Malware Analysis Report

2024-10-10 07:34

Sample ID 240616-r9bqtsxdrd
Target ryujinx-1.1.1332-win_x64.zip
SHA256 bfefc9749331cb2575abc6e87005a5316631b19b2d7ba149e28dcec6057ccd9f
Tags
score
7/10


Analysis Overview

score
7/10

SHA256

bfefc9749331cb2575abc6e87005a5316631b19b2d7ba149e28dcec6057ccd9f

Threat Level: Shows suspicious behavior

The file ryujinx-1.1.1332-win_x64.zip was found to show suspicious behavior.

Malicious Activity Summary


Checks computer location settings

Deletes itself

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 14:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win7-20240221-en

Max time kernel

117s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\avcodec-59.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\avcodec-59.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win7-20240611-en

Max time kernel

118s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libHarfBuzzSharp.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 2412 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libHarfBuzzSharp.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2384 -s 84

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win10v2004-20240611-en

Max time kernel

146s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libSkiaSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libSkiaSharp.dll,#1

Network


Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\OpenAL32.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\OpenAL32.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/4412-0-0x000000006F000000-0x000000006F235000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win7-20240221-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\SDL2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\SDL2.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win10v2004-20240611-en

Max time kernel

96s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\av_libglesv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\av_libglesv2.dll,#1

Network


Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win10v2004-20240611-en

Max time kernel

133s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe

"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4084,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=3688 /prefetch:8

Network


Files

C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData1

MD5 f2166314dfaaf8bba094ac4f4b60d242
SHA1 5d0adcc387e779d66da58597a990fc37ebc23ce6
SHA256 85658dda2b397e430012740eb7978387db0428970e12749d0022dd3946076a8f
SHA512 080bfe828828fbb45c2969615eceaa0aa55c9d1475d2faca6d42963c36f89e12d126337c43c0ba8454c1e0336ca8e97895c6cdfab23d3a8c957ee558cdd5abdf

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libHarfBuzzSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libHarfBuzzSharp.dll,#1

Network


Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win10v2004-20240611-en

Max time kernel

147s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libsoundio.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libsoundio.dll,#1

Network


Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win7-20240221-en

Max time kernel

150s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\OpenAL32.dll,#1

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 2212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2212 wrote to memory of 2716 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2212 wrote to memory of 1960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2212 wrote to memory of 1448 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\OpenAL32.dll,#1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2212.0.547805855\780381356" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd314ea0-77f7-4ec9-82ae-c83535685ead} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" 1300 110d5258 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2212.1.384545285\723266756" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4437d488-6a0f-4cdc-8f6b-9730d9103b37} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" 1488 e72558 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2212.2.1369094977\297156278" -childID 1 -isForBrowser -prefsHandle 940 -prefMapHandle 860 -prefsLen 20933 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {511d9549-60a4-4a0e-8087-a0e581c2c8e6} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" 1068 1a295958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2212.3.109809501\730388042" -childID 2 -isForBrowser -prefsHandle 2412 -prefMapHandle 792 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b5108bd-4a64-42ee-9e48-12917552096d} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" 2516 19b96e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2212.4.789885443\1881749684" -childID 3 -isForBrowser -prefsHandle 2904 -prefMapHandle 2900 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f990641a-02f4-4707-b984-846e2aec60a6} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" 2916 1cf09258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2212.5.1298130800\950700441" -childID 4 -isForBrowser -prefsHandle 3720 -prefMapHandle 3708 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e9e9e0d-5e1d-4b26-aef1-e4810442334f} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" 3724 1e7f9558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2212.6.1911048926\2086154872" -childID 5 -isForBrowser -prefsHandle 3832 -prefMapHandle 3836 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6549d5f2-c2f3-4ab1-824d-d4b1a40f3eb4} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" 3820 1e7f7a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2212.7.1662221346\1913926499" -childID 6 -isForBrowser -prefsHandle 4008 -prefMapHandle 4012 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b07881c-ae8f-457e-a73b-25913ebd9ea7} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" 3996 1e7f9b58 tab

