2aa345f263242d17215171ee9355dbe4f73096f29a76c23adfd272f6fe659649

Analysis

max time kernel
140s
max time network
152s
platform
windows11_x64
resource
win11
submitted
19-10-2021 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rambox-0.7.9-win.exe
Size

112.3MB
MD5

d3b36737818f47270c788fae167446d2
SHA1

5a5e09c9365325ac640ada70e97d060d8984360c
SHA256

2aa345f263242d17215171ee9355dbe4f73096f29a76c23adfd272f6fe659649
SHA512

fe080ee14053a2e9cbb092b2bf9eace7e471ed357653ef776662d8d4f95da8cdc9cfa2ba872e5142ed47b4a49a48d4220cd6a126766f100789fe7e00e5f5eb48

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

Processes:

Rambox.exeRambox.exeRambox.exeRambox.exeRambox.exeRambox.exe

pid process

3056 Rambox.exe
3780 Rambox.exe
4556 Rambox.exe
4468 Rambox.exe
1028 Rambox.exe
1240 Rambox.exe
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
3056	Rambox.exe
3780	Rambox.exe
4556	Rambox.exe
4468	Rambox.exe
1028	Rambox.exe
1240	Rambox.exe

Loads dropped DLL 20 IoCs

Processes:

Rambox-0.7.9-win.exeRambox.exeRambox.exeRambox.exeRambox.exeRambox.exeRambox.exe

pid	process
3860	Rambox-0.7.9-win.exe
3860	Rambox-0.7.9-win.exe
3860	Rambox-0.7.9-win.exe
3860	Rambox-0.7.9-win.exe
3860	Rambox-0.7.9-win.exe
3860	Rambox-0.7.9-win.exe
3860	Rambox-0.7.9-win.exe
3860	Rambox-0.7.9-win.exe
3860	Rambox-0.7.9-win.exe
3860	Rambox-0.7.9-win.exe
3860	Rambox-0.7.9-win.exe
3056	Rambox.exe
3780	Rambox.exe
4556	Rambox.exe
4468	Rambox.exe
3780	Rambox.exe
3780	Rambox.exe
3780	Rambox.exe
1028	Rambox.exe
1240	Rambox.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rambox = "\"C:\\Program Files\\Rambox\\Rambox.exe\""	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

Rambox-0.7.9-win.exe

description	ioc	process
File created	C:\Program Files\Rambox\LICENSES.chromium.html	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\locales\gu.pak	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\locales\th.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\d3dcompiler_47.dll	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\swiftshader	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\locales\am.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\ms.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\sv.pak	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\locales\te.pak	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\libEGL.dll	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\bg.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\fi.pak	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\locales\ko.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\zh-TW.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\chrome_200_percent.pak	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\locales\fil.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\hu.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\it.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\ml.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\resources.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\el.pak	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\locales\et.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\fil.pak	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\locales\mr.pak	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\locales\sl.pak	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\locales\bg.pak	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\snapshot_blob.bin	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\ffmpeg.dll	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\locales\he.pak	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\locales\sv.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\resources\app-update.yml	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\chrome_200_percent.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\ar.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\ko.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\nl.pak	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\locales\ta.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\LICENSES.chromium.html	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\am.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\lv.pak	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\locales\ro.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\th.pak	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\resources\app-update.yml	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\vk_swiftshader.dll	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\locales\de.pak	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\locales\en-GB.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\et.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\id.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\sk.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\bn.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\sl.pak	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\vulkan-1.dll	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\hr.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\pl.pak	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\locales\sk.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\vi.pak	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\vk_swiftshader.dll	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\locales\ar.pak	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\locales\hr.pak	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\locales\kn.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\sw.pak	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\ffmpeg.dll	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\libGLESv2.dll	Rambox-0.7.9-win.exe
File created	C:\Program Files\Rambox\swiftshader\libEGL.dll	Rambox-0.7.9-win.exe
File opened for modification	C:\Program Files\Rambox\locales\ca.pak	Rambox-0.7.9-win.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

WaaSMedicAgent.exesvchost.exeWaaSMedicAgent.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3216 reg.exe

pid	process
3216	reg.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Rambox.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Rambox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Rambox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e210f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Rambox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Rambox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c137e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Rambox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Rambox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Rambox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Rambox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Rambox.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

