
Windows Analysis Report
Black Myth Wukong Sigma Downloader.zip

Overview

General Information

Sample name: Black Myth Wukong Sigma Downloader.zip
Analysis ID: 1654174
MD5: 20f570224521e29be00f00760eb19908
SHA1: cb6a2f265e8b1f1af579fe2c8891af0fed54376a
SHA256: 7d77f7e3bc6e29e690679416e1bfd9eec3d4c38d5f62fd57cbfbd5ea2eed8f4a

Detection

Score: 52
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)

Classification

[Classification chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious]
  • System is w11x64_office
  • rundll32.exe (PID: 696 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: C87FA6FC1D294962EABE44509FE1921C)
  • Sigma.exe (PID: 6808 cmdline: "C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe" MD5: FEF6B28CE1384A402B6F2EB2162C07AC)
    • conhost.exe (PID: 6816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)
    • cmd.exe (PID: 7060 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 428CEC6B0034E0F183EB5BAE887BE480)
    • WerFault.exe (PID: 6012 cmdline: C:\Windows\system32\WerFault.exe -u -p 6808 -s 736 MD5: 5A849C27C4796C1A7C22C572D8EAF95D)
  • OpenConsole.exe (PID: 6852 cmdline: "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe" -Embedding MD5: 10A3C05A139428FB6D17A11B9A257516)
  • WindowsTerminal.exe (PID: 6880 cmdline: "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe" -Embedding MD5: F870908D432E534A3F0E93C18D1D9EE7)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Black Myth Wukong Sigma Downloader.zip | Virustotal: Detection: 52%
Source: Black Myth Wukong Sigma Downloader.zip | ReversingLabs: Detection: 55%
Source: Sigma.exe, 0000000F.00000000.3552740783.00007FF6A0A7D000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | File opened: C:\Users\user\AppData\Local\Microsoft\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | File opened: C:\Users\user
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | File opened: C:\Users\user\AppData\Local\Microsoft\WindowsApps
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | File opened: C:\Users\user\AppData
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | File opened: C:\Users\user\AppData\Local\Microsoft
Source: Joe Sandbox View | IP Address: 104.71.182.190
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.steampowered.com
Source: Sigma.exe | String found in binary or memory: http://protobuf.dev/programming-guides/enum/#cpp
Source: WindowsTerminal.exe, 00000012.00000002.4141048049.0000024E15A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sajatypeworks.comi
Source: settings.json.tmp.18.dr | String found in binary or memory: https://aka.ms/terminal-documentation
Source: WindowsTerminal.exe, 00000012.00000002.4136467841.0000024E13329000.00000004.00000020.00020000.00000000.sdmp, settings.json.tmp.18.dr | String found in binary or memory: https://aka.ms/terminal-profiles-schema
Source: Sigma.exe | String found in binary or memory: https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/
Source: Sigma.exe, 0000000F.00000002.4109501526.000001F0CD413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/SS
Source: Sigma.exe, 0000000F.00000002.4109501526.000001F0CD413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/es
Source: Sigma.exe | String found in binary or memory: https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/responseserver
Source: Sigma.exe, 0000000F.00000002.4102658587.000001F0CD12B000.00000004.00000020.00020000.00000000.sdmp, Sigma.exe, 0000000F.00000002.4109501526.000001F0CD413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/t
Source: Sigma.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Sigma.exe | String found in binary or memory: https://curl.se/docs/hsts.html
Source: Sigma.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: WindowsTerminal.exe, 00000012.00000002.4141048049.0000024E15A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/microsoft/cascadia-code/blob/main/LICENSE).
Source: WindowsTerminal.exe, 00000012.00000002.4141048049.0000024E15A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://scripts.sil.org/OFL
Source: WindowsTerminal.exe, 00000012.00000002.4141048049.0000024E15A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://scripts.sil.org/OFL)
Source: unknown | Network traffic detected: HTTP traffic on port 60873 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60871 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60852 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60879 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60875 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60877 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60851
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60873
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60872
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60871
Source: unknown | Network traffic detected: HTTP traffic on port 60880 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60844 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60879
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60878
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60877
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60876
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60875
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60852
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60874
Source: unknown | Network traffic detected: HTTP traffic on port 60874 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60851 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60872 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60876 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60878 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60880
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60844
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6808 -s 736
Source: classification engine | Classification label: mal52.evad.winZIP@8/11@1/2
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | File created: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\BlackMythWukong
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6808
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a984f2a7-91d7-414f-9f3b-2dbdb4bb9c77
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: Sigma.exe | String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExW\/AddDllDirectory%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %u
Source: unknown | Process created: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe "C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe"
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe" -Embedding
Source: unknown | Process created: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe" -Embedding
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe | Section loaded: schannel.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe | Section loaded: uiautomationcore.dll (2x)
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe | Section loaded: propsys.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe | Section loaded: windows.storage.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe | Section loaded: winmm.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe | Section loaded: usp10.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe | Section loaded: icu.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe | Section loaded: d2d1.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe | Section loaded: dwrite.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe | Section loaded: dxgi.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe | Section loaded: d3d11.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe | Section loaded: d3dcompiler_47.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe | Section loaded: wintypes.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe | Section loaded: cryptsp.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe | Section loaded: windows.staterepositorycore.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe | Section loaded: uxtheme.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: terminalthemehelpers.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: dwmapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: uxtheme.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: windows.staterepositorycore.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: winmm.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: windows.ui.xaml.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: ntmarta.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: powrprof.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: umpdc.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: twinapi.appcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: wintypes.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: icu.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: uiautomationcore.dll (2x)
