
Windows Analysis Report
Black Myth Wukong Sigma Downloader.zip

Overview

General Information

Sample name: Black Myth Wukong Sigma Downloader.zip
Analysis ID: 1654174
MD5: 20f570224521e29be00f00760eb19908
SHA1: cb6a2f265e8b1f1af579fe2c8891af0fed54376a
SHA256: 7d77f7e3bc6e29e690679416e1bfd9eec3d4c38d5f62fd57cbfbd5ea2eed8f4a
Infos:

Detection

Score: 52
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Abnormal high CPU Usage
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)

Classification

[Classification chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious]
  • System is w10x64_ra
  • rundll32.exe (PID: 7016 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • Sigma.exe (PID: 3024 cmdline: "C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe" MD5: FEF6B28CE1384A402B6F2EB2162C07AC)
    • conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6212 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • WerFault.exe (PID: 6232 cmdline: C:\Windows\system32\WerFault.exe -u -p 3024 -s 1048 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • Sigma.exe (PID: 6288 cmdline: "C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe" MD5: FEF6B28CE1384A402B6F2EB2162C07AC)
    • conhost.exe (PID: 1764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3768 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Black Myth Wukong Sigma Downloader.zip | Virustotal: Detection: 52%
Source: Black Myth Wukong Sigma Downloader.zip | ReversingLabs: Detection: 55%
Source: Sigma.exe, 0000000B.00000000.1294132273.00007FF67CEED000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: unknown | HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.71.182.190:443 -> 192.168.2.16:49740 version: TLS 1.2
Source: Joe Sandbox View | IP Address: 104.71.182.190
Source: Joe Sandbox View | JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.steampowered.com
Source: Sigma.exe | String found in binary or memory: http://protobuf.dev/programming-guides/enum/#cpp
Source: Sigma.exe | String found in binary or memory: https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/
Source: Sigma.exe | String found in binary or memory: https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/responseserver
Source: Sigma.exe, 0000000B.00000002.1576586326.000002734BA3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/s
Source: Sigma.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Sigma.exe | String found in binary or memory: https://curl.se/docs/hsts.html
Source: Sigma.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Process Stats: CPU usage > 24%
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3024 -s 1048
Source: classification engine | Classification label: mal52.evad.winZIP@10/6@2/2
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | File created: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\BlackMythWukong
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1764:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3024
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\cfc5d255-23be-4b96-817c-5303beacef74
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: Sigma.exe | String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExW\/AddDllDirectory%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %u
Source: unknown | Process created: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe "C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe"
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3024 -s 1048
Source: unknown | Process created: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe "C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe"
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: kernel.appcore.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Black Myth Wukong Sigma Downloader.zip | Static file information: File size 5993588 > 1048576
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 occurrences)
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX (42 occurrences)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | File opened: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\BlackMythWukong\b1\Content\Paks\pakchunk14-Windows.pak count: 36118
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | File opened: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\BlackMythWukong\b1\Content\Paks\pakchunk14-Windows.pak count: 36116
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Window / User API: threadDelayed 2154
Source: C:\Windows\System32\conhost.exe | Window / User API: threadDelayed 362
Source: C:\Windows\System32\conhost.exe | Window / User API: threadDelayed 448
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
MITRE ATT&CK Matrix (per tactic; the number of matched signatures is given in parentheses, cells without a number had no match)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (11); Process Injection (11); Rundll32 (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (1); Virtualization/Sandbox Evasion (11); Application Window Discovery (1); System Information Discovery (1); Internet Connection Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (2); Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
[Behavior graph, ID 1654174; sample "Black Myth Wukong Sigma Dow..."; start date 02/04/2025; architecture WINDOWS; score 52. The sample starts two instances of Sigma.exe and rundll32.exe. The first Sigma.exe starts WerFault.exe, conhost.exe and cmd.exe; the second starts conhost.exe and cmd.exe. Network nodes: api.steampowered.com resolving to 104.71.182.190 (port 443, local ports 49705 and 49730; AKAMAI-ASUS, United States) and 127.0.0.1 (unknown). Signatures shown on the graph: "Multi AV Scanner detection for submitted file" (on the sample) and "Opens the same file many times (likely Sandbox evasion)" (on the first Sigma.exe). Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.]