Rambox-0.7.9-win.exeRambox.exeRambox.exeRambox.exeRambox.exeRambox.exe

pid	process
3860	Rambox-0.7.9-win.exe
3860	Rambox-0.7.9-win.exe
3860	Rambox-0.7.9-win.exe
3860	Rambox-0.7.9-win.exe
3860	Rambox-0.7.9-win.exe
3860	Rambox-0.7.9-win.exe
4556	Rambox.exe
4556	Rambox.exe
4468	Rambox.exe
4468	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
1028	Rambox.exe
1028	Rambox.exe
1240	Rambox.exe
1240	Rambox.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

svchost.exesvchost.exesvchost.exeRambox-0.7.9-win.exeWaaSMedicAgent.exe

description	pid	process
Token: SeSystemtimePrivilege	3496	svchost.exe
Token: SeSystemtimePrivilege	3496	svchost.exe
Token: SeIncBasePriorityPrivilege	3496	svchost.exe
Token: SeShutdownPrivilege	880	svchost.exe
Token: SeCreatePagefilePrivilege	880	svchost.exe
Token: SeShutdownPrivilege	880	svchost.exe
Token: SeCreatePagefilePrivilege	880	svchost.exe
Token: SeShutdownPrivilege	880	svchost.exe
Token: SeCreatePagefilePrivilege	880	svchost.exe
Token: SeShutdownPrivilege	2096	svchost.exe
Token: SeCreatePagefilePrivilege	2096	svchost.exe
Token: SeSecurityPrivilege	3860	Rambox-0.7.9-win.exe
Token: SeTakeOwnershipPrivilege	3376	WaaSMedicAgent.exe
Token: SeSecurityPrivilege	3376	WaaSMedicAgent.exe
Token: SeRestorePrivilege	3376	WaaSMedicAgent.exe
Token: SeBackupPrivilege	3376	WaaSMedicAgent.exe
Token: SeShutdownPrivilege	880	svchost.exe
Token: SeCreatePagefilePrivilege	880	svchost.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

Rambox.exe

pid process

3056 Rambox.exe
3056 Rambox.exe
3056 Rambox.exe
3056 Rambox.exe
3056 Rambox.exe
3056 Rambox.exe
3056 Rambox.exe
3056 Rambox.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

Rambox.exe

pid process

3056 Rambox.exe
3056 Rambox.exe
3056 Rambox.exe
3056 Rambox.exe
3056 Rambox.exe
3056 Rambox.exe
3056 Rambox.exe

pid	process
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe

pid	process
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe
3056	Rambox.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

svchost.exeRambox.exe

description	pid	process	target process
PID 2096 wrote to memory of 2436	2096	svchost.exe	MoUsoCoreWorker.exe
PID 2096 wrote to memory of 2436	2096	svchost.exe	MoUsoCoreWorker.exe
PID 3056 wrote to memory of 3216	3056	Rambox.exe	reg.exe
PID 3056 wrote to memory of 3216	3056	Rambox.exe	reg.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 3780	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 4556	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 4556	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 4468	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 4468	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 1028	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 1028	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 1240	3056	Rambox.exe	Rambox.exe
PID 3056 wrote to memory of 1240	3056	Rambox.exe	Rambox.exe

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv Yd2Gyko5vU6cPK8AfXz9Tg.0
1⤵
PID:4988

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv Yd2Gyko5vU6cPK8AfXz9Tg.0.2
2⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\Rambox-0.7.9-win.exe
"C:\Users\Admin\AppData\Local\Temp\Rambox-0.7.9-win.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:4956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:888

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe bf8c6a2c6dd37701056bf90c17a79ac7 Yd2Gyko5vU6cPK8AfXz9Tg.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
2⤵
PID:2436

C:\Program Files\Rambox\Rambox.exe
"C:\Program Files\Rambox\Rambox.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Rambox /t REG_SZ /d "\"C:\Program Files\Rambox\Rambox.exe\"" /f
2⤵
- Adds Run key to start application
- Modifies registry key
PID:3216

C:\Program Files\Rambox\Rambox.exe
"C:\Program Files\Rambox\Rambox.exe" --type=gpu-process --field-trial-handle=1552,7918748924136235214,14603270463187756903,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,CrossOriginOpenerPolicy,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1560 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3780

C:\Program Files\Rambox\Rambox.exe
"C:\Program Files\Rambox\Rambox.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1552,7918748924136235214,14603270463187756903,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,CrossOriginOpenerPolicy,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1984 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:4556

