hxxps://github[.]com/ruffle-rs/ruffle/releases/download/nightly-2024-09-29/ruffle-nightly-2024_09_29-windows-x86_64[.]zip

Analysis

max time kernel
167s
max time network
160s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
29/09/2024, 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ruffle-rs/ruffle/releases/download/nightly-2024-09-29/ruffle-nightly-2024_09_29-windows-x86_64.zip

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4612	ruffle.exe
1104	ruffle.exe

Loads dropped DLL 4 IoCs

pid	Process
3692	MsiExec.exe
2932	MsiExec.exe
2932	MsiExec.exe
1896	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\ruffle\LICENSE.md	msiexec.exe
File created	C:\Program Files\ruffle\bin\ruffle.exe	msiexec.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{59EE98A0-EA6C-4090-AAD8-FA4FAE8F9CE6}\Icon.ico	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC29F463CB2F6AB81.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e5900c1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{59EE98A0-EA6C-4090-AAD8-FA4FAE8F9CE6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1AC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{59EE98A0-EA6C-4090-AAD8-FA4FAE8F9CE6}\Icon.ico	msiexec.exe
File created	C:\Windows\SystemTemp\~DF9EFB1B939610019D.TMP	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\SystemTemp\~DF3F7AD84B2265BB8F.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFF63629CE21F2DB7F.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI23A.tmp	msiexec.exe
File created	C:\Windows\Installer\e5900c1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1BC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI42F.tmp	msiexec.exe
File created	C:\Windows\Installer\e5900c3.msi	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 13 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	ruffle.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	ruffle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	ruffle.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	ruffle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000b4c6b626f29820b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000b4c6b620000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809000b4c6b62000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d0b4c6b62000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000b4c6b6200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	ruffle.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	ruffle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	ruffle.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	ruffle.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133720675137297007"	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ruffle.spl\shell\open\ = "Open"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.spl	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Ruffle.ruf\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0A89EE95C6AE0904AA8DAFF4EAF8C96E	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A89EE95C6AE0904AA8DAFF4EAF8C96E\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A89EE95C6AE0904AA8DAFF4EAF8C96E\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.swf	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf\Content Type = "application/x-shockwave-flash"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ruffle.spl\shell\open\command\ = "\"C:\\Program Files\\ruffle\\bin\\ruffle.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ruffle.ruf	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ruffle.ruf\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.spl\OpenWithProgids	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\ruffle.exe\SupportedTypes\.swf	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A89EE95C6AE0904AA8DAFF4EAF8C96E\SourceList\Net\1 = "C:\\Users\\Admin\\Desktop\\ruffle-nightly-2024_09_29-windows-x86_64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ruffle.spl\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Ruffle.spl	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\ruffle.exe	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A89EE95C6AE0904AA8DAFF4EAF8C96E\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Ruffle.swf	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ruffle.swf\ = "Flash Movie"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ruffle.ruf\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ruf\OpenWithProgids\Ruffle.ruf	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A89EE95C6AE0904AA8DAFF4EAF8C96E\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ruffle.swf\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Ruffle.swf\DefaultIcon	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Ruffle.ruf\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A89EE95C6AE0904AA8DAFF4EAF8C96E\ProductIcon = "C:\\Windows\\Installer\\{59EE98A0-EA6C-4090-AAD8-FA4FAE8F9CE6}\\Icon.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A89EE95C6AE0904AA8DAFF4EAF8C96E\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ruffle.swf\DefaultIcon\ = "\"C:\\Program Files\\ruffle\\bin\\ruffle.exe\",1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Ruffle.spl\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ruffle.ruf\DefaultIcon\ = "\"C:\\Program Files\\ruffle\\bin\\ruffle.exe\",1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0A89EE95C6AE0904AA8DAFF4EAF8C96E\Environment = "Binaries"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A89EE95C6AE0904AA8DAFF4EAF8C96E\Version = "65536"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\05AB4A6C80AF78B4B9558DA1C137D052	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf\ = "Ruffle.swf"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ruffle.spl\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Ruffle.ruf\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.ruf	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A89EE95C6AE0904AA8DAFF4EAF8C96E	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A89EE95C6AE0904AA8DAFF4EAF8C96E\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ruffle.swf\shell\open\ = "Open"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl\OpenWithProgids\Ruffle.spl	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.ruf\OpenWithProgids	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A89EE95C6AE0904AA8DAFF4EAF8C96E\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A89EE95C6AE0904AA8DAFF4EAF8C96E\SourceList\Media\DiskPrompt = "Ruffle Installation"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ruffle.swf\shell\open\command\ = "\"C:\\Program Files\\ruffle\\bin\\ruffle.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl\Content Type = "application/x-shockwave-flash"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ruf\ = "Ruffle.ruf"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A89EE95C6AE0904AA8DAFF4EAF8C96E\ProductName = "Ruffle"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A89EE95C6AE0904AA8DAFF4EAF8C96E\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\05AB4A6C80AF78B4B9558DA1C137D052\0A89EE95C6AE0904AA8DAFF4EAF8C96E	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A89EE95C6AE0904AA8DAFF4EAF8C96E\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ruffle.swf\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.swf\OpenWithProgids	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\ruffle.exe\SupportedTypes\.spl	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A89EE95C6AE0904AA8DAFF4EAF8C96E\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Desktop\\ruffle-nightly-2024_09_29-windows-x86_64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Ruffle.swf\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ruffle.swf	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf\OpenWithProgids\Ruffle.swf	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Ruffle.swf\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Ruffle.spl\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "Ruffle.spl"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Ruffle.ruf	msiexec.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\ruffle-nightly-2024_09_29-windows-x86_64.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3148	chrome.exe
3148	chrome.exe
2936	msiexec.exe
2936	msiexec.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3148	chrome.exe
3148	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
944	7zG.exe
2396	msiexec.exe
2396	msiexec.exe
4612	ruffle.exe
1104	ruffle.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4612	ruffle.exe
1104	ruffle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 2368	3148	chrome.exe	78
PID 3148 wrote to memory of 2368	3148	chrome.exe	78
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1612	3148	chrome.exe	79
PID 3148 wrote to memory of 1832	3148	chrome.exe	80
PID 3148 wrote to memory of 1832	3148	chrome.exe	80
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81
PID 3148 wrote to memory of 4888	3148	chrome.exe	81

