Edit tour

Windows Analysis Report
Black Myth Wukong Sigma Downloader.zip

Overview

General Information

Sample name:	Black Myth Wukong Sigma Downloader.zip
Analysis ID:	1654174
MD5:	20f570224521e29be00f00760eb19908
SHA1:	cb6a2f265e8b1f1af579fe2c8891af0fed54376a
SHA256:	7d77f7e3bc6e29e690679416e1bfd9eec3d4c38d5f62fd57cbfbd5ea2eed8f4a
Infos:

Detection

Score:	52
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Opens the same file many times (likely Sandbox evasion)

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

System is w11x64_office

rundll32.exe (PID: 696 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: C87FA6FC1D294962EABE44509FE1921C)

Sigma.exe (PID: 6808 cmdline: "C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe" MD5: FEF6B28CE1384A402B6F2EB2162C07AC)

conhost.exe (PID: 6816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

cmd.exe (PID: 7060 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 428CEC6B0034E0F183EB5BAE887BE480)

WerFault.exe (PID: 6012 cmdline: C:\Windows\system32\WerFault.exe -u -p 6808 -s 736 MD5: 5A849C27C4796C1A7C22C572D8EAF95D)

OpenConsole.exe (PID: 6852 cmdline: "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe" -Embedding MD5: 10A3C05A139428FB6D17A11B9A257516)

WindowsTerminal.exe (PID: 6880 cmdline: "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe" -Embedding MD5: F870908D432E534A3F0E93C18D1D9EE7)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Cryptography
• Spreading
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Black Myth Wukong Sigma Downloader.zip	Virustotal: Detection: 52%			Perma Link
Source: Black Myth Wukong Sigma Downloader.zip	ReversingLabs: Detection: 55%

Source: Sigma.exe, 0000000F.00000000.3552740783.00007FF6A0A7D000.00000002.00000001.01000000.00000004.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_c32065fe-6

Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	File opened: C:\Users\user\AppData\Local\Microsoft\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	File opened: C:\Users\user\AppData\Local\Microsoft\WindowsApps	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior

Source: Joe Sandbox View

IP Address: 104.71.182.190 104.71.182.190

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: api.steampowered.com

Source: Sigma.exe	String found in binary or memory: http://protobuf.dev/programming-guides/enum/#cpp
Source: WindowsTerminal.exe, 00000012.00000002.4141048049.0000024E15A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sajatypeworks.comi
Source: settings.json.tmp.18.dr	String found in binary or memory: https://aka.ms/terminal-documentation
Source: WindowsTerminal.exe, 00000012.00000002.4136467841.0000024E13329000.00000004.00000020.00020000.00000000.sdmp, settings.json.tmp.18.dr	String found in binary or memory: https://aka.ms/terminal-profiles-schema
Source: Sigma.exe	String found in binary or memory: https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/
Source: Sigma.exe, 0000000F.00000002.4109501526.000001F0CD413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/SS
Source: Sigma.exe, 0000000F.00000002.4109501526.000001F0CD413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/es
Source: Sigma.exe	String found in binary or memory: https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/responseserver
Source: Sigma.exe, 0000000F.00000002.4102658587.000001F0CD12B000.00000004.00000020.00020000.00000000.sdmp, Sigma.exe, 0000000F.00000002.4109501526.000001F0CD413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/t
Source: Sigma.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Sigma.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: Sigma.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: WindowsTerminal.exe, 00000012.00000002.4141048049.0000024E15A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/microsoft/cascadia-code/blob/main/LICENSE).
Source: WindowsTerminal.exe, 00000012.00000002.4141048049.0000024E15A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFL
Source: WindowsTerminal.exe, 00000012.00000002.4141048049.0000024E15A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFL)

Source: unknown	Network traffic detected: HTTP traffic on port 60873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60871
Source: unknown	Network traffic detected: HTTP traffic on port 60880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60874
Source: unknown	Network traffic detected: HTTP traffic on port 60874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60880
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60844

Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6808 -s 736

Source: classification engine

Classification label: mal52.evad.winZIP@8/11@1/2

Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe

File created: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\BlackMythWukong

Jump to behavior

Source: C:\Windows\System32\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6808

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a984f2a7-91d7-414f-9f3b-2dbdb4bb9c77

Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: Black Myth Wukong Sigma Downloader.zip	Virustotal: Detection: 52%
Source: Black Myth Wukong Sigma Downloader.zip	ReversingLabs: Detection: 55%

Source: Sigma.exe

String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExW\/AddDllDirectory%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %u

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe "C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe"
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe" -Embedding
Source: unknown	Process created: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe" -Embedding
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6808 -s 736
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior

Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: terminalthemehelpers.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: windows.ui.xaml.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: uiamanager.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: directxdatabasehelper.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: windows.ui.xaml.controls.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: appextension.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: rometadata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: threadpoolwinrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: pfclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: windows.graphics.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Section loaded: ninput.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Black Myth Wukong Sigma Downloader.zip

Static file information: File size 5993588 > 1048576

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Opens the same file many times (likely Sandbox evasion)

Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe

File opened: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\BlackMythWukong\b1\Content\Paks\pakchunk14-Windows.pak count: 36138