C:\Program Files\Rambox\Rambox.exe
"C:\Program Files\Rambox\Rambox.exe" --type=renderer --field-trial-handle=1552,7918748924136235214,14603270463187756903,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,CrossOriginOpenerPolicy,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-user-model-id=com.grupovrs.ramboxce --app-path="C:\Program Files\Rambox\resources\app.asar" --enable-plugins --node-integration --webview-tag --no-sandbox --no-zygote --enable-remote-module --background-color=#FFF --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4468

C:\Program Files\Rambox\Rambox.exe
"C:\Program Files\Rambox\Rambox.exe" --type=renderer --field-trial-handle=1552,7918748924136235214,14603270463187756903,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,CrossOriginOpenerPolicy,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --app-user-model-id=com.grupovrs.ramboxce --app-path="C:\Program Files\Rambox\resources\app.asar" --enable-plugins --no-sandbox --no-zygote --native-window-open --preload="C:\Program Files\Rambox\resources\app.asar\resources\js\rambox-service-api.js" --enable-remote-module --background-color=#fff --guest-instance-id=2 --enable-blink-features --disable-blink-features --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2688 /prefetch:1
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1028

C:\Program Files\Rambox\Rambox.exe
"C:\Program Files\Rambox\Rambox.exe" --type=renderer --field-trial-handle=1552,7918748924136235214,14603270463187756903,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,CrossOriginOpenerPolicy,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --app-user-model-id=com.grupovrs.ramboxce --app-path="C:\Program Files\Rambox\resources\app.asar" --enable-plugins --no-sandbox --no-zygote --native-window-open --preload="C:\Program Files\Rambox\resources\app.asar\resources\js\rambox-service-api.js" --enable-remote-module --background-color=#fff --guest-instance-id=2 --enable-blink-features --disable-blink-features --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2700 /prefetch:1
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2088

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe bf8c6a2c6dd37701056bf90c17a79ac7 Yd2Gyko5vU6cPK8AfXz9Tg.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:2912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Rambox\D3DCompiler_47.dll
MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Program Files\Rambox\Rambox.exe
MD5
3c7933385b18471bb8916ad64d302af5

SHA1
ee3d04c6e3cc415fe66349baf970ed5d574f4665

SHA256
243018da9f22e10e4779a3e97133d33af83328d18d95e816c9ae4463247d0e14

SHA512
279a7271f60beb1fe3a893bbb133850ec5c3445ae18d9c5ab16e0e9cafffa1a3b42bd126f055287836ed542a86b764d428417e437ac2b28c4186bf6f64cbad63

Download Submit
C:\Program Files\Rambox\Rambox.exe
MD5
3c7933385b18471bb8916ad64d302af5

SHA1
ee3d04c6e3cc415fe66349baf970ed5d574f4665

SHA256
243018da9f22e10e4779a3e97133d33af83328d18d95e816c9ae4463247d0e14

SHA512
279a7271f60beb1fe3a893bbb133850ec5c3445ae18d9c5ab16e0e9cafffa1a3b42bd126f055287836ed542a86b764d428417e437ac2b28c4186bf6f64cbad63

Download Submit
C:\Program Files\Rambox\Rambox.exe
MD5
3c7933385b18471bb8916ad64d302af5

SHA1
ee3d04c6e3cc415fe66349baf970ed5d574f4665

SHA256
243018da9f22e10e4779a3e97133d33af83328d18d95e816c9ae4463247d0e14

SHA512
279a7271f60beb1fe3a893bbb133850ec5c3445ae18d9c5ab16e0e9cafffa1a3b42bd126f055287836ed542a86b764d428417e437ac2b28c4186bf6f64cbad63

Download Submit
C:\Program Files\Rambox\Rambox.exe
MD5
3c7933385b18471bb8916ad64d302af5

SHA1
ee3d04c6e3cc415fe66349baf970ed5d574f4665

SHA256
243018da9f22e10e4779a3e97133d33af83328d18d95e816c9ae4463247d0e14

SHA512
279a7271f60beb1fe3a893bbb133850ec5c3445ae18d9c5ab16e0e9cafffa1a3b42bd126f055287836ed542a86b764d428417e437ac2b28c4186bf6f64cbad63

Download Submit
C:\Program Files\Rambox\Rambox.exe
MD5
3c7933385b18471bb8916ad64d302af5