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/ruffle-rs/ruffle/releases/download/nightly-2024-09-29/ruffle-nightly-2024_09_29-windows-x86_64.zip
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed68acc40,0x7ffed68acc4c,0x7ffed68acc58
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1860,i,9877222525316014933,11781151499437362028,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1784,i,9877222525316014933,11781151499437362028,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2016 /prefetch:3
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,9877222525316014933,11781151499437362028,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2392 /prefetch:8
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,9877222525316014933,11781151499437362028,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,9877222525316014933,11781151499437362028,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4700,i,9877222525316014933,11781151499437362028,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4348,i,9877222525316014933,11781151499437362028,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4280 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3496,i,9877222525316014933,11781151499437362028,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2840

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1360

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4984

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\ruffle-nightly-2024_09_29-windows-x86_64\" -spe -an -ai#7zMap4654:142:7zEvent16231
1⤵
- Suspicious use of FindShellTrayWindow
PID:944

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\ruffle-nightly-2024_09_29-windows-x86_64\setup.msi"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:2396

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2936
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding F2178542DCB6C66809DAF8E3DF4FB9AF C
  2⤵
  - Loads dropped DLL
  PID:3692
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4216
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding B0A8B855395460A7609A8F7D0051D668
  2⤵
  - Loads dropped DLL
  PID:2932
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding E1A7B188FCE3DC2D8C69F094E2A4F768 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:1896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3944

C:\Program Files\ruffle\bin\ruffle.exe
"C:\Program Files\ruffle\bin\ruffle.exe"
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4612

C:\Users\Admin\Desktop\ruffle-nightly-2024_09_29-windows-x86_64\ruffle.exe
"C:\Users\Admin\Desktop\ruffle-nightly-2024_09_29-windows-x86_64\ruffle.exe"
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5900c2.rbs

Filesize
12KB

MD5
862907254b67063bb06ed0d1cba8d517

SHA1
81295cc7368e22e2116998065dd614a16da60a83

SHA256
5ab08d91bc3a87a4d31ee1c035087d903d575c73246330c4ff8ad4698158b834

SHA512
55dec4bc7d60fee7819d744f37ccc7f5d078cf4607ee335854a17d60e5b499ecefb1de997f9b8ff3c49196c61b25aa0ee5db1f7e3c77c9b7e55699449d27f850