Source | Detection | Scanner | Label
Black Myth Wukong Sigma Downloader.zip | 52% | Virustotal | -
Black Myth Wukong Sigma Downloader.zip | 55% | ReversingLabs | Win64.Trojan.Suschil
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://protobuf.dev/programming-guides/enum/#cpp | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.steampowered.com | 104.71.182.190 | true | false | - | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | Sigma.exe | false | - | high
http://protobuf.dev/programming-guides/enum/#cpp | Sigma.exe | false | Avira URL Cloud: safe | unknown
https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/s | Sigma.exe, 0000000B.00000002.1576586326.000002734BA3C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://curl.se/docs/alt-svc.html | Sigma.exe | false | - | high
https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/ | Sigma.exe | false | - | high
https://curl.se/docs/http-cookies.html | Sigma.exe | false | - | high
https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/responseserver | Sigma.exe | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.71.182.190 | api.steampowered.com | United States | 16625 | AKAMAI-ASUS | false

IP: 127.0.0.1
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1654174
Start date and time: 2025-04-02 02:50:17 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Black Myth Wukong Sigma Downloader.zip
Detection: MAL
Classification: mal52.evad.winZIP@10/6@2/2
Cookbook Comments:
• Found application associated with file extension: .zip
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, SIHClient.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.89.179.12, 52.149.20.212, 23.205.30.245, 40.126.24.83, 23.57.90.149
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
Time | Type | Description
20:51:38 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match: IP 104.71.182.190 (Associated Sample Name / URL | Detection | Threat Name)
• i1myxYUbbP.exe | malicious | Vidar
• https://u.to/JmY0Ig | malicious | Unknown
• random(11).exe | malicious | LummaC Stealer
• ayin.v0.1.0.exe | malicious | LummaC
• ayin.v0.1.0.exe | malicious | LummaC
• lunara.exe | malicious | Unknown
• https://www.steamvr.com/de/ | malicious | Unknown
• file.exe | malicious | Vidar
• BuThoFHNNK.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader
• file.exe | malicious | Vidar

Match: domain api.steampowered.com (Associated Sample Name / URL | Detection | Threat Name | Context IP)
• https://u.to/JmY0Ig | malicious | Unknown | 23.204.10.89
• https://sceanmcommnunmnlty.com/siute/apxpw/zpq | malicious | Unknown | 104.73.234.102
• http://steameconmnnuity.com/f848937bf21d19cda314441b9eca9f3c/bGlua3Nob3J0LnJ1bg==/aHR0cDovL3N0ZWFtZWNvbm1ubnVpdHkuY29tLzg5ODkwODA5Lw== | malicious | Unknown | 104.73.234.102
• https://sreqmcoommnunlty.com/pikus/kils/nuks | malicious | Unknown | 23.197.127.21
• https://sreqmcoommnunlty.com/bysre/tytik/pols | malicious | Unknown | 104.73.234.102
• https://staemcommunuttly.com/gift/activation=Dor5Fhnm1w | malicious | Unknown | 23.197.127.21
• https://steamcommunurty.com/id/7656135508021645 | malicious | Unknown | 104.73.234.102
• https://stearncommmunity.com/profiles/52829086342741 | malicious | Unknown | 104.73.234.102
• http://gift50steam.com/50 | malicious | Unknown | 23.197.127.21
• https://u.to/8eAUIg | malicious | HTMLPhisher | 104.73.234.102

Match: ASN AKAMAI-ASUS (Associated Sample Name / URL | Detection | Threat Name | Context IP)
• i1myxYUbbP.exe | malicious | Vidar | 104.71.182.190
• BIGIPEdgeClient 2024.exe | malicious | Unknown | 23.46.226.182
• BIGIPEdgeClient.exe | malicious | Unknown | 23.197.253.43
• BIGIPEdgeClient 2024.exe | malicious | Unknown | 23.39.37.29
• https://sprayfoamsys.com/service-center/ | malicious | Unknown | 23.196.3.202
• https://microwaveeng-dot-m365view-318723.uc.r.appspot.com/ | malicious | HTMLPhisher | 23.56.162.51
• i486.elf | malicious | Unknown | 104.106.110.98
• x86_64.elf | malicious | Unknown | 23.14.155.4
• https://sprayfoamsys.com | malicious | Unknown | 23.196.3.177
• VUE-KMH-462E Missed Amex Entry-Mar-25 1.xlsm | malicious | Unknown | 23.196.9.175