SHA1
ee3d04c6e3cc415fe66349baf970ed5d574f4665

SHA256
243018da9f22e10e4779a3e97133d33af83328d18d95e816c9ae4463247d0e14

SHA512
279a7271f60beb1fe3a893bbb133850ec5c3445ae18d9c5ab16e0e9cafffa1a3b42bd126f055287836ed542a86b764d428417e437ac2b28c4186bf6f64cbad63

Download Submit
C:\Program Files\Rambox\Rambox.exe
MD5
0068883fde532753db3a7da897ab0dc2

SHA1
97f3e26b22d1d15ce11c040689929341631b6ec8

SHA256
886debcc51361883c55121ad574e389bf4a11578f0572f4145f784d94a178a71

SHA512
4c300760ad133282623a4d97255bb87a686ffa07a25551a9a757ec5b3ca2ac7f396f7f5c3c0505a21f07457eda9ac80b6ab5a3fe236ebac96e9b548da7d5a766

Download Submit
C:\Program Files\Rambox\Rambox.exe
MD5
a1978b0c942a4125433f02d70de2eab0

SHA1
0dc38cbc6cafc6fa99a450039bc029f1c207949e

SHA256
11dcbfd1ef777521ef6714c2b091b1c97ca194cf8d6023f7cd2d9303941156d5

SHA512
d5962415be7017a9701148178f4ce175f4f1e702ede462ae619f22d3d0e49d0cf4b3f703299a7571388cf4a0553f97973949b7f6847fbe15fa4fdd85521888df

Download Submit
C:\Program Files\Rambox\chrome_100_percent.pak
MD5
06baf0ad34e0231bd76651203dba8326

SHA1
a5f99ecdcc06dec9d7f9ce0a8c66e46969117391

SHA256
5ae14147992a92548bcad76867dd88cdfcdb69d951c8720920cce6fb135e3189

SHA512
aff6616e56781ebb925a0ca146245ad3b2827250b32261c0c7c0d5b10b20a343a17fc3761c95d93104163e77b2eae3f1f9cbd3cb2b377f49b42bea39bdd09b91

Download Submit
C:\Program Files\Rambox\chrome_200_percent.pak
MD5
57c27201e7cd33471da7ec205fe9973c

SHA1
a8e7bce09c4cbdae2797611b2be8aeb5491036f9

SHA256
dd8146b2ee289e4d54a4a0f1fd3b2f61b979c6a2baaba96a406d96c3f4fdb33b

SHA512
57258aa169bec66abf0f45a3e026bb68751fb970b74bd0cb465607fa3b2a89967e832d92d8f675f0449bb6662fcb7786d05f0597124cc8e18bb99a47245779b4

Download Submit
C:\Program Files\Rambox\d3dcompiler_47.dll
MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Program Files\Rambox\ffmpeg.dll
MD5
4f3f7ba723c5e8b617407c7a57e568ba

SHA1
7aa11a45e1c1826ee58dabd2773256a6df5da262

SHA256
b08d2a9076f65a83420cabcb42bb0ed8364683c77f8ff608e16acd0f8615b0c6

SHA512
2a0b61d6223a6e7e105558ac52e128ed7bf0050f6ddd1fd80de6ce0ac89157b0c9d6de696349a8c95b7b3afe54fa555d34993a5b17eb68db51cdbb0443e84241

Download Submit
C:\Program Files\Rambox\ffmpeg.dll
MD5
4f3f7ba723c5e8b617407c7a57e568ba

SHA1
7aa11a45e1c1826ee58dabd2773256a6df5da262

SHA256
b08d2a9076f65a83420cabcb42bb0ed8364683c77f8ff608e16acd0f8615b0c6

SHA512
2a0b61d6223a6e7e105558ac52e128ed7bf0050f6ddd1fd80de6ce0ac89157b0c9d6de696349a8c95b7b3afe54fa555d34993a5b17eb68db51cdbb0443e84241

Download Submit
C:\Program Files\Rambox\ffmpeg.dll
MD5
4f3f7ba723c5e8b617407c7a57e568ba

SHA1
7aa11a45e1c1826ee58dabd2773256a6df5da262

SHA256
b08d2a9076f65a83420cabcb42bb0ed8364683c77f8ff608e16acd0f8615b0c6

SHA512
2a0b61d6223a6e7e105558ac52e128ed7bf0050f6ddd1fd80de6ce0ac89157b0c9d6de696349a8c95b7b3afe54fa555d34993a5b17eb68db51cdbb0443e84241