Download Submit
C:\Program Files\ruffle\LICENSE.md

Filesize
106KB

MD5
3e161cff8470383eb2d8aa9d233fdc9b

SHA1
fb2945025eefc7d89b81cc384fd92af5ca01fa28

SHA256
e39f0fe9b3f36c3508200be0c21081eaff9d2d4856325c0dacc965ffaf530f2f

SHA512
b73a124e8b0774156c4a8605fa4ed904c3ecfbe2971340a09ee52f38aad01cb55dc0736734035866f1cec67d40a77c0cedad2ec7420d9cf825e127c1a7baef87

Download Submit
C:\Program Files\ruffle\bin\ruffle.exe

Filesize
25.4MB

MD5
d7374f3198c4c49cc22b606b3650f2f0

SHA1
48168166adf10cf1fda25225e7e21ddef4d9f459

SHA256
063c63d3bc7f8c42dd1a13191aa73768e603372dd30936d43a6b43adede6983a

SHA512
c04ded349cea526644d887956270480537c192eb537fb8d276134d6dd6dc70f7990c51059ccf3eadb5bde21bdad89cb3f92f3103a3f8ea7ca1ba05efdbd43c95

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4a0dbcfcb3065bb5ce378415abd60964

SHA1
c3ce7f9b624e807c85539d56d363cdf5418e1f38

SHA256
a162b48a41ae6045cbff83216cc7b9e6881dfb62c854de1b07e70ee3955e5395

SHA512
2a44c9d56dddfd25534c780fea7dd5b3075f2ef72ffec3645cb90cff4b3f5106362deb680e7ccc5d0423daa5ab5c71d95bb410ddb76dbb6d013b3d6b4c8b9d53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9e86cb7fb6c7c9c844af9681bb9b7ffe

SHA1
ceeac0013f61a0a4c27d02fb4ad1b05bfbf70763

SHA256
c96b78096310a3ff6e4e6cdf8e34e11630a26e579038ece4ac8efdd47df4e67d

SHA512
1cef125a3be9a0a828251cad31fbe3bc967811e361acbe1e6c5ac324c4efc3e3a00b90344efa60d448b05842ae9c138841a50dc1e913264e9992092dcf4d82c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
aa0e03ed7fa57637e47c04603fa12342

SHA1
ea552a649294013ff7795274d1b3f1a0f4a3839e

SHA256
e93e6dc23947e1b79eb9d71766e040094e956c5baeb4617f352fd2e4a0977cb6

SHA512
0119a24c4f150fe28770cf0c4dc25aa08c0d64e40ba4a29ef0a226635c2d4c23dae7d32e8327f04091668eda9db51a1c4d5880b4c6a6b72298a937709f3b7748

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d1b025cb641ff05831b84517e2d99414

SHA1
f94c7eec5f6ddcbfd0fae321699ea761fe8744f5

SHA256
5b2f0f0d70bd7903da54db0d4c1b237d82f5c417a961a884b39c3d502f4e2c1c

SHA512
38d7aaf7c1f277220d0a962420ff7e299b314a3e1c66e3469b4779e2cf88013cac6dfa343b1366a082124c418964e12687aaeb2a637c18dc7f61dc9f1279f09b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ec70eaf0ee09c62905eaa1570af21625

SHA1
6502f368f2582f5d41c5265628d591f8771d2393

SHA256
c15f9de8e05946895a1c452b474606ef89ab04f03c09d1a2bfcb6339b9260943

SHA512
bdf0c946f743ca8277114c460b89e9bab435a924d953227b3ff0b0aa9f7df2d9926e1c3f2d3312803b66497b83f9e5c189d98d89faa72f45b0a0992fb29aa10b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
bf3c8f733327049c47872511d6fba1a8

SHA1
ba6434a2075df47467afa5a88d81c5029e71c1da

SHA256
830cef289920fedfaa76387a158a9b94eb71b2bae3507fbfd656a2c82d297038

SHA512
3e2cefbd20deb731ed659ee4f698f3357a8ecd1c89768cd410c8e62d3972ce9c149e8966b8fe5bb660318abbdfab06327e05faafa09772d26e3008ff8bcd53da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aa73bd5d61948918821b641747c1a333

