drivers); Creates an undocumented autostart registry key

IP shown: 4.1.1.0, LEVEL3-Level3ParentLLCUS, United States

Dropped files shown:
• C:\Users\user\AppData\Local\...\drvinst64.exe, PE32+
• C:\Users\user\AppData\Local\...\drvinst32.exe, PE32
• C:\...\WinCDEmuContextMenu.dll, PE32
• 15 other files (none is malicious)
• C:\Windows\System32\...\SETB17B.tmp, PE32+
• C:\Windows\System32\drivers\SETD6C6.tmp, PE32+
• C:\Users\user\AppData\Local\...\SETAF0A.tmp, PE32+

Simulations

Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 23:17:26 | API Interceptor | 3x Sleep call for process: WinCDEmu-4.1.exe modified |

Antivirus and Machine Learning Detection

Initial Sample

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| WinCDEmu-4.1.exe | 0% | virustotal | | Browse |
| WinCDEmu-4.1.exe | 0% | metadefender | | Browse |

Dropped Files

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Program Files (x86)\WinCDEmu\batchmnt.exe | 0% | virustotal | | Browse |
| C:\Program Files (x86)\WinCDEmu\batchmnt.exe | 0% | metadefender | | Browse |
| C:\Program Files (x86)\WinCDEmu\batchmnt64.exe | 0% | virustotal | | Browse |
| C:\Program Files (x86)\WinCDEmu\batchmnt64.exe | 0% | metadefender | | Browse |
| C:\Program Files (x86)\WinCDEmu\mkisofs.exe | 0% | virustotal | | Browse |
| C:\Program Files (x86)\WinCDEmu\mkisofs.exe | 0% | metadefender | | Browse |
| C:\Program Files (x86)\WinCDEmu\uninstall.exe | 0% | virustotal | | Browse |
| C:\Program Files (x86)\WinCDEmu\uninstall64.exe | 0% | virustotal | | Browse |
| C:\Program Files (x86)\WinCDEmu\vmnt.exe | 0% | virustotal | | Browse |
| C:\Program Files (x86)\WinCDEmu\vmnt.exe | 0% | metadefender | | Browse |
| C:\Program Files (x86)\WinCDEmu\vmnt64.exe | 0% | virustotal | | Browse |
| C:\Program Files (x86)\WinCDEmu\vmnt64.exe | 0% | metadefender | | Browse |
| C:\Program Files (x86)\WinCDEmu\x64\BazisVirtualCDBus.sys | 0% | virustotal | | Browse |
| C:\Program Files (x86)\WinCDEmu\x64\BazisVirtualCDBus.sys | 0% | metadefender | | Browse |
| C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisabler.exe | 0% | virustotal | | Browse |
| C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisabler.exe | 0% | metadefender | | Browse |
| C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisablerPS.dll | 0% | virustotal | | Browse |
| C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisablerPS.dll | 0% | metadefender | | Browse |

Unpacked PE Files

| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 0.0.WinCDEmu-4.1.exe.c40000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File |
| 0.1.WinCDEmu-4.1.exe.c40000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File |
| 0.2.WinCDEmu-4.1.exe.c40000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File |
| 0.0.WinCDEmu-4.1.exe.c40000.0.unpack | 100% | Joe Sandbox ML | | | Download File |
| 0.1.WinCDEmu-4.1.exe.c40000.0.unpack | 100% | Joe Sandbox ML | | | Download File |
| 0.2.WinCDEmu-4.1.exe.c40000.0.unpack | 100% | Joe Sandbox ML | | | Download File |
| 0.3.WinCDEmu-4.1.exe.5540000.1.unpack | 100% | Joe Sandbox ML | | | Download File |

Domains

No Antivirus matches

URLs

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| .s | 0% | Avira URL Cloud | safe | |

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 4.1.1.0 | WinCDEmu-4.1.exe | Get hash | malicious | Browse | |
| | WinCDEmu-4.1.exe | Get hash | malicious | Browse | |
| | WinCDEmu-4.1.exe | Get hash | malicious | Browse | |

Domains

No context

ASN

| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| LEVEL3-Level3ParentLLCUS | 27instructio.exe | Get hash | malicious | Browse | 4.240.78.15 |
| | 47jihu.exe | Get hash | malicious | Browse | 4.225.160.35 |
| | 56MESSAG.exe | Get hash | malicious | Browse | 4.46.196.224 |
| | 22DOCUMEN.exe | Get hash | malicious | Browse | 4.5.26.252 |
| | 25lette.exe | Get hash | malicious | Browse | 4.18.43.3 |
| | 69tex.exe | Get hash | malicious | Browse | 4.240.78.157 |
| | 8Lette.exe | Get hash | malicious | Browse | 4.240.75.245 |
| | 43PYZqk80spk.exe | Get hash | malicious | Browse | 4.240.75.29 |
| | 26yylmzs.exe | Get hash | malicious | Browse | 4.240.75.119 |
| | .exe | Get hash | malicious | Browse | 4.242.186.186 |
| | 67file.exe | Get hash | malicious | Browse | 4.240.75.111 |
| | 5vWsDZUEb0B.exe | Get hash | malicious | Browse | 4.240.78.178 |
| | 51messag.exe | Get hash | malicious | Browse | 4.240.75.56 |
| | 18transcript.exe | Get hash | malicious | Browse | 4.240.78.49 |
| | 67.doc .exe | Get hash | malicious | Browse | 4.12.170.221 |
| | 47documen.exe | Get hash | malicious | Browse | 4.17.227.201 |
| | 3lette.exe | Get hash | malicious | Browse | 4.240.78.155 |
| | 23documen.exe | Get hash | malicious | Browse | 4.240.78.46 |
| | 64attachmen.exe | Get hash | malicious | Browse | 4.240.78.44 |
| | 21mai.exe | Get hash | malicious | Browse | 4.16.242.69 |

JA3 Fingerprints

No context

Dropped Files

| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| C:\Program Files (x86)\WinCDEmu\uninstall64.exe | WinCDEmu-4.1.exe | Get hash | malicious | Browse | |
| | WinCDEmu-4.1.exe | Get hash | malicious | Browse | |
| C:\Program Files (x86)\WinCDEmu\batchmnt64.exe | WinCDEmu-4.1.exe | Get hash | malicious | Browse | |
| | WinCDEmu-4.1.exe | Get hash | malicious | Browse | |
| | WinCDEmu-4.1.exe | Get hash | malicious | Browse | |
| C:\Program Files (x86)\WinCDEmu\mkisofs.exe | WinCDEmu-4.1.exe | Get hash | malicious | Browse | |
| | WinCDEmu-4.1.exe | Get hash | malicious | Browse | |
| | WinCDEmu-4.1.exe | Get hash | malicious | Browse | |
| C:\Program Files (x86)\WinCDEmu\uninstall.exe | WinCDEmu-4.1.exe | Get hash | malicious | Browse | |
| | WinCDEmu-4.1.exe | Get hash | malicious | Browse | |
| C:\Program Files (x86)\WinCDEmu\batchmnt.exe | WinCDEmu-4.1.exe | Get hash | malicious | Browse | |
| | WinCDEmu-4.1.exe | Get hash | malicious | Browse | |
| | WinCDEmu-4.1.exe | Get hash | malicious | Browse | |

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64
WinCDEmu-4.1.exe (PID: 2284 cmdline: 'C:\Users\user\Desktop\WinCDEmu-4.1.exe' MD5: 4E53BEFE779F677B1CCEC54B84F60A8C)
  uninstall64.exe (PID: 3692 cmdline: 'C:\Program Files (x86)\WinCDEmu\uninstall64.exe' /UPDATE MD5: 2ED433C12CFA75908EB790FC8B23EA9E)
    VirtualAutorunDisabler.exe (PID: 3456 cmdline: 'C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisabler.exe' /RegServer MD5: 98E22C7CD9BAECA08875EAFD182C13FC)
    regsvr32.exe (PID: 2560 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisablerPS.dll' MD5: D78B75FC68247E8A63ACBA846182740E)
      regsvr32.exe (PID: 1032 cmdline: /s 'C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisablerPS.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
    regsvr32.exe (PID: 2944 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Program Files (x86)\WinCDEmu\x86\WinCDEmuContextMenu.dll' MD5: D78B75FC68247E8A63ACBA846182740E)
      regsvr32.exe (PID: 3104 cmdline: /s 'C:\Program Files (x86)\WinCDEmu\x86\WinCDEmuContextMenu.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
    VirtualAutorunDisabler.exe (PID: 4348 cmdline: 'C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisabler.exe' /RegServer MD5: 6F587118EB5B019F61B864FAAFD6EBCD)
    regsvr32.exe (PID: 4852 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisablerPS.dll' MD5: D78B75FC68247E8A63ACBA846182740E)
    regsvr32.exe (PID: 1144 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Program Files (x86)\WinCDEmu\x64\WinCDEmuContextMenu.dll' MD5: D78B75FC68247E8A63ACBA846182740E)
  drvinst64.exe (PID: 3340 cmdline: C:\Users\user\AppData\Local\Temp\ssi9393.tmp\drvinst64.exe instroot 'root\BazisVirtualCDBus' 'C:\Program Files (x86)\WinCDEmu\BazisVirtualCDBus.inf' MD5: 731A3CE577B0A406723B4405FB4CD2F1)
  vmnt64.exe (PID: 3300 cmdline: 'C:\Program Files (x86)\WinCDEmu\vmnt64' /uacdisable MD5: BF26C935FFD4C25FFF6731DBF73D2212)
    WerFault.exe (PID: 4864 cmdline: C:\Windows\system32\WerFault.exe -u -p 3300 -s 504 MD5: BFD11F05E0245D5178ADFBC609E0328B)
drvinst.exe (PID: 4356 cmdline: DrvInst.exe '4' '0' 'C:\Users\user\AppData\Local\Temp\{df3353aa-c23b-5443-8fea-aa7ade97b78e}\bazisvirtualcdbus.inf' '9' '4aa431c33' '0000000000000D7C' 'WinSta0\Default' '0000000000000DA4' '208' 'c:\program files (x86)\wincdemu' MD5: 46F5A16FA391AB6EA97C602B4D2E7819)
  rundll32.exe (PID: 3820 cmdline: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{973994b0-5adb-bd4d-819c-fe0f7d6aa2c9} Global\{5ea01259-f862-6e47-b860-3e0ae80066e2} C:\Windows\System32\DriverStore\Temp\{15724f1a-6ddf-4d47-b721-e090da908724}\bazisvirtualcdbus.inf C:\Windows\System32\DriverStore\Temp\{15724f1a-6ddf-4d47-b721-e090da908724}\BazisVirtualCDBus.cat MD5: 73C519F050C20580F8A62C849D49215A)
drvinst.exe (PID: 3160 cmdline: DrvInst.exe '2' '211' 'ROOT\SCSIADAPTER\0000' 'C:\Windows\INF\oem3.inf' 'bazisvirtualcdbus.inf:6a548da5cccf6fa4:BazisVirtualCDBus_Device:4.1.1.0:root\bazisvirtualcdbus,' '4aa431c33' '0000000000000CDC' MD5: 46F5A16FA391AB6EA97C602B4D2E7819)
cleanup

Created / dropped Files

C:\Program Files (x86)\WinCDEmu\BazisVirtualCDBus.inf

Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe
File Type: Windows setup INFormation, ASCII text
Size (bytes): 1458
Entropy (8bit): 5.361028042086157
Encrypted: false
MD5: 9A41ACAF308273117F12253119753CD2
SHA1: DE3DA728432C61BE2C8684670997BAA8EEB36934
SHA-256: BB36739BDBBBCA8D445BC0F79A6BB286F374A12B7EA06D5F6904068756B4C801
SHA-512: 51EDC19B7BBAF365EF8528603120EFC56CCA5C768A1054B79C93876BB042DFFC2999F2EC0C0DC1547A4E0B90E7B8B8281F27FCFA80F276FB991E7CF5EC01D8A6
Malicious: false
Preview:
  [Version]
  Signature="$WINDOWS NT$"
  Class=SCSIAdapter
  ClassGuid={4d36e97b-e325-11ce-bfc1-08002be10318}
  Provider=%BAZIS%
  DriverVer=06/02/2015, 4.01.0001
  CatalogFile=BazisVirtualCDBus.cat

  [DestinationDirs]
  DefaultDestDir = 12

  [SourceDisksNames.x86]
  1 = %DiskId1%,,,

  [SourceDisksNames.amd64]
  1 = %DiskId1%,,,

  [SourceDisksFiles.x86]
  BazisVirtualCDBus.sys = 1,\x86

  [SourceDisksFiles.amd64]
  BazisVirtualCDBus.sys = 1,\x64

  [Manufacturer]
  %BAZIS%=Standard, NTamd64

  [Standard]
  %BazisVirtualCDBus.DeviceDesc%=BazisVirtualCDBus_Device, root\BazisVirtualCDBus

  [Standard.NTamd64]
  %BazisVirtualCDBus.DeviceDesc%=BazisVirtualCDBus_Device, root\BazisVirtualCDBus

  [BazisVirtualCDBus_Device.NT]
  CopyFiles=Drivers_Dir

  [Drivers_Dir]
  BazisVirtualCDBus.sys,,,2

  ;------Service installation
  [BazisVirtualCDBus_Device.NT.Services]
  AddService = BazisVirtualCDBus,%SPSVCINST_ASSOCSERVICE%, dev_Service_Inst

  ; ------busenum driver install sections
  [dev_Service_Inst]
  DisplayName = %dev.SVCDESC%

C:\Program Files (x86)\WinCDEmu\batchmnt.exe

Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Size (bytes): 105984
Entropy (8bit): 6.23128355808037
Encrypted: false
MD5: 5E6561921A7722EA025A79172E7B443E
SHA1: 1CBB792056D630A8718CF29CD1FEC36721E57B5F
SHA-256: C694D42D19DAA784687B9146D19B7797B937E151A8AA7155904F54A1A6FD7A84
SHA-512: FBD798E435F4AAC9D3513C3565445E2E2F4B74DF8EB9B2E42B742ED022FB3B6EAE91FA90BF51D10D104EB09863625A4E90C35206604F20B1EC35D303488D0F18
Malicious: false
Antivirus:
• Antivirus: virustotal, Detection: 0%, Browse
• Antivirus: metadefender, Detection: 0%, Browse
Joe Sandbox View:
• Filename: WinCDEmu-4.1.exe, Detection: malicious, Browse
• Filename: WinCDEmu-4.1.exe, Detection: malicious, Browse
• Filename: WinCDEmu-4.1.exe, Detection: malicious, Browse

C:\Program Files (x86)\WinCDEmu\batchmnt64.exe

Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Size (bytes): 130048
Entropy (8bit): 6.001382566428226
Encrypted: false
MD5: EF5F980E1E1DBDF454673206751BF255
SHA1: 2B5AEA7B577984C4BAA99F0108C1AEB84F76F91E
SHA-256: 4A363E27B849A994250E6F2E4C9B4DD56F70F7CF9FF78375B3EE23244F1F9B6E
SHA-512: BAD71F938DD819A83CDDD1A920ADAAC31F645CEEBBD421974D370B75DFEBD4DA3A6F4CB398C6990239571F87F56D3BF94F1FE9001C8610D7A8C897F5F9D21566
Malicious: false
Antivirus:
• Antivirus: virustotal, Detection: 0%, Browse
• Antivirus: metadefender, Detection: 0%, Browse
Joe Sandbox View:
• Filename: WinCDEmu-4.1.exe, Detection: malicious, Browse
• Filename: WinCDEmu-4.1.exe, Detection: malicious, Browse
• Filename: WinCDEmu-4.1.exe, Detection: malicious, Browse

C:\Program Files (x86)\WinCDEmu\bazisvirtualcdbus.cat

Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe
File Type: data
Size (bytes): 8624
Entropy (8bit): 7.218510203540477
Encrypted: false
MD5: 1A7AE9457824C66CF047A95F1A5C4629
SHA1: 4D9C13618E5D1A998DF6B299D7BA8FDB45012EB2
SHA-256: 63A80143E6394BEA74A798481F19056D12F67AB4910758BA2FE4F499D1A8698A
SHA-512: C5F802236507BA252B0CA632C07E6A08DC2C9820ADC4706CFE04A781EEF4D010FA8E6D8EC9DF7105D64DB2274C2342FA97161E4B774B2E0F0B906D956FF814F6
Malicious: false

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Arabic.lng

Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe
File Type: data
Size (bytes): 8574
Entropy (8bit): 3.8754681099226946
Encrypted: false
MD5: 1C177FB48474504E2A12E135DA569C89
SHA1: B23EC0113CFB893DE01059D9DDD5398A121851BA
SHA-256: 49057E02A613243B138EA30F697E5DE68A8CE68D9F48C2119AAE33347711F474
SHA-512: 316F964DF85CCA78B795F070545EF032AA0E4ADE623BA06DB9CD50FC2DF0EF0CBB31375424C8DD4D431312A5E9FDE1F716B33241A9E7F51757D4C86BAFE0DD23
Malicious: false
Preview:
  ; Generated by online LNG editor, http://wincdemu.sysprogs.org/translations/lngedit.php
  ; Syntax: <ID> <spaces or tabs> <value>
  ; <value> should be in C/C++ format (\r, \n, \t, \", etc.)
  ; Strings starting with '; ' will be ignored
  ; WARNING! This file should always be UNICODE!

  [settings]
  Language        العربية
  LanguageEng     Arabic
  Translator      Elias Ab
  LANGID          31770
  CountryCode     SA

  [strings]
  IDS_AUTOCLO

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Bengali.lng

Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe
File Type: data
Size (bytes): 1676
Entropy (8bit): 3.6145111119676137
Encrypted: false
MD5: D23C884983ACDD3E39D905B456A93810
SHA1: C2AD7FDDF65DB7C6EFCD3E52EF2D3AD6C09DD7EF
SHA-256: A7F22EA0BBBF9C22AC7E3B6F72785E41CABEAB35A762A55CDD0782015A5DD029
SHA-512: F1E8A3EA4B735BDDA303C4102A6D9C40B31B72EBD0328C7EC3FA6BB77AD08DBF9F9C9858CC54016638160A517EB4E20A400BA6C085C5FAC96F1520B0D986BCC7
Malicious: false
Preview:
  ; Generated by online LNG editor, http://wincdemu.sysprogs.org/translations/lngedit.php
  ; Syntax: <ID> <spaces or tabs> <value>
  ; <value> should be in C/C++ format (\r, \n, \t, \", etc.)
  ; Strings starting with '; ' will be ignored
  ; WARNING! This file should always be UNICODE!

  [settings]
  Language        ......
  LanguageEng     Bengali
  Translator      Rana Mahmud
  LANGID          2117
  CountryCode     BD

  [strings]
  IDS_CANCEL

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Catalan.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 10508 Entropy (8bit): 3.40177105227803 Encrypted: false MD5: AB6B693AB0D2E076F38C5A1F66F0178C SHA1: 395CF8AA6E72DA78EF409932935001927382D50F SHA-256: 46A16FEDDA9AE1F6A80C932ABE28E883BA87DD475E84CED6888F2B49A52866A3 SHA-512: 8201DA84C0CEB0B1BF3EE23D3CBF797F0DCA84AFF02D682498BD3F34E8617D723BC13A1ABD346565BE006C4D686F331CB77062A0DD3D35BD4FE904C4182EE7 E4 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... C.a.t.a.l...... L.a.n.g.u.a.g.e.E.n.g...... C.a.t.a.l.a.n.....T.r.a.n.s.l.a.t.o.r...... B.e.n.n.y.B.e.a.t. .[.C.A.T.e.g.o.r.i.a...c.a.t.].....E.-.M.a.i.l...... [email protected]......

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Czech.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 9484 Entropy (8bit): 3.5821111783399986 Encrypted: false MD5: E27BE5A5E7121ED58E8127475B3ACF33 SHA1: 3991DCF763F81CCD431D8A963DF126F1E1B79FBE SHA-256: 7375E41071F2417035608D01C516E0957C4D4CA4824EA6FCC44E12349A4581CE SHA-512: 898F36D4A1DF4C8DA2BAA3ECD30AE635F7EEB9DEF345566934F4EDCD53FF03F36049C41DF62D098A3C2D64C054A98A63734FC8345CED95263478846CEB604C3 0 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... e.s.k.y.....L.a.n.g.u.a.g.e.E.n.g...... C.z.e.c.h.....T.r.a.n.s.l.a.t.o.r...... D.r.a.k.o.u.s.7.9.....E.-.M.a.i.l...... d.r.a.k.o. u.s.7.9. .a.t. .g.m.a.i.l...c.o.m.....L.A.N.G.I.D...... 1.0.2.9.....C.o.u.n.t.r.y.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Farsi.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 9206 Entropy (8bit): 3.906454960093117 Encrypted: false MD5: 5AE5AC5C2BA4B2788C8DADA8091B17FC SHA1: 8024A1ACA0596DD33F81473FEDA6A562D486A655 SHA-256: 7481EC639DAFE58EF68EADAFD22C45CC35AD747C764FBCBEADE8D18FC7EFBA2C SHA-512: A1CD356FEC376525E958D80F8671D979D40316AF71862820FDB629086B0831AB0F78135D4361BB8F5DA2A13616AF42038DF5E173F205396422C4E24EA9E408DB Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... A.'.1.3...... L.a.n.g.u.a.g.e.E.n.g...... P.e.r.s.i.a.n.....T.r.a.n.s.l.a.t.o.r...... o.p.e.n.s.o.u.r.c.e.u.s.e.r.....E.-.M.a.i.l...... [email protected]...... 1.0.6.5.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Indonesia.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 9234 Entropy (8bit): 3.394209778599828 Encrypted: false MD5: 2E0FC52D313032A4626CAA4BE6BA563C SHA1: FE6F4BFD32CD05EAE926A6E6DB99929F3A156E2A SHA-256: 4F2D907E3D960617F93CBD14FD44913E1B1C409C8A5C8160BDB6F4EB1D736F13 SHA-512: 303EE6B5E144B693FDFD32C96CE69BE29E827EA104347FE100F9F83CF13CCD51C0740FB0E0D14ED50C30AE3DB7A88D9AA9F329D2BE90CDB8B8D8BCA3F58807 BC Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... B.a.h.a.s.a. .I.n.d.o.n.e.s.i.a.....L.a.n.g.u.a.g.e.E.n.g...... I.n.d.o.n.e.s.i.a.n.....T.r.a.n.s.l.a.t.o.r...... J.e.t.i.s.3.3.....E.-.M.a.i.l...... [email protected]...... 1.0.5.7.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Slovak.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 9632 Entropy (8bit): 3.5786881994133437 Encrypted: false MD5: 2CEBD7A662FF4102436EBDA4D8B8B33D SHA1: B0368E7C1DD54676D4A788DDD76E004C09E19D03 SHA-256: CDCCC857A73C01C62446C858DD10FDF1EC7E75FDF9EA9A21D210740482A0F001 SHA-512: 985C251B7C1E3F97DE6CC746FB0993DDC19B7C8944BF7BB50AAB685C179699EC83AA8B26619AD34A4FDBE3AAE59234F78BB1F9F7E05250E015254D88E137593 6 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... S.l.o.v.e.n.s.k.y.....L.a.n.g.u.a.g.e.E.n.g...... S.l.o.v.a.k.....T.r.a.n.s.l.a.t.o.r...... f.a.n.o.x.....L.A.N.G.I.D...... 1.0.5.1.....C.o.u.n.t.r.y.C.o.d.e...... S.K...... [.s.t.r.i.n.g.s.].....I.D.S._.A.U.T.O.C.L.O.S.E.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Taiwan.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 7004 Entropy (8bit): 4.319162650302342 Encrypted: false MD5: 5839297F4C3B5AA339B91FFD4B05760D SHA1: 2EF21231A90B9A9C99D26969EC1A23003DDA11C0 SHA-256: 9D5D8B200FFE7D61BFDF36118D1CC1991D1AFB3CB9461EBB4473816C0B254861 SHA-512: 20C8B95D6FEA2AE65F6EDEDD990518D54CA8810AC69322C6B22F3089AA5A9B3B70ECE51D378F785ED20425E13FAEE26DDC4080C8AC7CB98899B9B0DC0D8644 01 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... A~.-N.e .(...cp).....L.a.n.g.u.a.g.e.E.n.g...... C.h.i.n.e.s.e. .(.T.a.i.w.a.n.).....T.r.a.n.s.l.a.t.o.r...... F.r.o.s.t.y. .P.o.-.J.u.n.g. .L.u.....L .A.N.G.I.D...... 1.0.2.8.....C.o.u.n.t.r.y.C.o.d.e...... T.W...... [.s.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_armenian.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 4202 Entropy (8bit): 3.966748129004514 Encrypted: false MD5: 054BC47AEC44BC24EFB7FA2D3CB4D16E SHA1: 067EE15600F3B9E4377CA159936D0980F5ADBCC3 SHA-256: F997CB43C2A5D3BB937E7966757F913DC2E4A4781723F45A5E93CD63D213C2FC SHA-512: 77C29A5994C9C03105CE3ED939C1118F9480618E76241E1E43ABD6327744E3EDB298B35F75443AEBC2598435B2AC1BA5FF4AFDD70C7E97E2F4887DFF44B3CCE A Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... @.a.u.e...e.v.....L.a.n.g.u.a.g.e.E.n.g...... A.r.m.e.n.i.a.n.....T.r.a.n.s.l.a.t.o.r...... a.r.s.h.a.m.....E.-.M.a.i.l...... [email protected]...... 1.0.6.7.....C.o.u.n.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_bahasaindonesia.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 10358 Entropy (8bit): 3.4044719095407063 Encrypted: false MD5: EE1B69AD806DC238CDB3494D15EDAFAB SHA1: B79626FDEC8AD97CB19F51EE871D06CCCEF08C16 SHA-256: 42C1AC4600E24BF102D4F1ABE41275B275BF9A10196219049EEA33F1B21DE40C SHA-512: 97FF640661FA8201E1D38014460022DFD9069BA1A8D9993A419442B4C7266AAEEA15D22638FD1A035C2FCA0D78C8072511903F5261A23EF4D78CA529E0894B21 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... B.a.h.a.s.a. .I.n.d.o.n.e.s.i.a.....L.a.n.g.u.a.g.e.E.n.g...... I.n.d.o.n.e.s.i.a.n.....T.r.a.n.s.l.a.t.o.r...... A.n.d.i.k.a. .T.r.i.w.i.d.a.d.a.,. . A.c.h.m.a.d. .J.e.t.i.s.,. .Z.a.m.a.n.i. .K.a.r.m.a.n.a.....E.-.M.a.i.l...... [email protected].