Download Submit
C:\Program Files\Rambox\ffmpeg.dll
MD5
4f3f7ba723c5e8b617407c7a57e568ba

SHA1
7aa11a45e1c1826ee58dabd2773256a6df5da262

SHA256
b08d2a9076f65a83420cabcb42bb0ed8364683c77f8ff608e16acd0f8615b0c6

SHA512
2a0b61d6223a6e7e105558ac52e128ed7bf0050f6ddd1fd80de6ce0ac89157b0c9d6de696349a8c95b7b3afe54fa555d34993a5b17eb68db51cdbb0443e84241

Download Submit
C:\Program Files\Rambox\ffmpeg.dll
MD5
4f3f7ba723c5e8b617407c7a57e568ba

SHA1
7aa11a45e1c1826ee58dabd2773256a6df5da262

SHA256
b08d2a9076f65a83420cabcb42bb0ed8364683c77f8ff608e16acd0f8615b0c6

SHA512
2a0b61d6223a6e7e105558ac52e128ed7bf0050f6ddd1fd80de6ce0ac89157b0c9d6de696349a8c95b7b3afe54fa555d34993a5b17eb68db51cdbb0443e84241

Download Submit
C:\Program Files\Rambox\ffmpeg.dll
MD5
4f3f7ba723c5e8b617407c7a57e568ba

SHA1
7aa11a45e1c1826ee58dabd2773256a6df5da262

SHA256
b08d2a9076f65a83420cabcb42bb0ed8364683c77f8ff608e16acd0f8615b0c6

SHA512
2a0b61d6223a6e7e105558ac52e128ed7bf0050f6ddd1fd80de6ce0ac89157b0c9d6de696349a8c95b7b3afe54fa555d34993a5b17eb68db51cdbb0443e84241

Download Submit
C:\Program Files\Rambox\ffmpeg.dll
MD5
4f3f7ba723c5e8b617407c7a57e568ba

SHA1
7aa11a45e1c1826ee58dabd2773256a6df5da262

SHA256
b08d2a9076f65a83420cabcb42bb0ed8364683c77f8ff608e16acd0f8615b0c6

SHA512
2a0b61d6223a6e7e105558ac52e128ed7bf0050f6ddd1fd80de6ce0ac89157b0c9d6de696349a8c95b7b3afe54fa555d34993a5b17eb68db51cdbb0443e84241

Download Submit
C:\Program Files\Rambox\icudtl.dat
MD5
ad2988770b8cb3281a28783ad833a201

SHA1
94b7586ee187d9b58405485f4c551b55615f11b5

SHA256
df876c7af43ed93eec6aea4d2d55c805009c219653cdeb368f1d048f4922b108

SHA512
f27e542a9c6c60fa28c5b7cc2818079341ef93aef3bbcadecad2dc11aff5b1592b19c7ebfa543ea42a3cbfec26a668641b255545fb0912056e25e852c2dedd01

Download Submit
C:\Program Files\Rambox\locales\en-US.pak
MD5
bd8f7b719110342b7cefb16ddd05ec55

SHA1
82a79aeaa1dd4b1464b67053ba1766a4498c13e7

SHA256
d1d3f892be16329c79f9a8ee8c5fa1c9fb46d17edfeb56a3d9407f9d7587a0de

SHA512
7cd1493e59e87c70927e66769eb200f79a57e1eb1223af4eb4064088571893d3e32cbc4b5ece568fd308992aad65684aa280dc9834f2b5d327bdee514b046e5e

Download Submit
C:\Program Files\Rambox\resources.pak
MD5
d13873f6fb051266deb3599b14535806

SHA1
143782c0ce5a5773ae0aae7a22377c8a6d18a5b2

SHA256
7b953443e3cd54a0a4775528b52fbfe5ebecbc2c71731600ed0999d227969506

SHA512
1ab38fcb70d1958c74da2493459532b52a04b884009509a1ac8dd39f6e9e670658a52f4d19ef57f1bc71dccfdd6ceedbc18034bbcad0b500d75a97c74aac6939

Download Submit
C:\Program Files\Rambox\resources\app.asar
MD5
d517d3cca304a39bf86197d94ef35954