SHA1
91c924e642c6b8de2e585e7d890eb79903522173

SHA256
c838ddb13d7a29e237d5bc641d9b25c242a97d4a4c4d9fade05d3534e8061dcb

SHA512
66eb5ad713e6fb444382662b35b2915bde865ff0026dbfed67657170a65c7106dbb6550de6549f2bb0dcd602555a8097638f73b7aa9d4ed0550e57d0209522fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3de9fe84fb66fa0ab24864f1c42e482d

SHA1
6709ba11dabebc7b2dd02871f2a2a16c935da81b

SHA256
03528984c93da321612fd703996ca192a43faf5ec761e8dc93d0c9ee2e1c2581

SHA512
1cb95163777f329aa0ae5465604792e7567724c483bfd9284131e19056ed49d984b2f0868294008d04aa513861b832de48fabfd00c7f97c90975ab396882bda4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8101dad4637fe1bc35096a7a43bb24d0

SHA1
474c04d86229eda382046016cdeb3054e6b36c91

SHA256
bf1d5d037e94859c81d7ed14d6f051505b87155e7d61eb49af6f4ddf491f73bb

SHA512
63b15817b0523276b14c9b46cff8f68ea8aedb00cb8ba03671940c05a818ed80e464190e160042ac50e21a05663282e0f1fdae0d52c9c5413b9dd3069ce19b5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
da7054c2af9891b90d88a284dda7be9f

SHA1
067f7ae081aff0562ef48a37e056f9c58094982d

SHA256
e457deba0026d921ebcd691b219a970394137fad271e1c81742001e8e35be491

SHA512
f6c0816e942cf8f9cabb917fa9d2bd35742c080d8098047b325fea8e130f4a78852d5ca1aebf97d5deda6fc7afe357b9310518e354cb012742eec2f7db68b38a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1cc5b1c3a58bda434c3c69c0449e6653

SHA1
b88b34629e0b39e41132d3d58d14f2b199452198

SHA256
c879d5a4591c48442e9b9e2e8bda145759d481f6ffcfb3f2758cbca36a8d83de

SHA512
33443d6e4bb566187c57e415021dee717d868e3894d1aa32c6c94dee436d9346660f446b51c0879bcee29f7c11b895b8a2db633b57bb6d5d4a37eee12d2db968

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8f26fb13c32ac901a3e0e5fcf86ff176

SHA1
f35a066f0130e5b2a8174ba637e22d200f9ceecb

SHA256
dc040343b0aa47701568268e0e804688f6a91755c68fc22f984c27b0a25da8ed

SHA512
d9a92b8cdc7dbaf6f08f568972bc1eab09602bd4d02e84708d7b6ecd41b491027ec247735dfb6911bf35bc94ebce070772876197d06bbf5928f8683d1dc215f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
45ab1f65bf2e503c8e2b1d03aedc056e

SHA1
5068a2870549e9db4348afa809b99fe72db88cdb

SHA256
a6c07ba9c90b4844c766a335f472efec8d6b86fbe4db029b55c908aaf9079ef9

SHA512
6cb117f4c7c0e2b6bcf6c2ad79bb7d49d73e453798533f92d199569b021876c0d4da9a7eeabbfe626638dac6798da7c256bec5b9bb112a2e59b42cbcbc97f85e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2ae150e5b132cfe34c685e671d966906

SHA1
922af1216e441fdc11e7398b82081cf2e2237750

SHA256
a82f31a0ee2c1868b3f98da789c10afa7c5f2cd3c4cc041ce3ef00b12a54f72a

SHA512
67008ec1f1f8642b56fd4b9993773cc7bd02e7868ca23d081a07a3a66a34858148f9ed2525267facda533913411fa59f951ccd3b1f76e0b9b3c335f207678618

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8419f9a2ed306dfd025cf29caf9fcf79

SHA1
32498583489623f601772800782197609a6e71d1

SHA256
28991d5fbbc1b6feaea27cec8d60304d0da4290b6d4cc9ad2ab11ab3a385cc9f

SHA512
bdbc1a4e6d9f1a03e189dde6d748286123fd7f7268ef9f1af4af77d99527746a3f479b19f35db9f8bf4894809a18d589611a6c973b21fef5a191e00d535d0f69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fa4b5567808b0eb1eb9a2fcc2f27ad9e