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: dwrite.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: d2d1.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: dxgi.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: d3d11.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: d3dcompiler_47.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: cryptsp.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: coremessaging.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: windows.ui.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: inputhost.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: cryptbase.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: uiamanager.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: windowmanagementapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: urlmon.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: iertutil.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: srvcli.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: netutils.dll (2x)
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: dxcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: directxdatabasehelper.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: d3d10warp.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: mrmcorer.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: windows.staterepositoryclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: profapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: textshaping.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: dcomp.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: bcp47mrm.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: windows.ui.xaml.controls.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: bcp47langs.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: dataexchange.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: windows.applicationmodel.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: windows.storage.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: winhttp.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: appextension.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: twinapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: rometadata.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: sxs.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: windows.globalization.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: explorerframe.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: windowscodecs.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: directmanipulation.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: threadpoolwinrt.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: pfclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: msftedit.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: globinputhost.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: windows.ui.core.textinput.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: textinputframework.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: coreuicomponents.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: xmllite.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: appresolver.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: userenv.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: propsys.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: cfgmgr32.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: linkinfo.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: ntshrui.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: sspicli.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: cscapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: taskflowdataengine.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: windows.graphics.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Section loaded: ninput.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Black Myth Wukong Sigma Downloader.zip | Static file information: File size 5993588 > 1048576
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (3x)
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Process information set: NOOPENFILEERRORBOX (7x)
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX (29x)
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe  File opened: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\BlackMythWukong\b1\Content\Paks\pakchunk14-Windows.pak  count: 36138
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe  Window / User API: threadDelayed 2961
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe TID: 7056  Thread sleep count: 87 > 30
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe TID: 7088  Thread sleep count: 2961 > 30
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe TID: 7024  Thread sleep count: 247 > 30
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe  Last function: Thread delayed (2 occurrences)
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe  File opened: C:\Users\user\AppData\Local\Microsoft\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe  File opened: C:\Users\user
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe  File opened: C:\Users\user\AppData\Local
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe  File opened: C:\Users\user\AppData\Local\Microsoft\WindowsApps
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe  File opened: C:\Users\user\AppData
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe  File opened: C:\Users\user\AppData\Local\Microsoft
Source: WindowsTerminal.exe, 00000012.00000002.4147120901.0000024E15FE2000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: E#Volume#{887c27cf-b658-19ef-a77e-806e6f6e6963}#00000013CCA00000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c`
Source: Sigma.exe, 0000000F.00000002.4041393181.000001F0CBDB2000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe  Process queried: DebugPort (2 occurrences)
Source: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe  Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe  Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe  Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMono.ttf VolumeInformation (12 occurrences)
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe  Queries volume information: C:\Windows\Fonts\SegoeIcons.ttf VolumeInformation (2 occurrences)
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe  Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe  Queries volume information: C:\Windows\Fonts\SegUIVar.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe  Queries volume information: C:\ VolumeInformation (3 occurrences)
Tactic: Techniques (a leading number is the count shown in front of that technique in the original matrix)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: 2 Command and Scripting Interpreter, Scheduled Task/Job, At, Cron, Launchd
Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
Privilege Escalation: 11 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script
Defense Evasion: 1 Masquerading, 12 Virtualization/Sandbox Evasion, 11 Process Injection, 1 Rundll32, 1 DLL Side-Loading
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: 11 Security Software Discovery, 12 Virtualization/Sandbox Evasion, 1 Application Window Discovery, 2 File and Directory Discovery, 11 System Information Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: 1 Archive Collected Data, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Command and Control: 2 Encrypted Channel, 1 Non-Application Layer Protocol, 2 Application Layer Protocol, Protocol Impersonation, Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact
Behavior Graph (ID: 1654174; Sample: Black Myth Wukong Sigma Dow...; Startdate: 02/04/2025; Architecture: WINDOWS; Score: 52)

