Malware Analysis Report

2024-10-10 07:27

Sample ID 240615-fsgpzatcnk
Target ryujinx-1.1.1330-win_x64.zip
SHA256 d74d8f3eba3f87531e69ffcfb8c0e5dc73d9631dd63647554ba725b4e3817775
Tags
evasion
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

d74d8f3eba3f87531e69ffcfb8c0e5dc73d9631dd63647554ba725b4e3817775

Threat Level: Shows suspicious behavior

The file ryujinx-1.1.1330-win_x64.zip was found to be: Shows suspicious behavior.

Malicious Activity Summary

evasion

Checks computer location settings

Deletes itself

Resource Forking

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Opens file in notepad (likely ransom note)

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-15 05:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:40

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

162s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ryujinx-1.1.1330-win_x64.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ryujinx-1.1.1330-win_x64.zip

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.178.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:40

Platform

win7-20240611-en

Max time kernel

118s

Max time network

127s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\publish\LICENSE.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\publish\LICENSE.txt

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:40

Platform

win7-20240611-en

Max time kernel

117s

Max time network

141s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.SDL2.Common.dll.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a80760000000002000000000010660000000100002000000059b267c5c0357cc60fec6da88e1833f95b869d29f3f1198ab3784e43048466f9000000000e8000000002000020000000fc9deea4e89cd48edd285a478bc36fd5b13fcb38092652ee8bf82d243d2545f390000000027849306477f9737efb143bcdf202dc45a9977221f8bd693e01793ae8741a6c617c1e3edeac50437cebf8e7dce1d1b224f7c9ef055d52a82bc9088be50e933e0d8767e0689dfd47bc16fdb7199b8d6bfb46f02e9a05e3e7b6c888c1b1e1841e762ee7a5d06d3e61eb8b8a537540ded8f36285b41a08232154563662c1e1c4475c577216d3bd3a37a9ee71df1446a4bd40000000c8bc28944c1a91480b59aec240fb88ef1eb767df49acb47d275980855cf6c134394ec26feeaacba9d7663fbef5df348fe0d488198c846fad9fdb0ee1ee283e3f C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424591729" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a8076000000000200000000001066000000010000200000006021631178d88140d549010b64130c912e64a024980487be6286c8668137b973000000000e80000000020000200000005789b5055ba3089d6829c1a33fdb9b2fce0b7e38b50ccf8c8aee698acdb2f4bc200000009866af0d5c529b141d07765bfae38f085fbd59a56707af8b69783dfc7773cde0400000009afe8e07e946beb99c258c2a2446b7045a831a2f7d2ebfa8fc465423dea07ebd2583b48d505a4125b12c5a16114ac5dd4a4e50244995405c10ede5883c5b711a C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{60E6E831-2AD9-11EF-B98D-FE0070C7CB2B} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30de6136e6beda01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 2668 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 2668 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 2668 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 2668 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2668 wrote to memory of 2088 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2668 wrote to memory of 2088 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2668 wrote to memory of 2088 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2668 wrote to memory of 2088 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2088 wrote to memory of 2680 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2088 wrote to memory of 2680 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2088 wrote to memory of 2680 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2088 wrote to memory of 2680 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.SDL2.Common.dll.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2088 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab8CC8.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar8D86.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 96598cebf06ef19a0decf24ab214d8c9
SHA1 090b61111347530ea75baa751f6fb227c65a72c5
SHA256 84361c6d43e76d02885b1aee95d8e7028d4eb75f584339a5cc5f0e757bdb3de5
SHA512 2ca66fdae55834b241b700ce83ee73691d9530909732f7c4bae9f1236e189b6e87a88bf505d6c4f8e5000d758ea59d996dec02689f222019cee909c2ef0bc5a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b70ff96f391352491ce56c035955d3e
SHA1 f28047929b77843a23e3831b30ce39d251f38942
SHA256 d3192a1fccd1fbe6aedfe2c0f9cb5a59dcd1352936a791035b52606ff4956c2d
SHA512 86580d775a025755e1679fdcb31a77af75acb5198661f440004761f9a8bd12d9b0fce94ab2b32e73544db9c0924082bb24d4887625f3505d76724a5d285a4978