SHA1
adce02e0d0b9c0f0c35624267a38b8c02f567737

SHA256
62d874781804283803538808f885de7f2d89ee813de28d26e26e23b72ddddade

SHA512
34dfca53207dec8b6d675c825a199319fe8608330c2aee1f3f331ab4fe479d392a7f2be9f55e3451622e106c81184d39a5c308f42838ab17d0c93147008a396d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
7788c7187056e5e0e798d05b11670f89

SHA1
5a5f25cbed8f42b98a201ad9ee702fd659ed7207

SHA256
6dbc6a1f939854e429c3116d0592799451cca2ddd1e18cc8b121237684678911

SHA512
93aa706a0cfc57e0a0e7958ac3caa4ab1c361d3e80b63a5f4a88abffcd148e62ec50a80f0344de1dde945f3263c9d51ac84f19fb2e50fdd70594f9ff46ce8985

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
75bbad6c7938f67dd6bb89337a9d072d

SHA1
db012b63f1d396b58625894e826b8ca9723a97cf

SHA256
60f09df2e37d68a3748d194e7082c7314bac9e92a5caabbb005d9054f85180b8

SHA512
47961cf27933d606e77e830e51dae31cbba0c58d9ef4e0d78fad57277f7232de8ab33a711815a3becd9ced9e60fb4d89cafd4d79018358eee70cf9d9da50281c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDFBC.tmp

Filesize
175KB

MD5
56c7e714273bebf7a279eb1fb9f1486d

SHA1
9dfd0c2bf77ab16da21468baa353d7dcb3c414f3

SHA256
4ec5060e204d840c0787ff4369e4b259becaf9f1f3c947feb92ca2bf8385e99d

SHA512
3e2faa8aec4253547f3db5fe97b90546fe36b7c289bdd93bace1fa06af534b350295ca06bb03361f20d7cdf3417f27ef9bd7b5676626d0bd8a1706537edae8e9

Download Submit
C:\Users\Admin\Desktop\ruffle-nightly-2024_09_29-windows-x86_64\README.md

Filesize
8KB

MD5
9896f18f4bcdfecdce7a0f0059378f9f

SHA1
4abaf2229a26170cb34d6e32d2243e97ae0c4592

SHA256
42e8cb163b1d7bdc384bcd3221c5beeb5b7fe7893b42efdd3e71ae5ea4f4d03c

SHA512
88cd77df9bfcc82d588c31f4f5ed45a410ae48c7c8ffda6e9e56664774d88969c6a17cb78ed80ae60bde5e65fe75fcc10ba5056fc8799cb66104e5a334b3ac0a

Download Submit
C:\Users\Admin\Desktop\ruffle-nightly-2024_09_29-windows-x86_64\setup.msi

Filesize
9.5MB

MD5
a68ac6aad54a2b01f65e8ccff61ca156

SHA1
f868136937aedf11847d92e9171906947dbbb0c8

SHA256
53c61f19d9240c883154673e6b94fd4af748a2e981f43a83f20536ed488d93fb

SHA512
0e2f05337df5fc57a381fe0e562e16165f40dfbf28d7f00fdc6d6111e5417a356df96d062b96ba143ce909eba5f86d85f65ebdbcd1a1da90e1ce90bd03044d27

Download Submit
C:\Users\Admin\Downloads\ruffle-nightly-2024_09_29-windows-x86_64.zip.crdownload

Filesize
19.2MB

MD5
55858cb8e66dcd437a29732e3de49289

SHA1
5a32ab0e12d1e87b3f7d5ee35e3267b36c20a1a7

SHA256
fbcc740db69d71309cdf5a6339c7062a74514595662720b07873b923af851726

SHA512
61f76608d81ec8531d57b1b3ef9de6a7ac2378c48efbc79006bad03da430693e794891e703f7c4df98f28f695901ceeecd40b59667b772c4bd51f21720b82a04

Download Submit
C:\Users\Admin\Downloads\ruffle-nightly-2024_09_29-windows-x86_64.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\Installer\MSI1BC.tmp

Filesize
390KB

MD5
50b7b3b911194a3dddd6ee1e1e18279e

SHA1
5605ea9a1e919ba16183beb1006031d5749d05ab

SHA256
ca9193c79df2446ab974ce5de4ad038f4cba28a7228b5469d41c326b6f29b371

SHA512
918d11d006fa17be6a77ed84c26c837545654dcf6187bd256cc031d97d18acb8833ffa68c94e13f1c865650b7b3a23826d2d4e427aa2749e01b6b1080a0a17d4