Match: JA3 fingerprint bd0bf25947d4a37404f0424edf4db9ad (Associated Sample Name / URL | Detection | Threat Name | Context IP)
• taskthow.exe | malicious | Unknown | 104.71.182.190
• core.vapvap | malicious | Unknown | 104.71.182.190
• d#U043e.xlsm | malicious | Unknown | 104.71.182.190
• Windows Service.exe | malicious | Unknown | 104.71.182.190
• xpmg.exe | malicious | Unknown | 104.71.182.190
• Talksy (1).exe | malicious | Meduza Stealer, RHADAMANTHYS | 104.71.182.190
• aisolution_a.exe | malicious | RHADAMANTHYS | 104.71.182.190
• Talksy.exe | malicious | Unknown | 104.71.182.190
• Talksy.exe | malicious | Unknown | 104.71.182.190
• CPANEL(1)..ps1 | malicious | Unknown | 104.71.182.190

No context

                                    Process: C:\Windows\System32\WerFault.exe
                                    File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category: dropped
                                    Size (bytes): 65536
                                    Entropy (8bit): 0.7853289720975717
                                    Encrypted: false
                                    SSDEEP: 96:w6DFaiIsUhWe7TvVQXIDcQODc6OgmcE1cw3hxPx2+HbHg/K1JeeonsFvHBW7ra/k:hAiI808D6x/Fj7zuiFpZ24lO8z9
                                    MD5: D9902DFCC791F26DAD76DF35C973AD6F
                                    SHA1: 6518F749F616D755A4105C69275265EA54F1A76D
                                    SHA-256: 407CF4AA45B567186694C7CB58E78DF25BA24FD532492EFF4063F79BC35B0D03
                                    SHA-512: 9B410D5A81A9C28D3DD022E1A27553238E08D9CC9F65FFCDCCE2C609216A0DAC921E5CC6432A3315A3C66AA22E6854F66551CB4BB3479E3D873DAD2CACC465E9
                                    Malicious: false
                                    Reputation: low
                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.8.0.2.8.6.9.6.3.7.9.3.7.4.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.8.0.2.8.6.9.6.8.0.8.3.6.7.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.5.f.5.5.c.a.2.-.9.2.7.8.-.4.6.4.0.-.b.0.a.f.-.0.3.e.c.c.5.5.c.6.8.d.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.c.0.c.e.b.d.-.1.a.1.7.-.4.8.e.5.-.a.c.9.9.-.e.1.b.a.a.0.b.4.2.6.c.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.S.i.g.m.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.d.0.-.0.0.0.1.-.0.0.1.9.-.a.0.a.f.-.4.1.5.3.6.9.a.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.f.d.6.1.c.3.d.8.3.0.e.f.a.b.2.7.7.c.a.e.0.1.3.5.8.3.8.0.8.8.f.0.0.0.0.f.f.f.f.!.0.0.0.0.2.8.9.d.5.7.e.0.2.9.2.c.c.9.4.5.c.1.5.9.8.4.c.6.4.5.d.a.9.4.b.3.7.9.2.5.e.0.6.e.!.S.i.g.m.a...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.3././.2.6.:.1.2.:.2.0.:.1.4.!.