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0b41517aef1d4fce17f77784ed60ded5
SHA1 00d7eb2a826da469b1277cdf84bb370b87a4fc26
SHA256 5c0580de29a03a7ec9ed538a84d822bf9faa958def538ee156afd007b0fbdd09
SHA512 c83c697d3d5bc437fadc99c332a5a88b7e93cefe4c19660298b3d993f93d4b72367beaf4cb31e5d3d219282619b7531aec5a609bcb1540f1751477470aea59e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1bf7f8e3857310be8d94512b4f43b923
SHA1 209d4da37a8a5c3fac0ec03859448809a240c97a
SHA256 00b8f9bc37c4397290dbbb3471b9c15efacfdecff8efd7fee0481db99f1dc7f2
SHA512 474f14baefe393b13c4988c35afddee844df14e151ec147f0cc487d67e7e41ee576310315f492e9dcff87033e3e5dd8d6fcb915432a184f5227a21dfb753fd7e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d9d97b06a149751bc7969a2b53e7ce12
SHA1 6f602f334740b595ebb4011cab7efa8fea9be7ac
SHA256 85e3fe14447c9aeb39d380bb28082adf4fa35219cb44f3d7c2cca98c2faf659e
SHA512 2325e091a06cfa837866a89107e20c2fd20a0788b24c7933af6a010674df2d32c129cf59bbccbc8fd1b01e046563cdebbc5576e83dc8d61972f914fc81f61949

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c00a8fe16ff9f400d9a2349ecf4cb40e
SHA1 4cf43429232de63045556024910930e51f286139
SHA256 7b76281198fcd68f04502b7834c3d62a0078f25845014b8732e60ec6c3c8973e
SHA512 06dd7b7eab097c480a1210eb20f28af7695ee595b9324fdc3bc2349a3902a17578fa0929d8984d1308da85c54270ff5881f0be7232edd6216bbd96fb5c347ef0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5ebfc7d972cfc6709cf16bd947a4e582
SHA1 5314e082c4f648e6ac7ad5481087ef71e7f34065
SHA256 ed708356a253a202bf81d2f4c82fdf20153d7dbf5ddf3057089d60a6ba8d5363
SHA512 6b68be43f40de054476d28c85e52016409f7c109f2812fabfe97785986005308f5522f6042ee0e597d440b31855c48e33a0679c17294b7af3339a25af6d532c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c801e52a40fc429420edd4d49515251c
SHA1 33ae81b5752d3ee56b135799a43b1bc154d27e23
SHA256 9cca82012a29b6c6749a32a2f2a8fa3dc50532ae389f601aa147e3bfdb2fd139
SHA512 d666bdd02daf512f62a03e9118bb25101e08481997185828371be1c790bc1c35a8218faa4fe44566c56cb8ba46958d11f20168cccb3493199cb14a17ddf7b918

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2026ce873d971dc7cdd8fbe4da0ff183
SHA1 e9c103f0e22f54115fae13d9ad3bf0e8a8ec7630
SHA256 3804d0dd87e5ba3957e12715c8ca535ae6921f9463cbadadaefd8117dd034c15
SHA512 fb1b1c6393d54ba2d547037e155b3a82d2a9e5c26523a965534de4a5cb48b260d4a8efe2565670c2eda71275fe56d49f601ad99d619a8f82a9f5d41a9186bf6e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 20640e1bcbb8c7d7e477b21680fbe913
SHA1 45c0688a53df69c42a51acf16fa36b6e02111d85
SHA256 1c2ad08eb0a9d16c6b7a98289b0a130247b2ceea2e0964736de32779e00490b8
SHA512 ec1e2762c2af12a5a056228f982f34ce2b919728357d09c1722b7dc5ad398bbb91c3731140e0559b9e5220832f7244d7fa7ce383dd93ed81285be860c5d7c001

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 41df66fcb7eb234ce241b19f058be384
SHA1 1e72e4339a655abc44457517af72aa1cc4dd2367
SHA256 1b26dd202557a76a1286ff33a2506e790337db5588a749be5f71a3f6898480b1
SHA512 22b2ef5cb65b33e8512236502a63b68042396db6f09013c6cfb2c152d6c3fa1c7824bb429a98ce47fefb999f1aa55a32e666dabe2fd5293130762b6cc7f3bf90