Start -> Sigma.exe, WindowsTerminal.exe, OpenConsole.exe, rundll32.exe
Start: signature "Multi AV Scanner detection for submitted file"; DNS: api.steampowered.com
Sigma.exe -> api.steampowered.com (104.71.182.190, 443, 60844, 60851, AKAMAI-ASUS, United States); 127.0.0.1 (unknown)
Sigma.exe: signature "Opens the same file many times (likely Sandbox evasion)"
Sigma.exe -> WerFault.exe, conhost.exe, cmd.exe

Source | Detection | Scanner | Label
Black Myth Wukong Sigma Downloader.zip | 52% | Virustotal |
Black Myth Wukong Sigma Downloader.zip | 55% | ReversingLabs | Win64.Trojan.Suschil

No Antivirus matches

Source | Detection | Scanner | Label
http://protobuf.dev/programming-guides/enum/#cpp | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.steampowered.com | 104.71.182.190 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | Sigma.exe | false | | high
http://protobuf.dev/programming-guides/enum/#cpp | Sigma.exe | false | Avira URL Cloud: safe | unknown
https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/t | Sigma.exe, 0000000F.00000002.4102658587.000001F0CD12B000.00000004.00000020.00020000.00000000.sdmp, Sigma.exe, 0000000F.00000002.4109501526.000001F0CD413000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://curl.se/docs/http-cookies.html | Sigma.exe | false | | high
https://scripts.sil.org/OFL | WindowsTerminal.exe, 00000012.00000002.4141048049.0000024E15A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/SS | Sigma.exe, 0000000F.00000002.4109501526.000001F0CD413000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://sajatypeworks.comi | WindowsTerminal.exe, 00000012.00000002.4141048049.0000024E15A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://scripts.sil.org/OFL) | WindowsTerminal.exe, 00000012.00000002.4141048049.0000024E15A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://curl.se/docs/alt-svc.html | Sigma.exe | false | | high
https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/ | Sigma.exe | false | | high
https://github.com/microsoft/cascadia-code/blob/main/LICENSE). | WindowsTerminal.exe, 00000012.00000002.4141048049.0000024E15A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/es | Sigma.exe, 0000000F.00000002.4109501526.000001F0CD413000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aka.ms/terminal-documentation | settings.json.tmp.18.dr | false | | high
https://api.steampowered.com/IContentServerDirectoryService/GetServersForSteamPipe/v1/responseserver | Sigma.exe | false | | high
https://aka.ms/terminal-profiles-schema | WindowsTerminal.exe, 00000012.00000002.4136467841.0000024E13329000.00000004.00000020.00020000.00000000.sdmp, settings.json.tmp.18.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.71.182.190 | api.steampowered.com | United States | 16625 | AKAMAI-ASUS | false