                                    Process: C:\Windows\System32\WerFault.exe
                                    File Type: Mini DuMP crash report, 14 streams, Wed Apr 2 00:51:36 2025, 0x1205a4 type
                                    Category: dropped
                                    Size (bytes): 309500
                                    Entropy (8bit): 1.307767036662427
                                    Encrypted: false
                                    SSDEEP: 768:EyY5VLqiG9FoOz2E3yHFX0I24YvZlDzT9WDdNOQn:r/iG9FoOyE3yHFX0I24YvZlDcOQn
                                    MD5: 5F07A30901580AA8A8CBD3A734D6DFB5
                                    SHA1: 3F631C041C89DDBA4729DC13DE0BBC289FD069C8
                                    SHA-256: DAAC69226842FC583B1F6B5005D0E285EA9EF50F66751DDB9DFA09CD108DDB1E
                                    SHA-512: AAC4E6917150769B7035E1D592E24F652B352B557B5AA5DF9B4AC143E53D38B802DABD8A8BA2BD5927F4223FC68707FE1D0AA80713652C75FD4369ADDE0763AB
                                    Malicious: false
                                    Reputation: low
                                    Preview:MDMP..a..... ..........g............$...............,......................T.......8...........T...............\.......................................................................................................eJ......@.......Lw......................T..............g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                    Process: C:\Windows\System32\WerFault.exe
                                    File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category: dropped
                                    Size (bytes): 8746
                                    Entropy (8bit): 3.698497209428264
                                    Encrypted: false
                                    SSDEEP: 192:R6l7wVeJVTS6YnU/4gmfcmY2IrKprt89bYH1fkIm:R6lXJhS6YUQgmfcmY2IhYVfK
                                    MD5: F434BB3914BD1F09B9174C4A57243DCD
                                    SHA1: 5D01859A44252BE1756EB829C7BA6350B1F0F87E
                                    SHA-256: 82FA228652B22A08DB4B039A5169C366D3459ACE06366D00EBCB15B0877CBD02
                                    SHA-512: 3D365DD30CE7B9F32E5891CED95C5A40AAA395414D4AC3ECC9376FD1F4962F0313D43AA0E86C4FBA888D7FD021757F72EDA522CE6EAF316C1A8F3F9F4B7D2C20
                                    Malicious: false
                                    Reputation: low
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.0.2.4.<./.P.i.

                                    Process: C:\Windows\System32\WerFault.exe
                                    File Type: XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category: dropped
                                    Size (bytes): 4602
                                    Entropy (8bit): 4.421188312416305
                                    Encrypted: false
                                    SSDEEP: 48:cvIwWl8zspJg771I9FqWda80aQ6Ym8M4J726FeQoyq85Xv4Y/f2d:uIjf7I7aLdlQJCh5+4Y/f2d
                                    MD5: FE13317E8D220F6169E929A293310BB7
                                    SHA1: D9273A9EBCAB3D0D21FEE6CC521277E83299C164
                                    SHA-256: 465BF27829BC865D251B126348C2D628C743EB9BE0642364EA7787F9CE93DDDA
                                    SHA-512: 60D00BF4C281C3656F676135374A7161016F314B9B43548DB927A3A4FB319128C9E8BF5D8F88C299BB1185D86AE69E466CBCE7F9F0875501F81950B3BF422CE8
                                    Malicious: false
                                    Reputation: low
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="787194" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                    Process: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe
                                    File Type: ASCII text, with very long lines (8866), with CRLF line terminators
                                    Category: dropped
                                    Size (bytes): 10039
                                    Entropy (8bit): 4.359905444201461
                                    Encrypted: false
                                    SSDEEP: 192:YU9iVgKkHUIDMWAwJ+ujvyC1f6lPK9pino7BuzAFFd49nxUla5fgZljMggma:+VaV+
                                    MD5: 42477723E227FECF72DA06CC51161407
                                    SHA1: 97E4A32BC86F463888E6D307DAE4F9750666B289
                                    SHA-256: FF5982FDC40F127606CF5430A1872855A093A9B91775F87387F37DD614F23188
                                    SHA-512: 9BDAA5FA62A32062BE5F21E110A0CEB8DBEB72FA0E61B8C4F2F308C239B5F0D7CFB178D2CC2BEC0C72CFDD40179DD7C3E3E9D5A2A75B78DC1540D7604209F1A6
                                    Malicious: false
                                    Reputation: low
                                    Preview:discord.gg/pubslounge.... .. /$$$$$$$ /$$$$$$$ /$$ ..| $$__ $$ | $$__ $$ | $$ ..| $$ \ $$ /$$$$$$ /$$$$$$$ /$$ /$$ /$$ /$$ /$$$$$$ | $$ \ $$ /$$ /$$| $$$$$$$ ..| $$ | $$ /$$__ $$| $$__ $$| $$ | $$| $$ /$$//$$__ $$ | $$$$$$$/| $$ | $$| $$__ $$ ..| $$ | $$| $$$$$$$$| $$ \ $$| $$ | $$ \ $$/$$/| $$ \ $$ | $$____/ | $$ | $$| $$ \ $$ ..| $$ | $$| $$_____/| $$ | $$| $$ | $$ \ $$$/ | $$ | $$ | $$ | $$ | $$| $$ | $$ ..| $$$$$$$/| $$$$$$$| $$ | $$| $$$$$$/ \ $/ | $$$$$$/ | $$ | $$$$$$/| $$$$$$$/ ..|_______/ \_______/|__/ |__/ \______/ \_/ \______/ |__/ \______/ |_______/ ....Game: Black Myth Wukong ..Path: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\BlackMythWukong..------------------------------------------------------------..[>