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8126144ab738bbc6e701b9cb8fab51c3
SHA1 4b9b0f9faf6a25a847e817575874e3a94f369382
SHA256 1339dfcd5f55eca0aae2e87c8dfa185e08534e2c0d67897c10a439a2eb64b264
SHA512 bf752e489c8aa968698234605d6818f298aea80b33f5442661ff9f4cd38cd06be131a8a3d13d3d9809e2181b8c29e4289cad73e3fe5497eaad6bb88a179d8a3c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a9cce3f063b9c56a93da6ad901d28784
SHA1 9e218a34e9d34093ed5371c4e1cd4867238e3b58
SHA256 bb4c13ff11d967a72f8390d10096aec861c0636e4a048b8d8ee35e5780ad297e
SHA512 e4a78e03cc5bdda4e61789a0c08da67452eeafb80792279bb885695795f9051805ecf40af707273f7caf03b8ebd20db1eafcef8383406ba5d98a290588a93a2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 17d2f0d86e271749f3fbfe0450191e28
SHA1 69746c47568e37e4a2a1187d958524e036660f44
SHA256 3057ed44e1dd7635fe2e3b82328ebebb308be008e306b8c67cf4c7f0fc18b28f
SHA512 9c5d0c86c27d7c201e5ca3a361bd4a4e3456425f2e953e039364ef73a4921f1a2a4911f2252acd169d5ef9def7f21fbe6a39b533c3e939703d3eb6784cacc9b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3a8dc93ac1c458599425f5017153039f
SHA1 fe2267b60cee1b9c39fc37e663ee2ebf7d423065
SHA256 1c5ccfc0f0b3626fc61eab47c8d80fe49c9e68157cc85862abaa578ae6071c57
SHA512 a3cf18533d7dd1f02d2b631971857b5c0df337d87016e44cbc065bf13db9e19dc73f391167e2ac21a355617e8ef31ec6209356f145b7aea92bbf73a03e3647a2

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

153s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\publish\LICENSE.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\publish\LICENSE.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
BE 23.41.178.51:443 www.bing.com tcp
US 8.8.8.8:53 51.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe

"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe"

C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe

"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe"

Network

Files

C:\Users\Admin\AppData\Roaming\Ryujinx\Config.json

MD5 3a626753d8c1e8270684db2a7fbf86c8
SHA1 6ee37f65103d7cf50d0738b4cc89eb541db61f6f
SHA256 9c94eea0de582e218dbed34dd7f22255b94df9238ef597c41d0b93117ded1aa3
SHA512 b4def7780d81c1d948921921c7415b6be7b60817ceea9bd24f8d0395fd22026dd6506e8203dad3dd16ef1c36c9d57ccf83019a3ce6d13e0e6a3a455666670bb4

C:\Users\Admin\AppData\Roaming\Ryujinx\Config.json

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData1

MD5 d9be70d41561d491f34e41829a183fd6
SHA1 abff3d778bf46e1114049c1c01a96ad0b1f2332f
SHA256 f2b3d3ebe33566c1bd96b558011a4d117cda34f15db01c0f829bf74ba1fe51cd
SHA512 e034229340f16402d9bf9a16e1175f75929fec14e9b1e12c7bfb4110a62510de9a3a8badf3d4c4b844e2bd30532b6a8e0d5f69970ef210b467392ecae6c9bb5d

C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData_

MD5 6a2a182fab52b3e18295490ba8d0f459
SHA1 363d0d797ae2be6967c67ef9b83baf11357882bf
SHA256 acbf5b3a47e1ae1c7f26ba3769231f2362fdbd32f2ec0642c0c715652df050b0
SHA512 a51676edead6a02c7871329bd3a4fe3359befcd049259170a19f1334c722b0f9953cf745d0234c3b145c70fa3ed5bb29b9662db23a1c20673b8666b63dd69ecc

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win7-20240508-en

Max time kernel

122s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libHarfBuzzSharp.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 1996 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1924 wrote to memory of 1996 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1924 wrote to memory of 1996 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libHarfBuzzSharp.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1924 -s 80

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win10v2004-20240611-en

Max time kernel

123s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libSkiaSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libSkiaSharp.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4440,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=4452 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 23.41.178.27:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 27.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win10v2004-20240611-en

Max time kernel

147s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libHarfBuzzSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libHarfBuzzSharp.dll,#1

Network

Country Destination Domain Proto
BE 23.41.178.75:443 www.bing.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 75.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:44

Platform

macos-20240611-en

Max time kernel

121s

Max time network

151s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/publish/libarmeilleure-jitsupport.dylib"]

Signatures

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/publish/libarmeilleure-jitsupport.dylib"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/publish/libarmeilleure-jitsupport.dylib"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/publish/libarmeilleure-jitsupport.dylib]