Jump to behavior

Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe

Window / User API: threadDelayed 2961

Jump to behavior

Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe TID: 7056	Thread sleep count: 87 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe TID: 7088	Thread sleep count: 2961 > 30	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe TID: 7024	Thread sleep count: 247 > 30	Jump to behavior

Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Last function: Thread delayed

Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	File opened: C:\Users\user\AppData\Local\Microsoft\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	File opened: C:\Users\user\AppData\Local\Microsoft\WindowsApps	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior

Source: WindowsTerminal.exe, 00000012.00000002.4147120901.0000024E15FE2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: E#Volume#{887c27cf-b658-19ef-a77e-806e6f6e6963}#00000013CCA00000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c`
Source: Sigma.exe, 0000000F.00000002.4041393181.000001F0CBDB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	11 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Black Myth Wukong Sigma Downloader.zip	52%	Virustotal		Browse
Black Myth Wukong Sigma Downloader.zip	55%	ReversingLabs	Win64.Trojan.Suschil

Source	Detection	Scanner	Label	Link
http://protobuf.dev/programming-guides/enum/#cpp	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.steampowered.com	104.71.182.190	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	Sigma.exe	false		high
http://protobuf.dev/programming-guides/enum/#cpp	Sigma.exe	false	Avira URL Cloud: safe	unknown
https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/t	Sigma.exe, 0000000F.00000002.4102658587.000001F0CD12B000.00000004.00000020.00020000.00000000.sdmp, Sigma.exe, 0000000F.00000002.4109501526.000001F0CD413000.00000004.00000020.00020000.00000000.sdmp	false		high
https://curl.se/docs/http-cookies.html	Sigma.exe	false		high
https://scripts.sil.org/OFL	WindowsTerminal.exe, 00000012.00000002.4141048049.0000024E15A22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/SS	Sigma.exe, 0000000F.00000002.4109501526.000001F0CD413000.00000004.00000020.00020000.00000000.sdmp	false		high
http://sajatypeworks.comi	WindowsTerminal.exe, 00000012.00000002.4141048049.0000024E15A22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://scripts.sil.org/OFL)	WindowsTerminal.exe, 00000012.00000002.4141048049.0000024E15A22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://curl.se/docs/alt-svc.html	Sigma.exe	false		high
https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/	Sigma.exe	false		high
https://github.com/microsoft/cascadia-code/blob/main/LICENSE).	WindowsTerminal.exe, 00000012.00000002.4141048049.0000024E15A22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/es	Sigma.exe, 0000000F.00000002.4109501526.000001F0CD413000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/terminal-documentation	settings.json.tmp.18.dr	false		high
https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/responseserver	Sigma.exe	false		high
https://aka.ms/terminal-profiles-schema	WindowsTerminal.exe, 00000012.00000002.4136467841.0000024E13329000.00000004.00000020.00020000.00000000.sdmp, settings.json.tmp.18.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.71.182.190	api.steampowered.com	United States		16625	AKAMAI-ASUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1654174
Start date and time:	2025-04-02 02:56:47 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Black Myth Wukong Sigma Downloader.zip
Detection:	MAL
Classification:	mal52.evad.winZIP@8/11@1/2
Cookbook Comments:	Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, RuntimeBroker.exe, SystemSettingsBroker.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.64.149.23, 104.18.38.233, 20.189.173.21, 4.245.163.56, 20.190.163.20
Excluded domains from analysis (whitelisted): crt.comodoca.com.cdn.cloudflare.net, watson.events.data.microsoft.com, slscr.update.microsoft.com, login.live.com, blobcollectorcommon.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com, crt.comodoca.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:58:58	API Interceptor	1x Sleep call for process: WindowsTerminal.exe modified
20:59:44	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.71.182.190	i1myxYUbbP.exe	Get hash	malicious	Vidar	Browse
	https://u.to/JmY0Ig	Get hash	malicious	Unknown	Browse
	random(11).exe	Get hash	malicious	LummaC Stealer	Browse
	ayin.v0.1.0.exe	Get hash	malicious	LummaC	Browse
	ayin.v0.1.0.exe	Get hash	malicious	LummaC	Browse
	lunara.exe	Get hash	malicious	Unknown	Browse
	https://www.steamvr.com/de/	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	BuThoFHNNK.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.steampowered.com	https://u.to/JmY0Ig	Get hash	malicious	Unknown	Browse	23.204.10.89
	https://sceanmcommnunmnlty.com/siute/apxpw/zpq	Get hash	malicious	Unknown	Browse	104.73.234.102
	http://steameconmnnuity.com/f848937bf21d19cda314441b9eca9f3c/bGlua3Nob3J0LnJ1bg==/aHR0cDovL3N0ZWFtZWNvbm1ubnVpdHkuY29tLzg5ODkwODA5Lw==	Get hash	malicious	Unknown	Browse	104.73.234.102
	https://sreqmcoommnunlty.com/pikus/kils/nuks	Get hash	malicious	Unknown	Browse	23.197.127.21
	https://sreqmcoommnunlty.com/bysre/tytik/pols	Get hash	malicious	Unknown	Browse	104.73.234.102
	https://staemcommunuttly.com/gift/activation=Dor5Fhnm1w	Get hash	malicious	Unknown	Browse	23.197.127.21
	https://steamcommunurty.com/id/7656135508021645	Get hash	malicious	Unknown	Browse	104.73.234.102
	https://stearncommmunity.com/profiles/52829086342741	Get hash	malicious	Unknown	Browse	104.73.234.102
	http://gift50steam.com/50	Get hash	malicious	Unknown	Browse	23.197.127.21