                                    File type: Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Entropy (8bit): 7.996770301859017
                                    TrID:
                                    • ZIP compressed archive (8000/1) 100.00%
                                    File name: Black Myth Wukong Sigma Downloader.zip
                                    File size: 5'993'588 bytes
                                    MD5: 20f570224521e29be00f00760eb19908
                                    SHA1: cb6a2f265e8b1f1af579fe2c8891af0fed54376a
                                    SHA256: 7d77f7e3bc6e29e690679416e1bfd9eec3d4c38d5f62fd57cbfbd5ea2eed8f4a
                                    SHA512: 554864980a6009914b16435a07f3892d8277b235915220f10db12a9fa17f479788bb71ab99ef204e3e01f8ae610923a18a55bf4c9cbf7e9ba6d376d13c026d33
                                    SSDEEP: 98304:y92MnCktXhi/mziR92lYuXT9yyESogtzt50QWLGtvd9Rtahx8enkGIYRc2G5xOl6:y92CFXhRQ9kPElgV4QWId9DaL8eXa2GF
                                    TLSH: 895633AB4B5956BD26ABF32C282E82F6CF09D10C3C564C60109EF5F533DA8C5D6CAD16
                                    File Content Preview:PK.........rzZI)...q[.........Sigma.exe...x.U..\..N..TG@.$.H..A..5........... .FPF.t..E.N$..V.=..g.u.>u6.Q6.N...H"....Wl..3! ..9.V..D.7.....}..n.{......{.{....q...c1....?.w..|........J...n1.o..2..R{..Ew........s."...;.K.....cwO.l...yw.....C.q..W.....L..9.
                                    Icon Hash: 1c1c1e4e4ececedc

