Safe
Ryujinx emulator archive; zero tier-1 detections; heuristic triggers on benign DLL loading and DNS resolver contact.
aedbc0cff468c69d9d…83cb70f83c
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The file is a legitimate, widely-distributed emulator archive with zero malicious detections from high-trust engines. The triggered heuristics (T1055 process injection, direct-IP C2) fired on benign patterns: DLL loading is normal for multimedia-heavy software, and the contacted IP is a public DNS service. The 536 unique submitters and 'common_new' prevalence classification confirm this is a known, legitimate release. Dropped children are all safe or unknown, with no malicious verdicts. The absence of any tier-1 consensus on malware, combined with the file's legitimate identity and benign runtime behaviour, strongly indicates false-positive heuristic triggers.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- tier1Malicious=0; 17 tier-1 engines (Kaspersky, BitDefender, ESET-NOD32, Avira, Fortinet, F-Secure, Emsisoft, Ikarus, GData, DrWeb, Avast, AVG) all silent
- Ryujinx is a legitimate open-source Nintendo Switch emulator; filename matches official release pattern (ryujinx-canary-1.3.308-win_x64.zip)
- Prevalence: 536 unique submitters, 580 submissions, classified 'common_new' — consistent with widely-distributed legitimate software
- Contacted IP 162.159.36.2 is Cloudflare public DNS (1.1.1.1 range), not a malicious C2; process injection is rundll32.exe loading multimedia DLLs (OpenAL32.dll, SDL3.dll), standard emulator behaviour
- Dropped children: 4/4 cached verdicts 'safe' (scores 88-92); no malicious children; no malicious sandbox verdict; no persistence indicators
- Zero tier-1 malicious detections; 17 high-trust engines silent
- Legitimate open-source software (Ryujinx emulator) with established GitHub presence
- Common prevalence (536 submitters, 580 submissions) — widely distributed and known
- All cached dropped children verdicted safe (scores 88–92)
- No malicious sandbox verdict, no malicious contacted hosts, no persistence indicators
This file is safe. The heuristic alerts are false positives on benign emulator code. You may download and use Ryujinx from its official GitHub repository without concern.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 162.159.36.2
- C:\ProgramData\Microsoft\Windows\WER\Temp
- C:\ProgramData\Microsoft\Windows\WER\Temp\7141e594-59aa-4d3d-a600-b8ab3e9c8c29
- C:\ProgramData\Microsoft\Windows\WER\ReportQueue
- C:\ProgramData\Microsoft\Windows\WER\Temp\3a5fd360-9316-46fe-b681-c9825c03e629
- C:\ProgramData\Microsoft\Windows\WER\ReportArchive
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER3812.tmp
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER462D.tmp
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A25.tmp
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER3812.tmp.dmp
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER462D.tmp.WERInternalMetadata.xml
- Local\WERReportingForProcess3824
- Global\AmiProviderMutex_InventoryApplicationFile
- Global\0c82ddb6-840b-4189-bcc2-7f5be7d3c852
- Local\WERReportingForProcess2936
- Global\638779d0-860e-4a29-8516-d6eaa49fc82b
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- 24f7ebff5cf7766523de…65b40f: Never scanned (never seen before)
- eb76238c9e8e41d44b5a…c14a7d: Clean, 0/75 engines, risk 88 (from our cache)
- 37b67ff73aa4fdd271c3…e21f5d: Clean, 0/75 engines, risk 92 (from our cache)
- 3d25343318ac33de9d0f…fd1a99: Never scanned (never seen before)
- 73973db3800599ea435c…978aed: Never scanned (never seen before)
- 9a0d95e8caaa852c70d0…a1dbcd: Clean, 0/75 engines, risk 88 (from our cache)
- 71b96643fc8c14c316a1…b9dccf: Never scanned (never seen before)
- 3dcbeae25f5a38935f00…a56bc3: Never scanned (never seen before)
- 781bbdf040b7d0286c47…2e56b4: Never scanned (never seen before)
- 9b203e40323b49dad295…a847d4: Clean, 0/75 engines, risk 88 (from our cache)
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence: "C:\Windows\system32\rundll32.exe" "C:\Users\<USER>\AppData\Local\Temp\publish/OpenAL32.dll",#1
Sample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: 162.159.36.2
0 detections across 75 engines
How often this file shows up in the wild
Lots of people are uploading this but it's recent — typical of newly-released legitimate software. Low prior for malware.
Forensic fingerprint
- File name: ryujinx-canary-1.3.308-win_x64.zip
- Size: 34.78 MB
- MIME type: (unknown)
- Detected type: ZIP
- SHA-256: aedbc0cff468c69d9d27251c5dc8d146111700dcaa1196b96cc91c83cb70f83c
- MD5: 0296c6d667cb1c7d45c98d61d67b5007
- SHA-1: 499892259c80bc3a3314c1a67d977cfd66fc326d
- First seen (VT): 5/31/2026, 6:48:32 AM
- Last analysis (VT): 6/10/2026, 10:03:16 AM
- First scan (MalwareTips): 6/10/2026, 10:11:31 AM
- Last scan (MalwareTips): 6/10/2026, 10:11:31 AM
Reviews & malware reports (0)