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	i1myxYUbbP.exe	Get hash	malicious	Vidar	Browse	104.71.182.190
	BIGIPEdgeClient 2024.exe	Get hash	malicious	Unknown	Browse	23.46.226.182
	BIGIPEdgeClient.exe	Get hash	malicious	Unknown	Browse	23.197.253.43
	BIGIPEdgeClient 2024.exe	Get hash	malicious	Unknown	Browse	23.39.37.29
	https://sprayfoamsys.com/service-center/	Get hash	malicious	Unknown	Browse	23.196.3.202
	https://microwaveeng-dot-m365view-318723.uc.r.appspot.com/	Get hash	malicious	HTMLPhisher	Browse	23.56.162.51
	i486.elf	Get hash	malicious	Unknown	Browse	104.106.110.98
	x86_64.elf	Get hash	malicious	Unknown	Browse	23.14.155.4
	https://sprayfoamsys.com	Get hash	malicious	Unknown	Browse	23.196.3.177

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Sigma.exe_144c8af7cd7c54c2c2253da73a2bfa3ff06fe5ad_500bce02_ab163b9e-1719-461b-bdb8-ecc582adef5a\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (2251), with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1373530365658393
Encrypted:	false
SSDEEP:	192:So65it508D6xfKTVjfuu7F614lrJuoCm+pgxHL9:Z6sta8D6xfKTVjfuu7F614lrJVGyL
MD5:	2548F4DFF38ED2693FD55E85F819182C
SHA1:	66E5F9D79A0C9F6B2E86D77FEDE0B7652FC73AC0
SHA-256:	CD034802374D923ADCDBDBE3990B4518B5EF4151D972909EE0F4FD31DC219374
SHA-512:	E0881D359A1E8D9C862CB4D54B630C7D31F36FFB29EEB09F7A8B833268DC4460A8FEA7D207676EB336B6B34188FA803DA0DAFA37969959602D4DA76BBABB9EA9
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.8.0.2.9.1.7.9.5.7.1.8.3.5.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.8.0.2.9.1.8.0.8.9.3.8.3.6.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.b.1.6.3.b.9.e.-.1.7.1.9.-.4.6.1.b.-.b.d.b.8.-.e.c.c.5.8.2.a.d.e.f.5.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.6.0.d.a.0.9.5.-.9.7.c.d.-.4.f.0.a.-.b.2.3.8.-.b.e.5.b.7.f.4.4.5.2.1.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.S.i.g.m.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.9.8.-.0.0.0.1.-.0.0.1.3.-.9.f.3.f.-.2.a.6.9.6.a.a.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.f.d.6.1.c.3.d.8.3.0.e.f.a.b.2.7.7.c.a.e.0.1.3.5.8.3.8.0.8.8.f.0.0.0.0.f.f.f.f.!.0.0.0.0.2.8.9.d.5.7.e.0.2.9.2.c.c.9.4.5.c.1.5.9.8.4.c.6.4.5.d.a.9.4.b.3.7.9.2.5.e.0.6.e.!.S.i.g.m.a...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.3././.2.6.:.1.2.:.2.0.:.1.4.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.5df3aabb-efee-488a-9ead-61fedcfc283b.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Apr 2 00:59:40 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	306748
Entropy (8bit):	1.3661022678684078
Encrypted:	false
SSDEEP:	384:v+8GAowALVAJqM73EyPsq+nIPZApYzv1/z+Fr8B1BzCriZK1uJZsy:v+qALVAJqM70y0q+nIPZApKdhK16f
MD5:	9C2FAE1689C004715390EAA3EDB5980D
SHA1:	9C9E8B58F9877C2DBCF39C9E7EA235458BD95D99
SHA-256:	CFEE7315CCFCDC9D0CFA2F99C35F4A3483CE833AC241FC44A8351A7F99026821
SHA-512:	8815B26F9E3283CC20B8F9B599E3BABCC81D53C85D10DEE53EB7D3276E961A7245FE8898DD58A9521E79A6F47AA9D73167DBBFD83960E533DBA4C621E210D2F8
Malicious:	false
Reputation:	low
Preview:	MDMP..]..... ..........g........................................j...........T.......8...........T...........($..........................................................................................................gX......T.......Lw...............*.G....T.............g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................2.2.6.2.1...1...a.m.d.6.4.f.r.e...n.i._.r.e.l.e.a.s.e...2.2.0.5.0.6.-.1.2.5.0...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.b6b065d3-2dc7-46c0-a6b3-eece292cf848.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (380), with CRLF line terminators
Category:	dropped
Size (bytes):	11028
Entropy (8bit):	3.747666367532872
Encrypted:	false
SSDEEP:	192:RHl7CwNzawaMKxaMy9IMLu9X9iaMy9IMLu9X9ca4uGo9R6Y0HVcFgmfctYppr/8c:RHlnNzawaMKxaMYIMINiaMYIMINca4Pw
MD5:	86C7AC2E52FA1B3B311A2971D0A6F712
SHA1:	99643620533340A9F77213CF13C156720D570F49
SHA-256:	ED40F77A2FE143D5516038AAFE8963848A4AC09CC2C5C9790D1DE3176A6EDE13
SHA-512:	9C6F58B30EC8E0B81C0FD418E9C6E3E75B1227B62421F74F2BAEDBF866878281DA25E1EB9EBC1DE4514E4D6DA39FD951338CF37945D796449AC4ACE5FF200D68
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.2.2.6.3.1.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.2.2.6.2.1...4.1.6.9...a.m.d.6.4.f.r.e...n.i._.r.e.l.e.a.s.e...2.2.0.5.0.6.-.1.2.5.0.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.4.1.6.9.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.........<.B.u.i.l.d.L.a.y.e.r.s.>...........<.B.u.i.l.d.L.a.y.e.r. .L.a.y.e.r.N.a.m.e.=.".2.2.6.2.1...1...a.m.d.6.4.f.r.e...n.i._.r.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.f0b59343-d24c-471d-b3da-707df8576e4d.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (2272), with CRLF line terminators
Category:	dropped
Size (bytes):	7283
Entropy (8bit):	4.815769238047287
Encrypted:	false
SSDEEP:	192:uItqy64+VM1HyL3/g9eT8OpByO7MsT5VDk9cadsfGznV6yCccmfL:QX2tVUccmfL
MD5:	8AE12A55D554766B6D681812C9ED7C94
SHA1:	FCCD70A2D7066EC796620571179CE71B580FA0D4
SHA-256:	4FCE86E3A5F428A4D8C7C30E1544E86A9F6CF4B7D587B6FEF0DBAED34AFA8FBD
SHA-512:	D43195D8A9A7FA50F12F0CC464622D7B06D25B1B520FBBB22EB4DC6858E9B7F490B821830A7E16F73215FB88291AE45E8F748C99AB75202C496A5531CF6BBAAE
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="22631" />.. <arg nm="vercsdbld" val="4169" />.. <arg nm="verqfe" val="4169" />.. <arg nm="csdbld" val="4169" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="163129" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.1.22621.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096"