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_bulgarian.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 9836 Entropy (8bit): 3.9895069678884876 Encrypted: false MD5: BDE8E065B9964471A94577ABC273C6A2 SHA1: FC082776144313236794F54AB2F7C5E585B7E18A SHA-256: 2EF90CAFDF86FD7F9EAD5278F8A089048C3FECDF17C7F92B8086C12E73D3AE7B SHA-512: 2FDB47AD4ACDFC280AA6440D6A80A19227DBC94D3D12DBCFA416159830A79C5B08A0C41A7BD9C464BD3AF48A0BB47D1125B9D9AD6A4C01246B1CCC93032523 E7 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... J.;[email protected].:.8.....L.a.n.g.u.a.g.e.E.n.g...... B.u.l.g.a.r.i.a.n.....T.r.a.n.s.l.a.t.o.r...... p.r.1.m.e.....E.-.M.a.i.l...... s. u.p.p.o.r.t.#.s.y.s.p.r.o.g.s...o.r.g.....L.A.N.G.I.D...... 1.0.2.6.....C.o.u.n.t.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_dansk.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 6356 Entropy (8bit): 3.4137608282401133 Encrypted: false MD5: EED99027CE8D0BEE9393DF2E42368D56 SHA1: 68116D787A56E8C32EDC02F8A2F2FA12B46EB66F SHA-256: 7F48F93AB032FCFEE1212AFE9FEF30A7D0B764313CB3F45CC76EF08FF00979DB SHA-512: 00ECE9EE22F1B579EB7B542832C8861063F14892625CB5A5E82F14CA72AE595FAEF314D587EE14812D47DC081A4CCBB3065C9F1F63771ABEE623914F0F41281A Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... D.a.n.s.k.....L.a.n.g.u.a.g.e.E.n.g...... D.a.n.i.s.h.....T.r.a.n.s.l.a.t.o.r...... K.e.f.f.e.n.....E.-.M.a.i.l...... k.e.f.f.e.n... [email protected]...... 1.0.3.0.....C.o.u.n.t.r.y.C.o.d.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_dutch.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 9358 Entropy (8bit): 3.4191284666196315 Encrypted: false MD5: 6B77C85BC096643F2211EDF35623C759 SHA1: 4B9C26CB14E8E4F915D83F70643CD0213B952F72 SHA-256: FA4DC5BFCB8CDA847512761126B9945A658CA58427FFE2C592ACFD50B67D70E0 SHA-512: EE62E79EE3FE9BBE746181823C59311C8E6E6D7F2DCE65062DC43F895C889D48D0342CD64E25E073F8FCCB54F6436B5AD1A19471EEEF888AF769D2E22E85554 9 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... N.e.d.e.r.l.a.n.d.s.....L.a.n.g.u.a.g.e.E.n.g...... D.u.t.c.h.....T.r.a.n.s.l.a.t.o.r...... R.o.b.e.r.t. .v.a.n. .d.e.r. .R.h.e.e.....E.-.M.a.i.l...... r.o.b.e.r.t.#.v.a.n.d.e.r.r.h.e.e...c.o.m.....L.A.N.G.I.D......

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_english.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators Size (bytes): 8842 Entropy (8bit): 3.379097769873657 Encrypted: false MD5: 967BC885F19EB2CA9E036B9367A7392C SHA1: F475436DC03F06D82EA1CB5D25B75650C5D4C1D4 SHA-256: 9C2E62D42E0AC165C79C0FFEC1C90111A36F4F34FE565A1991659FD8F256FE42 SHA-512: BEB26660A4138E2BB6BDD564C78F9D7C1206170812D62820ABC5493A0F5C4F75588AAE9A84E5B3D432A8D9158FB9FF70A11101646BF708F28667064638135E15 Malicious: false Preview: ..;. .G.e.n.e.r.a.t.e.d. .b.y. .B.a.z.i.s.L.i.b. .S.T.R.G.E.N...E.X.E.,. .h.t.t.p.:././.b.a.z.i.s.l.i.b...s.y.s.p.r.o.g.s...o.r.g./.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<.s.p.a.c.e.s. .o.r. .t.a.b.s.>. . <.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...)...... ;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'.;. .'. .w.i.l.l. .b.e. .i.g.n. o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... E.n.g.l.i.s.h.....L.A.N.G.I.D...... 1.0.3.3.....L.a.n.g.u.a.g.e.E.n.g. . . . .E.n.g.l.i.s.h.....T.r.a.n.s.l.a.t.o.r...... S.y.s.P.r.o.g.s.....E.-.M.a.i.l...... [email protected]...... [.s.t.r.i.n.g.s.]. ....I.D.S._.A.U.T.O.C.L.O.S.E.W.N.D...... C.l.o.s.e. .t.h.i.s. .w.i.n.d.o.w. .a.u.t.o.m.a.t.i.c.a.l.l.y.....I.D.S._.A.U.T.O.L.E.T.T.E.R.S.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_estonian.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 8898 Entropy (8bit): 3.4085589391233673 Encrypted: false MD5: B152548B47C0EFEC3D22D557E1725096 SHA1: EA855A162866318A557B09302ABE46276EE212C8 SHA-256: 15274E12FDD6477F96FCEB50EF5F4CB26E05CAF7EA7ED718F071EB924B4AB501 SHA-512: 044A76B0CFC45DDD0255075F0506A51A6FA4C45D02D6085EA0261B887182CAE8257D700CB744BE51A2AB8596BAA8AAD073EDD949DBA1AAB5B6AC069636945E 31 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... E.e.s.t.i. .k.e.e.l.....L.a.n.g.u.a.g.e.E.n.g...... E.s.t.o.n.i.a.n.....T.r.a.n.s.l.a.t.o.r...... S.y.s.P.r.o.g.s.....E.-.M.a.i.l...... s.u.p.p.o.r.t.#.s.y.s.p.r.o.g.s...o.r.g.....L.A.N.G.I.D...... 1.0.6.1.....C.o.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_finnish.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 10266 Entropy (8bit): 3.433484634516046 Encrypted: false MD5: 4457FDE782FEAA959D141C1E3880F4C0 SHA1: 9181BCEA80530F2700D02856862EC87C89744AFA SHA-256: 37D2482D63A86DE5548AC52AB6912EA0A3D4FEBA790DE0E9F89F62835F30CA3B SHA-512: 0AD86B9C83FD973030A13D5E297368D59769081BF8A1C12ACCF0AEC762F44C251E190C9180BBDC09DA26EAC5D653B0342708E064294A5154944BA15FED86CDC9 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... S.u.o.m.i.....L.a.n.g.u.a.g.e.E.n.g...... F.i.n.n.i.s.h.....T.r.a.n.s.l.a.t.o.r...... J.u.h.a.....L.A.N.G.I.D...... 1.0.3. 5.....C.o.u.n.t.r.y.C.o.d.e...... F.I...... [.s.t.r.i.n.g.s.].....I.D.S._.A.L.R.E.A.D.Y.M.O.U.N.T.E.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_french.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 10158 Entropy (8bit): 3.4179024737144803 Encrypted: false MD5: 95031E630D34940CBB9ADC61760D225F SHA1: 785F3299EF54E63A6050D1C39D32514C0DF6DAE2 SHA-256: D1A8937A47460CDA3146C45C004A8EE5A4AE0CC8913FF26658A01F89484D2BE7 SHA-512: F5CAD9908478BF891462BAC240DC8DE18657F5421B08BF02492BEFEEB45F96AA4A63E6CF058DF02F2EDD439946C19E2C455A5F582C59F40AF48C080F989FAB1 E Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... F.r.a.n...a.i.s.....L.a.n.g.u.a.g.e.E.n.g...... F.r.e.n.c.h.....T.r.a.n.s.l.a.t.o.r...... W.i.l.l.i.a.m. .G.A.T.H.O.Y.E.....E.-.M.a.i.l...... [email protected]...... 1.0.3.6.....C.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_german.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 10618 Entropy (8bit): 3.4486059648151137 Encrypted: false MD5: 093783D763F020E9C5C6E9746A5ABF92 SHA1: 96A368C8536873C707EC2DBDAD6E92016DBECB64 SHA-256: A7E021618A74FB1E3BEEEEEEC03E0D753ED55EF7473983BA3E6092ED3580771B SHA-512: E6A85B5FE05FB81B1108B799BDE35F6AE62159474FD4967466FDC2405174EF37EDD61B1FFB073F754E3F092D07762E60634144B5EC7C6600A31887DE0DE83137 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... D.e.u.t.s.c.h.....L.a.n.g.u.a.g.e.E.n.g...... G.e.r.m.a.n.....T.r.a.n.s.l.a.t.o.r...... K.a.i. .E.v.e.r.s. ./. .b.a.t.c.h.0.7.1.1. ./. .P.a.d.m.a.n.....E.- .M.a.i.l...... k.e.v.e.r.s.#.s...n.e.t.i.c...d.e.....L.A.N.G.I.D......

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_greek.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 9700 Entropy (8bit): 4.142599921635029 Encrypted: false MD5: 1C74EB9BF2F9FBE1949A6BFAA0497E28 SHA1: DBF92890B79070EFC332E46DF9EF320C4673EF29 SHA-256: 8F7E082D879EC597654879D595F3DA167CA41365B57EFB69D22D7D34A1EAB83C SHA-512: CA987F57BFC276797DA2E4C67481D14936463A2A79FE07C844F220434BFF021F2C6AB493206425852C0183F83216C6CE745AAF6CCE2F972BBA17954A4AA7B1C9 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... L.a.n.g.u.a.g.e.E.n.g...... G.r.e.e.k.....T.r.a.n.s.l.a.t.o.r...... g.e.o.g.e.o. .-. .w.w.w...g.e.o.g.e.o...g.r.....E.-.M.a.i.l...... a.d.m.i.n.#.g.e.o.g.e.o...g.r.....L.A.N.G.I.D...... 1.0.3.2.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_hebrew.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 8632 Entropy (8bit): 3.997490342980419 Encrypted: false MD5: FFCA959029F8E28C160535EA7B38EE64 SHA1: 746A280574BF225FD17B20F38BDE268A9AC982BD SHA-256: D2328F3DE2BAD05251BC8D496AFA1EB619A5351FD93485C612D8C8DE26FDF395 SHA-512: 385A0F7BC9BEF8F805AEF37DE0FFEA3DF86E420B218219B59CD70046EB9CF830535B1C51A5430D6703BEE3A802CD5A3399DA0BFF35027216BECDC48911A6AB5 1 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... L.a.n.g.u.a.g.e.E.n.g...... H.e.b.r.e.w.....T.r.a.n.s.l.a.t.o.r...... p.e.t.e.r.g.....E.-.M.a.i.l...... a.p.o.l.o.n.0. 4.#.g.m.a.i.l...c.o.m.....L.A.N.G.I.D...... 1.0.3.7.....C.o.u.n.t.r.y.C.o.d.e. . .

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_hungarian.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 10302 Entropy (8bit): 3.501816362465637 Encrypted: false MD5: B272FD93DE261270406B3CCD237C247D SHA1: 7182A744C7A047726E355C6EACB299A2A2A225CD SHA-256: BA6FED75872822CC1FD7135598DCB1718B07B7EDA049C5F7C3ED5DF8751C2ABF SHA-512: 3897D0F2F30BCC810FAE9D0315FA75CCF77485DC0939DC269285372E8F887A8B30D1252D63DCEC6CE2B95D6F3FF2EC7B098FE1090766936956D3B49FF67EEFAB Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... M.a.g.y.a.r.....L.a.n.g.u.a.g.e.E.n.g...... H.u.n.g.a.r.i.a.n.....T.r.a.n.s.l.a.t.o.r...... m.u.k.k.....E.-.M.a.i.l...... [email protected]...... 1.0.3.8.....C.o.u.n.t.r.y.C.o.d.e. . . .

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_italian.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 10296 Entropy (8bit): 3.388252502603621 Encrypted: false MD5: 63111C9D894811D7FEA24687F0DD35B0 SHA1: 31B62525E23E7CB1BE17D35318C51073B64490DD SHA-256: AC65FA205B9D336360FA752097B83347F7B336CB799AF081ED03B5667BFB3F3B SHA-512: DEC15591CEB3997C265ED5E92E7971DF26B71D045AE1F2EFCE0922D53410591E0C140838D28570F88DCDB250C04113B65DEA8D8BC300DB4B742726D67A20C040 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... I.t.a.l.i.a.n.o.....L.a.n.g.u.a.g.e.E.n.g...... I.t.a.l.i.a.n.....T.r.a.n.s.l.a.t.o.r...... M.a.r.c.o. .B.a.r.t.o.l.u.c.c.i.....L.A.N.G.I.D...... 1.0.4.0.....C.o.u.n.t.r.y.C.o.d.e...... I.T...... [.s.t.r.i.n.g.s.].....I.D.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_japanese.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 2688 Entropy (8bit): 3.951440135741067 Encrypted: false MD5: 29D6E5181D9E3D1BCAD83664C12B8185 SHA1: 65E5BB3B51A6071AD0DBD40ACCFEDF3CE6B2C621 SHA-256: 84D7BE0472BB27389CE21183F1AEEA56DBC18BF0D65C19505E1B5C11A136A575 SHA-512: 31F385B94EFABC9B23ED52118D7AEEA5C5C046F295B61F59415AB6F8F3ECDE0339F358255A932BD500AF77A93D20636DD862AEFF06876726BB5B5D1B65A478F F Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... e,g...... L.a.n.g.u.a.g.e.E.n.g...... J.a.p.a.n.e.s.e.....T.r.a.n.s.l.a.t.o.r...... G...K... .A.p.p.l.e.t.....E.-.M.a.i.l...... a.p. p.l.e.t.#.b.p...i.i.j.4.u...o.r...j.p.....L.A.N.G.I.D...... 1.0.4.1.....C.o.u.n.t.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_kannada.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 9846 Entropy (8bit): 4.163943161876933 Encrypted: false MD5: F941D8E5277FC7711E0B50622030A055 SHA1: 0C1005634358E564BD973F16C9B9D65D4E0A49F1 SHA-256: 43BE088C70FEE45FFE8CAFB921CC3A5B8ADC276C15C473D029CA4BD10FBCD954 SHA-512: 7E44B9F682111BAF1C081F7328CE1D99E6CC11ADC30F470021F92BB8703907D7EBD36D963B219E977FA5C568A255E595FA8587CA7326EE1800287DE8B0C2DFAA Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... L.a.n.g.u.a.g.e.E.n.g...... K.a.n.n.a.d.a.....T.r.a.n.s.l.a.t.o.r...... M.u.r.t.h.y.....E.-.M.a.i.l...... r.u.d.r.a.m. [email protected]...... 1.0.9.9.....C.o.u.n.t.r.y.C.o.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_korean.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 7178 Entropy (8bit): 4.248917671254704 Encrypted: false MD5: FBC2FA5FC31AB329BBCDDD5D58585C43 SHA1: 7731F8E4D61B9CBA15419068C1EEB1BD509EC59A SHA-256: E5A506356BFF4512D63AC0AE39BD6BAD5C41D15091817F4EC1FD30E522F79DD7 SHA-512: 56C710AB51275717519A5D2DA0E852DEC6AAE1E28524E488F73026D91917800625FD10B0B7F8D78D72E586B9E0CEA990416D919394E88DEDD47EE3E0E18B6F4E Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... \.m...... L.a.n.g.u.a.g.e.E.n.g...... K.o.r.e.a.n.....T.r.a.n.s.l.a.t.o.r...... j.i.n.h.w.a.n.-.j.e.o.n.g.....E.-.M.a.i.l...... y.o. [email protected]...... 1.0.4.2.....C.o.u.n.t.r.y.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_kurdish.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 5006 Entropy (8bit): 3.9356540064220535 Encrypted: false MD5: 12690623FC8EB82F9A47B5296A8141D9 SHA1: C9664880E5AC9B3AD1C9C76D5F9BC742F785F119 SHA-256: B778C00789FE073B8CCD247254CC7F4F4222F003E36555402BD437E1CDD7A4BC SHA-512: 0C863E235465EE4C147F79736B5727E33D43928733B0042908AFBD75B5C6B2FC5380923782E928D32DBDB680488CDA441E1E4990787529A40662806A11F8197A Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... K.u.r.d.i.s.h.....L.a.n.g.u.a.g.e.E.n.g...... K.u.r.d.i.s.h.....T.r.a.n.s.l.a.t.o.r...... H.a.v.a.l. .A.b.d.u.l.k.a.r.i.m.....E.-.M.a.i.l...... h.a.v.a.l...a.b.d.u.l.k.a.r.i.m.@.g.m.a.i.l...c.o.m.....L.A.N.G.I.D......

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_lithuanian.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 3034 Entropy (8bit): 3.417261387926855 Encrypted: false MD5: 7D1604FD2688471758B2E8FC31726828 SHA1: 2983A67D17D7E3D0B5165AE87C0608A2F80B8D3D SHA-256: 92EB2867B681B25C3E5AB669D4228089A55FB61B1817E96C2BBA8D2B2762B92F SHA-512: AFCF5AA77147B08C5BB039AFC7239814A96DD8E013838E6F5B5286DBB0D533E4DCB04E3F0CC106802B3FAEB60E2529C865A4557E2E26D7957F4B0661BF5F25E 2 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... L.i.t.h.u.a.n.i.a.n.....L.a.n.g.u.a.g.e.E.n.g...... L.i.t.h.u.a.n.i.a.n.....T.r.a.n.s.l.a.t.o.r...... D.o.v.y.d.a.s. .S.a.u.d.y.s.....E.-.M.a.i.l...... d.o.v.y.d.a.s.h.a.s.#.g.m.a.i.l...c.o.m.....L.A.N.G.I.D......

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_macedonian.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 9538 Entropy (8bit): 3.967525576428448 Encrypted: false MD5: 83E846BB5A229272DD01418B25FAF0B6 SHA1: 3F84DCC8EE0F6E4095FA46674E4631088E4E3F9A SHA-256: E08A61F1D29DC6881BA000159FCBCA2CBE92D5754031525879AA046F853764EA SHA-512: E7DE565697FA3C2074C1C1452695AEDBCE9356FCBC655EF4987555BFC9D09A94DF6694F338A317A3ABF7846FBDD5D93742AC23BBA504EFDE6F4079B096355AA F Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... <.0.:.5.4.>.=.A.:.8.....L.a.n.g.u.a.g.e.E.n.g...... M.a.c.e.d.o.n.i.a.n.....T.r.a.n.s.l.a.t.o.r...... m.i.t.e.7.1.....E.-.M.a.i.l...... [email protected]...... 1.0.7.1.....C.o.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_malay.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 9558 Entropy (8bit): 3.412731326163489 Encrypted: false MD5: FEBFBED2AE83A7165599D4FA99C5603F SHA1: 6928B24865B8D581175C94EB011654DC47439318 SHA-256: 05E2760E8A093A4E71680DAA14B15DE8FD0E2AB25A0E8474D80DA47C56ED0B7B SHA-512: 5103B02E9236E57EA879FDCD13E39F9DF7B0E272B4DDD41EFFAFF9EEF57D013A916663B71D4EFDD4E8D27EF337391793D16805AF44808BB5D031E8A0313D8E1 C Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... M.a.l.a.y.....L.a.n.g.u.a.g.e.E.n.g...... B.a.h.a.s.a. .M.e.l.a.y.u.....T.r.a.n.s.l.a.t.o.r...... s.h.a.h.r.i.l.9.6.....E.-.M.a.i.l...... s.h.a.h.r.i.l._.p.r.o.g.r.a.m.m.e.r.@.y.a.h.o.o...c.o.m.....L.A.N.G.I.D......

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_norsk.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 8462 Entropy (8bit): 3.440607996879059 Encrypted: false MD5: E87826E3ED5C16DA3284D7930D419251 SHA1: 4843FF853581E67F80736E71CB46DC05D7002596 SHA-256: 1AE9195876886AC68D1D6EA2C5D7D3C4D8E28ACCF97327B7C684542D176D4213 SHA-512: C70DDED68E9E1CDFE7876449709BBE23D88CA7BFBBCFC82EC5895B590673E6A3139747F48BAA7EA23D7C01E967915EFE30BB3ABEA9F973CE9D6F8EF0BD4F7EF3 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... N.o.r.s.k. .(.B.o.k.m...l.).....L.a.n.g.u.a.g.e.E.n.g...... N.o.r.w.e.g.i.a.n.....T.r.a.n.s.l.a.t.o.r...... O.l.e. .A.n.d.e.r.s. .D.a.n.i.e.l.s.e.n.....E.- .M.a.i.l...... m.e.#.s.w.o.y...o.r.g.....L.A.N.G.I.D......

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_norwegian.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 9910 Entropy (8bit): 3.4202983875890784 Encrypted: false MD5: 970FA1701F771BA7DC04BDB6988FA9C9 SHA1: 45D21A31753D1289A68A720359A3AB9BC4021924 SHA-256: ACF442F2D45A93690A9D31E4C574A206C69AF9653C9911BB13C3C99E45F42A5F SHA-512: 56FFD95195D01430907992BDD1C3BC9269EA6FA9A2D60FDBE86B5EF5E6A5EAEB9B02D1A0AA5DC55BFFAAA6DC5CCB8098221DB658B3E5028E5909D2ACFC0F4 FAC Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... N.o.r.s.k.....L.a.n.g.u.a.g.e.E.n.g...... N.o.r.w.e.g.i.a.n.....T.r.a.n.s.l.a.t.o.r...... S.v.e.i.n.A.r.e.K.a.r.l.s.e.n.....E.-.M.a.i.l...... s.v.e.i.n...a.r.e...k.a.r.l.s.e.n.@.s.t.f.k...n.o.....L.A.N.G.I.D......

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_polish.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 10586 Entropy (8bit): 3.55778059463891 Encrypted: false MD5: 58324F09BDBB950DF0F773A121F6037F SHA1: 2B84006ABEC8B4728CD41C19E205FB4EC76D078D SHA-256: 8BDBD44053B3267B5377694088B54233DD75BDFA8786957BF8290192989B5762 SHA-512: F2EC89CA70F1441CBDB4E29D4072A08DBDFCBA2B3A2780FB371D8995A9125A22CDE81168241FEBE6E1C2969A8C70899A1BF638187583B5B096DA059876A03FF 1 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... p.o.l.s.k.i.....L.a.n.g.u.a.g.e.E.n.g...... P.o.l.i.s.h.....T.r.a.n.s.l.a.t.o.r...... m.a.l.e.n.s. ./. .H.x. ./. .a.h.o.y.u.....E.-.M.a.i.l...... m.a.l.e.n.s.w.#.g.m.a.i.l...c.o.m. ./. .k.i.t.y.n.s.k.a.#.g.m.a.i.l...c.o.m.....L.A.N.G.I.D......