Network


Files

memory/2736-0-0x000000006F000000-0x000000006F235000-memory.dmp


MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 a2ffce9200aae731041efd2af9dc9b00
SHA1 79f47c99dbbfd8f103309538516887265c087adb
SHA256 c9757e1d7b33333d4306f9e3478f7fbef91b208a7e6a684b38a07b510adc8930
SHA512 dcfb64d8ca2fc018de57d4662db6ba0195f4c3f9bcc6f570b784571852c2039497adb4b7edf83d6b461ecb68f779242619076903707ee31f891474d552664dfa

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0rowjuc9.default-release\cache2\entries\383A97A57B113BD106DE6984E6DBA5F537327263

MD5 cc24e5541e7dcadd4b1b56b90894f1b3
SHA1 ddc2f5cd5da64fe74d007af5eb39a95f20831d48
SHA256 9a514dbe5f17f59608462d039071b3eb375411c10ab53c60c478576a6d857620
SHA512 883d985f06990b8213fb6fc1b12d82a9bc6ac1786ed0378192e18b25d8cef0d624c7c8699d5a04ee63bc1a0191eb0673119401d0b5c39a87ed44d16a1ec6b48f

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win10v2004-20240611-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe

"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe"

C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe

"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\Ryujinx\Config.json

MD5 3a626753d8c1e8270684db2a7fbf86c8
SHA1 6ee37f65103d7cf50d0738b4cc89eb541db61f6f
SHA256 9c94eea0de582e218dbed34dd7f22255b94df9238ef597c41d0b93117ded1aa3
SHA512 b4def7780d81c1d948921921c7415b6be7b60817ceea9bd24f8d0395fd22026dd6506e8203dad3dd16ef1c36c9d57ccf83019a3ce6d13e0e6a3a455666670bb4

C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData1

MD5 5128087db232b6eefcf2b6f3b6094dd8
SHA1 534af183d50ca1b14f2f4015d3f8666d77607a97
SHA256 091f8fe85801923886ce2da547762ae89ca822928ce0c80625685b668e4da3a1
SHA512 c102646722d0c8300c1a98dfc2d04aeb37ed42c299a9f86a0e6647486cd6128d4527a4f6e68c7476db77a0b6ec9e73b0ed93868d04da1e723b10104b686db19f

C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData_

MD5 e659ad65193c6cebaea6eb132b3176b1
SHA1 32febfab1dee2c1d566c363f0e7426ac43d3b3e3
SHA256 0c6b058e15c7cd1bf66c7eb5315d26a7512c4bd5c0e109df0b06f971d9ecc02b
SHA512 7938f76f980873aa247e1d5171b29641cbea976a66e40c012067370164c709a0a64c085ba01a7b0648974aaf0c26a8555290f5f6caf4733656162b0bbdd6f50f

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 15:02

Platform

macos-20240611-en

Max time kernel

91s

Max time network

149s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/publish/libarmeilleure-jitsupport.dylib"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/publish/libarmeilleure-jitsupport.dylib"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/publish/libarmeilleure-jitsupport.dylib"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/publish/libarmeilleure-jitsupport.dylib]

/bin/zsh

[/bin/zsh -c /Users/run/publish/libarmeilleure-jitsupport.dylib]

/Users/run/publish/libarmeilleure-jitsupport.dylib

[/Users/run/publish/libarmeilleure-jitsupport.dylib]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterBCBF2C69/OneDrive.app]

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp
US | 20.42.65.93:443 | N/A | tcp
US | 8.8.8.8:53 | api.apple-cloudkit.fe2.apple-dns.net | udp
US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp
US | 151.101.195.6:443 | h3.apis.apple.map.fastly.net | tcp
US | 151.101.131.6:443 | h3.apis.apple.map.fastly.net | tcp
US | 151.101.67.6:443 | h3.apis.apple.map.fastly.net | tcp
GB | 17.253.77.201:80 | valid.apple.com | tcp
N/A | 224.0.0.251:5353 | N/A | udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win7-20240508-en