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json (copy)

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1923
Entropy (8bit):	4.050816653534426
Encrypted:	false
SSDEEP:	24:NqxpqbJi3i/2/upfvVObUpkf/O/upiXqPKviTCEh3WwUwd1pQ/SAiw/BwVih2E:aFS/2anYbUp7aoBlI3UADQLiMapE
MD5:	7D17062107BB3B08436E2C8674EA4436
SHA1:	E9F69AB04DBBBF2C12B23DD9088109010475E52A
SHA-256:	894FB5EF8822AE2BA2ABB89C2EA7332535B2B2CB6F1B7B63439D1D565108F1AC
SHA-512:	579746CCA2D576D7746F2B627890CFE259F9A93499A52D5D61E51967C32A0818D112E4AB1646E7A48B11186772E6583A4EB885AEBB244142D0116382FF574624
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{. "$help": "https://aka.ms/terminal-documentation",. "$schema": "https://aka.ms/terminal-profiles-schema",. "actions": . [. {. "command": . {. "action": "copy",. "singleLine": false. },. "id": "User.copy.644BA8F2",. "keys": "ctrl+c". },. {. "command": "paste",. "id": "User.paste",. "keys": "ctrl+v". },. {. "command": "find",. "id": "User.find",. "keys": "ctrl+shift+f". },. {. "command": . {. "action": "splitPane",. "split": "auto",. "splitMode": "duplicate". },. "id": "User.splitPane.A6751878",. "keys": "alt+shift+d". }. ],. "copyFormatting": "none",. "copyOnSelect": false,. "defaultProfile": "{61c54bbd-c2c6-5271-96e7-009a87ff44bf}",. "newTabMenu": . [.

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json.tmp

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1923
Entropy (8bit):	4.050816653534426
Encrypted:	false
SSDEEP:	24:NqxpqbJi3i/2/upfvVObUpkf/O/upiXqPKviTCEh3WwUwd1pQ/SAiw/BwVih2E:aFS/2anYbUp7aoBlI3UADQLiMapE
MD5:	7D17062107BB3B08436E2C8674EA4436
SHA1:	E9F69AB04DBBBF2C12B23DD9088109010475E52A
SHA-256:	894FB5EF8822AE2BA2ABB89C2EA7332535B2B2CB6F1B7B63439D1D565108F1AC
SHA-512:	579746CCA2D576D7746F2B627890CFE259F9A93499A52D5D61E51967C32A0818D112E4AB1646E7A48B11186772E6583A4EB885AEBB244142D0116382FF574624
Malicious:	false
Preview:	{. "$help": "https://aka.ms/terminal-documentation",. "$schema": "https://aka.ms/terminal-profiles-schema",. "actions": . [. {. "command": . {. "action": "copy",. "singleLine": false. },. "id": "User.copy.644BA8F2",. "keys": "ctrl+c". },. {. "command": "paste",. "id": "User.paste",. "keys": "ctrl+v". },. {. "command": "find",. "id": "User.find",. "keys": "ctrl+shift+f". },. {. "command": . {. "action": "splitPane",. "split": "auto",. "splitMode": "duplicate". },. "id": "User.splitPane.A6751878",. "keys": "alt+shift+d". }. ],. "copyFormatting": "none",. "copyOnSelect": false,. "defaultProfile": "{61c54bbd-c2c6-5271-96e7-009a87ff44bf}",. "newTabMenu": . [.