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_portuguese.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 10868 Entropy (8bit): 3.3971659150797997 Encrypted: false MD5: 5BCFC4450928C8AFB5EAB66B8062C6EF SHA1: 291CF726F84AC51BA9AB61CD37B8F21C1A74A13D SHA-256: 94C42059850B6F84727BEB3842CDD9AAE9CE75478F68BF9EA2F5BC94992FD67E SHA-512: A521AD420A25419FFFA3CEFA599B3CF77A4E321174446372576BAD27CDA2A5AA7E8DD6CE667A48FB7B2D11D6CC2921FD4139EEC6DC0299A632D980558ADFE5 94 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... P.o.r.t.u.g.u...s.....L.a.n.g.u.a.g.e.E.n.g...... P.o.r.t.u.g.u.e.s.e.....T.r.a.n.s.l.a.t.o.r...... I.s.m.a.e.l. .V.i.l.a.s. .B.o.a.s. .&. .P.a.u.l.o. .R.e.s.e. n.d.e.....E.-.M.a.i.l...... i.s.m.a.e.l...v.b.#.g.m.a.i.l...c.o.m. .&. .P.a.u.l.o.R.e.s.e.n.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_portuguese_brazil.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 9460 Entropy (8bit): 3.4050529558714038 Encrypted: false MD5: BA61BF688521D5A7721FF9F6628C444D SHA1: 1BCD34D6CEBEEA09D15EA5AE70D512345911D495 SHA-256: 5A79A0A8419B7BE7E2990D708C592976599CCFAA1950216874D92FCCEB2AB75B SHA-512: 3363A96BA0474C5A17F3EB6B836460C3AA9FE6B2E134FC489843495EA89B18E9B0B610457D9E72AF86737310385DB3A8C0134B3FADBCA52EEB07715403FD233C Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... P.o.r.t.u.g.u...s. .(.B.r.).....L.a.n.g.u.a.g.e.E.n.g...... P.o.r.t.u.g.u.e.s.e. .(.B.r.).....T.r.a.n.s.l.a.t.o.r...... a.d.i.l.s.o.n.r.o.c.k.....E.-.M.a.i.l...... [email protected]......

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_romanian.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 9580 Entropy (8bit): 3.460609159953664 Encrypted: false MD5: 5159A7044993359D360B6506219978DD SHA1: 1BB44E62D8BB180FAE2FD92034649150A06BC709 SHA-256: BA65D6C19799E7C6F5B5ACC91F142E48F2466915764606AE431B9ECFD010F578 SHA-512: 561BECFE19905A592643CFCAEB7A791EE39DD224695540C2B42D8CE2F8EA044413C1EDF76858C9CCA180EC1CCCF998D325F8D26A89091DC306CCBC51CCB76C C2 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... R.o.m...n...... L.a.n.g.u.a.g.e.E.n.g...... R.o.m.a.n.i.a.n.....T.r.a.n.s.l.a.t.o.r...... A.l.e.x.a.n.d.r.u. .B.o.g.d.a.n. .M.u.n.t.e.a.n.u.....E.-.M. a.i.l...... m.u.n.t.e.a.l.b.#.g.m.a.i.l...c.o.m.....L.A.N.G.I.D......

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_russian.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 9190 Entropy (8bit): 4.008129013763779 Encrypted: false MD5: 05E875A13AB0424D01699D02289C9420 SHA1: 341BCA8EFFBAB74434F19BA87575E469FE08B1BB SHA-256: 4EAA04B538AA2EE1A90B49FF9171F4E1A111EFB51DC70D326883A24DBEA6BC7A SHA-512: 9290767649785CDA962306290F2C907A5E283F052A68484DD97E971E94D86DC8BE4BA87AFC0253B023DC6006B19E306CA87076AD9E3C5F2CB6601B77043C56E0 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... C.A.A.:.8.9.....L.a.n.g.u.a.g.e.E.n.g...... R.u.s.s.i.a.n.....T.r.a.n.s.l.a.t.o.r...... S.y.s.P.r.o.g.s.....E.-.M.a.i.l...... s.u. p.p.o.r.t.#.s.y.s.p.r.o.g.s...o.r.g.....L.A.N.G.I.D...... 1.0.4.9.....C.o.u.n.t.r.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_slovenian.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 9810 Entropy (8bit): 3.4532797533209543 Encrypted: false MD5: 08548B1EAE4C26E930CC45104033E5AA SHA1: 6887C635F050381E050505B9CE3260B6EDF9CB9B SHA-256: F457FDA47ABEE08E4CD76729176CC095E559F944FF83863EFB810224D2F81725 SHA-512: D8550881B1F68A1CDFE64A5659FF27FEB41DE8A9BDD8535A49AF8843B209E033A7BDBC5EC632216595C7A3AD7B719BA2AB47A18834BC92031691061C8889CE2 7 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... S.l.o.v.e.n.s.k.o.....L.a.n.g.u.a.g.e.E.n.g...... S.l.o.v.e.n.i.a.n.....T.r.a.n.s.l.a.t.o.r...... T.i.h.i.....L.A.N.G.I.D...... 1.0. 6.0.....C.o.u.n.t.r.y.C.o.d.e...... S.I...... [.s.t.r.i.n.g.s.].....I.D.S._.A.L.R.E.A.D.Y.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_slovenscina.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 4030 Entropy (8bit): 3.3990201529151727 Encrypted: false MD5: 09D289A231A1F47D2DC3FE0D826EDD27 SHA1: 405FECB4B50EDDFC7ECEDD40130DCF1E95135CF5 SHA-256: 48DBB4A650293D9F987065BF7030C0365DC8EA43509EB6CA43A891A6DB8EC370 SHA-512: 993ECBAC8F6414DA130240B4FA9BFF8FB4E0BF904B372ABDEE2E195E3B9E92C8A2177AFBC79E2106FE8439D396F46B8E06B24CDC61EAC7189BB47B31399694BF Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... S.l.o.v.e.n.s.k.o.....L.a.n.g.u.a.g.e.E.n.g...... S.l.o.v.e.n.i.a.n.....T.r.a.n.s.l.a.t.o.r...... M.a.d.C.o.w.....E.-.M.a.i.l...... [email protected]...... 1.0.6.0.....C.o.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_spanish.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 10612 Entropy (8bit): 3.3855242925829705 Encrypted: false MD5: 4BDA51AE6EC0E55F7CCEFD42A21310D0 SHA1: BC04DB252A40D1C51F24F9A2FAF1D69CC76D848F SHA-256: EAF9FAEE910F613411AFE0580DA58DC9405B142F5693F82E03A873434E109E92 SHA-512: 0E0549B8CE02F7911D767F2876689F7B2EFAA658653A9EB3077DB935FCEE03D2CFFBE09C51AF45A63983E5183301EC52CF483E197978BBF2C6CAABF6A223001A Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... E.s.p.a...o.l.....L.a.n.g.u.a.g.e.E.n.g...... S.p.a.n.i.s.h.....T.r.a.n.s.l.a.t.o.r...... D.a.v.i.d.....E.-.M.a.i.l...... w.i.n.c.d. [email protected]...... 1.0.3.4.....C.o.u.n.t.r.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_sr.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 9258 Entropy (8bit): 3.982557264278979 Encrypted: false MD5: 059000FE86691136AB905886D1AE23B9 SHA1: 61FCE8339E2626069E928F02BFC632E0D422FD04 SHA-256: 2D280FFACB4891BCDA35B631D01E90CB07EAB607447CB9680C308CABE3C1A47E SHA-512: 82A5EEAC2BB4198BAB2D314FA56DA83329C065E8BC3906FE89AE196487280923FD3F7B9B36EA42A3E979933614818BF9A069AA5DABF0D541EC1C58ADD79CF43 6 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... !.@.?.A.:.8.....L.a.n.g.u.a.g.e.E.n.g...... S.e.r.b.i.a.n.....T.r.a.n.s.l.a.t.o.r...... R.a.n.c.h.e.r.....E.-.M.a.i.l...... t.h.e.r. [email protected]...... 3.0.9.8.....C.o.u.n.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_swedish.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 9172 Entropy (8bit): 3.4613017055603628 Encrypted: false MD5: 5A5B952E17EA5027575C09131B97BBDA SHA1: BAC079FA874BE8F8F8FFBC52A4BE4591A7163C4E SHA-256: 11EED30EE47F4A72F71EA865A0851926CBA271F1C9375013D2F12D269C364B83 SHA-512: B0AECA5CB3BC33DB1618C2A0A2609C7805CFC6182E13DF641F1A75052F60EF1B8252EC8680BA674BFAD993D7AED86947A4157A664FE72558B789746A80471CC0 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... S.v.e.n.s.k.a.....L.a.n.g.u.a.g.e.E.n.g...... S.w.e.d.i.s.h.....T.r.a.n.s.l.a.t.o.r...... A.l.e.x.i.s.,. .l.i.m.e.....E.-.M.a.i.l...... s.u.p.p.o.r.t.#.s.y.s.p.r.o.g.s...o.r.g.....L.A.N.G.I.D...... 1.0.5.3.....C.o.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_ta.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 9820 Entropy (8bit): 4.083575282931318 Encrypted: false MD5: 809380356B7FE2FC2D35B948D8EC6DE5 SHA1: BE34F39FABE26E5678025D3B636B68CF50BE42FA SHA-256: 6ECD6B3CAC5076FEA1CB044FC76F91EBD95C2304E97488AA7BD7B4017236E079 SHA-512: 3363579407BFA448577C789D9F90D1643F3A5B507B492D18AC2E78BE5952EE9B2BD147FD5AD16090F52F4897FC1333290963217874F09E09F7CDFBE00DED6E4A Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e.E.n.g...... T.a.m.i.l.....T.r.a.n.s.l.a.t.o.r...... N.a.v.e.e.n. .V.e.n.u.g.o.p.a.l.....E.-.M.a.i.l...... [email protected]...... 1.0.9.7.....C.o.u.n.t.r.y.C.o.d.e...... t.a...... [.s.t.r.i.n.g.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_turkish.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 8864 Entropy (8bit): 3.549899206255195 Encrypted: false MD5: 1D638ADBDAC9FEF7F062ED66F36672A2 SHA1: 881AC42D22480368F307DA1B75A3D73B24CE3241 SHA-256: 0790650E0B7FA237FC34AB6331128336A52314C3D1E9E7B91C2723C7D98C924B SHA-512: 63592B0ECBB06F1156F66B9EA544789178EAF15C87D38303DC77692DBBBA580C17148CB26F957169EEC156F0D2FDEF529D7DD27DB75EFBF5CA2F2E41CD4A4E D4 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... T...r.k...e.....L.a.n.g.u.a.g.e.E.n.g...... T.u.r.k.i.s.h.....T.r.a.n.s.l.a.t.o.r...... m.e.r. .A.k.1.n.....E.-.M.a.i.l...... o.m. [email protected]...... 1.0.5.5.....C.o.u.n.t.r.y.C.o.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_urdu.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 9104 Entropy (8bit): 3.913533373221831 Encrypted: false MD5: B4B5FBC4B54EC5ED4458B53C043892F4 SHA1: 982279D3638B3A3E806488FC37E9C39CEB9C9D67 SHA-256: 1CBBAF64FDF3D98B44F788FB236CA7E3C89C4B7927A87BFD8F88A445334868B2 SHA-512: 3854061EF01ACD77E9ED05C2A334826289F190B0393948D2F761357C4ACA9457550167CCABBCB0283B3F36C1C11D0AA3CCAFA5D2D11151B8CE5793DF9606FE82 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... U.r.d.u.....L.a.n.g.u.a.g.e.E.n.g...... U.r.d.u.....T.r.a.n.s.l.a.t.o.r...... S.a.r.m.a.d. .K.h.a.n.....E.-.M.a.i.l...... [email protected]...... 1.0.5.6.....C.o.u.n.t.r.y.C.o.d.e. . .

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_uzbek.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 9124 Entropy (8bit): 3.450603984346546 Encrypted: false MD5: 0C074DB45972542F28D9C6EFBD008F52 SHA1: 2FEFAF360E0254159ED536856B0A1034673B529A SHA-256: 32D4A67A1ED748ED685844844B46159764CC76FA7BF88B618A838A7D6EF88101 SHA-512: A52C8051E617936ABB9B075B1F622405D4B7D397DDFA2CC550437D3078721A2D13FB05E3B180CAABDBFF47934DA6F56C0931312793E70BEF1165810DB23B8388 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... O.'.z.b.e.k.....L.a.n.g.u.a.g.e.E.n.g...... U.z.b.e.k.....T.r.a.n.s.l.a.t.o.r...... U.m.i.d.j.o.n. .A.l.m.a.s.o.v.....E.-.M.a.i.l...... [email protected]...... 1.0.9.1.....C.o.u.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_zh_CN.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 6406 Entropy (8bit): 4.224639764979269 Encrypted: false MD5: 40789C69C026F2100F86E2B1A7B7A7A8 SHA1: 9D1D8C3530FAD5648EDF9A08C2D6E82D26E5CB45 SHA-256: 11308A9C7FCAC27CA6685C06A3BB0F743411E84306159C1A2CCDE1E5F7379F12 SHA-512: 509CA5820B5A21285E9874455640807ADFF9E049973E6AF2C3FEA406423BCF2B100F9B52150ED6447F699151593FE389740CACDDB066499C6366448B1AC71243 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... {SO-N.e....L.a.n.g.u.a.g.e.E.n.g...... C.h.i.n.e.s.e. .S.i.m.p.l...... T.r.a.n.s.l.a.t.o.r...... S.a.m.....E.-.M.a.i.l...... [email protected]...... 2.0.5.2.....C.o.u.n.t.r.y.C.o.d.e.

C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_zh_TW.lng Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: data Size (bytes): 3380 Entropy (8bit): 3.9195950991919726 Encrypted: false MD5: F4C9F78EA2D59C281D78D89F455D2328 SHA1: 849508BEF20E90D737372A04116C98CE25496BFD SHA-256: CBA9899AF4DB048A7AAC5F3F7064E8E43E7C0EDD0E46C89EBD9AB407CEEB3622 SHA-512: 9009BE7A2EDE390B2C0C7CD714331A5627FC4CF57CA59DDFCBACD32C64B33ABF03D59546453182EB7EB0663E09B425109EA77051D1B7BFB8114D2BC7C849D8 D0 Malicious: false Preview: ;. .G.e.n.e.r.a.t.e.d. .b.y. .o.n.l.i.n.e. .L.N.G. .e.d.i.t.o.r.,. .h.t.t.p.:././.w.i.n.c.d.e.m.u...s.y.s.p.r.o.g.s...o.r.g./.t.r.a.n.s.l.a.t.i.o.n.s./.l.n.g.e.d.i.t...p.h.p.....;. .S.y.n.t.a.x.:. .<.I.D.>. .<. s.p.a.c.e.s. .o.r. .t.a.b.s.>. .<.v.a.l.u.e.>.....;. .<.v.a.l.u.e.>. .s.h.o.u.l.d. .b.e. .i.n. .C./.C.+.+. .f.o.r.m.a.t. .(.\.r.,. .\.n.,. .\.t.,. .\.".,. .e.t.c...).....;. .S.t.r.i.n.g.s. .s.t.a.r.t.i.n.g. .w.i.t.h. .'. ;. .'. .w.i.l.l. .b.e. .i.g.n.o.r.e.d.....;. .W.A.R.N.I.N.G.!. .T.h.i.s. .f.i.l.e. .s.h.o.u.l.d. .a.l.w.a.y.s. .b.e. .U.N.I.C.O.D.E.!...... [.s.e.t.t.i.n.g.s.].....L.a.n.g.u.a.g.e...... ck.-N.e....L.a.n.g.u.a.g.e.E.n.g...... C.h.i.n.e.s.e. .(.t.r.a.d...).....T.r.a.n.s.l.a.t.o.r...... C.h.u.n.g.-.Y.u.,. .H.s.u.....E.-.M.a.i.l...... c.h.u.n.g.y.u...h.s.u.#.g.m.a.i.l...c.o.m.....L.A.N.G.I.D...... 1.

C:\Program Files (x86)\WinCDEmu\mkisofs.exe

Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows Size (bytes): 1395214 Entropy (8bit): 7.17123088847959 Encrypted: false MD5: 298B00E6DC408F5EA4FAD8FF173028D5 SHA1: A09539B1FAFB5DB8922BDD68629DDAA60E1C2437 SHA-256: 19F7C8771CCE642A15984C73C4BEE2B441D6C47236958D8F5A7EB05738B0DA4B SHA-512: 5865F06CB5F0E4ADD5637C4DCDDC6D2B94A592787B6FA0B346783C3788478AFFF68898F69C7AD91C01160B675666677072FD8EAC3E2D5F454773BC7B2C693A42 Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse Joe Sandbox Filename: WinCDEmu-4.1.exe, Detection: malicious, Browse View: Filename: WinCDEmu-4.1.exe, Detection: malicious, Browse Filename: WinCDEmu-4.1.exe, Detection: malicious, Browse Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... PE..L.....tT.J...... @...F...... P....@...... 0...... P...... L...... text....?...... @...... `.P`.data...... P...... D...... @.`..rda ta...... p...... Z...... @.`@/4...... b...... @[email protected]....,....`...... `..idata..P...... 8...... @.0..CRT...... F...... @.0..tls...... H...... @.0......

C:\Program Files (x86)\WinCDEmu\uninstall.exe

Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): 139424 Entropy (8bit): 6.550048781719848 Encrypted: false MD5: 168CF87105D81FD649C2D49F91C53496 SHA1: F9F2090347D3A86FA3A9AA503CB57A513FA9FCB3 SHA-256: 6A8F9819384A46411ACD85297D895D650766271D476EFEB3392134D6784680C5 SHA-512: 21D5A3BE03FCE639585AFB67171B62AEB644B073449D98B8000AF572844ABA8B4AF699C79CA15F4D842740A577F87EFE84B973D640BF6F94AF085FD95F70E59F Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse

Joe Sandbox Filename: WinCDEmu-4.1.exe, Detection: malicious, Browse View: Filename: WinCDEmu-4.1.exe, Detection: malicious, Browse Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... Rich...... PE..L...2..\...... f...... %R...... @...... P...... Q....@...... x...... 0..(...p...p...... @...... text...Xd...... f...... `.rdata.."...... j...... @[email protected]...<...... @....rsrc...... @[email protected]..(....0...... @..B......

C:\Program Files (x86)\WinCDEmu\uninstall64.exe

Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: PE32+ executable (GUI) x86-64, for MS Windows Size (bytes): 169632 Entropy (8bit): 6.238015574670894 Encrypted: false MD5: 2ED433C12CFA75908EB790FC8B23EA9E SHA1: F77025BF81731265507217F70E9F24D1B689CBC2 SHA-256: 9590EBD10C8CF1D58CC7FF543923E22DBDFC901EA5643F0E59670EF911694C90 SHA-512: 9536DE079B77CF0AB3610ABCECFFB4000033CDAB42FBE94DAB92E3981CB355AD78B327C173442F9BB82E2628D444CB01C77BA4B331D35EC736266C162C92153 B Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Joe Sandbox Filename: WinCDEmu-4.1.exe, Detection: malicious, Browse View: Filename: WinCDEmu-4.1.exe, Detection: malicious, Browse Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... ~.=.:yS.:yS.:yS.U.P.?yS.U.V..yS.h.P.2yS.h.V..yS.h.W.)yS.U.W.1y S.U.R.7yS.:yR..yS.S.Z.

C:\Program Files (x86)\WinCDEmu\vmnt.exe

Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): 323416 Entropy (8bit): 6.4019054376246585 Encrypted: false MD5: EEAE83A94A6364A8A640E0F6CACCFD85 SHA1: 501CE395DA2EB37E60C8654077B47EED3C186B7A SHA-256: 6B642BABB6E9AC67CBB35AD29A5437E774DC4E82442A3F23EE3889DF07D54039 SHA-512: A45138721F89A3C7556C174382AF65178D5BE83C11D217BF0B6BABCF0FF830AA881C772880C184524B5C798E5619BD45CCC4638C805417087CCAC49BEBC328B9 Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... =LS.y-=.y-=.y-=.b...b-=.b....-=.b...O-=.pU..{-=.pU..j-=.y-<..-=.b...f-=. b...x-=.b...x-=.Richy-=...... PE..L...... V...... 8...... A...... P....@...... P..X...... X...... `S...... @...@...... P...... text....6...... 8...... `.rdata...... P...... <...... @[email protected]... J...... @....rsrc...X....P...... @..@......

C:\Program Files (x86)\WinCDEmu\vmnt64.exe

Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: PE32+ executable (GUI) x86-64, for MS Windows Size (bytes): 406360 Entropy (8bit): 6.202776062519468 Encrypted: false MD5: BF26C935FFD4C25FFF6731DBF73D2212 SHA1: B5446EC4FD06A17022E2F9A5345CDE131FE4E5E6 SHA-256: 40DBCF0EC787455837EC5D7439874B1CE6F586A570AF8D5132F09CEC531B97C7 SHA-512: B2327CC42649CCB2F7040889C5C7912258D5AE876D32B492765BD9F62D93F2389917AEBE6B65A1E9CD3C62545E3B59D16E2DE60E081136CD6F41D0E46D96AE3D Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... 1...b...b...b..Hb...b..|b...b..Ib...b..ab...b..qb..b...bK..b..Mb..b..x b...b...b...bRich...b...... PE..d...+..V...... #...... H...... t...... @...... p...... UT...... X....`...4...... X...... text...... `.rdata..Z...... @[email protected]...... ,...... @....pdata...4...`...6...... @[email protected]...... J...... @..@......

C:\Program Files (x86)\WinCDEmu\x64\BazisVirtualCDBus.sys

Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: PE32+ executable (native) x86-64, for MS Windows Size (bytes): 172376
Entropy (8bit): 6.254276310537291 Encrypted: false MD5: 09391BA416AA29682298A612FDFDD7B8 SHA1: A936409D136B10CFEADD85ED40607A359077DA13 SHA-256: D889679C25DA37212E2E0E08E4B2CF774FFF395E83BCD168B240A59E74204070 SHA-512: 079B04575F746400FA0F8E50587DBB03D4E25AF79DC771DA5534E9FA81C46A02248A491D3C9216DC9A56914B3712DA3A88C27AF70588C41041218521259B6867 Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... ,...BT..BT..BT...T..BT...T..BT...T..BT..CT..BT.w9T..BT.w?T..B T.w.T..BT.w.T..BT.w.T..BT.w.T..BTRich..BT...... PE..d....Y.V...... "...... @...... (...... p....p..P "...... X...... text...... h.rdata...G...... H...... @..H.data...... `...... B...... @....pdata..P"...p...$... D...... @..H.CRT...... h...... @..H.STL...... j...... @...INIT...... l...... rsrc...p...... x...... @..B.reloc...... |...... @..B......

C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisabler.exe

Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: PE32+ executable (GUI) x86-64, for MS Windows Size (bytes): 101376 Entropy (8bit): 5.7543382835266135 Encrypted: false MD5: 6F587118EB5B019F61B864FAAFD6EBCD SHA1: 6B16E90262161F4A8BF7F7FF66547792281B660E SHA-256: 2606D333535BF625104D881ECA62043C431BA3851DAD29EDC5D090ED7CE1509C SHA-512: 62934E76393DC0DA1F7722677B96D23461E2184F21863F9177048C104A19B88C0A0181D3BDAE84EF48B9BEF008216E871D07F5403261A238820E227F63AD6731 Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... [email protected][email protected].~.I.....~.RS..a.~.RS....~. RS..H.~.RS..H.~.RichI.~...... PE..d...... V...... "...... 4~...... @...... ).....@...... K..x...... `...... text...n...... `.rdata...g...... h...... @[email protected]/...`...... B...... @....pdata...... \...... @. [email protected]...... l...... @[email protected]...... @..B......

