#Support ruffianed
yeah a lot of them were created and it’s a bit suspicious to me
and the function virustotal is saying it does is also anomalous
someone explain why it's editing registry keys and creating a non-native .exe (loaddll64.exe); it doesn't seem like this mod has any reason to be messing with registry keys or anything of that nature
have to say, it is only flagging on one vendor
have you tried just deleting the whole thing and seeing if your game still runs?
also I'm assuming you're on windows?
yes i am on windows. i deleted it but also removed everything else skyblock-related in case it is something malicious. despite only one vendor flagging it, the operations of the file seem very strange
the filename points to what it says - a repo used for brotli that's included in skytils
not sure about it creating dlls and a bunch of folders tho
why is it messing with my registry keys?
not a clue
do you know which ones
check the behavior on virustotal
does anyone have an answer to this???
i believe this is an important security issue that needs to be addressed
I think when downloading stuff it gets temp stored in there and maybe it just doesn't finish the download or it just doesn't clear the temp files after the download (and/or this is a bug that downloads the file on every start-up, but I don't have time to verify any of this)
the file itself just seems a bit suspicious
So who flagged it and what for?
I'm not sure, but I would like for the developers to look into it because now I'm concerned that my computer has been infected from this mod
Well if we can't tell by who or for what there isn't a lot to look into
Probably just the normal virustotal behavior
no, look at the behavior of the file... that's not normal what it's doing
Then what's it doing?
it's altering registry keys
Yeah all I really see is permission checks and windows error reporting
Anyway I think the code can be found at https://github.com/hyperxpro/Brotli4j
why is it accessing all of those folders and keys?
why does it install an external executable "loaddll64.exe"?
why is it messing with werfault which is commonly what malware will hijack?
and why does it need to access all these folders? it's very strange..
- So it can run
- Because there's probably only a loaddll32.exe installed natively
- Just using Windows Error Reporting shouldn't really be of any concern
- For specific reasons/implementations I would just check the source code if I were you
here's what ChatGPT has to say. i entered the source code as well as the virustotal analysis
Conclusion:
ChatGPT is dumb
If you tell it "accessing xyz is possibly malicious" it'll tell you that it's malicious
Also, in the Conclusion it's saying that the library is for Hypixel SkyBlock, but it isn't; it's a Java port of Google's Brotli stuff
(the exception is, if it's something that's already well known for not being malicious, but that's not the case here)
ChatGPT is good for:
- Asking what something is
- Asking how something may affect something else
ChatGPT is not good for:
- Malware analysis
ok, so let me ask you something:
Adobe modifies some registry keys
Notepad++ modifies some registry keys
A ton more programs free or paid have to modify registry keys
Are those programs malicious?
And to counter the other points too, other programs have to install an external executable, sometimes multiple. Those are malicious... right?
Also, werfault is, you know, the place to report problems that happen. So, you know, other programs are malicious too because they have to mess with it, right?
also, what folders? Unless you mean registry key folders, in which case see above.