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\state.json (copy)

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	163
Entropy (8bit):	5.074817553158053
Encrypted:	false
SSDEEP:	3:NyE2dKQbBssh2XkI0eicCGRyD4huVKBKbBOot1YqdDAEBUMdWMdIqC:NmIQbBNhxIVicJpyBFt+5EBNdBnC
MD5:	A88ADBF16875B7635DBD7A6E6CF20D23
SHA1:	B6DB4EEFAA39A75E09056882248F4C193000437B
SHA-256:	86A8390B4675FE11F5F4AED15195F586DFEB29F36631FE085620C1939A3B7894
SHA-512:	D3D84BFCE2CB695226431D9771D9F23D15B14E3EF5441DF30217B8DD66183A613CB1FEA179643C316C6601EDFECB01E2211D738C30992C13133D07782E3966BD
Malicious:	false
Preview:	{.."generatedProfiles" : ..[..."{b453ae62-4e3d-5e58-b989-0a998ec441b8}"..],.."persistedWindowLayouts" : [],.."settingsHash" : "4c8af8fead18d583-01dba36a6a0e347b".}

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\state.json.tmp

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	163
Entropy (8bit):	5.074817553158053
Encrypted:	false
SSDEEP:	3:NyE2dKQbBssh2XkI0eicCGRyD4huVKBKbBOot1YqdDAEBUMdWMdIqC:NmIQbBNhxIVicJpyBFt+5EBNdBnC
MD5:	A88ADBF16875B7635DBD7A6E6CF20D23
SHA1:	B6DB4EEFAA39A75E09056882248F4C193000437B
SHA-256:	86A8390B4675FE11F5F4AED15195F586DFEB29F36631FE085620C1939A3B7894
SHA-512:	D3D84BFCE2CB695226431D9771D9F23D15B14E3EF5441DF30217B8DD66183A613CB1FEA179643C316C6601EDFECB01E2211D738C30992C13133D07782E3966BD
Malicious:	false
Preview:	{.."generatedProfiles" : ..[..."{b453ae62-4e3d-5e58-b989-0a998ec441b8}"..],.."persistedWindowLayouts" : [],.."settingsHash" : "4c8af8fead18d583-01dba36a6a0e347b".}

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16f2f0042ddbe0e8.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
File Type:	data
Category:	dropped
Size (bytes):	4461
Entropy (8bit):	5.0468960121765205
Encrypted:	false
SSDEEP:	48:0pDlRmeHnRwZDabs+J3osJipD6RtNHnRwZDabsiHqJEmRsohH9JipD6RtNHnRwZc:GLBCaZJOi3Ca+J1gi3Ca+JkZ
MD5:	561FB4E7BF468917F28E68FA3F293D59
SHA1:	82E0A737313C67B696FD7026AFC40EE637AA76DD
SHA-256:	FD36517943E02EB2B6EB9DEE043EDAE9FC9F7116D95413DFBE0A400223D9FFE8
SHA-512:	A4139E42493ADCBF93FD634973B3F6361666392F6A7051757A275E6037B5647830E5E0DAFB0F280CF6B8145E996FACB1A974345EC87D5073A473B260BF51F9D8
Malicious:	false
Preview:	...................................FL..................F.... ...g...8J..g...8J..g...8J............................:..IG..Yr?.D..U..k0.&...&......p...eJ...TO<j....5.jj.......t...CFSF..1......Y....AppData...t.Y^...H.g.3..(.....gVA.G..k...@......Yf..Z].....x........................A.p.p.D.a.t.a...B.P.1......Y....Local.<......Y...Y...............................L.o.c.a.l.....\.1......Y....MICROS~1..D......Y...Y...............................M.i.c.r.o.s.o.f.t.....`.1.. ...Y.z..WINDOW~1..H......Y..qZ+p............................y.W.i.n.d.o.w.s.A.p.p.s.......1......Y.e..MICROS~2.WIN.........Y.e.Y.e.....p........................M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s.T.e.r.m.i.n.a.l._.8.w.e.k.y.b.3.d.8.b.b.w.e.....T.2......Y.e .wt.exe..>......Y.e.Y.e.....p........................w.t...e.x.e.......................-...........................C:\Users\user\AppData\Local\Microsoft\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe\wt.exe..).-.p. .{.6.1.c.5.4.b.b.d.-.c.2.c.6.-.5.2.7.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\549V3HIY8YH2BEWYN0CF.temp