IP
127.0.0.1
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1654174
Start date and time: 2025-04-02 02:56:47 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Black Myth Wukong Sigma Downloader.zip
Detection: MAL
Classification: mal52.evad.winZIP@8/11@1/2
Cookbook Comments:
  • Found application associated with file extension: .zip
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, RuntimeBroker.exe, SystemSettingsBroker.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 172.64.149.23, 104.18.38.233, 20.189.173.21, 4.245.163.56, 20.190.163.20
  • Excluded domains from analysis (whitelisted): crt.comodoca.com.cdn.cloudflare.net, watson.events.data.microsoft.com, slscr.update.microsoft.com, login.live.com, blobcollectorcommon.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com, crt.comodoca.com
  • Not all processes were analyzed; the report is missing behavior information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
20:58:58 | API Interceptor | 1x Sleep call for process: WindowsTerminal.exe modified
20:59:44 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
104.71.182.190 | i1myxYUbbP.exe | malicious | Vidar
104.71.182.190 | https://u.to/JmY0Ig | malicious | Unknown
104.71.182.190 | random(11).exe | malicious | LummaC Stealer
104.71.182.190 | ayin.v0.1.0.exe | malicious | LummaC (2 entries)
104.71.182.190 | lunara.exe | malicious | Unknown
104.71.182.190 | https://www.steamvr.com/de/ | malicious | Unknown
104.71.182.190 | file.exe | malicious | Vidar
104.71.182.190 | BuThoFHNNK.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader

Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.steampowered.com | https://u.to/JmY0Ig | malicious | Unknown | 23.204.10.89
api.steampowered.com | https://sceanmcommnunmnlty.com/siute/apxpw/zpq | malicious | Unknown | 104.73.234.102
api.steampowered.com | http://steameconmnnuity.com/f848937bf21d19cda314441b9eca9f3c/bGlua3Nob3J0LnJ1bg==/aHR0cDovL3N0ZWFtZWNvbm1ubnVpdHkuY29tLzg5ODkwODA5Lw== | malicious | Unknown | 104.73.234.102
api.steampowered.com | https://sreqmcoommnunlty.com/pikus/kils/nuks | malicious | Unknown | 23.197.127.21
api.steampowered.com | https://sreqmcoommnunlty.com/bysre/tytik/pols | malicious | Unknown | 104.73.234.102
api.steampowered.com | https://staemcommunuttly.com/gift/activation=Dor5Fhnm1w | malicious | Unknown | 23.197.127.21
api.steampowered.com | https://steamcommunurty.com/id/7656135508021645 | malicious | Unknown | 104.73.234.102
api.steampowered.com | https://stearncommmunity.com/profiles/52829086342741 | malicious | Unknown | 104.73.234.102
api.steampowered.com | http://gift50steam.com/50 | malicious | Unknown | 23.197.127.21

Match | Associated Sample Name / URL | Detection | Threat Name | Context
AKAMAI-ASUS | i1myxYUbbP.exe | malicious | Vidar | 104.71.182.190
AKAMAI-ASUS | BIGIPEdgeClient 2024.exe | malicious | Unknown | 23.46.226.182
AKAMAI-ASUS | BIGIPEdgeClient.exe | malicious | Unknown | 23.197.253.43
AKAMAI-ASUS | BIGIPEdgeClient 2024.exe | malicious | Unknown | 23.39.37.29
AKAMAI-ASUS | https://sprayfoamsys.com/service-center/ | malicious | Unknown | 23.196.3.202
AKAMAI-ASUS | https://microwaveeng-dot-m365view-318723.uc.r.appspot.com/ | malicious | HTMLPhisher | 23.56.162.51
AKAMAI-ASUS | i486.elf | malicious | Unknown | 104.106.110.98
AKAMAI-ASUS | x86_64.elf | malicious | Unknown | 23.14.155.4
AKAMAI-ASUS | https://sprayfoamsys.com | malicious | Unknown | 23.196.3.177