/bin/zsh

[/bin/zsh -c /Users/run/publish/libarmeilleure-jitsupport.dylib]

/Users/run/publish/libarmeilleure-jitsupport.dylib

[/Users/run/publish/libarmeilleure-jitsupport.dylib]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nsurlstoraged]

/usr/libexec/nsurlstoraged

[/usr/libexec/nsurlstoraged]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pluginkit.pkd]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater2E18A62F/OneDrive.app]

/usr/libexec/pkd

[/usr/libexec/pkd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.suggestd]

/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd

[/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.knowledge-agent]

/usr/libexec/knowledge-agent

[/usr/libexec/knowledge-agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.siri.context.service]

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService

[/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country Destination Domain Proto
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.189.173.6:443 tcp
US 8.8.8.8:53 api.apple-cloudkit.fe2.apple-dns.net udp
US 8.8.8.8:53 bag-cdn.itunes-apple.com.akadns.net udp
US 8.8.8.8:53 gspe1-ssl.ls.apple.com.edgesuite.net udp
GB 104.77.118.129:443 tcp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
US 8.8.8.8:53 cds.apple.com udp
BE 104.68.86.71:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
SE 23.34.233.79:443 help.apple.com tcp
SE 23.34.233.79:443 help.apple.com tcp
N/A 224.0.0.251:5353 udp

Files

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 50e07abef86d4a0776feb952d0800e34
SHA1 91d17a599f6e1af6c64993ab85afcf20d70344e1
SHA256 5d9aedaa776f07c835e19b00483f7b0e5e31ffb5b0b3ca95b2a4b120f06e487a
SHA512 1492d435dac4bc5ab3395c8453a56e240b9d33a73eaa8040bfa8b542ab94432c6b1f41f9858020c693b936173edd44474537640acff344ac38a660eef1a3b8d8

/Users/run/Library/Cookies/HSTS.plist

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:40

Platform

win7-20240611-en

Max time kernel

122s

Max time network

132s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libsoundio.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libsoundio.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win7-20240508-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\OpenAL32.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\OpenAL32.dll,#1

Network

N/A

Files

memory/2976-0-0x000000006F000000-0x000000006F235000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.SDL2.Common.dll.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.SDL2.Common.dll.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
BE 23.41.178.88:443 www.bing.com tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 88.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/3912-0-0x00007FF8F7E10000-0x00007FF8F7E20000-memory.dmp

memory/3912-2-0x00007FF937D90000-0x00007FF937F85000-memory.dmp

memory/3912-1-0x00007FF937E2D000-0x00007FF937E2E000-memory.dmp

memory/3912-3-0x00007FF937D90000-0x00007FF937F85000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win7-20240611-en

Max time kernel

139s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe

"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp

Files

memory/2212-0-0x000000013F947000-0x000000013F949000-memory.dmp

C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData1

MD5 b9c275593f63ee91531a0b885fbc22ca
SHA1 41a45307575587152c5a546c1c34e78debcbfa93
SHA256 dee2a3b349a28e8870004c31e443c6b16f0f83b48e32afcb09503771df6d3253
SHA512 ab509a871e58368cab2cbebb58a2bf39ed036db2dd915314f6714abf99a21a3414c855c2f752293e52aec03f42a5bab1122216140aa27fe8201aca4e32a53529

memory/2212-29-0x000000013F947000-0x000000013F949000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab74C5.tmp

MD5 2d3dcf90f6c99f47e7593ea250c9e749
SHA1 51be82be4a272669983313565b4940d4b1385237
SHA256 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA512 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe

"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4440,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData1

MD5 1304efe9e80b5666e4a78be4e7acaacc
SHA1 0adc37ca190119c22000de2f6c273582b679d841
SHA256 97b3ddfeb02f7aa3bc0e1bf8243199baa1e1bed13be17a9a8d942b03af237afd
SHA512 2fbcd0c0946325c8aa5881db93e5d7e8367f3b0146d5fec97e45bc320a34d3677563cc5cb108f285fc26c1c58eb055e3cf24ed968da0aded056617bb416bca9c

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:40

Platform

win10v2004-20240611-en

Max time kernel

91s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\avutil-57.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\avutil-57.dll,#1

Network

Country Destination Domain Proto
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
BE 23.41.178.59:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 59.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/4368-0-0x00007FFA31270000-0x00007FFA31443000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win10v2004-20240508-en