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
File Type:	data
Category:	dropped
Size (bytes):	4461
Entropy (8bit):	5.0468960121765205
Encrypted:	false
SSDEEP:	48:0pDlRmeHnRwZDabs+J3osJipD6RtNHnRwZDabsiHqJEmRsohH9JipD6RtNHnRwZc:GLBCaZJOi3Ca+J1gi3Ca+JkZ
MD5:	561FB4E7BF468917F28E68FA3F293D59
SHA1:	82E0A737313C67B696FD7026AFC40EE637AA76DD
SHA-256:	FD36517943E02EB2B6EB9DEE043EDAE9FC9F7116D95413DFBE0A400223D9FFE8
SHA-512:	A4139E42493ADCBF93FD634973B3F6361666392F6A7051757A275E6037B5647830E5E0DAFB0F280CF6B8145E996FACB1A974345EC87D5073A473B260BF51F9D8
Malicious:	false
Preview:	...................................FL..................F.... ...g...8J..g...8J..g...8J............................:..IG..Yr?.D..U..k0.&...&......p...eJ...TO<j....5.jj.......t...CFSF..1......Y....AppData...t.Y^...H.g.3..(.....gVA.G..k...@......Yf..Z].....x........................A.p.p.D.a.t.a...B.P.1......Y....Local.<......Y...Y...............................L.o.c.a.l.....\.1......Y....MICROS~1..D......Y...Y...............................M.i.c.r.o.s.o.f.t.....`.1.. ...Y.z..WINDOW~1..H......Y..qZ+p............................y.W.i.n.d.o.w.s.A.p.p.s.......1......Y.e..MICROS~2.WIN.........Y.e.Y.e.....p........................M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s.T.e.r.m.i.n.a.l._.8.w.e.k.y.b.3.d.8.b.b.w.e.....T.2......Y.e .wt.exe..>......Y.e.Y.e.....p........................w.t...e.x.e.......................-...........................C:\Users\user\AppData\Local\Microsoft\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe\wt.exe..).-.p. .{.6.1.c.5.4.b.b.d.-.c.2.c.6.-.5.2.7.

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe
File Type:	ASCII text, with very long lines (11304), with CRLF line terminators
Category:	dropped
Size (bytes):	12478
Entropy (8bit):	4.228608924835732
Encrypted:	false
SSDEEP:	192:YU5iCu4B/a8Rwy+uDQ80au6tgqDnkOOYbqQK3BXXaCehmqfA/vMHQnnm21uqajz4:3aJ5
MD5:	3A06251FE258A858D6713DF6067DFA94
SHA1:	5B2490553286E3A63B4281CCC3C2A9AC1C84258D
SHA-256:	99CAE25845C25CE3D152EA12993A1283A9A409019DFC103F6273A4FE74359D37
SHA-512:	56BFDE660E8348478BFA5D8FECFFC74B1398FFD1E7D7B159A273D918EA3B35A9CC2F5DC112E4DC92D1BB5DD596C15E981BA336165377BA6AEFC762BFC404F2A8
Malicious:	false
Preview:	discord.gg/pubslounge.... .. /$$$$$$$ /$$$$$$$ /$$ ..\| $$__ $$ \| $$__ $$ \| $$ ..\| $$ \ $$ /$$$$$$ /$$$$$$$ /$$ /$$ /$$ /$$ /$$$$$$ \| $$ \ $$ /$$ /$$\| $$$$$$$ ..\| $$ \| $$ /$$__ $$\| $$__ $$\| $$ \| $$\| $$ /$$//$$__ $$ \| $$$$$$$/\| $$ \| $$\| $$__ $$ ..\| $$ \| $$\| $$$$$$$$\| $$ \ $$\| $$ \| $$ \ $$/$$/\| $$ \ $$ \| $$____/ \| $$ \| $$\| $$ \ $$ ..\| $$ \| $$\| $$_____/\| $$ \| $$\| $$ \| $$ \ $$$/ \| $$ \| $$ \| $$ \| $$ \| $$\| $$ \| $$ ..\| $$$$$$$/\| $$$$$$$\| $$ \| $$\| $$$$$$/ \ $/ \| $$$$$$/ \| $$ \| $$$$$$/\| $$$$$$$/ ..\|_______/ \_______/\|__/ \|__/ \______/ \_/ \______/ \|__/ \______/ \|_______/ ....Game: Black Myth Wukong ..Path: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\BlackMythWukong..------------------------------------------------------------..[>

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.996770301859017
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	Black Myth Wukong Sigma Downloader.zip
File size:	5'993'588 bytes
MD5:	20f570224521e29be00f00760eb19908
SHA1:	cb6a2f265e8b1f1af579fe2c8891af0fed54376a
SHA256:	7d77f7e3bc6e29e690679416e1bfd9eec3d4c38d5f62fd57cbfbd5ea2eed8f4a
SHA512:	554864980a6009914b16435a07f3892d8277b235915220f10db12a9fa17f479788bb71ab99ef204e3e01f8ae610923a18a55bf4c9cbf7e9ba6d376d13c026d33
SSDEEP:	98304:y92MnCktXhi/mziR92lYuXT9yyESogtzt50QWLGtvd9Rtahx8enkGIYRc2G5xOl6:y92CFXhRQ9kPElgV4QWId9DaL8eXa2GF
TLSH:	895633AB4B5956BD26ABF32C282E82F6CF09D10C3C564C60109EF5F533DA8C5D6CAD16
File Content Preview:	PK.........rzZI)...q[.........Sigma.exe...x.U..\..N..TG@.$.H..A..5........... .FPF.t..E.N$..V.=..g.u.>u6.Q6.N...H"....Wl..3! ..9.V..D.7.....}..n.{......{.{....q...c1....?.w..\|........J...n1.o..2..R{..Ew........s."...;.K.....cwO.l...yw.....C.q..W.....L..9.