C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisablerPS.dll

Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows Size (bytes): 41472 Entropy (8bit): 5.5033390944334615 Encrypted: false MD5: 7D20F582E32CC6D34E633928C5564F65 SHA1: 1349883AEC255B9D54058002644C8D2ADF014A91 SHA-256: B8C08185576D7CD5749C94D792B35F5EDE59885BE89F26F980526B7AB47CB534 SHA-512: 58FA903ADD1788DC0BC27B19D5C0F145CD9F043932C39882408D5CBA1F196A590824A5C9D95B23E4B3D61246C1F936DDE7FE67EC187842199B6900953532B92C Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... y..y..y.....y.....y.....y..x...y.....y.....y.....y.Rich.y...... PE. .d...... V...... " .....T...J...... @...... @...... 0...<...... @...... x...... text....P...... R...... `.orpc...... p...... V...... `.rdata...-...... X...... @[email protected]....!...... @....pdata..@...... @[email protected]...... @[email protected]..>...... @..B......

C:\Program Files (x86)\WinCDEmu\x64\WinCDEmuContextMenu.bak Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows Size (bytes): 254976 Entropy (8bit): 5.936073046787278 Encrypted: false MD5: 03A9955EC55C5C6E00A3281602B30132 SHA1: BFD7FF40CE3ED319F6AA5C6777A3A8A2E2AA825B SHA-256: 24B62E505F0A612FED69A425A9FD0F3459E76941ADD8FB6CCC3F43C64F12A7BE SHA-512: D6F813C4D654B9F0CFBE04EA459EAFCA12EDF042BF78AD15FFDB2A9DA1159E53D5F573E70687F2621826C6C7295F89E981D1D3274FA6F668B6613D4FACD0C428 Malicious: false Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... s].=7<.n7<.n7<.n,./n=<.n,..n0<.n>D2n4<.n>D"n"<.n7<.n.<.n,..n.< .n,..n^<.n,.*n6<.n,.+n6<.n,.,n6<.nRich7<.n...... PE..d.....nU...... " ...... (...... @...... k....@...... @...... X...... 0..$...... text...... `.orpc...... `.rdata...... @[email protected]...... *...... @....pdata...... @[email protected]...... @[email protected]...... 0...... @..B......

C:\Program Files (x86)\WinCDEmu\x64\WinCDEmuContextMenu.dll Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows Size (bytes): 255488 Entropy (8bit): 5.931776882247897 Encrypted: false MD5: E3526F364347D94C329A8CA6D8DF17DA SHA1: DC7821D81E7E5706F853EAD288007920B714587E SHA-256: 0CA454FA57A90A4D899E0797D0AFF5364260F3649B963D21582FA7010E419C2A SHA-512: A5E9C0F83A69FF092EF2603B417F7242EA7681A9BD2B0D77C2C5A89702DB47994FF873E1547E07725C62E2B08BC1EB998AFF3A93E543A87A0ABCB95704C007E1 Malicious: false Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... s].=7<.n7<.n7<.n,./n=<.n,..n0<.n>D2n4<.n>D"n"<.n7<.n.<.n,..n.< .n,..n^<.n,.*n6<.n,.+n6<.n,.,n6<.nRich7<.n...... PE..d...5..V...... " ...... (...... @...... @...... 0...... text...... `.orpc...... `.rdata...... @[email protected]...... *...... @....pdata...... @[email protected]...... @[email protected]...... 0...... @..B......

C:\Program Files (x86)\WinCDEmu\x86\BazisVirtualCDBus.sys Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: PE32 executable (native) Intel 80386, for MS Windows Size (bytes): 121688 Entropy (8bit): 6.494963006443387 Encrypted: false MD5: 7B15FCEDC5B947422208911633AB65CA SHA1: 652D6C9753D9BE476AED059BAC82A058CD755221 SHA-256: 90C6FB0EF81DCA6AF763BA7581BDE9096220737FEECF3C6FA66A9B82E167A1A5 SHA-512: EEA3571111B9748E464BE85918167E4EF8FC75B9D692A4478E37F4605CE3F6E183A44C8BD2796C3A72CDE92375C2F6B55B835F1F6D9DB2D95A8FB43DA5289FCF Malicious: false Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... 4F.CU(.CU(.CU(.J-..@U(.J-..BU(.J-..BU(.CU).9U(..Zu.DU(..Zw.BU (.X..OU(.X..zU(.X..BU(.X..BU(.RichCU(...... PE..L....Y.V...... :...... P...... @...... <...... p...... X...... text...ru...... v...... h.rdata...... z...... @..H.data...... @....CRT...... @..H.STL...... @...INIT....:...... rsrc...p...... @..B.reloc...... @..B......

C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisabler.exe Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): 87040 Entropy (8bit): 6.061908979011888 Encrypted: false MD5: 98E22C7CD9BAECA08875EAFD182C13FC SHA1: 253FC7F9165D173250BC5FBA805DE2648105E948 SHA-256: 06969D6F39A5C181580C7A418D1795CB1A1D890EBA07E8125F18A58FA8476423 SHA-512: 3C2E807CE20961AF454592A04F50463483A1545BD36706D358C1204277C70B15BFDFF58ECD629C67224C4C51830E39D8CA100BB609F2EA9FA039CDB6E793CF86 Malicious: false Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... J....k.O.k.O.k.O..8O.k.O...O.k.O..%O.k.O..5O.k.O.k.O.k.O...O)k .O...OBk.O..

C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisablerPS.dll Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Size (bytes): 35840 Entropy (8bit): 5.828250402923908 Encrypted: false MD5: E3BD21095F8D0017E2073D53E68F7509 SHA1: 215DAE9426E57BBE3F68EC5C194EEBA3FE26DC63 SHA-256: F7DD93BF06C41897D8EA789F7B9B358547576F30F1D93ABCFCC421BA50C89C69 SHA-512: 24F8E5FB284BC911261F9D2549959FBA5D4E8CCF7A8289D2A9FF2F2B3DE20F58F5B7CCE55E3CBA36246EBE0298BB27D1DBEAECEF252A54862F074155E064672 1 Malicious: false Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... `.d.$...$...$...?8..-...?8..,...-..!...$...u...?8...... ?8..%...?8..%...Rich$...... PE..L...... V...... !.....J...>...... p...... 5.....@...... <...... @...... p..4...... text...bF...... H...... `.orpc...... `...... L...... `.rdata..E%...p...&...N...... @[email protected]...... t...... @....rsrc...... @[email protected]..,...... @..B......

C:\Program Files (x86)\WinCDEmu\x86\WinCDEmuContextMenu.dll Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Size (bytes): 222720 Entropy (8bit): 6.149734529924124 Encrypted: false MD5: C36FEE011C683583EC2D7F81DC53C348 SHA1: 3998739C21F267760E6744EBD3AF15C2A8E65754 SHA-256: 51659ADDDEC203EE06BB21BA263E1BFB7EEE990648CDE127628E2C963F53A8C9 SHA-512: 3F68387BEB72C540C549C553E80F4DCEA72B33058DB2C00E6E7DD0A15F25D4C645D349371DE26F5C69FF8C4CDF610A150B29B7FD1848467311A61F27AB48AD06 Malicious: false Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... q...5...5...5....ij.&....i[.2...<.w.6...<.g. ...5...... i_...... i^.E....io.4....i n.4....ii.4...Rich5...... PE..L...!..V...... !...... }...... @...... p=...... T/...... @...... l...... text...... `.orpc...... `.rdata..5n...... p...... @[email protected]....>...@...... @....rsrc...... 6...... @[email protected]...)...... *...<...... @..B......

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinCDEmu\WinCDEmu Settings.lnk Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Archive, ctime=Sat Feb 11 23:28:36 2017, mtime=Sat Feb 11 23:28:36 2017, atime=Mon Sep 28 17:08:44 2015, length=406360, window=hide Size (bytes): 1070 Entropy (8bit): 4.640915366423337 Encrypted: false MD5: B76708CBF9706A6DF3BF9A0C19BACFED SHA1: 9438415C612F9B25E3EEA4E98334A1C03AC0D49B SHA-256: 968A57D85E370A69D04BBCF0816D609EC1B0F57403F925E53A385990943DA11C SHA-512: 19603B53FB67398FD9DA8BA94A0588A6338ACCD53E8B64C0EF7393D46AFD03364DFA53D51ABF43B673B6B792AE1BF65B0E7739443EFEC6FC0E9BA5B6E1581D DB Malicious: false Preview: L...... F...... c63....c63....^...... X3...... P.O. .:i.....+00.../C:\...... 1.....vMF...PROGRA~2...... L..N'2...... V...... *a.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x. 8.6.)[email protected].,.-.2.1.8.1.7.....Z.1...... N02..WinCDEmu..B...... N02.N02.....G...... W.i.n.C.D.E.m.u.....`.2.X3..

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vmnt64.exe_e26732cc1432a1458898c71c6a5a38632cbb_7ece7677_1307ee36\Report .wer Process: C:\Windows\System32\WerFault.exe File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators Size (bytes): 10794 Entropy (8bit): 3.7697773939775097 Encrypted: false MD5: 7BE3CA61A60D717060CD2321BF5E417E SHA1: 9DFBD13ADB91148CBACCD546856A4D09B563A113 SHA-256: 8C402CD5F06E7C5E90AEBB44C769F471DC959FD6465DC25B62303611A5FBE965 SHA-512: 94E1097E6A5BAB90FACE379D00789939791FD087843937073C61A0BB9EB7CC2F85DFE823F206F83B85BC0344D359099DB745DB232D512C0544A45E4D07783DD3 Malicious: false Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.0.2.0.2.9.0.7.2.6.3.4.5.1.3.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.S.t. a.t.u.s.=.2.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.6.4.1.3.2.c.4.-.0.f.c.f.-.4.b.e.a.-.b.f.3.2.-.c.3.3.d.0.4.2.d.2.d.f.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.6.3.3.7.7.4.-.b. 1.b.e.-.4.8.8.a.-.a.7.e.c.-.7.5.1.4.c.b.5.c.e.5.5.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.v.m.n.t.6.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.v.m.n.t...e.x.e.....A. p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.e.4.-.0.0.0.1.-.0.0.1.7.-.e.1.3.2.-.a.1.4.2.c.1.0.7.d.5.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.1.b.e.4.a.2.2.1.0.5.3.7.8.5.e.b.9.8.4. d.5.a.6.b.d.8.2.9.2.e.7.0.0.0.0.0.0.0.0.!.0.0.0.0.b.5.4.4.6.e.c.4.f.d.0.6.a.1.7.0.2.2.e.2.f.9.a.5.3.4.5.c.d.e.1.3.1.f.e.4.e.5.e.6.!.v.m.n.t.6.4...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r. =.2.0.1.5././.0.9././.2.8.:.1.8.:.0.8.:.4.3.!.6.5.4.5.5.!.v.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE8D7.tmp.dmp Process: C:\Windows\System32\WerFault.exe File Type: Mini DuMP crash report, 14 streams, Sat May 11 06:17:52 2019, 0x1205a4 type Size (bytes): 79456 Entropy (8bit): 1.4515636593853938 Encrypted: false MD5: 7B4EF8E882C358E24EE096FEA47A177A SHA1: 4B20129B2507A4920F0F9BE61E66BC4DAF73E969 SHA-256: 7396434C9E915B83372D30984408FAB087DA7186E97853C28A63DFCFC18F0B83 SHA-512: 6E86F06C2652BD75357E2ADED500F69D37E60DA0B5267E6EC76A7FE726C7920C5D93D2C55F14158B2CAB086EA6A3A00B0C7A367D997F38B5395A8193A4B22532 Malicious: false Preview: MDMP...... i.\...... ?...... B...... Lw...... _...T...... i.\...... 0...... P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...... P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...... 1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4...... d.b.g.c.o.r.e...a.m.d.6.4.,.1.0...0...1.7.1.3.4...1......

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB1A.tmp.WERInternalMetadata.xml Process: C:\Windows\System32\WerFault.exe File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators Size (bytes): 8726 Entropy (8bit): 3.6954924735854084 Encrypted: false MD5: E74AAD84EF1797DF675C7DBF025E7E72 SHA1: 4BEC39E1CE3B3232920AD22D031F1A7E7BD0AE9E SHA-256: 23D15BF45BCE08CBC9365CAD2C71D40908EB80044052BE8746D21998CCFDBE01 SHA-512: A3858668423ED6A19A3087383D815D68D6BF839BAF955DF4C1F54C6A7140E971763955F5F8286E7AAC3498C5C4A935DECC1C61D215AF1B2DE9B25715C9650CB5 Malicious: false Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>...... <.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>...... <.W.i.n.d. o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>...... <.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>...... <.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o. <./.P.r.o.d.u.c.t.>...... <.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>...... <.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1.6.5...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-. 1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>...... <.R.e.v.i.s.i.o.n.>.1.6.5.<./.R.e.v.i.s.i.o.n.>...... <.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>...... <.A.r.c.h.i.t.e.c.t. u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>...... <.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>...... <./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>...... <.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>...... <.P.i.d. >.3.3.0.0.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREDAB.tmp.xml Process: C:\Windows\System32\WerFault.exe File Type: XML 1.0 document, ASCII text, with CRLF line terminators Size (bytes): 4604 Entropy (8bit): 4.41799077983289 Encrypted: false MD5: CF6253933153BA5D351A0B104D306B85 SHA1: A42F68B81FE6C9EB943D57F7859F129771417A13 SHA-256: 9F09E3E5EE724ADFE14C4C38FA6FAC20E0373AD38D066B031EED002D404B4DE9 SHA-512: E4445222A91488F4ADFAE3EF86CDA2AB11D45BF0B883BDF717642E940792C6902B4ED5DDF3126C687852B57F4D2C33DCA1FF5CF178F487A56F85C572147F8073 Malicious: false Preview: .... .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..

C:\Users\user\AppData\Local\Temp\ssi9393.tmp\drvinst32.exe Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): 5120 Entropy (8bit): 4.318122440672197 Encrypted: false MD5: 89A62F871FBE2E1B00E1ED2A59F6C873 SHA1: 4495F04F2D1B2084751833E2A898D29B9037382B SHA-256: 40748EC7FAC9C77B1E722403425CA9E99B88B445FD6677D8072F7C49DD9A73CF SHA-512: 8534881DE8556281974E5532186B668601ABD9886279E1BC0B2178A6DF1B9A2B7EBA1258C11FE633810E659A33768C25733115A98689160717FA5E38E420512F Malicious: false Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... S<.2R..2R..2R...)..2R..2S..2R..J..2R..J..2R.Rich.2R...... PE. .L...... K...... @...... `...... @...... 8!..d....@...... P..X...p ...... h...... text ...v...... `.rdata..d...... @[email protected]...... 0...... @....rsrc...... @...... @[email protected]...... P...... @..B......

C:\Users\user\AppData\Local\Temp\ssi9393.tmp\drvinst64.exe Process: C:\Users\user\Desktop\WinCDEmu-4.1.exe File Type: PE32+ executable (GUI) x86-64, for MS Windows Size (bytes): 6144 Entropy (8bit): 4.306068101655417 Encrypted: false MD5: 731A3CE577B0A406723B4405FB4CD2F1 SHA1: C7F8E61D894F7934DF428BBC7C19EDE847169997 SHA-256: 7A0A25AB8A255739EC21FE2ACF6FA0809AC313460E09D10688ED84FCF296DA72 SHA-512: 894AF9917CEFCE119C63BD67EB46DF391AD753DE7D4A40F6D0E34D2FEDB0D915B8B0BF48F43A7E696DE8E7ED5303E0D928E143006FDB869964B5838BF95C701 9 Malicious: false Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... S<.2R..2R..2R...)..2R..2S..2R..J..2R..J..2R.Rich.2R...... PE. .d...... K...... "...... P...... @...... `...... X.....@...... "..d....P...... @...... text...8...... `.rdata...... @[email protected]...... 0...... @....pdata...... @...... @[email protected]...... P...... @..@......

C:\Users\user\AppData\Local\Temp\{df3353aa-c23b-5443-8fea-aa7ade97b78e}\SETAFB7.tmp Process: C:\Users\user\AppData\Local\Temp\ssi9393.tmp\drvinst64.exe File Type: data Size (bytes): 8624 Entropy (8bit): 7.218510203540477 Encrypted: false MD5: 1A7AE9457824C66CF047A95F1A5C4629 SHA1: 4D9C13618E5D1A998DF6B299D7BA8FDB45012EB2 SHA-256: 63A80143E6394BEA74A798481F19056D12F67AB4910758BA2FE4F499D1A8698A SHA-512: C5F802236507BA252B0CA632C07E6A08DC2C9820ADC4706CFE04A781EEF4D010FA8E6D8EC9DF7105D64DB2274C2342FA97161E4B774B2E0F0B906D956FF814F6 Malicious: false Preview: 0.!...*.H...... !.0.!....1.0...+...... 0.....+.....7...... 0...0...+.....7...... ;[email protected]...+.....7.....0..w0....R5.B.4.A.A.C.1.F.D.3.E.2.F.6.8.5.7.3.2.A.1.0.8.7.9.4.4.1 .E.8.1.2.B.8.C.7.3.9.D.9...1..y0N..+.....7...1@0>...F.i.l.e...... ,b.a.z.i.s.v.i.r.t.u.a.l.c.d.b.u.s...s.y.s...0X..+.....7...1J0H...O.S.A.t.t.r...... 22.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.. .0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&...... <.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+...... [J ...... s*...A....9.0....RD.1.A.2.0.D.9.8.6.7.9.3.D.5.B.F.4.3.5.1.B.3.0.C.6.B.4.8.1.5.E.7.7.2.B.6.9.4.1.2...1..y0N..+.....7...1@0>...F.i.l.e...... ,b.a.z.i.s.v.i.r.t.u.a.l.c.d.b.u.s...s.y.s... 0X..+.....7...1J0H...O.S.A.t.t.r...... 22.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}.... 0i..+.....7...1[0Y04..+.....7...0&.....

C:\Users\user\AppData\Local\Temp\{df3353aa-c23b-5443-8fea-aa7ade97b78e}\SETAFB8.tmp Process: C:\Users\user\AppData\Local\Temp\ssi9393.tmp\drvinst64.exe File Type: Windows setup INFormation, ASCII text Size (bytes): 1458 Entropy (8bit): 5.361028042086157 Encrypted: false MD5: 9A41ACAF308273117F12253119753CD2 SHA1: DE3DA728432C61BE2C8684670997BAA8EEB36934 SHA-256: BB36739BDBBBCA8D445BC0F79A6BB286F374A12B7EA06D5F6904068756B4C801 SHA-512: 51EDC19B7BBAF365EF8528603120EFC56CCA5C768A1054B79C93876BB042DFFC2999F2EC0C0DC1547A4E0B90E7B8B8281F27FCFA80F276FB991E7CF5EC01D8A 6 Malicious: false Preview: [Version].Signature="$WINDOWS NT$".Class=SCSIAdapter.ClassGuid={4d36e97b-e325-11ce-bfc1-08002be10318}.Provider=%BAZIS%.DriverVer=06/02/2015, 4.01.0001.CatalogFile=BazisVirtualCDBus.cat..[DestinationDirs].DefaultDestDir = 12..[SourceDisksNames.x86].1 = %DiskId1%,,,..[SourceDisksNames.amd64].1 = %Disk Id1%,,,..[SourceDisksFiles.x86].BazisVirtualCDBus.sys = 1,\x86..[SourceDisksFiles.amd64].BazisVirtualCDBus.sys = 1,\x64..[Manufacturer].%BAZIS%=Standard, NTam d64..[Standard].%BazisVirtualCDBus.DeviceDesc%=BazisVirtualCDBus_Device, root\BazisVirtualCDBus..[Standard.NTamd64].%BazisVirtualCDBus.DeviceDesc%=Baz isVirtualCDBus_Device, root\BazisVirtualCDBus..[BazisVirtualCDBus_Device.NT].CopyFiles=Drivers_Dir..[Drivers_Dir].BazisVirtualCDBus.sys,,,2..;------Service insta llation.[BazisVirtualCDBus_Device.NT.Services].AddService = BazisVirtualCDBus,%SPSVCINST_ASSOCSERVICE%, dev_Service_Inst..; ------busenum driver install sections.[dev_Service_Inst].DisplayName = %dev.SVCDESC%

C:\Users\user\AppData\Local\Temp\{df3353aa-c23b-5443-8fea-aa7ade97b78e}\x64\SETAF0A.tmp Process: C:\Users\user\AppData\Local\Temp\ssi9393.tmp\drvinst64.exe File Type: PE32+ executable (native) x86-64, for MS Windows Size (bytes): 172376 Entropy (8bit): 6.254276310537291 Encrypted: false MD5: 09391BA416AA29682298A612FDFDD7B8 SHA1: A936409D136B10CFEADD85ED40607A359077DA13 SHA-256: D889679C25DA37212E2E0E08E4B2CF774FFF395E83BCD168B240A59E74204070 SHA-512: 079B04575F746400FA0F8E50587DBB03D4E25AF79DC771DA5534E9FA81C46A02248A491D3C9216DC9A56914B3712DA3A88C27AF70588C41041218521259B6867 Malicious: false Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... ,...BT..BT..BT...T..BT...T..BT...T..BT..CT..BT.w9T..BT.w?T..B T.w.T..BT.w.T..BT.w.T..BT.w.T..BTRich..BT...... PE..d....Y.V...... "...... @...... (...... p....p..P "...... X...... text...... h.rdata...G...... H...... @..H.data...... `...... B...... @....pdata..P"...p...$... D...... @..H.CRT...... h...... @..H.STL...... j...... @...INIT...... l...... rsrc...p...... x...... @..B.reloc...... |...... @..B......

C:\Windows\INF\oem3.PNF Process: C:\Windows\System32\drvinst.exe File Type: data Size (bytes): 7156 Entropy (8bit): 3.3810531177110086 Encrypted: false MD5: D146E5EFBE5356FF56C5A3141B7D9A87 SHA1: 46D680952960849B1F17105DA6DBD09C3409C551 SHA-256: F01604B371C44977A19FDC09FBC2EAD34E67355A41ED41F30E3A946E21D83E3B SHA-512: 775A551C498CF8C9D49AE77A2DA51E9E3CF9F23A453FBB1667D7B04BCCE3661E8553C5605E5AA733EED9E346E05FC2E5C0C2DACECCAE10442F90B5BF52BFF C0B Malicious: false Preview: ...... N...... U.<@...... h...... P...... `...h...... C.:.\.W.i.n.d.o.w.s.....X...... 4...... t...... p...... 8...... ,...... D...... 4...`...... \......

C:\Windows\INF\oem3.inf Process: C:\Windows\System32\drvinst.exe File Type: Windows setup INFormation, ASCII text Size (bytes): 1458 Entropy (8bit): 5.361028042086157 Encrypted: false MD5: 9A41ACAF308273117F12253119753CD2 SHA1: DE3DA728432C61BE2C8684670997BAA8EEB36934 SHA-256: BB36739BDBBBCA8D445BC0F79A6BB286F374A12B7EA06D5F6904068756B4C801 SHA-512: 51EDC19B7BBAF365EF8528603120EFC56CCA5C768A1054B79C93876BB042DFFC2999F2EC0C0DC1547A4E0B90E7B8B8281F27FCFA80F276FB991E7CF5EC01D8A6 Malicious: false Preview: [Version].Signature="$WINDOWS NT$".Class=SCSIAdapter.ClassGuid={4d36e97b-e325-11ce-bfc1-08002be10318}.Provider=%BAZIS%.DriverVer=06/02/2015, 4.01.0001.CatalogFile=BazisVirtualCDBus.cat..[DestinationDirs].DefaultDestDir = 12..[SourceDisksNames.x86].1 = %DiskId1%,,,..[SourceDisksNames.amd64].1 = %Disk Id1%,,,..[SourceDisksFiles.x86].BazisVirtualCDBus.sys = 1,\x86..[SourceDisksFiles.amd64].BazisVirtualCDBus.sys = 1,\x64..[Manufacturer].%BAZIS%=Standard, NTam d64..[Standard].%BazisVirtualCDBus.DeviceDesc%=BazisVirtualCDBus_Device, root\BazisVirtualCDBus..[Standard.NTamd64].%BazisVirtualCDBus.DeviceDesc%=Baz isVirtualCDBus_Device, root\BazisVirtualCDBus..[BazisVirtualCDBus_Device.NT].CopyFiles=Drivers_Dir..[Drivers_Dir].BazisVirtualCDBus.sys,,,2..;------Service insta llation.[BazisVirtualCDBus_Device.NT.Services].AddService = BazisVirtualCDBus,%SPSVCINST_ASSOCSERVICE%, dev_Service_Inst..; ------busenum driver install sections.[dev_Service_Inst].DisplayName = %dev.SVCDESC%

C:\Windows\System32\DriverStore\FileRepository\bazisvirtualcdbus.inf_amd64_18ec2ff4b04883c1\bazisvirtualcdbus.PNF Process: C:\Windows\System32\drvinst.exe File Type: data Size (bytes): 7156 Entropy (8bit): 3.3808593192275107 Encrypted: false MD5: C0E6375139BA177D89C36C8812A3D66A SHA1: A5B61B38FB2655FE3C0386D9E803E001F2879DDD SHA-256: 36B34A3C8E7BACB6CC904961CF011BC43A4D9FD806E2284BECCAD7A5840AAFC9 SHA-512: 28398C9130F4142591D3096BF3A790EA337A172A10F2253B6B9E541BBDCC488C666FCF436BB6DA97FE0FB0EB113117F09EA003D32BEF0DE1E9FE910C8BCE26E A Malicious: false Preview: ...... N...... G...... h...... P...... `...h...... C.:.\.W.i.n.d.o.w.s.....X...... 4...... t...... p...... 8...... ,...... D...... 4...`...... \......

