Windows
Analysis Report
Black Myth Wukong Sigma Downloader.zip
Overview
General Information
Detection
Score: | 52 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w10x64_ra
- rundll32.exe (PID: 7016, cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding, MD5: EF3179D498793BF4234F708D3BE28633)
- Sigma.exe (PID: 3024, cmdline: "C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe", MD5: FEF6B28CE1384A402B6F2EB2162C07AC)
  - conhost.exe (PID: 5844, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 6212, cmdline: C:\Windows\system32\cmd.exe /c cls, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - WerFault.exe (PID: 6232, cmdline: C:\Windows\system32\WerFault.exe -u -p 3024 -s 1048, MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- Sigma.exe (PID: 6288, cmdline: "C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe", MD5: FEF6B28CE1384A402B6F2EB2162C07AC)
  - conhost.exe (PID: 1764, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 3768, cmdline: C:\Windows\system32\cmd.exe /c cls, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- cleanup
- AV Detection
- Cryptography
- Compliance
- Networking
- System Summary
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
AV Detection |
---|
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Binary or memory string: | memstr_66a773e9-5 |
Source: | HTTPS traffic detected: | ||
Source: | IP Address: |
Source: | JA3 fingerprint: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | Network traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | Process Stats: |
Source: | Process created: |
Source: | Classification label: |
Source: | File created: |
Source: | Mutant created: | ||
Source: | File created: |
Source: | Key opened: |
Source: | Process created: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | String found in binary or memory: |
Source: | Process created: | |||
Source: | Section loaded: |
Source: | Window detected: |
Source: | Static file information: |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | File opened: |
Source: | Window / User API: |
Source: | Last function: | ||
Source: | Process queried: |
Source: | Process created: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Rundll32 | NTDS | 1 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 52% | Virustotal | | Browse |
| 55% | ReversingLabs | Win64.Trojan.Suschil | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
api.steampowered.com | 104.71.182.190 | true | false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
104.71.182.190 | api.steampowered.com | United States | 16625 | AKAMAI-ASUS | false |
IP |
---|
127.0.0.1 |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1654174 |
Start date and time: | 2025-04-02 02:50:17 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 47s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 23 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Black Myth Wukong Sigma Downloader.zip |
Detection: | MAL |
Classification: | mal52.evad.winZIP@10/6@2/2 |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, SIHClient.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 13.89.179.12, 52.149.20.212, 23.205.30.245, 40.126.24.83, 23.57.90.149
- Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information
Time | Type | Description |
---|---|---|
20:51:38 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
104.71.182.190 | | Get hash | malicious | Vidar | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Vidar | Browse | |
| | Get hash | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader | Browse | |
| | Get hash | malicious | Vidar | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
api.steampowered.com | | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
AKAMAI-ASUS | | Get hash | malicious | Vidar | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
bd0bf25947d4a37404f0424edf4db9ad | | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Meduza Stealer, RHADAMANTHYS | Browse | |
| | Get hash | malicious | RHADAMANTHYS | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.7853289720975717 |
Encrypted: | false |
SSDEEP: | 96:w6DFaiIsUhWe7TvVQXIDcQODc6OgmcE1cw3hxPx2+HbHg/K1JeeonsFvHBW7ra/k:hAiI808D6x/Fj7zuiFpZ24lO8z9 |
MD5: | D9902DFCC791F26DAD76DF35C973AD6F |
SHA1: | 6518F749F616D755A4105C69275265EA54F1A76D |
SHA-256: | 407CF4AA45B567186694C7CB58E78DF25BA24FD532492EFF4063F79BC35B0D03 |
SHA-512: | 9B410D5A81A9C28D3DD022E1A27553238E08D9CC9F65FFCDCCE2C609216A0DAC921E5CC6432A3315A3C66AA22E6854F66551CB4BB3479E3D873DAD2CACC465E9 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 309500 |
Entropy (8bit): | 1.307767036662427 |
Encrypted: | false |
SSDEEP: | 768:EyY5VLqiG9FoOz2E3yHFX0I24YvZlDzT9WDdNOQn:r/iG9FoOyE3yHFX0I24YvZlDcOQn |
MD5: | 5F07A30901580AA8A8CBD3A734D6DFB5 |
SHA1: | 3F631C041C89DDBA4729DC13DE0BBC289FD069C8 |
SHA-256: | DAAC69226842FC583B1F6B5005D0E285EA9EF50F66751DDB9DFA09CD108DDB1E |
SHA-512: | AAC4E6917150769B7035E1D592E24F652B352B557B5AA5DF9B4AC143E53D38B802DABD8A8BA2BD5927F4223FC68707FE1D0AA80713652C75FD4369ADDE0763AB |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8746 |
Entropy (8bit): | 3.698497209428264 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJVTS6YnU/4gmfcmY2IrKprt89bYH1fkIm:R6lXJhS6YUQgmfcmY2IhYVfK |
MD5: | F434BB3914BD1F09B9174C4A57243DCD |
SHA1: | 5D01859A44252BE1756EB829C7BA6350B1F0F87E |
SHA-256: | 82FA228652B22A08DB4B039A5169C366D3459ACE06366D00EBCB15B0877CBD02 |
SHA-512: | 3D365DD30CE7B9F32E5891CED95C5A40AAA395414D4AC3ECC9376FD1F4962F0313D43AA0E86C4FBA888D7FD021757F72EDA522CE6EAF316C1A8F3F9F4B7D2C20 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4602 |
Entropy (8bit): | 4.421188312416305 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zspJg771I9FqWda80aQ6Ym8M4J726FeQoyq85Xv4Y/f2d:uIjf7I7aLdlQJCh5+4Y/f2d |
MD5: | FE13317E8D220F6169E929A293310BB7 |
SHA1: | D9273A9EBCAB3D0D21FEE6CC521277E83299C164 |
SHA-256: | 465BF27829BC865D251B126348C2D628C743EB9BE0642364EA7787F9CE93DDDA |
SHA-512: | 60D00BF4C281C3656F676135374A7161016F314B9B43548DB927A3A4FB319128C9E8BF5D8F88C299BB1185D86AE69E466CBCE7F9F0875501F81950B3BF422CE8 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 10039 |
Entropy (8bit): | 4.359905444201461 |
Encrypted: | false |
SSDEEP: | 192:YU9iVgKkHUIDMWAwJ+ujvyC1f6lPK9pino7BuzAFFd49nxUla5fgZljMggma:+VaV+ |
MD5: | 42477723E227FECF72DA06CC51161407 |
SHA1: | 97E4A32BC86F463888E6D307DAE4F9750666B289 |
SHA-256: | FF5982FDC40F127606CF5430A1872855A093A9B91775F87387F37DD614F23188 |
SHA-512: | 9BDAA5FA62A32062BE5F21E110A0CEB8DBEB72FA0E61B8C4F2F308C239B5F0D7CFB178D2CC2BEC0C72CFDD40179DD7C3E3E9D5A2A75B78DC1540D7604209F1A6 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.996770301859017 |
TrID: | |
File name: | Black Myth Wukong Sigma Downloader.zip |
File size: | 5'993'588 bytes |
MD5: | 20f570224521e29be00f00760eb19908 |
SHA1: | cb6a2f265e8b1f1af579fe2c8891af0fed54376a |
SHA256: | 7d77f7e3bc6e29e690679416e1bfd9eec3d4c38d5f62fd57cbfbd5ea2eed8f4a |
SHA512: | 554864980a6009914b16435a07f3892d8277b235915220f10db12a9fa17f479788bb71ab99ef204e3e01f8ae610923a18a55bf4c9cbf7e9ba6d376d13c026d33 |
SSDEEP: | 98304:y92MnCktXhi/mziR92lYuXT9yyESogtzt50QWLGtvd9Rtahx8enkGIYRc2G5xOl6:y92CFXhRQ9kPElgV4QWId9DaL8eXa2GF |
TLSH: | 895633AB4B5956BD26ABF32C282E82F6CF09D10C3C564C60109EF5F533DA8C5D6CAD16 |
File Content Preview: | PK.........rzZI)...q[.........Sigma.exe...x.U..\..N..TG@.$.H..A..5........... .FPF.t..E.N$..V.=..g.u.>u6.Q6.N...H"....Wl..3! ..9.V..D.7.....}..n.{......{.{....q...c1....?.w..|........J...n1.o..2..R{..Ew........s."...;.K.....cwO.l...yw.....C.q..W.....L..9. |
Icon Hash: | 1c1c1e4e4ececedc |
- Total Packets: 84
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 2, 2025 02:51:27.302573919 CEST | 54075 | 53 | 192.168.2.16 | 1.1.1.1 |
Apr 2, 2025 02:51:27.405354023 CEST | 53 | 54075 | 1.1.1.1 | 192.168.2.16 |
Apr 2, 2025 02:51:36.452719927 CEST | 55947 | 53 | 192.168.2.16 | 1.1.1.1 |
Apr 2, 2025 02:51:36.551925898 CEST | 53 | 55947 | 1.1.1.1 | 192.168.2.16 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 2, 2025 02:51:27.302573919 CEST | 192.168.2.16 | 1.1.1.1 | 0x3db | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 2, 2025 02:51:36.452719927 CEST | 192.168.2.16 | 1.1.1.1 | 0xc224 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 2, 2025 02:51:27.405354023 CEST | 1.1.1.1 | 192.168.2.16 | 0x3db | No error (0) | | | 104.71.182.190 | A (IP address) | IN (0x0001) | false |
Apr 2, 2025 02:51:36.551925898 CEST | 1.1.1.1 | 192.168.2.16 | 0xc224 | No error (0) | | | 104.71.182.190 | A (IP address) | IN (0x0001) | false |
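The network tables above are raw packet rows, so the questions a triager actually asks (which answer belongs to which query, how many packets each TCP conversation carried, and whether the sample talked to any address it never resolved) have to be reconstructed. The following script is an added example, not part of the sandbox report or its tooling: it parses the pipe-delimited rows in the report's own layout, joins DNS answers to queries on transaction ID, groups TCP packets into conversations keyed by the client socket, and lists any server IP that no DNS answer returned. The embedded rows are a constructed subset copied from the tables above; the Name and CName cells are left blank because the report does not show them.

```python
"""Correlate sandbox network tables: DNS query/answer pairs and TCP conversations.
Added example; rows below are a constructed subset of the report tables."""
import re
from collections import Counter
from datetime import datetime

# Three of the six TCP conversations from the table above (constructed subset).
TCP_ROWS = """\
Apr 2, 2025 02:51:36.757328033 CEST | 49732 | 443 | 192.168.2.16 | 104.71.182.190 |
Apr 2, 2025 02:51:36.757368088 CEST | 443 | 49732 | 104.71.182.190 | 192.168.2.16 |
Apr 2, 2025 02:51:36.757416010 CEST | 49732 | 443 | 192.168.2.16 | 104.71.182.190 |
Apr 2, 2025 02:51:36.757776022 CEST | 49736 | 443 | 192.168.2.16 | 104.71.182.190 |
Apr 2, 2025 02:51:36.757819891 CEST | 443 | 49736 | 104.71.182.190 | 192.168.2.16 |
Apr 2, 2025 02:51:36.757945061 CEST | 443 | 49736 | 104.71.182.190 | 192.168.2.16 |
Apr 2, 2025 02:51:36.757972956 CEST | 49741 | 443 | 192.168.2.16 | 104.71.182.190 |
Apr 2, 2025 02:51:36.757981062 CEST | 49736 | 443 | 192.168.2.16 | 104.71.182.190 |
Apr 2, 2025 02:51:36.758009911 CEST | 49736 | 443 | 192.168.2.16 | 104.71.182.190 |
Apr 2, 2025 02:51:36.758023024 CEST | 443 | 49741 | 104.71.182.190 | 192.168.2.16 |
Apr 2, 2025 02:51:36.758066893 CEST | 49741 | 443 | 192.168.2.16 | 104.71.182.190 |
"""

# DNS query and answer rows from the tables above; Name/CName cells are blank
# because the report does not show them.
DNS_QUERY_ROWS = """\
Apr 2, 2025 02:51:27.302573919 CEST | 192.168.2.16 | 1.1.1.1 | 0x3db | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 2, 2025 02:51:36.452719927 CEST | 192.168.2.16 | 1.1.1.1 | 0xc224 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
"""
DNS_ANSWER_ROWS = """\
Apr 2, 2025 02:51:27.405354023 CEST | 1.1.1.1 | 192.168.2.16 | 0x3db | No error (0) | | | 104.71.182.190 | A (IP address) | IN (0x0001) | false |
Apr 2, 2025 02:51:36.551925898 CEST | 1.1.1.1 | 192.168.2.16 | 0xc224 | No error (0) | | | 104.71.182.190 | A (IP address) | IN (0x0001) | false |
"""

_TS = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d+) \w+$")


def parse_ts(text):
    """'Apr 2, 2025 02:51:27.302573919 CEST' -> datetime; the nanosecond fraction
    is cut to microseconds, which is all datetime carries. Zone suffix is ignored
    because every row in one report shares it."""
    m = _TS.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    return datetime.strptime(f"{m.group(1)}.{m.group(2)[:6]}", "%b %d, %Y %H:%M:%S.%f")


def split_rows(text):
    """Split a '|'-delimited table dump into cell lists; the empty cell produced
    by the trailing '|' is dropped, interior empty cells are kept."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if cells and cells[-1] == "":
            cells.pop()
        if cells:
            rows.append(cells)
    return rows


def tcp_conversations(text):
    """Group packets by conversation. The server is taken to be the side with the
    lower port (443 here vs. ephemeral 497xx), so both directions land in one
    bucket keyed (client_ip, client_port, server_ip, server_port)."""
    convs = {}
    for _ts, sport, dport, sip, dip in split_rows(text):
        sport, dport = int(sport), int(dport)
        if sport > dport:
            key, direction = (sip, sport, dip, dport), "out"
        else:
            key, direction = (dip, dport, sip, sport), "in"
        convs.setdefault(key, Counter())[direction] += 1
    return convs


def correlate_dns(query_text, answer_text):
    """Join answers to queries on transaction ID and compute resolver round trip.
    An answer with no matching query is reported rather than dropped: in a real
    capture that is either spoofing or a query outside the capture window."""
    queries = {row[3]: row for row in split_rows(query_text)}
    result = {}
    for row in split_rows(answer_text):
        ts, _sip, _dip, txid, rcode, name, _cname, address, _rtype, _rclass, _doh = row
        q = queries.get(txid)
        if q is None:
            result[txid] = {"unmatched": True, "address": address}
            continue
        rtt_ms = (parse_ts(ts) - parse_ts(q[0])).total_seconds() * 1000
        result[txid] = {"unmatched": False, "name": name or q[5], "address": address,
                        "rcode": rcode, "rtt_ms": round(rtt_ms, 3)}
    return result


def unresolved_peers(convs, dns):
    """Server IPs contacted over TCP that no DNS answer in the capture returned;
    a non-empty list hints at hard-coded infrastructure."""
    resolved = {rec["address"] for rec in dns.values()}
    return sorted({srv_ip for (_c_ip, _c_port, srv_ip, _s_port) in convs} - resolved)


if __name__ == "__main__":
    convs = tcp_conversations(TCP_ROWS)
    dns = correlate_dns(DNS_QUERY_ROWS, DNS_ANSWER_ROWS)
    for key, counts in sorted(convs.items()):
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  out={counts['out']} in={counts['in']}")
    for txid, rec in dns.items():
        print(txid, rec)
    print("unresolved peers:", unresolved_peers(convs, dns))
```

The empty result from `unresolved_peers` for this capture is the useful negative: every TCP peer in the table was first returned by a DNS answer, so the destination is name-based rather than a hard-coded address. Because the report omits the queried name, the correlated record can only carry the transaction ID and the returned address; anything further has to come from the PCAP.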
Target ID: | 0 |
Start time: | 20:50:48 |
Start date: | 01/04/2025 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7174e0000 |
File size: | 71'680 bytes |
MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 11 |
Start time: | 20:51:10 |
Start date: | 01/04/2025 |
Path: | C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff67cd10000 |
File size: | 8'707'584 bytes |
MD5 hash: | FEF6B28CE1384A402B6F2EB2162C07AC |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 12 |
Start time: | 20:51:10 |
Start date: | 01/04/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6aa7d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 13 |
Start time: | 20:51:10 |
Start date: | 01/04/2025 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7d1030000 |
File size: | 289'792 bytes |
MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 16 |
Start time: | 20:51:36 |
Start date: | 01/04/2025 |
Path: | C:\Windows\System32\WerFault.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff674fb0000 |
File size: | 570'736 bytes |
MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 19 |
Start time: | 20:52:20 |
Start date: | 01/04/2025 |
Path: | C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff67cd10000 |
File size: | 8'707'584 bytes |
MD5 hash: | FEF6B28CE1384A402B6F2EB2162C07AC |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 20 |
Start time: | 20:52:20 |
Start date: | 01/04/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6aa7d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 21 |
Start time: | 20:52:20 |
Start date: | 01/04/2025 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7d1030000 |
File size: | 289'792 bytes |
MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
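The per-process blocks above are flat "key: | value |" lines, one block per Target ID, and the facts worth extracting (the low-reputation sample and its hash, the same binary started twice seventy seconds apart, the instance that had not exited when the run ended) are spread across them. The following script is an added example, not part of the sandbox report: it parses blocks in that layout into typed records, builds a hash list for hunting from the low-reputation entries, reports binaries launched more than once with their start times, and lists targets still running. The embedded input is a constructed subset (three of the records above, each with a subset of its fields); treating "Reputation: low" as the marker for the unknown sample is this example's assumption.

```python
"""Parse sandbox per-process blocks into records and extract hunting facts.
Added example; input is a constructed subset of the report's process records."""
from datetime import datetime

# Constructed subset: Target IDs 11, 16 and 19 from above, fewer fields each.
PROCESS_BLOCKS = r"""
Target ID: | 11 |
Start time: | 20:51:10 |
Start date: | 01/04/2025 |
Path: | C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe |
File size: | 8'707'584 bytes |
MD5 hash: | FEF6B28CE1384A402B6F2EB2162C07AC |
Reputation: | low |
Has exited: | true |
Target ID: | 16 |
Start time: | 20:51:36 |
Start date: | 01/04/2025 |
Path: | C:\Windows\System32\WerFault.exe |
File size: | 570'736 bytes |
MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
Reputation: | high |
Has exited: | true |
Target ID: | 19 |
Start time: | 20:52:20 |
Start date: | 01/04/2025 |
Path: | C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe |
File size: | 8'707'584 bytes |
MD5 hash: | FEF6B28CE1384A402B6F2EB2162C07AC |
Reputation: | low |
Has exited: | false |
"""


def parse_process_blocks(text):
    """Split the flat dump into one dict per block; a 'Target ID' line opens a block.
    Only the first ':' separates key from value, so drive letters in paths survive."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, rest = line.partition(":")
        value = rest.strip().strip("|").strip()
        if key == "Target ID":
            current = {}
            records.append(current)
        if current is None:
            raise ValueError(f"field before first 'Target ID' line: {line!r}")
        current[key] = value
    return records


def normalize(rec):
    """Typed view of one record. The report writes dates as dd/mm/yyyy and sizes
    with apostrophe thousands separators (assumption drawn from the values above)."""
    started = datetime.strptime(f"{rec['Start date']} {rec['Start time']}", "%d/%m/%Y %H:%M:%S")
    return {
        "target": int(rec["Target ID"]),
        "started": started,
        "path": rec["Path"],
        "md5": rec["MD5 hash"].lower(),
        "size": int(rec["File size"].replace("'", "").split()[0]),
        "reputation": rec["Reputation"],
        "exited": rec["Has exited"] == "true",
    }


def hunting_iocs(records):
    """Distinct (md5, path, size) of low-reputation images: the values to search
    for in EDR or SIEM. Low reputation as the sample marker is an assumption."""
    return sorted({(r["md5"], r["path"], r["size"]) for r in records if r["reputation"] == "low"})


def relaunches(records):
    """Hashes executed more than once, with start times in order; a gap after a
    crash reporter start reads as crash-then-restart."""
    by_hash = {}
    for r in sorted(records, key=lambda r: r["started"]):
        by_hash.setdefault(r["md5"], []).append(r["started"])
    return {h: ts for h, ts in by_hash.items() if len(ts) > 1}


def still_running(records):
    """Target IDs that had not exited when the analysis ended."""
    return [r["target"] for r in records if not r["exited"]]


if __name__ == "__main__":
    recs = [normalize(r) for r in parse_process_blocks(PROCESS_BLOCKS)]
    print("hunt for:", hunting_iocs(recs))
    for md5, starts in relaunches(recs).items():
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        print(f"{md5} launched {len(starts)}x, gaps (s): {gaps}")
    print("still running:", still_running(recs))
```

Hashing by MD5 is what the report provides, so that is what the hash list carries; MD5 is fine as a lookup key for a known file but is not collision-resistant, so confirm a hit against the file size and path as well before acting on it.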