SHA1
c371c5800707fd39f9964b3b1eb4af0b4f28c2d2

SHA256
a70b371b38206d1d19feffd674b23dc202aed98b5d05fae6a8f400606b1f8359

SHA512
0d49a83aeac93d3541a53abcc1d0e81b712d745a5f65057e2645230b8a2e7e18ef01c482f55efe7f7f34a9a029d15d318e181bfc428c3cbbc1c000080041a641

Download Submit
C:\Program Files\Rambox\swiftshader\libEGL.dll
MD5
0bca9efb4be44d8987760e3b1ff76032

SHA1
7b99640f857e4c0108a593fa05a4b03d35dd5dc6

SHA256
6d6b066929f7621800a61b53d4cafc6f7962b88b601bb9e8859416efaf3b0a1f

SHA512
2b1dc34e88ed0e91cc229bf2da383ebe18aae2e89f69a56ed494b836d6752e415f14ac27e49aa40784dafaa481065a8a35202645a15f5cbefc31725082417d10

Download Submit
C:\Program Files\Rambox\swiftshader\libGLESv2.dll
MD5
dbd413214ce785796914d79dbe0b3ee7

SHA1
3a2d86aa4562a05d601aed131e797c003365c03f

SHA256
bec01a8fe41898656204d5397de04089d0cee5a3fb9f0bcbc1753af8a6a526a8

SHA512
acf5d65616d280e133f9ec8d84dcc07f012e5305e6b8b368a3db113b7aeb113bdfbaf1cd8813c368699d5964a6983fba3e96a12c05d92c90f1df43a68c93fe4e

Download Submit
C:\Program Files\Rambox\swiftshader\libegl.dll
MD5
0bca9efb4be44d8987760e3b1ff76032

SHA1
7b99640f857e4c0108a593fa05a4b03d35dd5dc6

SHA256
6d6b066929f7621800a61b53d4cafc6f7962b88b601bb9e8859416efaf3b0a1f

SHA512
2b1dc34e88ed0e91cc229bf2da383ebe18aae2e89f69a56ed494b836d6752e415f14ac27e49aa40784dafaa481065a8a35202645a15f5cbefc31725082417d10

Download Submit
C:\Program Files\Rambox\swiftshader\libglesv2.dll
MD5
dbd413214ce785796914d79dbe0b3ee7

SHA1
3a2d86aa4562a05d601aed131e797c003365c03f

SHA256
bec01a8fe41898656204d5397de04089d0cee5a3fb9f0bcbc1753af8a6a526a8

SHA512
acf5d65616d280e133f9ec8d84dcc07f012e5305e6b8b368a3db113b7aeb113bdfbaf1cd8813c368699d5964a6983fba3e96a12c05d92c90f1df43a68c93fe4e

Download Submit
C:\Program Files\Rambox\v8_context_snapshot.bin
MD5
c2208c06c8ff81bca3c092cc42b8df1b

SHA1
f7b9faa9ba0e72d062f68642a02cc8f3fed49910

SHA256
4a67de195878d290f49b503b83e415917b8bbcbd9936b07a5d33b48e9bc6e0a3

SHA512
6c3c370dd086a976c44d4059a315bd3bcbb50961aa34734e65a40d861cffca9090d47cec74575afe23952e394e4845bda2d8798eebe01fb54a7a6288bce238f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDC13.tmp\StdUtils.dll
MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDC13.tmp\System.dll
MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDC13.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDC13.tmp\WinShell.dll
MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDC13.tmp\WinShell.dll
MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDC13.tmp\WinShell.dll
MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDC13.tmp\WinShell.dll
MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDC13.tmp\nsDialogs.dll
MD5
466179e1c8ee8a1ff5e4427dbb6c4a01

SHA1
eb607467009074278e4bd50c7eab400e95ae48f7

SHA256
1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172

SHA512
7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDC13.tmp\nsProcess.dll
MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDC13.tmp\nsProcess.dll
MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDC13.tmp\nsis7z.dll
MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/880-155-0x000001E5C7F70000-0x000001E5C7F74000-memory.dmp