C:\Windows\System32\DriverStore\Temp\{15724f1a-6ddf-4d47-b721-e090da908724}\SETB19B.tmp Process: C:\Windows\System32\drvinst.exe File Type: data Size (bytes): 8624 Entropy (8bit): 7.218510203540477 Encrypted: false MD5: 1A7AE9457824C66CF047A95F1A5C4629 SHA1: 4D9C13618E5D1A998DF6B299D7BA8FDB45012EB2 SHA-256: 63A80143E6394BEA74A798481F19056D12F67AB4910758BA2FE4F499D1A8698A SHA-512: C5F802236507BA252B0CA632C07E6A08DC2C9820ADC4706CFE04A781EEF4D010FA8E6D8EC9DF7105D64DB2274C2342FA97161E4B774B2E0F0B906D956FF814F6 Malicious: false Preview: 0.!...*.H...... !.0.!....1.0...+...... 0.....+.....7...... 0...0...+.....7...... ;[email protected]...+.....7.....0..w0....R5.B.4.A.A.C.1.F.D.3.E.2.F.6.8.5.7.3.2.A.1.0.8.7.9.4.4.1 .E.8.1.2.B.8.C.7.3.9.D.9...1..y0N..+.....7...1@0>...F.i.l.e...... ,b.a.z.i.s.v.i.r.t.u.a.l.c.d.b.u.s...s.y.s...0X..+.....7...1J0H...O.S.A.t.t.r...... 22.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.. .0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&...... <.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+...... [J ...... s*...A....9.0....RD.1.A.2.0.D.9.8.6.7.9.3.D.5.B.F.4.3.5.1.B.3.0.C.6.B.4.8.1.5.E.7.7.2.B.6.9.4.1.2...1..y0N..+.....7...1@0>...F.i.l.e...... ,b.a.z.i.s.v.i.r.t.u.a.l.c.d.b.u.s...s.y.s... 0X..+.....7...1J0H...O.S.A.t.t.r...... 22.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}.... 0i..+.....7...1[0Y04..+.....7...0&.....

C:\Windows\System32\DriverStore\Temp\{15724f1a-6ddf-4d47-b721-e090da908724}\SETB19C.tmp Process: C:\Windows\System32\drvinst.exe File Type: Windows setup INFormation, ASCII text Size (bytes): 1458 Entropy (8bit): 5.361028042086157 Encrypted: false MD5: 9A41ACAF308273117F12253119753CD2 SHA1: DE3DA728432C61BE2C8684670997BAA8EEB36934 SHA-256: BB36739BDBBBCA8D445BC0F79A6BB286F374A12B7EA06D5F6904068756B4C801 SHA-512: 51EDC19B7BBAF365EF8528603120EFC56CCA5C768A1054B79C93876BB042DFFC2999F2EC0C0DC1547A4E0B90E7B8B8281F27FCFA80F276FB991E7CF5EC01D8A6 Malicious: false Preview: [Version].Signature="$WINDOWS NT$".Class=SCSIAdapter.ClassGuid={4d36e97b-e325-11ce-bfc1-08002be10318}.Provider=%BAZIS%.DriverVer=06/02/2015, 4.01.0001.CatalogFile=BazisVirtualCDBus.cat..[DestinationDirs].DefaultDestDir = 12..[SourceDisksNames.x86].1 = %DiskId1%,,,..[SourceDisksNames.amd64].1 = %Disk Id1%,,,..[SourceDisksFiles.x86].BazisVirtualCDBus.sys = 1,\x86..[SourceDisksFiles.amd64].BazisVirtualCDBus.sys = 1,\x64..[Manufacturer].%BAZIS%=Standard, NTam d64..[Standard].%BazisVirtualCDBus.DeviceDesc%=BazisVirtualCDBus_Device, root\BazisVirtualCDBus..[Standard.NTamd64].%BazisVirtualCDBus.DeviceDesc%=Baz isVirtualCDBus_Device, root\BazisVirtualCDBus..[BazisVirtualCDBus_Device.NT].CopyFiles=Drivers_Dir..[Drivers_Dir].BazisVirtualCDBus.sys,,,2..;------Service insta llation.[BazisVirtualCDBus_Device.NT.Services].AddService = BazisVirtualCDBus,%SPSVCINST_ASSOCSERVICE%, dev_Service_Inst..; ------busenum driver install sections.[dev_Service_Inst].DisplayName = %dev.SVCDESC%

C:\Windows\System32\DriverStore\Temp\{15724f1a-6ddf-4d47-b721-e090da908724}\x64\SETB17B.tmp Process: C:\Windows\System32\drvinst.exe File Type: PE32+ executable (native) x86-64, for MS Windows Size (bytes): 172376 Entropy (8bit): 6.254276310537291 Encrypted: false MD5: 09391BA416AA29682298A612FDFDD7B8 SHA1: A936409D136B10CFEADD85ED40607A359077DA13 SHA-256: D889679C25DA37212E2E0E08E4B2CF774FFF395E83BCD168B240A59E74204070 SHA-512: 079B04575F746400FA0F8E50587DBB03D4E25AF79DC771DA5534E9FA81C46A02248A491D3C9216DC9A56914B3712DA3A88C27AF70588C41041218521259B6867 Malicious: false Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... ,...BT..BT..BT...T..BT...T..BT...T..BT..CT..BT.w9T..BT.w?T..B T.w.T..BT.w.T..BT.w.T..BT.w.T..BTRich..BT...... PE..d....Y.V...... "...... @...... (...... p....p..P "...... X...... text...... h.rdata...G...... H...... @..H.data...... `...... B...... @....pdata..P"...p...$... D...... @..H.CRT...... h...... @..H.STL...... j...... @...INIT...... l...... rsrc...p...... x...... @..B.reloc...... |...... @..B......

C:\Windows\System32\catroot2\dberr.txt Process: C:\Windows\System32\drvinst.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 77 Entropy (8bit): 4.912527696865872 Encrypted: false MD5: CD3998308D82773E1E162719423098E1 SHA1: 871777EB435FBF043BE79957DC2888AEE52BFE91 SHA-256: A87DAAB23B342B1E74F4D84A1B43838E5AF9A3F18D8CAB79BACC47A0B0F3A5DD SHA-512: 2DBDAAF5BDA83FD04E9673DB61D4B3DD532FEF578202E50CA0CA1E4F40BB9A3017C8532EEB26C7EA5CE54A33AE8FC078CBEC4AFCA981B93BF258C6EB5479 14AB Malicious: false Preview: CatalogDB: 11:17:46 PM 5/10/2019: DONE Adding Catalog File (15ms): oem3.cat..

C:\Windows\System32\drivers\SETD6C6.tmp Process: C:\Windows\System32\drvinst.exe File Type: PE32+ executable (native) x86-64, for MS Windows Size (bytes): 172376 Entropy (8bit): 6.254276310537291 Encrypted: false MD5: 09391BA416AA29682298A612FDFDD7B8 SHA1: A936409D136B10CFEADD85ED40607A359077DA13 SHA-256: D889679C25DA37212E2E0E08E4B2CF774FFF395E83BCD168B240A59E74204070 SHA-512: 079B04575F746400FA0F8E50587DBB03D4E25AF79DC771DA5534E9FA81C46A02248A491D3C9216DC9A56914B3712DA3A88C27AF70588C41041218521259B6867 Malicious: false Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... ,...BT..BT..BT...T..BT...T..BT...T..BT..CT..BT.w9T..BT.w?T..B T.w.T..BT.w.T..BT.w.T..BT.w.T..BTRich..BT...... PE..d....Y.V...... "...... @...... (...... p....p..P "...... X...... text...... h.rdata...G...... H...... @..H.data...... `...... B...... @....pdata..P"...p...$... D...... @..H.CRT...... h...... @..H.STL...... j...... @...INIT...... l...... rsrc...p...... x...... @..B.reloc...... |...... @..B......

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name: www.sysprogs.com/PublisherSysprogsNoRepairNoModifyInstallLocationDisplayVersion%x.%xDisplayNa Source: WinCDEmu-4.1.exe, 00000000.00000002.5206788382.0000000000C41000.00000040.sdmp Malicious: false Reputation: high
Name: crl.thawte.com/ThawteTimestampingCA.crl0 Source: WinCDEmu-4.1.exe Malicious: false Reputation: high
Name: w. Source: WinCDEmu-4.1.exe Malicious: false Reputation: high
Name: wincdemu.sysprogs.org/openUpdating Source: WinCDEmu-4.1.exe, 00000000.00000002.5206788382.0000000000C41000.00000040.sdmp Malicious: false Reputation: high
Name: bazislib.sysprogs.org/dK Source: regsvr32.exe, 0000000A.00000003.5009175741.0000000002910000.00000004.sdmp Malicious: false Reputation: high
Name: ocsp.thawte.com0 Source: WinCDEmu-4.1.exe Malicious: false Reputation: high
Name: wincdemu.sysprogs.org/ Source: WinCDEmu-4.1.exe, WinCDEmu-4.1.exe, 00000000.00000002.5207115403.0000000000C90000.00000040.sdmp, VirtualAutorunDisabler.exe, vmnt64.exe Malicious: false Reputation: high
Name: www.sysprogs.org/signing Source: WinCDEmu-4.1.exe Malicious: false Reputation: high
Name: ocsp.thawte.comhttp://crl.thawte.com/ThawteTimestampingCA.crl Source: drvinst64.exe, 0000000C.00000003.5031973626.0000000000DDA000.00000004.sdmp, rundll32.exe, 0000000E.00000003.5101053189.000001F6F834D000.00000004.sdmp Malicious: false Reputation: high
Name: www.sysprogs.org/signingSetup Source: WinCDEmu-4.1.exe, 00000000.00000002.5206788382.0000000000C41000.00000040.sdmp Malicious: false Reputation: high
Name: bazislib.sysprogs.org/ Source: WinCDEmu-4.1.exe, 00000000.00000003.4973820017.0000000005540000.00000004.sdmp, regsvr32.exe, 0000000A.00000003.5009175741.0000000002910000.00000004.sdmp, vmnt_english.lng.0.dr Malicious: false Reputation: high
Name: wincdemu.sysprogs.org/translations/lngedit.php Source: WinCDEmu-4.1.exe, 00000000.00000003.4973820017.0000000005540000.00000004.sdmp, vmnt64.exe, 00000011.00000000.5176649611.0000000002136000.00000004.sdmp, vmnt_romanian.lng.0.dr Malicious: false Reputation: high
Name: wincdemu.s Source: regsvr32.exe, 00000008.00000003.5004446508.0000000002FD0000.00000004.sdmp, regsvr32.exe, 0000000A.00000003.5009411446.0000000002A40000.00000004.sdmp Malicious: false Antivirus Detection: Avira URL Cloud: safe Reputation: unknown
Name: wincdemu.sysprogs.org/translations/KE Source: vmnt64.exe, 00000011.00000000.5176649611.0000000002136000.00000004.sdmp Malicious: false Reputation: high
Name: wincdemu.sysprogs.org/8 Source: WinCDEmu-4.1.exe Malicious: false Reputation: high
Name: www.sysprogs.com/ Source: WinCDEmu-4.1.exe Malicious: false Reputation: high
Name: crl.thawte.com/ThawteTimestampingCA.crl Source: drvinst.exe, 0000000D.00000002.5126090180.000002201C1B0000.00000004.sdmp Malicious: false Reputation: high

Contacted IPs


Public

| IP | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 4.1.1.0 | United States | | 3356 | LEVEL3-Level3ParentLLCUS | false |

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit): 7.985859241496418
TrID:
• Win32 Executable (generic) a (10002005/4) 99.38%
• UPX compressed Win32 Executable (30571/9) 0.30%
• Win32 EXE Yoda's Crypter (26571/9) 0.26%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name: WinCDEmu-4.1.exe
File size: 1576544
MD5: 4e53befe779f677b1ccec54b84f60a8c
SHA1: 9ff4f2ed41d5bd09496d2cfb6e09c4b31659dc19
SHA256: c47763631d20120057766f2f71f781bf958e22712da4ac933b21db0d615dc93c
SHA512: a0fe06176a62be0c0f0f946ab3f9182f1be1020ca6ab2fcfb855254d77c123f95baa48fa6dc6abf73917103534cca713382f90f440917a2a343d54dde2332e04
SSDEEP: 49152:kCFdVNpsRKZdJ0ya6wWfumwumbp/afUD+6EVV4dDD/:kaVNpsIF0ya6wWf32p/69Z4dDj
File Content Preview: MZ...... @...... !..L.!Th is program cannot be run in DOS mode....$...... 9_..}>.F} >.F}>.Ff.7Fj>.Ff..F.>.Ff..F2>.FtF*Fy>.FtF:Fr>.F}>.F.>.Ff ..Fu>.Ff.3F|>.Ff.4F|>.FRich}>.F...... PE..L..

File Icon

Icon Hash: ae9a4c58d8f07830

Static PE Info

General

Entrypoint: 0x45a900
Entrypoint Section: UPX1
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x560C2A83 [Wed Sep 30 18:31:31 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2f45dc341e82cb821aa3706313cfae94

Authenticode Signature

Signature Valid: true
Signature Issuer: CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After: 6/20/2016 12:03:45 PM, 8/2/2019 3:00:00 AM
Subject Chain: CN=Sysprogs OU, O=Sysprogs OU, L=Maardu, C=EE
Version: 3
Thumbprint MD5: 7DA8A890B515620A71AF7E53388161C0
Thumbprint SHA-1: 59CF9229881EFF089D3286A3A3BA1BD87C61F23E
Thumbprint SHA-256: B679E1A3746AD362EBD59CC62709ADDD8CDE4FC4E8BF83275CD9455DD3AADFAA
Serial: 240ACBD424C328A5BD9A5BC8

Entrypoint Preview

Instruction
pushad
mov esi, 0043E000h
lea edi, dword ptr [esi-0003D000h]
push edi
or ebp, FFFFFFFFh
jmp 00007F8098552A42h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F8098552A39h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8098552A1Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F8098552A39h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F8098552A3Dh
jne 00007F8098552A5Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8098552A51h
dec eax
add ebx, ebx
jne 00007F8098552A39h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F8098552A06h
add ebx, ebx
jne 00007F8098552A39h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F8098552A84h
xor ecx, ecx
sub eax, 03h
jc 00007F8098552A43h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F8098552AA7h
sar eax, 1
mov ebp, eax
jmp 00007F8098552A3Dh
add ebx, ebx
jne 00007F8098552A39h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F80985529FEh
inc ecx
add ebx, ebx
jne 00007F8098552A39h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F80985529F0h
add ebx, ebx
jne 00007F8098552A39h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F8098552A21h
jne 00007F8098552A3Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F8098552A16h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [eax+eax]

Rich Headers

Programming Language:
• [ C ] VS2008 SP1 build 30729
• [LNK] VS2010 SP1 build 40219
• [ASM] VS2010 SP1 build 40219
• [RES] VS2010 SP1 build 40219
• [ C ] VS2010 SP1 build 40219
• [C++] VS2010 SP1 build 40219
• [IMP] VS2008 SP1 build 30729

Data Directories

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x646e0 | 0x1d4 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5b000 | 0x96e0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x17f7c0 | 0x16a0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x648b4 | 0x10 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5aaec | 0x48 | UPX1 |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

Sections

| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| UPX0 | 0x1000 | 0x3d000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| UPX1 | 0x3e000 | 0x1d000 | 0x1cc00 | False | 0.989521059783 | data | 7.92791356632 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x5b000 | 0xa000 | 0x9a00 | False | 0.528561282468 | data | 5.51965882151 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |

Resources

| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_BITMAP | 0x37670 | 0x10028 | empty | Russian | Russia |
| RT_ICON | 0x5b674 | 0xca8 | dBase III DBT, version number 0, next free block index 40 | Russian | Russia |
| RT_ICON | 0x5c320 | 0x4228 | dBase III DBT, version number 0, next free block index 40 | Russian | Russia |
| RT_ICON | 0x6054c | 0x25a8 | data | Russian | Russia |
| RT_ICON | 0x62af8 | 0x10a8 | data | Russian | Russia |
| RT_ICON | 0x63ba4 | 0x468 | GLS_BINARY_LSB_FIRST | Russian | Russia |
| RT_ICON | 0x50020 | 0x2e8 | data | Russian | Russia |
| RT_ICON | 0x50308 | 0x368 | data | Russian | Russia |
| RT_ICON | 0x50670 | 0x368 | data | Russian | Russia |
| RT_ICON | 0x509d8 | 0x368 | data | Russian | Russia |
| RT_DIALOG | 0x50d40 | 0x21e | data | English | United States |
| RT_DIALOG | 0x50f60 | 0x244 | data | Russian | Russia |
| RT_DIALOG | 0x511a4 | 0x1e2 | data | English | United States |
| RT_DIALOG | 0x51388 | 0x1f2 | data | Russian | Russia |
| RT_DIALOG | 0x5157c | 0x21a | data | English | United States |
| RT_DIALOG | 0x51798 | 0x210 | data | Russian | Russia |
| RT_DIALOG | 0x519a8 | 0x1a4 | data | English | United States |
| RT_DIALOG | 0x51b4c | 0x1b0 | data | Russian | Russia |
| RT_DIALOG | 0x51cfc | 0x178 | data | English | United States |
| RT_DIALOG | 0x51e74 | 0x176 | data | Russian | Russia |
| RT_DIALOG | 0x51fec | 0x46c | data | Russian | Russia |
| RT_STRING | 0x52458 | 0x4e0 | data | Russian | Russia |
| RT_STRING | 0x52938 | 0x2be | data | Russian | Russia |
| RT_STRING | 0x52bf8 | 0x272 | data | | |
| RT_STRING | 0x52e6c | 0x388 | data | | |
| RT_STRING | 0x531f4 | 0x164 | data | | |
| RT_GROUP_ICON | 0x64010 | 0x4c | data | Russian | Russia |
| RT_GROUP_ICON | 0x533a4 | 0x14 | data | Russian | Russia |
| RT_GROUP_ICON | 0x533b8 | 0x14 | data | Russian | Russia |
| RT_GROUP_ICON | 0x533cc | 0x14 | data | Russian | Russia |
| RT_GROUP_ICON | 0x533e0 | 0x14 | data | Russian | Russia |
| RT_VERSION | 0x64060 | 0x304 | data | Russian | Russia |
| RT_MANIFEST | 0x64368 | 0x376 | ASCII text, with very long lines, with CRLF line terminators | English | United States |

Imports

| DLL | Import |
|---|---|
| KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess |
| ADVAPI32.dll | RegOpenKeyA |
| COMCTL32.dll | |
| GDI32.dll | FillRgn |
| ole32.dll | CoInitialize |
| SHELL32.dll | ShellExecuteA |
| USER32.dll | GetDC |

Version Infos

| Description | Data |
|---|---|
| LegalCopyright | LGPL |
| FileVersion | 4.1 |
| CompanyName | Sysprogs OU |
| LegalTrademarks | Sysprogs |
| Comments | wincdemu.sysprogs.org/ |
| ProductName | WinCDEmu |
| ProductVersion | 4.1 |
| FileDescription | WinCDEmu installer |
| OriginalFilename | WinCDEmu-installer.exe |
| Translation | 0x0000 0x04b0 |

Possible Origin

| Language of compilation system | Country where language is spoken |
|---|---|
| Russian | Russia |
| English | United States |

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• WinCDEmu-4.1.exe
• uninstall64.exe
• VirtualAutorunDisabler.exe
• regsvr32.exe
• regsvr32.exe
• regsvr32.exe
• VirtualAutorunDisabler.exe
• regsvr32.exe
• regsvr32.exe
• regsvr32.exe
• drvinst64.exe
• drvinst.exe
• rundll32.exe
• drvinst.exe
• vmnt64.exe
• WerFault.exe


System Behavior

Analysis Process: WinCDEmu-4.1.exe PID: 2284 Parent PID: 3704

General

Start time: 23:17:26
Start date: 10/05/2019
Path: C:\Users\user\Desktop\WinCDEmu-4.1.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\WinCDEmu-4.1.exe'
Imagebase: 0xc40000
File size: 1576544 bytes
MD5 hash: 4E53BEFE779F677B1CCEC54B84F60A8C
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

| Source File Path | Access | Attributes | Options | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\XXINSTCOMP08EC\ | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | success or wait | 1 | C4ABA5 | CreateDirectoryA |
| C:\Users\user\AppData\Local\Temp\ssi9393.tmp | read attributes \| synchronize \| generic read | normal | synchronous io non alert \| non directory file | success or wait | 1 | C45C45 | GetTempFileNameA |
| C:\Users\user\AppData\Local\Temp\ssi9393.tmp | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | success or wait | 1 | C45C55 | CreateDirectoryA |
| C:\Program Files (x86)\WinCDEmu\x64 | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | object path not found | 1 | C51B5D | CreateDirectoryW |
| C:\Program Files (x86) | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | object name collision | 1 | C51312 | CreateDirectoryW |
| C:\Program Files (x86)\WinCDEmu | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | success or wait | 1 | C51312 | CreateDirectoryW |
| C:\Program Files (x86)\WinCDEmu\x64 | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | success or wait | 1 | C51312 | CreateDirectoryW |
| C:\Program Files (x86)\WinCDEmu\x64\WinCDEmuContextMenu.bak | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisablerPS.dll | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\x64\WinCDEmuContextMenu.dll | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\x86 | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | success or wait | 1 | C51B5D | CreateDirectoryW |
| C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisablerPS.dll | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\x86\WinCDEmuContextMenu.dll | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\ | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | object name collision | 9 | C51B5D | CreateDirectoryW |
| C:\Program Files (x86)\WinCDEmu\batchmnt.exe | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\batchmnt64.exe | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\mkisofs.exe | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\uninstall.exe | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\uninstall64.exe | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\vmnt.exe | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\vmnt64.exe | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisabler.exe | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisabler.exe | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | success or wait | 1 | C51B5D | CreateDirectoryW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Arabic.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_armenian.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_bahasaindonesia.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Bengali.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_bulgarian.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Catalan.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Czech.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_dansk.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_dutch.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_english.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_estonian.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Farsi.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_finnish.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_french.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_german.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_greek.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_hebrew.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_hungarian.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Indonesia.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_italian.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_japanese.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_kannada.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_korean.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_kurdish.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_lithuanian.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_macedonian.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_malay.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_norsk.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_norwegian.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_polish.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_portuguese.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_portuguese_brazil.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_romanian.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_russian.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Slovak.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_slovenian.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_slovenscina.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_spanish.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_sr.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_swedish.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_ta.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Taiwan.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_turkish.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_urdu.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_uzbek.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_zh_CN.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_zh_TW.lng | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\bazisvirtualcdbus.cat | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\BazisVirtualCDBus.inf | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\x64 | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | object name collision | 1 | C51B5D | CreateDirectoryW |
| C:\Program Files (x86)\WinCDEmu\x64\BazisVirtualCDBus.sys | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Program Files (x86)\WinCDEmu\x86 | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | object name collision | 1 | C51B5D | CreateDirectoryW |
| C:\Program Files (x86)\WinCDEmu\x86\BazisVirtualCDBus.sys | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Users\user\AppData\Local\Temp\ssi9393.tmp\ | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | object name collision | 2 | C51B5D | CreateDirectoryW |
| C:\Users\user\AppData\Local\Temp\ssi9393.tmp\drvinst32.exe | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\Users\user\AppData\Local\Temp\ssi9393.tmp\drvinst64.exe | read attributes \| synchronize \| generic read \| generic write | archive | synchronous io non alert \| non directory file | success or wait | 1 | C52143 | CreateFileW |
| C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinCDEmu | read data or list directory \| synchronize | normal | directory file \| synchronous io non alert \| open for backup ident \| open reparse point | success or wait | 1 | C4DAA7 | CreateDirectoryA |