Max time kernel

117s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libsoundio.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libsoundio.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\avutil-57.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\avutil-57.dll,#1

Network

Country | Destination | Domain | Proto
US | 23.53.113.159:80 | N/A | tcp

Files

memory/1932-0-0x00007FFF67360000-0x00007FFF67533000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win7-20240508-en

Max time kernel

120s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\glfw3.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\glfw3.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win10v2004-20240226-en

Max time kernel

136s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\glfw3.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\glfw3.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 216.131.50.23.in-addr.arpa | udp
GB | 23.44.234.16:80 | N/A | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 13.107.253.64:443 | N/A | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 215.169.36.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
NL | 52.142.223.178:80 | N/A | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win7-20240508-en

Max time kernel

119s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\av_libglesv2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2580 wrote to memory of 1512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 2580 wrote to memory of 1512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 2580 wrote to memory of 1512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\av_libglesv2.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2580 -s 88

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win10v2004-20240508-en

Max time kernel

77s

Max time network

103s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\avcodec-59.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\avcodec-59.dll,#1

Network

Country | Destination | Domain | Proto
US | 52.111.229.48:443 | N/A | tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win7-20240611-en

Max time kernel

142s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\avutil-57.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2192 wrote to memory of 2340 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 2192 wrote to memory of 2340 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 2192 wrote to memory of 2340 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\avutil-57.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2192 -s 96

Network

N/A

Files

memory/2192-0-0x000007FEF60F0000-0x000007FEF62C3000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win7-20240508-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libSkiaSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\libSkiaSharp.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win7-20231129-en

Max time kernel

145s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe

"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe"

C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe

"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe"

Network

N/A

Files

memory/2344-0-0x000000013FBA7000-0x000000013FBA9000-memory.dmp

memory/2144-1-0x000000013F1A0000-0x000000013FB0F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData1

MD5 0052b36964fb752d4560f141ea1a76e4
SHA1 6c493ec3db4a0a060b95938e9b77f63f8cf4cbc3
SHA256 0f2da26763b1793cca4ca30eac488774d70d34e3507aea78c8f8a3cc1984bbb0
SHA512 e01277d7dfb98130bea63077ded80e53a74941eab02a95ef6d8947f31d747c89aaea5afddc17d9108a83a2ec32606df5f8e6cc6f7d37f582d85352e798898024

memory/2144-30-0x000000013F1A0000-0x000000013FB0F000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win7-20240611-en

Max time kernel

122s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe

"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe"

Network

N/A

Files

memory/1520-0-0x0000000140377000-0x0000000140379000-memory.dmp

C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData0

MD5 6d92289be7aba1d1b3962ace4000b13c
SHA1 1f64240aaee854253a3956643e94caabd4a7d4a3
SHA256 1d17c36ca470af095c58329fcb601fbb084b4e6f494eb73ba480e2a55bba36da
SHA512 db2aebf66ba476745af037abe1842bc8227d7e89b3eb532320e3cb3e82e501d787d16dbf122e673d83b8a3443ebf75925b8f056a32967da02b1a8730882f751a

C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData0

MD5 4ced1f31ead6b0568e8dca4c7932bdb4
SHA1 e91e39ddb09f3574053df2fc9803502dd4d0e711
SHA256 7cec1524d213e019e78955351e6c8aa9d46a03679363c4fca782054c23ee3da8
SHA512 449bbeab78d27e7e6136d902c1566c7308c458d5553b7dd191c3da697c671f2839ae83ab0ca1589f8d27febdadf902e3f76859294555de5d39ad8bb0be189cf4

memory/1520-29-0x0000000140377000-0x0000000140379000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-16 14:53

Reported

2024-06-16 14:57

Platform

win10v2004-20240508-en

Max time kernel

50s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\SDL2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\SDL2.dll,#1

Network

Files

N/A