Filesize
16KB

Download
memory/1028-217-0x000001F690600000-0x000001F690602000-memory.dmp

Filesize
8KB

Download
memory/1028-210-0x000001F690600000-0x000001F690602000-memory.dmp

Filesize
8KB

Download
memory/1028-211-0x000001F690600000-0x000001F690602000-memory.dmp

Filesize
8KB

Download
memory/1028-207-0x0000000000000000-mapping.dmp

Download
memory/1028-218-0x000001F690600000-0x000001F690602000-memory.dmp

Filesize
8KB

Download
memory/1240-213-0x000001B1E9D90000-0x000001B1E9D92000-memory.dmp

Filesize
8KB

Download
memory/1240-209-0x0000000000000000-mapping.dmp

Download
memory/1240-221-0x000001B1E9D90000-0x000001B1E9D92000-memory.dmp

Filesize
8KB

Download
memory/1240-215-0x000001B1E9D90000-0x000001B1E9D92000-memory.dmp

Filesize
8KB

Download
memory/1240-222-0x000001B1E9D90000-0x000001B1E9D92000-memory.dmp

Filesize
8KB

Download
memory/1240-219-0x000001B1E9D90000-0x000001B1E9D92000-memory.dmp

Filesize
8KB

Download
memory/1240-223-0x000001B1E9D90000-0x000001B1E9D92000-memory.dmp

Filesize
8KB

Download
memory/1240-220-0x000001B1E9D90000-0x000001B1E9D92000-memory.dmp

Filesize
8KB

Download
memory/2436-156-0x0000000000000000-mapping.dmp

Download
memory/3056-172-0x0000018E804A0000-0x0000018E804A2000-memory.dmp

Filesize
8KB

Download
memory/3056-166-0x0000018E804A0000-0x0000018E804A2000-memory.dmp

Filesize
8KB

Download
memory/3056-167-0x0000018E804A0000-0x0000018E804A2000-memory.dmp

Filesize
8KB

Download
memory/3216-174-0x0000000000000000-mapping.dmp

Download
memory/3780-193-0x0000028115A70000-0x0000028115A72000-memory.dmp

Filesize
8KB

Download
memory/3780-198-0x0000028115A70000-0x0000028115A72000-memory.dmp

Filesize
8KB

Download
memory/3780-180-0x0000000000000000-mapping.dmp

Download
memory/3780-184-0x0000028115A70000-0x0000028115A72000-memory.dmp

Filesize
8KB

Download
memory/3780-187-0x0000028115A70000-0x0000028115A72000-memory.dmp

Filesize
8KB

Download
memory/3780-179-0x00000281159C9000-0x00000281159CA000-memory.dmp

Filesize
4KB

Download
memory/3780-182-0x00007FF887000000-0x00007FF887001000-memory.dmp

Filesize
4KB

Download
memory/4468-195-0x0000022AFC6E0000-0x0000022AFC6E2000-memory.dmp

Filesize
8KB

Download
memory/4468-200-0x0000022AFC6E0000-0x0000022AFC6E2000-memory.dmp

Filesize
8KB

Download
memory/4468-196-0x0000022AFC6E0000-0x0000022AFC6E2000-memory.dmp

Filesize
8KB

Download
memory/4468-191-0x0000000000000000-mapping.dmp

Download
memory/4468-205-0x0000022AFC6E0000-0x0000022AFC6E2000-memory.dmp

Filesize
8KB

Download
memory/4556-188-0x000001C701BC0000-0x000001C701BC2000-memory.dmp

Filesize
8KB

Download
memory/4556-183-0x0000000000000000-mapping.dmp

Download
memory/4556-186-0x000001C701BC0000-0x000001C701BC2000-memory.dmp

Filesize
8KB

Download
memory/4616-164-0x0000000000000000-mapping.dmp

Download
memory/4956-147-0x000002A778AA0000-0x000002A778AB0000-memory.dmp

Filesize
64KB

Download
memory/4956-148-0x000002A77AEB0000-0x000002A77AEB4000-memory.dmp

Filesize
16KB

Download
memory/4956-146-0x000002A778860000-0x000002A778870000-memory.dmp

Filesize
64KB

Download
memory/4956-224-0x000002A77B180000-0x000002A77B184000-memory.dmp

Filesize
16KB

Download
memory/4956-225-0x000002A77B140000-0x000002A77B141000-memory.dmp

Filesize
4KB

Download
memory/4956-226-0x000002A77AEE0000-0x000002A77AEE4000-memory.dmp

Filesize
16KB

Download
memory/4956-227-0x000002A77AED0000-0x000002A77AED1000-memory.dmp

Filesize
4KB

Download
memory/4956-228-0x000002A77AED0000-0x000002A77AED4000-memory.dmp

Filesize
16KB

Download
memory/4956-229-0x000002A778BB0000-0x000002A778BB1000-memory.dmp

Filesize
4KB

Download