File Deleted

| Source File Path | Completion | Count | Address | Symbol |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\ssi9393.tmp | success or wait | 1 | C45C4C | DeleteFileA |
| C:\Users\user\AppData\Local\Temp\ssi9393.tmp\drvinst32.exe | success or wait | 1 | C4AA0A | DeleteFileA |
| C:\Users\user\AppData\Local\Temp\ssi9393.tmp\drvinst64.exe | success or wait | 1 | C4AA0A | DeleteFileA |

File Written

| Source File Path | Offset | Length | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|
| C:\Program Files (x86)\WinCDEmu\x64\WinCDEmuContextMenu.bak | unknown | 254976 | success or wait | 1 | C4EA3F | WriteFile |
| C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisablerPS.dll | unknown | 41472 | success or wait | 1 | C4EA3F | WriteFile |
| C:\Program Files (x86)\WinCDEmu\x64\WinCDEmuContextMenu.dll | unknown | 255488 | success or wait | 1 | C4EA3F | WriteFile |
| C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisablerPS.dll | unknown | 35840 | success or wait | 1 | C4EA3F | WriteFile |
| C:\Program Files (x86)\WinCDEmu\x86\WinCDEmuContextMenu.dll | unknown | 222720 | success or wait | 1 | C4EA3F | WriteFile |
| C:\Program Files (x86)\WinCDEmu\batchmnt.exe | unknown | 105984 | success or wait | 1 | C4EA3F | WriteFile |
| C:\Program Files (x86)\WinCDEmu\batchmnt64.exe | unknown | 130048 | success or wait | 1 | C4EA3F | WriteFile |
61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1d 4d 5c 30 59 2c 32 63 59 2c 32 63 59 2c 32 63 42 b1 98 63 3d 2c 32 63 42 b1 ac 63 53 2c 32 63 42 b1 99 63 72 2c 32 63 50 54 b1 63 58 2c 32 63 50 54 a1 63 50 2c 32 63 59 2c 33 63 35 2c 32 63 42 b1 9d 63 53 2c 32 63 42 b1 a8 63 58 2c 32 63 42 b1 af 63 58 2c 32 63 52 69 63 68 59 2c 32 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 0c a9 08 56 00 00 00

Copyright Joe Security LLC 2019 Page 51 of 93 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\WinCDEmu\mkisofs.exe unknown 1395214 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 C4EA3F WriteFile 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... PE..L.....tT.J...... 00 00 00 00 00 00 00 ...... @...F...... P.. 00 00 00 00 00 00 00 ..@...... 0 00 00 00 80 00 00 00 ...... 0e 1f ba 0e 00 b4 09 ...... cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 89 08 74 54 00 4a 15 00 00 00 00 00 e0 00 0f 03 0b 01 02 17 00 40 05 00 00 46 15 00 00 96 03 00 80 12 00 00 00 10 00 00 00 50 05 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 19 00 00 04 00 00 b3 11 16 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 C:\Program Files (x86)\WinCDEmu\uninstall.exe unknown 139424 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 C4EA3F WriteFile 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 08 01 00 00 ...... Rich.... 0e 1f ba 0e 00 b4 09 ...... 
cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 da f7 8c eb 9e 96 e2 b8 9e 96 e2 b8 9e 96 e2 b8 f1 f2 e1 b9 94 96 e2 b8 f1 f2 e7 b9 0d 96 e2 b8 cc fe e1 b9 8d 96 e2 b8 cc fe e7 b9 b6 96 e2 b8 cc fe e6 b9 8d 96 e2 b8 f1 f2 e6 b9 8d 96 e2 b8 f1 f2 e3 b9 95 96 e2 b8 9e 96 e3 b8 1d 96 e2 b8 f7 fe eb b9 98 96 e2 b8 f7 fe 1d b8 9f 96 e2 b8 f7 fe e0 b9 9f 96 e2 b8 52 69 63 68 9e 96 e2 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Copyright Joe Security LLC 2019 Page 52 of 93 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\WinCDEmu\uninstall64.exe unknown 169632 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 C4EA3F WriteFile 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... ~.=.:yS.:yS.:yS.U.P.? 00 00 00 00 00 00 00 y 00 00 00 00 00 00 00 S.U.V..yS.h.P.2yS.h.V..yS. 00 00 00 00 01 00 00 h.W. 0e 1f ba 0e 00 b4 09 )yS.U.W.1yS.U.R.7yS.:yR. cd 21 b8 01 4c cd 21 .yS.S.Z. 54 68 69 73 20 70 72

Copyright Joe Security LLC 2019 Page 53 of 93 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\WinCDEmu\vmnt64.exe unknown 406360 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 C4EA3F WriteFile 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... 1...b...b...b..Hb.. 00 00 00 00 00 00 00 .b..|b...b..Ib...b..ab...b..qb 00 00 00 00 00 00 00 ...b...bK..b..Mb...b..xb...b.. 00 00 00 e8 00 00 00 .b...bRich...b...... PE..d... 0e 1f ba 0e 00 b4 09 +..V...... # cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b3 e3 8c 31 f7 82 e2 62 f7 82 e2 62 f7 82 e2 62 ec 1f 48 62 80 82 e2 62 ec 1f 7c 62 fd 82 e2 62 ec 1f 49 62 c0 82 e2 62 fe fa 61 62 f5 82 e2 62 fe fa 71 62 e4 82 e2 62 f7 82 e3 62 4b 82 e2 62 ec 1f 4d 62 e8 82 e2 62 ec 1f 78 62 f6 82 e2 62 ec 1f 7f 62 f6 82 e2 62 52 69 63 68 f7 82 e2 62 00 00 00 00 00 00 00 00 50 45 00 00 64 86 05 00 2b 82 09 56 00 00 00 00 00 00 00 00 f0 00 23 C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisabler.e unknown 101376 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 C4EA3F WriteFile xe 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... I.~.I.~.I.~.RS..C. 00 00 00 00 00 00 00 [email protected][email protected].~.I 00 00 00 00 00 00 00 ... 00 00 00 f8 00 00 00 ..~.RS..a.~.RS....~.RS..H.~ 0e 1f ba 0e 00 b4 09 .RS..H.~.RichI.~...... cd 21 b8 01 4c cd 21 ...... PE..d.. 
54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 0d af 10 bb 49 ce 7e e8 49 ce 7e e8 49 ce 7e e8 52 53 e0 e8 43 ce 7e e8 52 53 d1 e8 4c ce 7e e8 40 b6 fd e8 4a ce 7e e8 40 b6 ed e8 44 ce 7e e8 49 ce 7f e8 c3 ce 7e e8 52 53 d5 e8 61 ce 7e e8 52 53 d4 e8 01 ce 7e e8 52 53 e4 e8 48 ce 7e e8 52 53 e3 e8 48 ce 7e e8 52 69 63 68 49 ce 7e e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06

Copyright Joe Security LLC 2019 Page 54 of 93 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisabler.e unknown 87040 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 C4EA3F WriteFile xe 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... J....k.O.k.O.k.O..8O.k 00 00 00 00 00 00 00 .O...O.k.O..%O.k.O..5O.k. 00 00 00 00 00 00 00 O.k.O 00 00 00 f8 00 00 00 .k.O...O)k.O...OBk.O.. 0e 1f ba 0e 00 b4 09 . .<. 00 20 00 65 00 64 00 s.p.a.c.e.s. .o.r. .t.a.b.s.>. . 69 00 74 00 6f 00 72 <.v.a.l.u.e.> 00 2c 00 20 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 69 00 6e 00 63 00 64 00 65 00 6d 00 75 00 2e 00 73 00 79 00 73 00 70 00 72 00 6f 00 67 00 73 00 2e 00 6f 00 72 00 67 00 2f 00 74 00 72 00 61 00 6e 00 73 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 73 00 2f 00 6c 00 6e 00 67 00 65 00 64 00 69 00 74 00 2e 00 70 00 68 00 70 00 0d 00 0a 00 3b 00 20 00 53 00 79 00 6e 00 74 00 61 00 78 00 3a 00 20 00 3c 00 49 00 44 00 3e 00 20 00 3c 00 73 00 70 00 61 00 63 00 65 00 73 00 20 00 6f 00 72 00 20 00 74 00 61 00 62 00 73 00 3e 00 20 00 3c 00 76 00 61 00 6c 00 75 00 65 00 3e

Copyright Joe Security LLC 2019 Page 55 of 93 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_armenian.lng unknown 4202 3b 00 20 00 47 00 65 ;. .G.e.n.e.r.a.t.e.d. .b.y. . success or wait 1 C4EA3F WriteFile 00 6e 00 65 00 72 00 o.n.l.i.n.e. .L.N.G. .e.d.i.t. 61 00 74 00 65 00 64 o.r.,. .h.t.t.p.:././.w.i.n.c. 00 20 00 62 00 79 00 d.e.m.u...s.y.s.p.r.o.g.s...o. 20 00 6f 00 6e 00 6c r.g./.t.r.a.n.s.l.a.t.i.o.n.s. 00 69 00 6e 00 65 00 /.l.n.g.e.d.i.t...p.h.p.....;. 20 00 4c 00 4e 00 47 .S.y.n.t.a.x.:. .<.I.D.>. .<. 00 20 00 65 00 64 00 s.p.a.c.e.s. .o.r. .t.a.b.s.>. . 69 00 74 00 6f 00 72 <.v.a.l.u.e.> 00 2c 00 20 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 69 00 6e 00 63 00 64 00 65 00 6d 00 75 00 2e 00 73 00 79 00 73 00 70 00 72 00 6f 00 67 00 73 00 2e 00 6f 00 72 00 67 00 2f 00 74 00 72 00 61 00 6e 00 73 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 73 00 2f 00 6c 00 6e 00 67 00 65 00 64 00 69 00 74 00 2e 00 70 00 68 00 70 00 0d 00 0a 00 3b 00 20 00 53 00 79 00 6e 00 74 00 61 00 78 00 3a 00 20 00 3c 00 49 00 44 00 3e 00 20 00 3c 00 73 00 70 00 61 00 63 00 65 00 73 00 20 00 6f 00 72 00 20 00 74 00 61 00 62 00 73 00 3e 00 20 00 3c 00 76 00 61 00 6c 00 75 00 65 00 3e C:\Program Files (x86)\WinCDEm unknown 10358 3b 00 20 00 47 00 65 ;. .G.e.n.e.r.a.t.e.d. .b.y. . success or wait 1 C4EA3F WriteFile u\langfiles\vmnt_bahasaindonesia.lng 00 6e 00 65 00 72 00 o.n.l.i.n.e. .L.N.G. .e.d.i.t. 61 00 74 00 65 00 64 o.r.,. .h.t.t.p.:././.w.i.n.c. 00 20 00 62 00 79 00 d.e.m.u...s.y.s.p.r.o.g.s...o. 20 00 6f 00 6e 00 6c r.g./.t.r.a.n.s.l.a.t.i.o.n.s. 00 69 00 6e 00 65 00 /.l.n.g.e.d.i.t...p.h.p.....;. 20 00 4c 00 4e 00 47 .S.y.n.t.a.x.:. .<.I.D.>. .<. 00 20 00 65 00 64 00 s.p.a.c.e.s. .o.r. .t.a.b.s.>. . 
69 00 74 00 6f 00 72 <.v.a.l.u.e.> 00 2c 00 20 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 69 00 6e 00 63 00 64 00 65 00 6d 00 75 00 2e 00 73 00 79 00 73 00 70 00 72 00 6f 00 67 00 73 00 2e 00 6f 00 72 00 67 00 2f 00 74 00 72 00 61 00 6e 00 73 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 73 00 2f 00 6c 00 6e 00 67 00 65 00 64 00 69 00 74 00 2e 00 70 00 68 00 70 00 0d 00 0a 00 3b 00 20 00 53 00 79 00 6e 00 74 00 61 00 78 00 3a 00 20 00 3c 00 49 00 44 00 3e 00 20 00 3c 00 73 00 70 00 61 00 63 00 65 00 73 00 20 00 6f 00 72 00 20 00 74 00 61 00 62 00 73 00 3e 00 20 00 3c 00 76 00 61 00 6c 00 75 00 65 00 3e

Copyright Joe Security LLC 2019 Page 56 of 93 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Bengali.lng unknown 1676 3b 00 20 00 47 00 65 ;. .G.e.n.e.r.a.t.e.d. .b.y. . success or wait 1 C4EA3F WriteFile 00 6e 00 65 00 72 00 o.n.l.i.n.e. .L.N.G. .e.d.i.t. 61 00 74 00 65 00 64 o.r.,. .h.t.t.p.:././.w.i.n.c. 00 20 00 62 00 79 00 d.e.m.u...s.y.s.p.r.o.g.s...o. 20 00 6f 00 6e 00 6c r.g./.t.r.a.n.s.l.a.t.i.o.n.s. 00 69 00 6e 00 65 00 /.l.n.g.e.d.i.t...p.h.p.....;. 20 00 4c 00 4e 00 47 .S.y.n.t.a.x.:. .<.I.D.>. .<. 00 20 00 65 00 64 00 s.p.a.c.e.s. .o.r. .t.a.b.s.>. . 69 00 74 00 6f 00 72 <.v.a.l.u.e.> 00 2c 00 20 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 69 00 6e 00 63 00 64 00 65 00 6d 00 75 00 2e 00 73 00 79 00 73 00 70 00 72 00 6f 00 67 00 73 00 2e 00 6f 00 72 00 67 00 2f 00 74 00 72 00 61 00 6e 00 73 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 73 00 2f 00 6c 00 6e 00 67 00 65 00 64 00 69 00 74 00 2e 00 70 00 68 00 70 00 0d 00 0a 00 3b 00 20 00 53 00 79 00 6e 00 74 00 61 00 78 00 3a 00 20 00 3c 00 49 00 44 00 3e 00 20 00 3c 00 73 00 70 00 61 00 63 00 65 00 73 00 20 00 6f 00 72 00 20 00 74 00 61 00 62 00 73 00 3e 00 20 00 3c 00 76 00 61 00 6c 00 75 00 65 00 3e C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_bulgarian.lng unknown 9836 3b 00 20 00 47 00 65 ;. .G.e.n.e.r.a.t.e.d. .b.y. . success or wait 1 C4EA3F WriteFile 00 6e 00 65 00 72 00 o.n.l.i.n.e. .L.N.G. .e.d.i.t. 61 00 74 00 65 00 64 o.r.,. .h.t.t.p.:././.w.i.n.c. 00 20 00 62 00 79 00 d.e.m.u...s.y.s.p.r.o.g.s...o. 20 00 6f 00 6e 00 6c r.g./.t.r.a.n.s.l.a.t.i.o.n.s. 00 69 00 6e 00 65 00 /.l.n.g.e.d.i.t...p.h.p.....;. 20 00 4c 00 4e 00 47 .S.y.n.t.a.x.:. .<.I.D.>. .<. 00 20 00 65 00 64 00 s.p.a.c.e.s. .o.r. .t.a.b.s.>. . 
69 00 74 00 6f 00 72 <.v.a.l.u.e.> 00 2c 00 20 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 69 00 6e 00 63 00 64 00 65 00 6d 00 75 00 2e 00 73 00 79 00 73 00 70 00 72 00 6f 00 67 00 73 00 2e 00 6f 00 72 00 67 00 2f 00 74 00 72 00 61 00 6e 00 73 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 73 00 2f 00 6c 00 6e 00 67 00 65 00 64 00 69 00 74 00 2e 00 70 00 68 00 70 00 0d 00 0a 00 3b 00 20 00 53 00 79 00 6e 00 74 00 61 00 78 00 3a 00 20 00 3c 00 49 00 44 00 3e 00 20 00 3c 00 73 00 70 00 61 00 63 00 65 00 73 00 20 00 6f 00 72 00 20 00 74 00 61 00 62 00 73 00 3e 00 20 00 3c 00 76 00 61 00 6c 00 75 00 65 00 3e

Copyright Joe Security LLC 2019 Page 57 of 93 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Catalan.lng unknown 10508 3b 00 20 00 47 00 65 ;. .G.e.n.e.r.a.t.e.d. .b.y. . success or wait 1 C4EA3F WriteFile 00 6e 00 65 00 72 00 o.n.l.i.n.e. .L.N.G. .e.d.i.t. 61 00 74 00 65 00 64 o.r.,. .h.t.t.p.:././.w.i.n.c. 00 20 00 62 00 79 00 d.e.m.u...s.y.s.p.r.o.g.s...o. 20 00 6f 00 6e 00 6c r.g./.t.r.a.n.s.l.a.t.i.o.n.s. 00 69 00 6e 00 65 00 /.l.n.g.e.d.i.t...p.h.p.....;. 20 00 4c 00 4e 00 47 .S.y.n.t.a.x.:. .<.I.D.>. .<. 00 20 00 65 00 64 00 s.p.a.c.e.s. .o.r. .t.a.b.s.>. . 69 00 74 00 6f 00 72 <.v.a.l.u.e.> 00 2c 00 20 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 69 00 6e 00 63 00 64 00 65 00 6d 00 75 00 2e 00 73 00 79 00 73 00 70 00 72 00 6f 00 67 00 73 00 2e 00 6f 00 72 00 67 00 2f 00 74 00 72 00 61 00 6e 00 73 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 73 00 2f 00 6c 00 6e 00 67 00 65 00 64 00 69 00 74 00 2e 00 70 00 68 00 70 00 0d 00 0a 00 3b 00 20 00 53 00 79 00 6e 00 74 00 61 00 78 00 3a 00 20 00 3c 00 49 00 44 00 3e 00 20 00 3c 00 73 00 70 00 61 00 63 00 65 00 73 00 20 00 6f 00 72 00 20 00 74 00 61 00 62 00 73 00 3e 00 20 00 3c 00 76 00 61 00 6c 00 75 00 65 00 3e C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Czech.lng unknown 9484 3b 00 20 00 47 00 65 ;. .G.e.n.e.r.a.t.e.d. .b.y. . success or wait 1 C4EA3F WriteFile 00 6e 00 65 00 72 00 o.n.l.i.n.e. .L.N.G. .e.d.i.t. 61 00 74 00 65 00 64 o.r.,. .h.t.t.p.:././.w.i.n.c. 00 20 00 62 00 79 00 d.e.m.u...s.y.s.p.r.o.g.s...o. 20 00 6f 00 6e 00 6c r.g./.t.r.a.n.s.l.a.t.i.o.n.s. 00 69 00 6e 00 65 00 /.l.n.g.e.d.i.t...p.h.p.....;. 20 00 4c 00 4e 00 47 .S.y.n.t.a.x.:. .<.I.D.>. .<. 00 20 00 65 00 64 00 s.p.a.c.e.s. .o.r. .t.a.b.s.>. . 
69 00 74 00 6f 00 72 <.v.a.l.u.e.> 00 2c 00 20 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 69 00 6e 00 63 00 64 00 65 00 6d 00 75 00 2e 00 73 00 79 00 73 00 70 00 72 00 6f 00 67 00 73 00 2e 00 6f 00 72 00 67 00 2f 00 74 00 72 00 61 00 6e 00 73 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 73 00 2f 00 6c 00 6e 00 67 00 65 00 64 00 69 00 74 00 2e 00 70 00 68 00 70 00 0d 00 0a 00 3b 00 20 00 53 00 79 00 6e 00 74 00 61 00 78 00 3a 00 20 00 3c 00 49 00 44 00 3e 00 20 00 3c 00 73 00 70 00 61 00 63 00 65 00 73 00 20 00 6f 00 72 00 20 00 74 00 61 00 62 00 73 00 3e 00 20 00 3c 00 76 00 61 00 6c 00 75 00 65 00 3e

Copyright Joe Security LLC 2019 Page 58 of 93 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_dansk.lng unknown 6356 3b 00 20 00 47 00 65 ;. .G.e.n.e.r.a.t.e.d. .b.y. . success or wait 1 C4EA3F WriteFile 00 6e 00 65 00 72 00 o.n.l.i.n.e. .L.N.G. .e.d.i.t. 61 00 74 00 65 00 64 o.r.,. .h.t.t.p.:././.w.i.n.c. 00 20 00 62 00 79 00 d.e.m.u...s.y.s.p.r.o.g.s...o. 20 00 6f 00 6e 00 6c r.g./.t.r.a.n.s.l.a.t.i.o.n.s. 00 69 00 6e 00 65 00 /.l.n.g.e.d.i.t...p.h.p.....;. 20 00 4c 00 4e 00 47 .S.y.n.t.a.x.:. .<.I.D.>. .<. 00 20 00 65 00 64 00 s.p.a.c.e.s. .o.r. .t.a.b.s.>. . 69 00 74 00 6f 00 72 <.v.a.l.u.e.> 00 2c 00 20 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 69 00 6e 00 63 00 64 00 65 00 6d 00 75 00 2e 00 73 00 79 00 73 00 70 00 72 00 6f 00 67 00 73 00 2e 00 6f 00 72 00 67 00 2f 00 74 00 72 00 61 00 6e 00 73 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 73 00 2f 00 6c 00 6e 00 67 00 65 00 64 00 69 00 74 00 2e 00 70 00 68 00 70 00 0d 00 0a 00 3b 00 20 00 53 00 79 00 6e 00 74 00 61 00 78 00 3a 00 20 00 3c 00 49 00 44 00 3e 00 20 00 3c 00 73 00 70 00 61 00 63 00 65 00 73 00 20 00 6f 00 72 00 20 00 74 00 61 00 62 00 73 00 3e 00 20 00 3c 00 76 00 61 00 6c 00 75 00 65 00 3e C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_dutch.lng unknown 9358 3b 00 20 00 47 00 65 ;. .G.e.n.e.r.a.t.e.d. .b.y. . success or wait 1 C4EA3F WriteFile 00 6e 00 65 00 72 00 o.n.l.i.n.e. .L.N.G. .e.d.i.t. 61 00 74 00 65 00 64 o.r.,. .h.t.t.p.:././.w.i.n.c. 00 20 00 62 00 79 00 d.e.m.u...s.y.s.p.r.o.g.s...o. 20 00 6f 00 6e 00 6c r.g./.t.r.a.n.s.l.a.t.i.o.n.s. 00 69 00 6e 00 65 00 /.l.n.g.e.d.i.t...p.h.p.....;. 20 00 4c 00 4e 00 47 .S.y.n.t.a.x.:. .<.I.D.>. .<. 00 20 00 65 00 64 00 s.p.a.c.e.s. .o.r. .t.a.b.s.>. . 
69 00 74 00 6f 00 72 <.v.a.l.u.e.> 00 2c 00 20 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 69 00 6e 00 63 00 64 00 65 00 6d 00 75 00 2e 00 73 00 79 00 73 00 70 00 72 00 6f 00 67 00 73 00 2e 00 6f 00 72 00 67 00 2f 00 74 00 72 00 61 00 6e 00 73 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 73 00 2f 00 6c 00 6e 00 67 00 65 00 64 00 69 00 74 00 2e 00 70 00 68 00 70 00 0d 00 0a 00 3b 00 20 00 53 00 79 00 6e 00 74 00 61 00 78 00 3a 00 20 00 3c 00 49 00 44 00 3e 00 20 00 3c 00 73 00 70 00 61 00 63 00 65 00 73 00 20 00 6f 00 72 00 20 00 74 00 61 00 62 00 73 00 3e 00 20 00 3c 00 76 00 61 00 6c 00 75 00 65 00 3e