                                    • Total Packets: 84
                                    • 443 (HTTPS)
                                    • 53 (DNS)
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Apr 2, 2025 02:51:27.424815893 CEST | 49705 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:27.424904108 CEST | 443 | 49705 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:27.425012112 CEST | 49705 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:27.439996004 CEST | 49705 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:27.440032959 CEST | 443 | 49705 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:27.632494926 CEST | 443 | 49705 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:27.632605076 CEST | 49705 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:27.643201113 CEST | 49705 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:27.643280029 CEST | 443 | 49705 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:27.643374920 CEST | 49705 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.554148912 CEST | 49731 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.554157019 CEST | 49730 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.554184914 CEST | 443 | 49730 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.554231882 CEST | 443 | 49731 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.554279089 CEST | 49730 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.554299116 CEST | 49732 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.554318905 CEST | 443 | 49732 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.554363012 CEST | 49731 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.554413080 CEST | 49732 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.554855108 CEST | 49731 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.554883003 CEST | 443 | 49731 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.554960966 CEST | 49732 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.554984093 CEST | 443 | 49732 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.555182934 CEST | 49733 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.555191994 CEST | 443 | 49733 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.555269003 CEST | 49734 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.555318117 CEST | 49735 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.555336952 CEST | 49730 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.555336952 CEST | 49733 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.555349112 CEST | 443 | 49730 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.555351019 CEST | 443 | 49734 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.555401087 CEST | 443 | 49735 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.555453062 CEST | 49734 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.555478096 CEST | 49735 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.555774927 CEST | 49733 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.555788040 CEST | 443 | 49733 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.555795908 CEST | 49735 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.555835962 CEST | 443 | 49735 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.555891991 CEST | 49734 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.555927992 CEST | 443 | 49734 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.556355000 CEST | 49736 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.556428909 CEST | 443 | 49736 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.556713104 CEST | 49736 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.556827068 CEST | 49737 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.556864977 CEST | 443 | 49737 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.556930065 CEST | 49737 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.556941032 CEST | 49738 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.556973934 CEST | 443 | 49738 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.557204962 CEST | 49738 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.557444096 CEST | 49736 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.557482958 CEST | 443 | 49736 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.557554007 CEST | 49737 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.557571888 CEST | 443 | 49737 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.557624102 CEST | 49739 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.557646990 CEST | 443 | 49739 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.557842016 CEST | 49739 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.557883978 CEST | 49738 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.557903051 CEST | 443 | 49738 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.558060884 CEST | 49740 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.558069944 CEST | 443 | 49740 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.558084965 CEST | 49739 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.558103085 CEST | 443 | 49739 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.558196068 CEST | 49740 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.558693886 CEST | 49740 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.558705091 CEST | 443 | 49740 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.559382915 CEST | 49741 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.559393883 CEST | 443 | 49741 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.559516907 CEST | 49741 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.559856892 CEST | 49741 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.559870005 CEST | 443 | 49741 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.742086887 CEST | 443 | 49731 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.742234945 CEST | 49731 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.743299961 CEST | 49731 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.743355036 CEST | 443 | 49731 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.743411064 CEST | 49731 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.745239019 CEST | 443 | 49733 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.745342970 CEST | 49733 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.746562004 CEST | 49733 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.746609926 CEST | 443 | 49733 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.746690989 CEST | 49733 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.750247955 CEST | 443 | 49734 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.750413895 CEST | 49734 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.751267910 CEST | 49734 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.751332045 CEST | 443 | 49734 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.751463890 CEST | 443 | 49734 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.751497030 CEST | 49734 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.751524925 CEST | 49734 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.751801014 CEST | 443 | 49739 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.751940966 CEST | 49739 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.752624035 CEST | 443 | 49735 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.752775908 CEST | 49735 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.753077030 CEST | 49739 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.753113985 CEST | 443 | 49739 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.753202915 CEST | 443 | 49739 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.753256083 CEST | 49739 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.753256083 CEST | 49739 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.753643036 CEST | 49735 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.753706932 CEST | 443 | 49735 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.753814936 CEST | 49735 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.755317926 CEST | 443 | 49738 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.755412102 CEST | 49738 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.755965948 CEST | 443 | 49732 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.756043911 CEST | 49732 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.756247044 CEST | 49738 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.756462097 CEST | 443 | 49738 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.756531954 CEST | 49738 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.756819963 CEST | 443 | 49736 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.756899118 CEST | 49736 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.756931067 CEST | 443 | 49741 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.756989956 CEST | 49741 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.757035017 CEST | 443 | 49730 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.757172108 CEST | 49730 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.757328033 CEST | 49732 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.757368088 CEST | 443 | 49732 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.757416010 CEST | 49732 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.757776022 CEST | 49736 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.757819891 CEST | 443 | 49736 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.757945061 CEST | 443 | 49736 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.757972956 CEST | 49741 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.757981062 CEST | 49736 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.758009911 CEST | 49736 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.758023024 CEST | 443 | 49741 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.758066893 CEST | 49741 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.758269072 CEST | 49730 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.758296967 CEST | 443 | 49730 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.758394957 CEST | 443 | 49730 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.758475065 CEST | 49730 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.758475065 CEST | 49730 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.760317087 CEST | 443 | 49737 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.760467052 CEST | 49737 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.760685921 CEST | 443 | 49740 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.760762930 CEST | 49740 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.761240959 CEST | 49737 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.761400938 CEST | 443 | 49737 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.761471033 CEST | 49737 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.761977911 CEST | 49740 | 443 | 192.168.2.16 | 104.71.182.190
                                    Apr 2, 2025 02:51:36.762171030 CEST | 443 | 49740 | 104.71.182.190 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.762273073 CEST | 49740 | 443 | 192.168.2.16 | 104.71.182.190

                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Apr 2, 2025 02:51:27.302573919 CEST | 54075 | 53 | 192.168.2.16 | 1.1.1.1
                                    Apr 2, 2025 02:51:27.405354023 CEST | 53 | 54075 | 1.1.1.1 | 192.168.2.16
                                    Apr 2, 2025 02:51:36.452719927 CEST | 55947 | 53 | 192.168.2.16 | 1.1.1.1
                                    Apr 2, 2025 02:51:36.551925898 CEST | 53 | 55947 | 1.1.1.1 | 192.168.2.16