File Icon


Icon Hash:	03f1b9752babe989

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 92
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 2, 2025 02:59:26.594815016 CEST	60844	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:26.594857931 CEST	443	60844	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:26.595065117 CEST	60844	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:26.601934910 CEST	60844	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:26.601953983 CEST	443	60844	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:26.793041945 CEST	443	60844	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:26.798414946 CEST	60844	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:26.798444033 CEST	443	60844	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:26.800014019 CEST	443	60844	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:26.800124884 CEST	60844	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:26.814357996 CEST	60844	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:26.814416885 CEST	443	60844	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:26.814524889 CEST	60844	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:38.983381987 CEST	60851	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:38.983469009 CEST	443	60851	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:38.983567953 CEST	60851	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:38.984242916 CEST	60852	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:38.984267950 CEST	443	60852	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:38.984330893 CEST	60852	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:38.987277985 CEST	60851	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:38.987313986 CEST	443	60851	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:38.988971949 CEST	60852	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:38.988996983 CEST	443	60852	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.000649929 CEST	60871	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.000715017 CEST	443	60871	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.000905991 CEST	60871	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.001158953 CEST	60872	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.001255989 CEST	443	60872	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.001338959 CEST	60872	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.001667976 CEST	60873	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.001713991 CEST	443	60873	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.001770973 CEST	60873	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.001943111 CEST	60874	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.002012014 CEST	443	60874	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.002084970 CEST	60874	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.004466057 CEST	60871	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.004498959 CEST	443	60871	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.004605055 CEST	60873	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.004623890 CEST	443	60873	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.004673958 CEST	60872	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.004715919 CEST	60874	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.004717112 CEST	443	60872	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.004754066 CEST	443	60874	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.007493019 CEST	60875	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.007580042 CEST	443	60875	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.007688999 CEST	60875	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.008029938 CEST	60876	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.008055925 CEST	443	60876	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.008127928 CEST	60876	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.008248091 CEST	60877	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.008287907 CEST	443	60877	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.008358955 CEST	60877	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.008613110 CEST	60878	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.008620977 CEST	443	60878	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.008671045 CEST	60878	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.009021044 CEST	60879	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.009061098 CEST	443	60879	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.009118080 CEST	60879	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.010874987 CEST	60877	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.010880947 CEST	60876	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.010896921 CEST	443	60877	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.010922909 CEST	443	60876	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.010987043 CEST	60879	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.011018991 CEST	443	60879	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.012023926 CEST	60878	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.012037992 CEST	443	60878	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.012351990 CEST	60875	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.012382030 CEST	443	60875	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.012788057 CEST	60880	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.012819052 CEST	443	60880	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.012902021 CEST	60880	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.013892889 CEST	60880	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.013919115 CEST	443	60880	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.172477961 CEST	443	60852	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.174427986 CEST	443	60851	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.175148964 CEST	60852	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.175177097 CEST	443	60852	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.175790071 CEST	60851	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.175803900 CEST	443	60851	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.176326036 CEST	443	60852	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.176402092 CEST	60852	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.177263975 CEST	443	60851	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.177334070 CEST	60851	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.179435968 CEST	60852	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.179476976 CEST	443	60852	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.179538012 CEST	60852	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.179662943 CEST	60851	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.179704905 CEST	443	60851	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.179761887 CEST	60851	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.197964907 CEST	443	60871	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.199631929 CEST	60871	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.199692011 CEST	443	60871	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.200582027 CEST	443	60877	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.200980902 CEST	443	60873	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.201828957 CEST	60877	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.201858044 CEST	443	60877	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.202527046 CEST	60873	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.202543020 CEST	443	60873	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.202544928 CEST	443	60872	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.202907085 CEST	443	60877	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.202982903 CEST	60877	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.203674078 CEST	443	60871	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.203754902 CEST	60871	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.203834057 CEST	60872	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.203871965 CEST	443	60872	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.204217911 CEST	443	60873	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.204286098 CEST	60873	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.204982996 CEST	443	60872	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.205061913 CEST	60872	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.206274033 CEST	60877	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.206320047 CEST	443	60877	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.206398010 CEST	60877	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.206705093 CEST	60871	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.206743002 CEST	60872	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.206793070 CEST	443	60872	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.206834078 CEST	443	60871	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.206852913 CEST	60873	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.206859112 CEST	60872	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.206897974 CEST	60871	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.206907034 CEST	443	60873	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.206959963 CEST	60873	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.207365990 CEST	443	60875	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.207613945 CEST	443	60874	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.208583117 CEST	60875	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.208645105 CEST	443	60875	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.209184885 CEST	60874	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.209198952 CEST	443	60874	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.209245920 CEST	443	60876	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.209563017 CEST	443	60879	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.209635019 CEST	443	60878	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.210235119 CEST	443	60875	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.210335016 CEST	60875	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.210390091 CEST	443	60880	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.210782051 CEST	443	60874	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.210850000 CEST	60874	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.212090015 CEST	60876	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.212106943 CEST	443	60876	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.212908030 CEST	60879	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.212930918 CEST	443	60879	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.213017941 CEST	60878	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.213027000 CEST	443	60878	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.213162899 CEST	60880	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.213181973 CEST	443	60880	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.213700056 CEST	443	60876	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.213774920 CEST	60876	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.214503050 CEST	443	60879	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.214585066 CEST	60879	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.214608908 CEST	443	60878	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.214648008 CEST	443	60880	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.214675903 CEST	60878	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.214713097 CEST	60880	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.217849970 CEST	60876	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.217912912 CEST	443	60876	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.218040943 CEST	60878	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.218050003 CEST	60876	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.218051910 CEST	60879	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.218091965 CEST	443	60878	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.218096018 CEST	60875	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.218111038 CEST	443	60879	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.218146086 CEST	443	60875	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.218148947 CEST	60878	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.218178988 CEST	60879	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.218200922 CEST	60875	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.218420982 CEST	60874	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.218506098 CEST	443	60874	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.218534946 CEST	60880	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.218571901 CEST	60874	443	192.168.2.24	104.71.182.190
Apr 2, 2025 02:59:39.218590021 CEST	443	60880	104.71.182.190	192.168.2.24
Apr 2, 2025 02:59:39.218641043 CEST	60880	443	192.168.2.24	104.71.182.190