Copyright Joe Security LLC 2019 Page 59 of 93 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_english.lng unknown 8842 ff fe 3b 00 20 00 47 00 ..;. .G.e.n.e.r.a.t.e.d. .b.y. success or wait 1 C4EA3F WriteFile 65 00 6e 00 65 00 72 .B.a.z.i.s.L.i.b. .S.T.R.G.E. 00 61 00 74 00 65 00 N...E.X.E.,. .h.t.t.p.:././.b. 64 00 20 00 62 00 79 a.z.i.s.l.i.b...s.y.s.p.r.o.g. 00 20 00 42 00 61 00 s...o.r.g./.....;. .S.y.n.t.a.x.:. 7a 00 69 00 73 00 4c .<.I.D.>. .<.s.p.a.c.e.s. .o.r. 00 69 00 62 00 20 00 .t.a.b.s.>. .<.v.a.l.u.e.>.....;. 53 00 54 00 52 00 47 .<.v.a.l.u.e.>. .s.h.o.u.l.d. 00 45 00 4e 00 2e 00 .b.e 45 00 58 00 45 00 2c 00 20 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 62 00 61 00 7a 00 69 00 73 00 6c 00 69 00 62 00 2e 00 73 00 79 00 73 00 70 00 72 00 6f 00 67 00 73 00 2e 00 6f 00 72 00 67 00 2f 00 0d 00 0a 00 3b 00 20 00 53 00 79 00 6e 00 74 00 61 00 78 00 3a 00 20 00 3c 00 49 00 44 00 3e 00 20 00 3c 00 73 00 70 00 61 00 63 00 65 00 73 00 20 00 6f 00 72 00 20 00 74 00 61 00 62 00 73 00 3e 00 20 00 3c 00 76 00 61 00 6c 00 75 00 65 00 3e 00 0d 00 0a 00 3b 00 20 00 3c 00 76 00 61 00 6c 00 75 00 65 00 3e 00 20 00 73 00 68 00 6f 00 75 00 6c 00 64 00 20 00 62 00 65 C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_estonian.lng unknown 8898 3b 00 20 00 47 00 65 ;. .G.e.n.e.r.a.t.e.d. .b.y. . success or wait 1 C4EA3F WriteFile 00 6e 00 65 00 72 00 o.n.l.i.n.e. .L.N.G. .e.d.i.t. 61 00 74 00 65 00 64 o.r.,. .h.t.t.p.:././.w.i.n.c. 00 20 00 62 00 79 00 d.e.m.u...s.y.s.p.r.o.g.s...o. 20 00 6f 00 6e 00 6c r.g./.t.r.a.n.s.l.a.t.i.o.n.s. 00 69 00 6e 00 65 00 /.l.n.g.e.d.i.t...p.h.p.....;. 20 00 4c 00 4e 00 47 .S.y.n.t.a.x.:. .<.I.D.>. .<. 00 20 00 65 00 64 00 s.p.a.c.e.s. .o.r. .t.a.b.s.>. . 
69 00 74 00 6f 00 72 <.v.a.l.u.e.> 00 2c 00 20 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 69 00 6e 00 63 00 64 00 65 00 6d 00 75 00 2e 00 73 00 79 00 73 00 70 00 72 00 6f 00 67 00 73 00 2e 00 6f 00 72 00 67 00 2f 00 74 00 72 00 61 00 6e 00 73 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 73 00 2f 00 6c 00 6e 00 67 00 65 00 64 00 69 00 74 00 2e 00 70 00 68 00 70 00 0d 00 0a 00 3b 00 20 00 53 00 79 00 6e 00 74 00 61 00 78 00 3a 00 20 00 3c 00 49 00 44 00 3e 00 20 00 3c 00 73 00 70 00 61 00 63 00 65 00 73 00 20 00 6f 00 72 00 20 00 74 00 61 00 62 00 73 00 3e 00 20 00 3c 00 76 00 61 00 6c 00 75 00 65 00 3e

Copyright Joe Security LLC 2019 Page 60 of 93 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Farsi.lng unknown 9206 3b 00 20 00 47 00 65 ;. .G.e.n.e.r.a.t.e.d. .b.y. . success or wait 1 C4EA3F WriteFile 00 6e 00 65 00 72 00 o.n.l.i.n.e. .L.N.G. .e.d.i.t. 61 00 74 00 65 00 64 o.r.,. .h.t.t.p.:././.w.i.n.c. 00 20 00 62 00 79 00 d.e.m.u...s.y.s.p.r.o.g.s...o. 20 00 6f 00 6e 00 6c r.g./.t.r.a.n.s.l.a.t.i.o.n.s. 00 69 00 6e 00 65 00 /.l.n.g.e.d.i.t...p.h.p.....;. 20 00 4c 00 4e 00 47 .S.y.n.t.a.x.:. .<.I.D.>. .<. 00 20 00 65 00 64 00 s.p.a.c.e.s. .o.r. .t.a.b.s.>. . 69 00 74 00 6f 00 72 <.v.a.l.u.e.> 00 2c 00 20 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 69 00 6e 00 63 00 64 00 65 00 6d 00 75 00 2e 00 73 00 79 00 73 00 70 00 72 00 6f 00 67 00 73 00 2e 00 6f 00 72 00 67 00 2f 00 74 00 72 00 61 00 6e 00 73 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 73 00 2f 00 6c 00 6e 00 67 00 65 00 64 00 69 00 74 00 2e 00 70 00 68 00 70 00 0d 00 0a 00 3b 00 20 00 53 00 79 00 6e 00 74 00 61 00 78 00 3a 00 20 00 3c 00 49 00 44 00 3e 00 20 00 3c 00 73 00 70 00 61 00 63 00 65 00 73 00 20 00 6f 00 72 00 20 00 74 00 61 00 62 00 73 00 3e 00 20 00 3c 00 76 00 61 00 6c 00 75 00 65 00 3e C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_finnish.lng unknown 10266 3b 00 20 00 47 00 65 ;. .G.e.n.e.r.a.t.e.d. .b.y. . success or wait 1 C4EA3F WriteFile 00 6e 00 65 00 72 00 o.n.l.i.n.e. .L.N.G. .e.d.i.t. 61 00 74 00 65 00 64 o.r.,. .h.t.t.p.:././.w.i.n.c. 00 20 00 62 00 79 00 d.e.m.u...s.y.s.p.r.o.g.s...o. 20 00 6f 00 6e 00 6c r.g./.t.r.a.n.s.l.a.t.i.o.n.s. 00 69 00 6e 00 65 00 /.l.n.g.e.d.i.t...p.h.p.....;. 20 00 4c 00 4e 00 47 .S.y.n.t.a.x.:. .<.I.D.>. .<. 00 20 00 65 00 64 00 s.p.a.c.e.s. .o.r. .t.a.b.s.>. . 
69 00 74 00 6f 00 72 <.v.a.l.u.e.> 00 2c 00 20 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 69 00 6e 00 63 00 64 00 65 00 6d 00 75 00 2e 00 73 00 79 00 73 00 70 00 72 00 6f 00 67 00 73 00 2e 00 6f 00 72 00 67 00 2f 00 74 00 72 00 61 00 6e 00 73 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 73 00 2f 00 6c 00 6e 00 67 00 65 00 64 00 69 00 74 00 2e 00 70 00 68 00 70 00 0d 00 0a 00 3b 00 20 00 53 00 79 00 6e 00 74 00 61 00 78 00 3a 00 20 00 3c 00 49 00 44 00 3e 00 20 00 3c 00 73 00 70 00 61 00 63 00 65 00 73 00 20 00 6f 00 72 00 20 00 74 00 61 00 62 00 73 00 3e 00 20 00 3c 00 76 00 61 00 6c 00 75 00 65 00 3e

Copyright Joe Security LLC 2019 Page 61 of 93 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_french.lng unknown 10158 3b 00 20 00 47 00 65 ;. .G.e.n.e.r.a.t.e.d. .b.y. . success or wait 1 C4EA3F WriteFile 00 6e 00 65 00 72 00 o.n.l.i.n.e. .L.N.G. .e.d.i.t. 61 00 74 00 65 00 64 o.r.,. .h.t.t.p.:././.w.i.n.c. 00 20 00 62 00 79 00 d.e.m.u...s.y.s.p.r.o.g.s...o. 20 00 6f 00 6e 00 6c r.g./.t.r.a.n.s.l.a.t.i.o.n.s. 00 69 00 6e 00 65 00 /.l.n.g.e.d.i.t...p.h.p.....;. 20 00 4c 00 4e 00 47 .S.y.n.t.a.x.:. .<.I.D.>. .<. 00 20 00 65 00 64 00 s.p.a.c.e.s. .o.r. .t.a.b.s.>. . 69 00 74 00 6f 00 72 <.v.a.l.u.e.> 00 2c 00 20 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 69 00 6e 00 63 00 64 00 65 00 6d 00 75 00 2e 00 73 00 79 00 73 00 70 00 72 00 6f 00 67 00 73 00 2e 00 6f 00 72 00 67 00 2f 00 74 00 72 00 61 00 6e 00 73 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 73 00 2f 00 6c 00 6e 00 67 00 65 00 64 00 69 00 74 00 2e 00 70 00 68 00 70 00 0d 00 0a 00 3b 00 20 00 53 00 79 00 6e 00 74 00 61 00 78 00 3a 00 20 00 3c 00 49 00 44 00 3e 00 20 00 3c 00 73 00 70 00 61 00 63 00 65 00 73 00 20 00 6f 00 72 00 20 00 74 00 61 00 62 00 73 00 3e 00 20 00 3c 00 76 00 61 00 6c 00 75 00 65 00 3e C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_german.lng unknown 10618 3b 00 20 00 47 00 65 ;. .G.e.n.e.r.a.t.e.d. .b.y. . success or wait 1 C4EA3F WriteFile 00 6e 00 65 00 72 00 o.n.l.i.n.e. .L.N.G. .e.d.i.t. 61 00 74 00 65 00 64 o.r.,. .h.t.t.p.:././.w.i.n.c. 00 20 00 62 00 79 00 d.e.m.u...s.y.s.p.r.o.g.s...o. 20 00 6f 00 6e 00 6c r.g./.t.r.a.n.s.l.a.t.i.o.n.s. 00 69 00 6e 00 65 00 /.l.n.g.e.d.i.t...p.h.p.....;. 20 00 4c 00 4e 00 47 .S.y.n.t.a.x.:. .<.I.D.>. .<. 00 20 00 65 00 64 00 s.p.a.c.e.s. .o.r. .t.a.b.s.>. . 
69 00 74 00 6f 00 72 <.v.a.l.u.e.> 00 2c 00 20 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 69 00 6e 00 63 00 64 00 65 00 6d 00 75 00 2e 00 73 00 79 00 73 00 70 00 72 00 6f 00 67 00 73 00 2e 00 6f 00 72 00 67 00 2f 00 74 00 72 00 61 00 6e 00 73 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 73 00 2f 00 6c 00 6e 00 67 00 65 00 64 00 69 00 74 00 2e 00 70 00 68 00 70 00 0d 00 0a 00 3b 00 20 00 53 00 79 00 6e 00 74 00 61 00 78 00 3a 00 20 00 3c 00 49 00 44 00 3e 00 20 00 3c 00 73 00 70 00 61 00 63 00 65 00 73 00 20 00 6f 00 72 00 20 00 74 00 61 00 62 00 73 00 3e 00 20 00 3c 00 76 00 61 00 6c 00 75 00 65 00 3e

Copyright Joe Security LLC 2019 Page 62 of 93 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_greek.lng unknown 9700 3b 00 20 00 47 00 65 ;. .G.e.n.e.r.a.t.e.d. .b.y. . success or wait 1 C4EA3F WriteFile 00 6e 00 65 00 72 00 o.n.l.i.n.e. .L.N.G. .e.d.i.t. 61 00 74 00 65 00 64 o.r.,. .h.t.t.p.:././.w.i.n.c. 00 20 00 62 00 79 00 d.e.m.u...s.y.s.p.r.o.g.s...o. 20 00 6f 00 6e 00 6c r.g./.t.r.a.n.s.l.a.t.i.o.n.s. 00 69 00 6e 00 65 00 /.l.n.g.e.d.i.t...p.h.p.....;. 20 00 4c 00 4e 00 47 .S.y.n.t.a.x.:. .<.I.D.>. .<. 00 20 00 65 00 64 00 s.p.a.c.e.s. .o.r. .t.a.b.s.>. . 69 00 74 00 6f 00 72 <.v.a.l.u.e.> 00 2c 00 20 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 69 00 6e 00 63 00 64 00 65 00 6d 00 75 00 2e 00 73 00 79 00 73 00 70 00 72 00 6f 00 67 00 73 00 2e 00 6f 00 72 00 67 00 2f 00 74 00 72 00 61 00 6e 00 73 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 73 00 2f 00 6c 00 6e 00 67 00 65 00 64 00 69 00 74 00 2e 00 70 00 68 00 70 00 0d 00 0a 00 3b 00 20 00 53 00 79 00 6e 00 74 00 61 00 78 00 3a 00 20 00 3c 00 49 00 44 00 3e 00 20 00 3c 00 73 00 70 00 61 00 63 00 65 00 73 00 20 00 6f 00 72 00 20 00 74 00 61 00 62 00 73 00 3e 00 20 00 3c 00 76 00 61 00 6c 00 75 00 65 00 3e C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_hebrew.lng unknown 8632 3b 00 20 00 47 00 65 ;. .G.e.n.e.r.a.t.e.d. .b.y. . success or wait 1 C4EA3F WriteFile 00 6e 00 65 00 72 00 o.n.l.i.n.e. .L.N.G. .e.d.i.t. 61 00 74 00 65 00 64 o.r.,. .h.t.t.p.:././.w.i.n.c. 00 20 00 62 00 79 00 d.e.m.u...s.y.s.p.r.o.g.s...o. 20 00 6f 00 6e 00 6c r.g./.t.r.a.n.s.l.a.t.i.o.n.s. 00 69 00 6e 00 65 00 /.l.n.g.e.d.i.t...p.h.p.....;. 20 00 4c 00 4e 00 47 .S.y.n.t.a.x.:. .<.I.D.>. .<. 00 20 00 65 00 64 00 s.p.a.c.e.s. .o.r. .t.a.b.s.>. . 
69 00 74 00 6f 00 72 <.v.a.l.u.e.> 00 2c 00 20 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 69 00 6e 00 63 00 64 00 65 00 6d 00 75 00 2e 00 73 00 79 00 73 00 70 00 72 00 6f 00 67 00 73 00 2e 00 6f 00 72 00 67 00 2f 00 74 00 72 00 61 00 6e 00 73 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 73 00 2f 00 6c 00 6e 00 67 00 65 00 64 00 69 00 74 00 2e 00 70 00 68 00 70 00 0d 00 0a 00 3b 00 20 00 53 00 79 00 6e 00 74 00 61 00 78 00 3a 00 20 00 3c 00 49 00 44 00 3e 00 20 00 3c 00 73 00 70 00 61 00 63 00 65 00 73 00 20 00 6f 00 72 00 20 00 74 00 61 00 62 00 73 00 3e 00 20 00 3c 00 76 00 61 00 6c 00 75 00 65 00 3e

Copyright Joe Security LLC 2019 Page 63 of 93 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_hungarian.lng unknown 10302 3b 00 20 00 47 00 65 ;. .G.e.n.e.r.a.t.e.d. .b.y. . success or wait 1 C4EA3F WriteFile 00 6e 00 65 00 72 00 o.n.l.i.n.e. .L.N.G. .e.d.i.t. 61 00 74 00 65 00 64 o.r.,. .h.t.t.p.:././.w.i.n.c. 00 20 00 62 00 79 00 d.e.m.u...s.y.s.p.r.o.g.s...o. 20 00 6f 00 6e 00 6c r.g./.t.r.a.n.s.l.a.t.i.o.n.s. 00 69 00 6e 00 65 00 /.l.n.g.e.d.i.t...p.h.p.....;. 20 00 4c 00 4e 00 47 .S.y.n.t.a.x.:. .<.I.D.>. .<. 00 20 00 65 00 64 00 s.p.a.c.e.s. .o.r. .t.a.b.s.>. . 69 00 74 00 6f 00 72 <.v.a.l.u.e.> 00 2c 00 20 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 69 00 6e 00 63 00 64 00 65 00 6d 00 75 00 2e 00 73 00 79 00 73 00 70 00 72 00 6f 00 67 00 73 00 2e 00 6f 00 72 00 67 00 2f 00 74 00 72 00 61 00 6e 00 73 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 73 00 2f 00 6c 00 6e 00 67 00 65 00 64 00 69 00 74 00 2e 00 70 00 68 00 70 00 0d 00 0a 00 3b 00 20 00 53 00 79 00 6e 00 74 00 61 00 78 00 3a 00 20 00 3c 00 49 00 44 00 3e 00 20 00 3c 00 73 00 70 00 61 00 63 00 65 00 73 00 20 00 6f 00 72 00 20 00 74 00 61 00 62 00 73 00 3e 00 20 00 3c 00 76 00 61 00 6c 00 75 00 65 00 3e C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Indonesia.lng unknown 9234 3b 00 20 00 47 00 65 ;. .G.e.n.e.r.a.t.e.d. .b.y. . success or wait 1 C4EA3F WriteFile 00 6e 00 65 00 72 00 o.n.l.i.n.e. .L.N.G. .e.d.i.t. 61 00 74 00 65 00 64 o.r.,. .h.t.t.p.:././.w.i.n.c. 00 20 00 62 00 79 00 d.e.m.u...s.y.s.p.r.o.g.s...o. 20 00 6f 00 6e 00 6c r.g./.t.r.a.n.s.l.a.t.i.o.n.s. 00 69 00 6e 00 65 00 /.l.n.g.e.d.i.t...p.h.p.....;. 20 00 4c 00 4e 00 47 .S.y.n.t.a.x.:. .<.I.D.>. .<. 00 20 00 65 00 64 00 s.p.a.c.e.s. .o.r. .t.a.b.s.>. . 
69 00 74 00 6f 00 72 <.v.a.l.u.e.> 00 2c 00 20 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 69 00 6e 00 63 00 64 00 65 00 6d 00 75 00 2e 00 73 00 79 00 73 00 70 00 72 00 6f 00 67 00 73 00 2e 00 6f 00 72 00 67 00 2f 00 74 00 72 00 61 00 6e 00 73 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 73 00 2f 00 6c 00 6e 00 67 00 65 00 64 00 69 00 74 00 2e 00 70 00 68 00 70 00 0d 00 0a 00 3b 00 20 00 53 00 79 00 6e 00 74 00 61 00 78 00 3a 00 20 00 3c 00 49 00 44 00 3e 00 20 00 3c 00 73 00 70 00 61 00 63 00 65 00 73 00 20 00 6f 00 72 00 20 00 74 00 61 00 62 00 73 00 3e 00 20 00 3c 00 76 00 61 00 6c 00 75 00 65 00 3e

File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_italian.lng | Offset: unknown | Length: 10296 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile
File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_japanese.lng | Offset: unknown | Length: 2688 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile

File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_kannada.lng | Offset: unknown | Length: 9846 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile
File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_korean.lng | Offset: unknown | Length: 7178 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile

File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_kurdish.lng | Offset: unknown | Length: 5006 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile
File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_lithuanian.lng | Offset: unknown | Length: 3034 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile

File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_macedonian.lng | Offset: unknown | Length: 9538 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile
File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_malay.lng | Offset: unknown | Length: 9558 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile

File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_norsk.lng | Offset: unknown | Length: 8462 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile
File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_norwegian.lng | Offset: unknown | Length: 9910 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile

File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_polish.lng | Offset: unknown | Length: 10586 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile
File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_portuguese.lng | Offset: unknown | Length: 10868 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile

File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_portuguese_brazil.lng | Offset: unknown | Length: 9460 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile
File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_romanian.lng | Offset: unknown | Length: 9580 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile

File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_russian.lng | Offset: unknown | Length: 9190 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile
File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Slovak.lng | Offset: unknown | Length: 9632 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile

File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_slovenian.lng | Offset: unknown | Length: 9810 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile
File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_slovenscina.lng | Offset: unknown | Length: 4030 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile

File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_spanish.lng | Offset: unknown | Length: 10612 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile
File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_sr.lng | Offset: unknown | Length: 9258 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile

File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_swedish.lng | Offset: unknown | Length: 9172 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile
File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_ta.lng | Offset: unknown | Length: 9820 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile

File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_Taiwan.lng | Offset: unknown | Length: 7004 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile
File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_turkish.lng | Offset: unknown | Length: 8864 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile

File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_urdu.lng | Offset: unknown | Length: 9104 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile
File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_uzbek.lng | Offset: unknown | Length: 9124 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile

File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_zh_CN.lng | Offset: unknown | Length: 6406 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile
File Path: C:\Program Files (x86)\WinCDEmu\langfiles\vmnt_zh_TW.lng | Offset: unknown | Length: 3380 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile

File Path: C:\Program Files (x86)\WinCDEmu\bazisvirtualcdbus.cat | Offset: unknown | Length: 8624 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile
File Path: C:\Program Files (x86)\WinCDEmu\BazisVirtualCDBus.inf | Offset: unknown | Length: 1458 | Completion: success or wait | Count: 1 | Source Address: C4EA3F | Symbol: WriteFile

Copyright Joe Security LLC 2019 Page 79 of 93 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\WinCDEmu\x64\BazisVirtualCDBus.sys unknown 172376 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 C4EA3F WriteFile 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... ,...BT..BT..BT...T.. 00 00 00 00 00 00 00 BT...T..BT...T..BT..CT..BT. 00 00 00 00 00 00 00 w9T..BT.w? 00 00 00 00 01 00 00 T..BT.w.T..BT.w.T..BT.w 0e 1f ba 0e 00 b4 09 .T..BT.w.T..BTRich..BT...... cd 21 b8 01 4c cd 21 ...... 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e9 8b 2c 07 ad ea 42 54 ad ea 42 54 ad ea 42 54 a4 92 d7 54 ac ea 42 54 a4 92 c1 54 ae ea 42 54 a4 92 c6 54 ac ea 42 54 ad ea 43 54 c2 ea 42 54 db 77 39 54 a8 ea 42 54 db 77 3f 54 ae ea 42 54 b6 77 ed 54 a1 ea 42 54 b6 77 e9 54 94 ea 42 54 b6 77 d8 54 ac ea 42 54 b6 77 df 54 ac ea 42 54 52 69 63 68 ad ea 42 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C:\Program Files (x86)\WinCDEmu\x86\BazisVirtualCDBus.sys unknown 121688 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 C4EA3F WriteFile 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... 4F.CU(.CU(.CU(.J- 00 00 00 00 00 00 00 ..@U(.J-..BU(.J- 00 00 00 00 00 00 00 ..BU(.CU).9U(..Zu. 00 00 00 f0 00 00 00 DU(..Zw.BU(.X...OU(.X...z 0e 1f ba 0e 00 b4 09 U(.X. cd 21 b8 01 4c cd 21 ..BU(.X...BU(.RichCU(...... 54 68 69 73 20 70 72 ..PE..L....Y.V... 
6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 07 34 46 a3 43 55 28 f0 43 55 28 f0 43 55 28 f0 4a 2d ab f0 40 55 28 f0 4a 2d ac f0 42 55 28 f0 4a 2d bd f0 42 55 28 f0 43 55 29 f0 39 55 28 f0 80 5a 75 f0 44 55 28 f0 80 5a 77 f0 42 55 28 f0 58 c8 87 f0 4f 55 28 f0 58 c8 83 f0 7a 55 28 f0 58 c8 b2 f0 42 55 28 f0 58 c8 b5 f0 42 55 28 f0 52 69 63 68 43 55 28 f0 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 ab 59 07 56 00 00 00

Copyright Joe Security LLC 2019 Page 80 of 93 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\ssi9393.tmp\drvinst32.exe unknown 5120 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 C4EA3F WriteFile 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... S<..2R..2R..2R...)..2 00 00 00 00 00 00 00 R..2S..2R..J...2R..J...2R.Ri 00 00 00 00 00 00 00 ch.2R...... PE..L..... 00 00 00 c8 00 00 00 .K...... 0e 1f ba 0e 00 b4 09 ....@ cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ff 53 3c d6 bb 32 52 85 bb 32 52 85 bb 32 52 85 9c f4 29 85 b2 32 52 85 bb 32 53 85 ad 32 52 85 b2 4a d8 85 b8 32 52 85 b2 4a c3 85 ba 32 52 85 52 69 63 68 bb 32 52 85 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 8b 84 b3 4b 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 06 00 00 00 0a 00 00 00 00 00 00 e0 10 00 00 00 10 00 00 00 20 00 00 00 00 40 C:\Users\user\AppData\Local\Temp\ssi9393.tmp\drvinst64.exe unknown 6144 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 C4EA3F WriteFile 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... S<..2R..2R..2R...)..2 00 00 00 00 00 00 00 R..2S..2R..J...2R..J...2R.Ri 00 00 00 00 00 00 00 ch.2R...... PE..d..... 00 00 00 c8 00 00 00 .K...... "...... 0e 1f ba 0e 00 b4 09 P...... @... 
cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ff 53 3c d6 bb 32 52 85 bb 32 52 85 bb 32 52 85 9c f4 29 85 b2 32 52 85 bb 32 53 85 ad 32 52 85 b2 4a d8 85 b8 32 52 85 b2 4a c3 85 ba 32 52 85 52 69 63 68 bb 32 52 85 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 05 00 07 87 b3 4b 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 09 00 00 08 00 00 00 0c 00 00 00 00 00 00 50 11 00 00 00 10 00 00 00 00 00 40 01 00 00