                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Apr 2, 2025 02:51:27.302573919 CEST | 192.168.2.16 | 1.1.1.1 | 0x3db | Standard query (0) | api.steampowered.com | A (IP address) | IN (0x0001) | false
                                    Apr 2, 2025 02:51:36.452719927 CEST | 192.168.2.16 | 1.1.1.1 | 0xc224 | Standard query (0) | api.steampowered.com | A (IP address) | IN (0x0001) | false

                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Apr 2, 2025 02:51:27.405354023 CEST | 1.1.1.1 | 192.168.2.16 | 0x3db | No error (0) | api.steampowered.com | | 104.71.182.190 | A (IP address) | IN (0x0001) | false
                                    Apr 2, 2025 02:51:36.551925898 CEST | 1.1.1.1 | 192.168.2.16 | 0xc224 | No error (0) | api.steampowered.com | | 104.71.182.190 | A (IP address) | IN (0x0001) | false

                                    Target ID: 0
                                    Start time: 20:50:48
                                    Start date: 01/04/2025
                                    Path: C:\Windows\System32\rundll32.exe
                                    Wow64 process (32bit): false
                                    Commandline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                    Imagebase: 0x7ff7174e0000
                                    File size: 71'680 bytes
                                    MD5 hash: EF3179D498793BF4234F708D3BE28633
                                    Has elevated privileges: false
                                    Has administrator privileges: false
                                    Programmed in: C, C++ or other language
                                    Reputation: high
                                    Has exited: true

                                    Target ID: 11
                                    Start time: 20:51:10
                                    Start date: 01/04/2025
                                    Path: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe
                                    Wow64 process (32bit): false
                                    Commandline: "C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe"
                                    Imagebase: 0x7ff67cd10000
                                    File size: 8'707'584 bytes
                                    MD5 hash: FEF6B28CE1384A402B6F2EB2162C07AC
                                    Has elevated privileges: false
                                    Has administrator privileges: false
                                    Programmed in: C, C++ or other language
                                    Reputation: low
                                    Has exited: true

                                    Target ID: 12
                                    Start time: 20:51:10
                                    Start date: 01/04/2025
                                    Path: C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit): false
                                    Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase: 0x7ff6aa7d0000
                                    File size: 862'208 bytes
                                    MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges: false
                                    Has administrator privileges: false
                                    Programmed in: C, C++ or other language
                                    Reputation: high
                                    Has exited: true

                                    Target ID: 13
                                    Start time: 20:51:10
                                    Start date: 01/04/2025
                                    Path: C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit): false
                                    Commandline: C:\Windows\system32\cmd.exe /c cls
                                    Imagebase: 0x7ff7d1030000
                                    File size: 289'792 bytes
                                    MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges: false
                                    Has administrator privileges: false
                                    Programmed in: C, C++ or other language
                                    Reputation: high
                                    Has exited: true

                                    Target ID: 16
                                    Start time: 20:51:36
                                    Start date: 01/04/2025
                                    Path: C:\Windows\System32\WerFault.exe
                                    Wow64 process (32bit): false
                                    Commandline: C:\Windows\system32\WerFault.exe -u -p 3024 -s 1048
                                    Imagebase: 0x7ff674fb0000
                                    File size: 570'736 bytes
                                    MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
                                    Has elevated privileges: false
                                    Has administrator privileges: false
                                    Programmed in: C, C++ or other language
                                    Reputation: high
                                    Has exited: true

                                    Target ID: 19
                                    Start time: 20:52:20
                                    Start date: 01/04/2025
                                    Path: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe
                                    Wow64 process (32bit): false
                                    Commandline: "C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe"
                                    Imagebase:0x7ff67cd10000
                                    File size:8'707'584 bytes
                                    MD5 hash:FEF6B28CE1384A402B6F2EB2162C07AC
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:false

                                    Target ID:20
                                    Start time:20:52:20
                                    Start date:01/04/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6aa7d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:21
                                    Start time:20:52:20
                                    Start date:01/04/2025
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\cmd.exe /c cls
                                    Imagebase:0x7ff7d1030000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    No disassembly