Max time kernel

50s

Max time network

52s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\publish\alsoft.ini

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\publish\alsoft.ini

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libSkiaSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libSkiaSharp.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win7-20231129-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\glfw3.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\glfw3.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\glfw3.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\glfw3.dll,#1

Network

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:40

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\OpenAL32.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\OpenAL32.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
BE 23.41.178.80:443 www.bing.com tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 80.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/3624-0-0x000000006F000000-0x000000006F235000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

153s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\publish\THIRDPARTY.md

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\md_auto_file\shell\open C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\md_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\md_auto_file\shell\edit C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\md_auto_file\shell C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\md_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\.md C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\.md\ = "md_auto_file" C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\ⶹ숐㠀耀\ = "md_auto_file" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\md_auto_file C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\ⶸ숗㜀蠀撠‾ʮ C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\ⶸ숗㜀蠀撠‾ʮ\ = "md_auto_file" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\ⶹ숐㠀耀 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\md_auto_file\shell\edit\command C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\md_auto_file\shell\open\command C:\Windows\system32\OpenWith.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 676 wrote to memory of 5104 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE
PID 676 wrote to memory of 5104 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\publish\THIRDPARTY.md

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\publish\THIRDPARTY.md

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 23.41.178.58:443 www.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 58.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:40

Platform

win10v2004-20240226-en

Max time kernel

135s

Max time network

163s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\av_libglesv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\av_libglesv2.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win10v2004-20240508-en

Max time kernel

50s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\avcodec-59.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\avcodec-59.dll,#1

Network

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win7-20240611-en

Max time kernel

142s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\avutil-57.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2804 wrote to memory of 2060 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2804 wrote to memory of 2060 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2804 wrote to memory of 2060 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\avutil-57.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2804 -s 96

Network

N/A

Files

memory/2804-0-0x000007FEF5890000-0x000007FEF5A63000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win7-20240508-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\avcodec-59.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\avcodec-59.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win7-20240508-en

Max time kernel

145s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe

"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe"

C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe

"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe"

Network

N/A

Files

memory/836-0-0x000000013F877000-0x000000013F879000-memory.dmp

memory/2796-1-0x00000001404C7000-0x00000001404C9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData1

MD5 307dd26b2bf752e9f97154bbe5a6a91a
SHA1 3abe68083ead89def3ee73b1b0557b19e3c4c357
SHA256 8b83d3f21ccdfbac6a031ef5cc94df7a602d196660ef70653c37ef8a3f94a2b4
SHA512 67e92f847e217846f842f03ee1a6014140890db45a3820842bdf2900185703bbb0436804d634b3946d66aa372e42f3e089c1479746f7278c64b7975d4bf91517

memory/2796-30-0x00000001404C7000-0x00000001404C9000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win7-20240508-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\SDL2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\SDL2.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win10v2004-20240611-en

Max time kernel

146s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\SDL2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\SDL2.dll,#1

Network

Country Destination Domain Proto
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
BE 23.41.178.75:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 75.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\publish\alsoft.ini

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\publish\alsoft.ini

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:40

Platform

win7-20240611-en

Max time kernel

118s

Max time network

125s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ryujinx-1.1.1330-win_x64.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ryujinx-1.1.1330-win_x64.zip

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win7-20240508-en

Max time kernel

118s

Max time network

120s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\publish\THIRDPARTY.md

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\md_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\md_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.md C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.md\ = "md_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\md_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\md_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\md_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\md_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\publish\THIRDPARTY.md

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\publish\THIRDPARTY.md

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\publish\THIRDPARTY.md"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 f56c3a782428d0a76fd5711dfa835e83
SHA1 bbc096c7e1a896fe4a8ebec58f156b4efc64c291
SHA256 54039473a5e0da1c5d78cddade77418e23083a58090d56399b781c515a13afc6
SHA512 3308a9ebd5a3e2d2df44f64b39ba282870a421e004a10102e775391676ba8b4c75a5795cdfe1e8c86a5a009548339edefebefc83d17d60192b31485eff81f11f

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-15 05:07

Reported

2024-06-15 05:39

Platform

win7-20240508-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\av_libglesv2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 2148 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2132 wrote to memory of 2148 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2132 wrote to memory of 2148 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\av_libglesv2.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2132 -s 88

Network

N/A

Files

N/A