File Read

| Source File Path | Offset | Length | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 1576544 | success or wait | 1 | C41F29 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 88 | success or wait | 1 | C49476 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 88 | success or wait | 1 | C4A441 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 4 | success or wait | 1 | C49B83 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 4 | success or wait | 1 | C49BB9 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 144 | success or wait | 1 | C49C19 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 4 | success or wait | 1 | C49D73 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 4 | success or wait | 1 | C49DA9 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 144 | success or wait | 1 | C49E03 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 4 | success or wait | 1 | C4A0D8 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 4 | success or wait | 1 | C4A135 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 16 | success or wait | 1 | C4A189 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 4 | success or wait | 1 | C4A1D8 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 16 | success or wait | 1 | C4A231 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 292 | success or wait | 4 | C4A27F | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 4 | success or wait | 1 | C43B7A | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 4 | success or wait | 1 | C43B9A | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 160 | success or wait | 1 | C43BF8 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 5031 | success or wait | 1 | C43C19 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 7 | success or wait | 2 | C4F129 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 24 | success or wait | 2 | C4F180 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 160 | success or wait | 2 | C4F1E2 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 5 | success or wait | 2 | C4F06F | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 452 | success or wait | 15 | C4F06F | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 12 | success or wait | 2 | C4F324 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 5 | success or wait | 2 | C4F06F | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 7 | success or wait | 1 | C4F129 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 24 | success or wait | 1 | C4F180 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 160 | success or wait | 1 | C4F1E2 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 5 | success or wait | 1 | C4F06F | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 12 | success or wait | 1 | C4F324 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 5 | success or wait | 1 | C4F06F | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 7 | success or wait | 3 | C4F129 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 24 | success or wait | 3 | C4F180 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 160 | success or wait | 3 | C4F1E2 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 5 | success or wait | 3 | C4F06F | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 12 | success or wait | 3 | C4F324 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 5 | success or wait | 3 | C4F06F | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 16 | success or wait | 3 | C4F324 | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 5 | success or wait | 3 | C4F06F | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 228619 | success or wait | 1 | C4F06F | ReadFile |
| C:\Users\user\Desktop\WinCDEmu-4.1.exe | unknown | 244 | success or wait | 3 | C4F06F | ReadFile |

Registry Activities

Key Created

| Source Key Path | Completion | Count | Address | Symbol |
|---|---|---|---|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\vmnt64.exe | success or wait | 1 | C482DE | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\vmnt64.exe\shell | success or wait | 1 | C482DE | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\vmnt64.exe\shell\open | success or wait | 1 | C482DE | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\vmnt64.exe\shell\open\command | success or wait | 1 | C482DE | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.IsoFile\shell\open | success or wait | 1 | C47A36 | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.IsoFile\shell\open\command | success or wait | 1 | C47A36 | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cue | success or wait | 1 | C478A7 | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Cue | success or wait | 1 | C4795D | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Cue\DefaultIcon | success or wait | 1 | C479AD | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Cue\DefaultIcon\shell | success or wait | 1 | C47A36 | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Cue\shell\open | success or wait | 1 | C47A36 | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Cue\shell\open\command | success or wait | 1 | C47A36 | RegCreateKeyExA |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cue | success or wait | 1 | C47F9E | RegCreateKeyExA |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. | success or wait | 1 | C47F9E | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\. | success or wait | 1 | C478A7 | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Nrg | success or wait | 1 | C4795D | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Nrg\DefaultIcon | success or wait | 1 | C479AD | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Nrg\DefaultIcon\shell | success or wait | 1 | C47A36 | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Nrg\shell\open | success or wait | 1 | C47A36 | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Nrg\shell\open\command | success or wait | 1 | C47A36 | RegCreateKeyExA |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nrg | success or wait | 1 | C47F9E | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mds | success or wait | 1 | C478A7 | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Mds | success or wait | 1 | C4795D | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Mds\DefaultIcon | success or wait | 1 | C479AD | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Mds\DefaultIcon\shell | success or wait | 1 | C47A36 | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Mds\shell\open | success or wait | 1 | C47A36 | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Mds\shell\open\command | success or wait | 1 | C47A36 | RegCreateKeyExA |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mds | success or wait | 1 | C47F9E | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ccd | success or wait | 1 | C478A7 | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Ccd | success or wait | 1 | C4795D | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Ccd\DefaultIcon | success or wait | 1 | C479AD | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Ccd\DefaultIcon\shell | success or wait | 1 | C47A36 | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Ccd\shell\open | success or wait | 1 | C47A36 | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Ccd\shell\open\command | success or wait | 1 | C47A36 | RegCreateKeyExA |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ccd | success or wait | 1 | C47F9E | RegCreateKeyExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WinCDEmu | success or wait | 1 | C48A34 | RegCreateKeyExA |

Key Value Created

| Source Key Path | Name | Type | Data | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|---|
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso | Application | unicode | vmnt64.exe | success or wait | 1 | C44336 | RegSetValueExA |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cue | Application | unicode | vmnt64.exe | success or wait | 1 | C44336 | RegSetValueExA |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.img | Application | unicode | vmnt64.exe | success or wait | 1 | C44336 | RegSetValueExA |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nrg | Application | unicode | vmnt64.exe | success or wait | 1 | C44336 | RegSetValueExA |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mds | Application | unicode | vmnt64.exe | success or wait | 1 | C44336 | RegSetValueExA |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ccd | Application | unicode | vmnt64.exe | success or wait | 1 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WinCDEmu | DisplayName | unicode | WinCDEmu | success or wait | 1 | C48A78 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WinCDEmu | DisplayVersion | unicode | 4.1 | success or wait | 1 | C48AD0 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WinCDEmu | InstallLocation | unicode | C:\Program Files (x86)\WinCDEmu | success or wait | 1 | C48B0D | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WinCDEmu | NoModify | dword | 1 | success or wait | 1 | C48B3A | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WinCDEmu | NoRepair | dword | 1 | success or wait | 1 | C48B61 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WinCDEmu | Publisher | unicode | Sysprogs | success or wait | 1 | C48B7F | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WinCDEmu | HelpLink | unicode | http://www.sysprogs.com/ | success or wait | 1 | C48B9D | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WinCDEmu | UninstallString | unicode | C:\Program Files (x86)\WinCDEmu\uninstall64.exe | success or wait | 1 | C48BD3 | RegSetValueExA |

Key Value Modified

| Source Key Path | Name | Type | Old Data / New Data | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\vmnt64.exe\shell\open\command | NULL | unicode | "C:\Program Files (x86)\WinCDEmu\vmnt64.exe" "%1" | success or wait | 2 | C483EB | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.IsoFile\shell\open\command | NULL | unicode | "C:\Program Files (x86)\WinCDEmu\vmnt64.exe" "%1" | success or wait | 4 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.IsoFile\shell\open\command | NULL | unicode | "C:\Program Files (x86)\WinCDEmu\vmnt64.exe" "%1" | success or wait | 4 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cue | NULL | unicode | BazisVirtualCD.Cue | success or wait | 1 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Cue | NULL | unicode | for CD/DVD image | success or wait | 1 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Cue\DefaultIcon | NULL | unicode | %SystemRoot%\SysWow64\shell32.dll,11 | success or wait | 1 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Cue\shell\open\command | NULL | unicode | "C:\Program Files (x86)\WinCDEmu\vmnt64.exe" "%1" | success or wait | 2 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Cue\shell\open\command | NULL | unicode | "C:\Program Files (x86)\WinCDEmu\vmnt64.exe" "%1" | success or wait | 2 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.nrg | NULL | unicode | BazisVirtualCD.Nrg | success or wait | 1 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Nrg | NULL | unicode | Nero CD/DVD image | success or wait | 1 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Nrg\DefaultIcon | NULL | unicode | %SystemRoot%\SysWow64\shell32.dll,11 | success or wait | 1 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Nrg\shell\open\command | NULL | unicode | "C:\Program Files (x86)\WinCDEmu\vmnt64.exe" "%1" | success or wait | 2 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Nrg\shell\open\command | NULL | unicode | "C:\Program Files (x86)\WinCDEmu\vmnt64.exe" "%1" | success or wait | 2 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mds | NULL | unicode | BazisVirtualCD.Mds | success or wait | 1 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Mds | NULL | unicode | Alcohol CD/DVD image | success or wait | 1 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Mds\DefaultIcon | NULL | unicode | %SystemRoot%\SysWow64\shell32.dll,11 | success or wait | 1 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Mds\shell\open\command | NULL | unicode | "C:\Program Files (x86)\WinCDEmu\vmnt64.exe" "%1" | success or wait | 2 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Mds\shell\open\command | NULL | unicode | "C:\Program Files (x86)\WinCDEmu\vmnt64.exe" "%1" | success or wait | 2 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ccd | NULL | unicode | BazisVirtualCD.Ccd | success or wait | 1 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Ccd | NULL | unicode | CloneCD CD/DVD image | success or wait | 1 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Ccd\DefaultIcon | NULL | unicode | %SystemRoot%\SysWow64\shell32.dll,11 | success or wait | 1 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Ccd\shell\open\command | NULL | unicode | "C:\Program Files (x86)\WinCDEmu\vmnt64.exe" "%1" | success or wait | 2 | C44336 | RegSetValueExA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.Ccd\shell\open\command | NULL | unicode | "C:\Program Files (x86)\WinCDEmu\vmnt64.exe" "%1" | success or wait | 2 | C44336 | RegSetValueExA |

Analysis Process: uninstall64.exe PID: 3692 Parent PID: 2284

General

Start time: 23:17:32
Start date: 10/05/2019
Path: C:\Program Files (x86)\WinCDEmu\uninstall64.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files (x86)\WinCDEmu\uninstall64.exe' /UPDATE
Imagebase: 0x7ff7ff140000
File size: 169632 bytes
MD5 hash: 2ED433C12CFA75908EB790FC8B23EA9E
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches: Detection: 0%, virustotal, Browse
Reputation: low

File Activities


Registry Activities

Key Created

| Source Key Path | Completion | Count | Address | Symbol |
|---|---|---|---|---|
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\BazisVirtualCDBus | success or wait | 1 | 7FF7FF14346B | RegCreateKeyExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.IMG | success or wait | 1 | 7FF7FF142216 | RegCreateKeyExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.IMG\shell | success or wait | 1 | 7FF7FF14225F | RegCreateKeyExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.ISO | success or wait | 1 | 7FF7FF142216 | RegCreateKeyExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BazisVirtualCD.ISO\shell | success or wait | 1 | 7FF7FF14225F | RegCreateKeyExW |

Analysis Process: VirtualAutorunDisabler.exe PID: 3456 Parent PID: 3692

General

Start time: 23:17:33
Start date: 10/05/2019
Path: C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisabler.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisabler.exe' /RegServer
Imagebase: 0x9c0000
File size: 87040 bytes
MD5 hash: 98E22C7CD9BAECA08875EAFD182C13FC
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities


Registry Activities

Key Created

| Source Key Path | Completion | Count | Address | Symbol |
|---|---|---|---|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{6C50E507-74A2-4434-95A6-53563A797FF6} | success or wait | 1 | 9C1D51 | RegCreateKeyExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\VirtualAutorunDisabler.EXE | success or wait | 1 | 9C1D51 | RegCreateKeyExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VirtualAutorunDisabler.VirtualAutorun.1 | success or wait | 1 | 9C1D51 | RegCreateKeyExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VirtualAutorunDisabler.VirtualAutorun.1\CLSID | success or wait | 1 | 9C1D51 | RegCreateKeyExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VirtualAutorunDisabler.VirtualAutorunDi | success or wait | 1 | 9C1D51 | RegCreateKeyExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VirtualAutorunDisabler.VirtualAutorunDi\CLSID | success or wait | 1 | 9C1D51 | RegCreateKeyExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VirtualAutorunDisabler.VirtualAutorunDi\CurVer | success or wait | 1 | 9C1D51 | RegCreateKeyExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61} | success or wait | 1 | 9C1D51 | RegCreateKeyExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61}\ProgID | success or wait | 1 | 9C1D51 | RegCreateKeyExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61}\VersionIndependentProgID | success or wait | 1 | 9C1D51 | RegCreateKeyExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61}\LocalServer32 | success or wait | 1 | 9C1D51 | RegCreateKeyExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61}\TypeLib | success or wait | 1 | 9C1D51 | RegCreateKeyExW |

Key Value Created

| Source Key Path | Name | Type | Data | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{6C50E507-74A2-4434-95A6-53563A797FF6} | ROTFlags | dword | 1 | success or wait | 1 | 9C1E5A | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\VirtualAutorunDisabler.EXE | AppID | unicode | {6C50E507-74A2-4434-95A6-53563A797FF6} | success or wait | 1 | 9C1E97 | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\CLSID | 04DDC073-352E-447D-8A83-3E1FD9D41E61 | unicode | | success or wait | 1 | 9C1E97 | RegSetValueExW |

Key Value Modified

| Source Key Path | Name | Type | Old Data / New Data | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{6C50E507-74A2-4434-95A6-53563A797FF6} | NULL | unicode | VirtualAutorunDisabler | success or wait | 1 | 9C1E97 | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VirtualAutorunDisabler.VirtualAutorun.1 | NULL | unicode | VirtualAutorunDisablingMonitor Class | success or wait | 1 | 9C1E97 | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VirtualAutorunDisabler.VirtualAutorun.1\CLSID | NULL | unicode | {04DDC073-352E-447D-8A83-3E1FD9D41E61} | success or wait | 1 | 9C1E97 | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VirtualAutorunDisabler.VirtualAutorunDi | NULL | unicode | VirtualAutorunDisablingMonitor Class | success or wait | 1 | 9C1E97 | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VirtualAutorunDisabler.VirtualAutorunDi\CLSID | NULL | unicode | {04DDC073-352E-447D-8A83-3E1FD9D41E61} | success or wait | 1 | 9C1E97 | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VirtualAutorunDisabler.VirtualAutorunDi\CurVer | NULL | unicode | VirtualAutorunDisabler.VirtualAutorun.1 | success or wait | 1 | 9C1E97 | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61} | NULL | unicode | VirtualAutorunDisablingMonitor Class | success or wait | 1 | 9C1E97 | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61}\ProgID | NULL | unicode | VirtualAutorunDisabler.VirtualAutorun.1 | success or wait | 1 | 9C1E97 | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61}\VersionIndependentProgID | NULL | unicode | VirtualAutorunDisabler.VirtualAutorunDi | success or wait | 1 | 9C1E97 | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61}\LocalServer32 | NULL | unicode | "C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisabler.exe" | success or wait | 1 | 9C1E97 | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61}\TypeLib | NULL | unicode | {D2243491-B0DF-40CC-9973-9E401631D770} | success or wait | 1 | 9C1E97 | RegSetValueExW |

Analysis Process: regsvr32.exe PID: 2560 Parent PID: 3692

General

Start time: 23:17:33
Start date: 10/05/2019
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisablerPS.dll'
Imagebase: 0x7ff6fb910000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

File Read

| Source File Path | Offset | Length | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|
| C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisablerPS.dll | unknown | 64 | success or wait | 1 | 7FF6FB9110E3 | ReadFile |
| C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisablerPS.dll | unknown | 264 | success or wait | 1 | 7FF6FB911125 | ReadFile |

Analysis Process: regsvr32.exe PID: 2944 Parent PID: 3692

General

Start time: 23:17:33
Start date: 10/05/2019
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Program Files (x86)\WinCDEmu\x86\WinCDEmuContextMenu.dll'
Imagebase: 0x7ff6fb910000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

File Read

| Source File Path | Offset | Length | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|
| C:\Program Files (x86)\WinCDEmu\x86\WinCDEmuContextMenu.dll | unknown | 64 | success or wait | 1 | 7FF6FB9110E3 | ReadFile |
| C:\Program Files (x86)\WinCDEmu\x86\WinCDEmuContextMenu.dll | unknown | 264 | success or wait | 1 | 7FF6FB911125 | ReadFile |

Analysis Process: regsvr32.exe PID: 1032 Parent PID: 2560

General

Start time: 23:17:33
Start date: 10/05/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: /s 'C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisablerPS.dll'
Imagebase: 0xc70000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Registry Activities


Analysis Process: VirtualAutorunDisabler.exe PID: 4348 Parent PID: 3692

General

Start time: 23:17:34
Start date: 10/05/2019
Path: C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisabler.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisabler.exe' /RegServer
Imagebase: 0x7ff74a730000
File size: 101376 bytes
MD5 hash: 6F587118EB5B019F61B864FAAFD6EBCD
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches: Detection: 0%, virustotal, Browse; Detection: 0%, metadefender, Browse
Reputation: low

File Activities


Registry Activities

Key Created

| Source Key Path | Completion | Count | Address | Symbol |
|---|---|---|---|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61} | success or wait | 1 | 7FF74A73424A | RegCreateKeyExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61}\ProgID | success or wait | 1 | 7FF74A73424A | RegCreateKeyExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61}\VersionIndependentProgID | success or wait | 1 | 7FF74A73424A | RegCreateKeyExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61}\LocalServer32 | success or wait | 1 | 7FF74A73424A | RegCreateKeyExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61}\TypeLib | success or wait | 1 | 7FF74A73424A | RegCreateKeyExW |

Key Value Modified

| Source Key Path | Name | Type | Old Data / New Data | Completion | Count | Address | Symbol |
|---|---|---|---|---|---|---|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{6C50E507-74A2-4434-95A6-53563A797FF6} | NULL | unicode | VirtualAutorunDisabler | success or wait | 1 | 7FF74A733DC8 | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VirtualAutorunDisabler.VirtualAutorun.1 | NULL | unicode | VirtualAutorunDisablingMonitor Class | success or wait | 1 | 7FF74A733DC8 | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VirtualAutorunDisabler.VirtualAutorun.1\CLSID | NULL | unicode | {04DDC073-352E-447D-8A83-3E1FD9D41E61} | success or wait | 1 | 7FF74A733DC8 | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VirtualAutorunDisabler.VirtualAutorunDi | NULL | unicode | VirtualAutorunDisablingMonitor Class | success or wait | 1 | 7FF74A733DC8 | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VirtualAutorunDisabler.VirtualAutorunDi\CLSID | NULL | unicode | {04DDC073-352E-447D-8A83-3E1FD9D41E61} | success or wait | 1 | 7FF74A733DC8 | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VirtualAutorunDisabler.VirtualAutorunDi\CurVer | NULL | unicode | VirtualAutorunDisabler.VirtualAutorun.1 | success or wait | 1 | 7FF74A733DC8 | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61} | NULL | unicode | VirtualAutorunDisablingMonitor Class | success or wait | 1 | 7FF74A733DC8 | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61}\ProgID | NULL | unicode | VirtualAutorunDisabler.VirtualAutorun.1 | success or wait | 1 | 7FF74A733DC8 | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61}\VersionIndependentProgID | NULL | unicode | VirtualAutorunDisabler.VirtualAutorunDi | success or wait | 1 | 7FF74A733DC8 | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61}\LocalServer32 | NULL | unicode | "C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisabler.exe" | success or wait | 1 | 7FF74A733DC8 | RegSetValueExW |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04DDC073-352E-447D-8A83-3E1FD9D41E61}\TypeLib | NULL | unicode | {D2243491-B0DF-40CC-9973-9E401631D770} | success or wait | 1 | 7FF74A733DC8 | RegSetValueExW |

Analysis Process: regsvr32.exe PID: 3104 Parent PID: 2944

General

Start time: 23:17:34
Start date: 10/05/2019
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: /s 'C:\Program Files (x86)\WinCDEmu\x86\WinCDEmuContextMenu.dll'
Imagebase: 0xc70000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: regsvr32.exe PID: 4852 Parent PID: 3692

General

Start time: 23:17:34
Start date: 10/05/2019
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisablerPS.dll'
Imagebase: 0x7ff6fb910000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: regsvr32.exe PID: 1144 Parent PID: 3692

General

Start time: 23:17:34
Start date: 10/05/2019
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Program Files (x86)\WinCDEmu\x64\WinCDEmuContextMenu.dll'
Imagebase: 0x7ff6fb910000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: drvinst64.exe PID: 3340 Parent PID: 2284

General

Start time: 23:17:36
Start date: 10/05/2019
Path: C:\Users\user\AppData\Local\Temp\ssi9393.tmp\drvinst64.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\ssi9393.tmp\drvinst64.exe instroot 'root\BazisVirtualCDBus' 'C:\Program Files (x86)\WinCDEmu\BazisVirtualCDBus.inf'
Imagebase: 0x7ff7c6220000
File size: 6144 bytes
MD5 hash: 731A3CE577B0A406723B4405FB4CD2F1
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Completion Count Address Symbol

Source Old File Path New File Path Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Analysis Process: drvinst.exe PID: 4356 Parent PID: 724

General

Start time: 23:17:38
Start date: 10/05/2019
Path: C:\Windows\System32\drvinst.exe
Wow64 process (32bit): false
Commandline: DrvInst.exe '4' '0' 'C:\Users\user\AppData\Local\Temp\{df3353aa-c23b-5443-8fea-aa7ade97b78e}\bazisvirtualcdbus.inf' '9' '4aa431c33' '0000000000000D7C' 'WinSta0\Default' '0000000000000DA4' '208' 'c:\program files (x86)\wincdemu'
Imagebase: 0x7ff7920d0000
File size: 166912 bytes
MD5 hash: 46F5A16FA391AB6EA97C602B4D2E7819
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Completion Count Address Symbol

Source Old File Path New File Path Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Analysis Process: rundll32.exe PID: 3820 Parent PID: 4356

General

Start time: 23:17:39
Start date: 10/05/2019
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{973994b0-5adb-bd4d-819c-fe0f7d6aa2c9} Global\{5ea01259-f862-6e47-b860-3e0ae80066e2} C:\Windows\System32\DriverStore\Temp\{15724f1a-6ddf-4d47-b721-e090da908724}\bazisvirtualcdbus.inf C:\Windows\System32\DriverStore\Temp\{15724f1a-6ddf-4d47-b721-e090da908724}\BazisVirtualCDBus.cat
Imagebase: 0x7ff785980000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: drvinst.exe PID: 3160 Parent PID: 724

General

Start time: 23:17:47
Start date: 10/05/2019
Path: C:\Windows\System32\drvinst.exe
Wow64 process (32bit): false
Commandline: DrvInst.exe '2' '211' 'ROOT\SCSIADAPTER\0000' 'C:\Windows\INF\oem3.inf' 'bazisvirtualcdbus.inf:6a548da5cccf6fa4:BazisVirtualCDBus_Device:4.1.1.0:root\bazisvirtualcdbus,' '4aa431c33' '0000000000000CDC'
Imagebase: 0x7ff7920d0000
File size: 166912 bytes
MD5 hash: 46F5A16FA391AB6EA97C602B4D2E7819
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: vmnt64.exe PID: 3300 Parent PID: 2284

General

Start time: 23:17:50
Start date: 10/05/2019
Path: C:\Program Files (x86)\WinCDEmu\vmnt64.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files (x86)\WinCDEmu\vmnt64' /uacdisable
Imagebase: 0x140000000
File size: 406360 bytes
MD5 hash: BF26C935FFD4C25FFF6731DBF73D2212
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches: Detection: 0%, virustotal; Detection: 0%, metadefender
Reputation: low

Analysis Process: WerFault.exe PID: 4864 Parent PID: 3300

General

Start time: 23:17:52
Start date: 10/05/2019
Path: C:\Windows\System32\WerFault.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WerFault.exe -u -p 3300 -s 504
Imagebase: 0x7ff672280000
File size: 494488 bytes
MD5 hash: BFD11F05E0245D5178ADFBC609E0328B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Disassembly

Code Analysis