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 2, 2025 02:59:26.484397888 CEST	55516	53	192.168.2.24	1.1.1.1
Apr 2, 2025 02:59:26.585645914 CEST	53	55516	1.1.1.1	192.168.2.24

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 2, 2025 02:59:26.484397888 CEST	192.168.2.24	1.1.1.1	0x51ad	Standard query (0)	api.steampowered.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 2, 2025 02:59:26.585645914 CEST	1.1.1.1	192.168.2.24	0x51ad	No error (0)	api.steampowered.com		104.71.182.190	A (IP address)	IN (0x0001)	false

Statistics

Click to jump to process

Memory Usage

• rundll32.exe
• Sigma.exe
• conhost.exe
• OpenConsole.exe
• WindowsTerminal.exe
• cmd.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Behavior

• rundll32.exe
• Sigma.exe
• conhost.exe
• OpenConsole.exe
• WindowsTerminal.exe
• cmd.exe
• WerFault.exe

Click to jump to process

Target ID:	1
Start time:	20:57:53
Start date:	01/04/2025
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase:	0x7ff6421e0000
File size:	90'112 bytes
MD5 hash:	C87FA6FC1D294962EABE44509FE1921C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	20:58:56
Start date:	01/04/2025
Path:	C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe"
Imagebase:	0x7ff6a08a0000
File size:	8'707'584 bytes
MD5 hash:	FEF6B28CE1384A402B6F2EB2162C07AC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	20:58:56
Start date:	01/04/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7bdef0000
File size:	1'040'384 bytes
MD5 hash:	9698384842DA735D80D278A427A229AB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	20:58:56
Start date:	01/04/2025
Path:	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe" -Embedding
Imagebase:	0x7ff6948f0000
File size:	1'261'096 bytes
MD5 hash:	10A3C05A139428FB6D17A11B9A257516
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	20:58:57
Start date:	01/04/2025
Path:	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe" -Embedding
Imagebase:	0x7ff708400000
File size:	720'432 bytes
MD5 hash:	F870908D432E534A3F0E93C18D1D9EE7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	20:58:59
Start date:	01/04/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0x7ff647b30000
File size:	323'584 bytes
MD5 hash:	428CEC6B0034E0F183EB5BAE887BE480
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	20:59:39
Start date:	01/04/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6808 -s 736
Imagebase:	0x7ff7b4d40000
File size:	628'208 bytes
MD5 hash:	5A849C27C4796C1A7C22C572D8EAF95D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMono.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMono.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\Windows\Fonts\SegoeIcons.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\Windows\Fonts\SegUIVar.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMono.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\Windows\Fonts\SegoeIcons.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMono.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMono.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMono.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMono.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMono.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMono.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMono.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMono.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMono.ttf VolumeInformation	Jump to behavior

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Black Myth Wukong Sigma Downloader.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Spreading

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Sigma.exe_144c8af7cd7c54c2c2253da73a2bfa3ff06fe5ad_500bce02_ab163b9e-1719-461b-bdb8-ecc582adef5a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.5df3aabb-efee-488a-9ead-61fedcfc283b.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.b6b065d3-2dc7-46c0-a6b3-eece292cf848.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.f0b59343-d24c-471d-b3da-707df8576e4d.tmp.xml

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json (copy)

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json.tmp

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\state.json (copy)

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\state.json.tmp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16f2f0042ddbe0e8.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\549V3HIY8YH2BEWYN0CF.temp

\Device\ConDrv

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
Black Myth Wukong Sigma Downloader.zip