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
5fae0aece3deeaa54afa8bccb577de51

SHA1
520045c9a1a620f7730877fee2bc43abc5b950c3

SHA256
cead3342e1bece41af866278976650cd56e3653ca3ae906576c84b867ce420a0

SHA512
a12f2ac0366d27891d7484077d3e98e65d6cea4c2f9348cf0b105d3868d0b545e5b6503cc2b89f6be39faf249ad0cdf5592cedc124f829e5eb20849c65d6fee0

Download Submit
\??\Volume{626b4c0b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{11f3b772-140c-495e-bd52-8a17928ad24b}_OnDiskSnapshotProp

Filesize
6KB

MD5
519622d26210df6f561a898ab348e620

SHA1
0591360b97ed31c1589e668258406c073f89e4bc

SHA256
366519e0cd77bc18f90b81d0735cfc358df416a597e6c752b5965dcd75dd8832

SHA512
952de5ef73980352e36ef579b7c47ba65b96c7ff283dd7029a2a78cece3762d8ae8a67bff91105575772f9e0f452027374d7a1dcf7421f0ef0018bdf31e60271

Download Submit
memory/4612-198-0x0000010BBFC80000-0x0000010BBFC82000-memory.dmp

Filesize
8KB

Download
memory/4612-217-0x0000010BBFC80000-0x0000010BBFC82000-memory.dmp

Filesize
8KB

Download
memory/4612-215-0x0000010BBFC80000-0x0000010BBFC82000-memory.dmp

Filesize
8KB

Download
memory/4612-214-0x0000010BBFC80000-0x0000010BBFC82000-memory.dmp

Filesize
8KB

Download
memory/4612-212-0x0000010BBFC80000-0x0000010BBFC82000-memory.dmp

Filesize
8KB

Download
memory/4612-210-0x0000010BBFC80000-0x0000010BBFC82000-memory.dmp

Filesize
8KB

Download
memory/4612-206-0x0000010BBFC80000-0x0000010BBFC82000-memory.dmp

Filesize
8KB

Download
memory/4612-205-0x0000010BBFC80000-0x0000010BBFC82000-memory.dmp

Filesize
8KB

Download
memory/4612-208-0x0000010BBFC80000-0x0000010BBFC82000-memory.dmp

Filesize
8KB

Download
memory/4612-207-0x0000010BBFC80000-0x0000010BBFC82000-memory.dmp

Filesize
8KB

Download
memory/4612-204-0x0000010BBFC80000-0x0000010BBFC82000-memory.dmp

Filesize
8KB

Download
memory/4612-203-0x0000010BBFC80000-0x0000010BBFC82000-memory.dmp

Filesize
8KB

Download
memory/4612-213-0x0000010BBFC80000-0x0000010BBFC82000-memory.dmp

Filesize
8KB

Download
memory/4612-218-0x0000010BBFC80000-0x0000010BBFC82000-memory.dmp

Filesize
8KB

Download
memory/4612-219-0x0000010BBFC80000-0x0000010BBFC82000-memory.dmp

Filesize
8KB

Download
memory/4612-211-0x0000010BBFC80000-0x0000010BBFC82000-memory.dmp

Filesize
8KB

Download
memory/4612-216-0x0000010BBFC80000-0x0000010BBFC82000-memory.dmp

Filesize
8KB

Download
memory/4612-209-0x0000010BBFC80000-0x0000010BBFC82000-memory.dmp

Filesize
8KB

Download
memory/4612-197-0x0000010BBFC80000-0x0000010BBFC82000-memory.dmp

Filesize
8KB

Download
memory/4612-199-0x0000010BBFC80000-0x0000010BBFC82000-memory.dmp

Filesize
8KB

Download
memory/4612-194-0x0000010BBFA20000-0x0000010BBFA21000-memory.dmp

Filesize
4KB

Download
memory/4612-195-0x0000010BBFA20000-0x0000010BBFA21000-memory.dmp

Filesize
4KB

Download
memory/4612-196-0x0000010BBFA20000-0x0000010BBFA21000-memory.dmp

Filesize
4KB

Download