No context
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with very long lines (2251), with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.1373530365658393
Encrypted: false
SSDEEP: 192:So65it508D6xfKTVjfuu7F614lrJuoCm+pgxHL9:Z6sta8D6xfKTVjfuu7F614lrJVGyL
MD5: 2548F4DFF38ED2693FD55E85F819182C
SHA1: 66E5F9D79A0C9F6B2E86D77FEDE0B7652FC73AC0
SHA-256: CD034802374D923ADCDBDBE3990B4518B5EF4151D972909EE0F4FD31DC219374
SHA-512: E0881D359A1E8D9C862CB4D54B630C7D31F36FFB29EEB09F7A8B833268DC4460A8FEA7D207676EB336B6B34188FA803DA0DAFA37969959602D4DA76BBABB9EA9
Malicious: false
Reputation: low
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Wed Apr 2 00:59:40 2025, 0x1205a4 type
Category: dropped
Size (bytes): 306748
Entropy (8bit): 1.3661022678684078
Encrypted: false
SSDEEP: 384:v+8GAowALVAJqM73EyPsq+nIPZApYzv1/z+Fr8B1BzCriZK1uJZsy:v+qALVAJqM70y0q+nIPZApKdhK16f
MD5: 9C2FAE1689C004715390EAA3EDB5980D
SHA1: 9C9E8B58F9877C2DBCF39C9E7EA235458BD95D99
SHA-256: CFEE7315CCFCDC9D0CFA2F99C35F4A3483CE833AC241FC44A8351A7F99026821
SHA-512: 8815B26F9E3283CC20B8F9B599E3BABCC81D53C85D10DEE53EB7D3276E961A7245FE8898DD58A9521E79A6F47AA9D73167DBBFD83960E533DBA4C621E210D2F8
Malicious: false
Reputation: low
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (380), with CRLF line terminators
Category: dropped
Size (bytes): 11028
Entropy (8bit): 3.747666367532872
Encrypted: false
SSDEEP: 192:RHl7CwNzawaMKxaMy9IMLu9X9iaMy9IMLu9X9ca4uGo9R6Y0HVcFgmfctYppr/8c:RHlnNzawaMKxaMYIMINiaMYIMINca4Pw
MD5: 86C7AC2E52FA1B3B311A2971D0A6F712
SHA1: 99643620533340A9F77213CF13C156720D570F49
SHA-256: ED40F77A2FE143D5516038AAFE8963848A4AC09CC2C5C9790D1DE3176A6EDE13
SHA-512: 9C6F58B30EC8E0B81C0FD418E9C6E3E75B1227B62421F74F2BAEDBF866878281DA25E1EB9EBC1DE4514E4D6DA39FD951338CF37945D796449AC4ACE5FF200D68
Malicious: false
Reputation: low
                                                  Process:C:\Windows\System32\WerFault.exe
                                                  File Type:XML 1.0 document, ASCII text, with very long lines (2272), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):7283
                                                  Entropy (8bit):4.815769238047287
                                                  Encrypted:false
                                                  SSDEEP:192:uItqy64+VM1HyL3/g9eT8OpByO7MsT5VDk9cadsfGznV6yCccmfL:QX2tVUccmfL
                                                  MD5:8AE12A55D554766B6D681812C9ED7C94
                                                  SHA1:FCCD70A2D7066EC796620571179CE71B580FA0D4
                                                  SHA-256:4FCE86E3A5F428A4D8C7C30E1544E86A9F6CF4B7D587B6FEF0DBAED34AFA8FBD
                                                  SHA-512:D43195D8A9A7FA50F12F0CC464622D7B06D25B1B520FBBB22EB4DC6858E9B7F490B821830A7E16F73215FB88291AE45E8F748C99AB75202C496A5531CF6BBAAE
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="22631" />.. <arg nm="vercsdbld" val="4169" />.. <arg nm="verqfe" val="4169" />.. <arg nm="csdbld" val="4169" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="163129" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.1.22621.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096"
                                                  Process:C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
                                                  File Type:JSON data
                                                  Category:dropped
                                                  Size (bytes):1923
                                                  Entropy (8bit):4.050816653534426
                                                  Encrypted:false
                                                  SSDEEP:24:NqxpqbJi3i/2/upfvVObUpkf/O/upiXqPKviTCEh3WwUwd1pQ/SAiw/BwVih2E:aFS/2anYbUp7aoBlI3UADQLiMapE
                                                  MD5:7D17062107BB3B08436E2C8674EA4436
                                                  SHA1:E9F69AB04DBBBF2C12B23DD9088109010475E52A
                                                  SHA-256:894FB5EF8822AE2BA2ABB89C2EA7332535B2B2CB6F1B7B63439D1D565108F1AC
                                                  SHA-512:579746CCA2D576D7746F2B627890CFE259F9A93499A52D5D61E51967C32A0818D112E4AB1646E7A48B11186772E6583A4EB885AEBB244142D0116382FF574624
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview:{. "$help": "https://aka.ms/terminal-documentation",. "$schema": "https://aka.ms/terminal-profiles-schema",. "actions": . [. {. "command": . {. "action": "copy",. "singleLine": false. },. "id": "User.copy.644BA8F2",. "keys": "ctrl+c". },. {. "command": "paste",. "id": "User.paste",. "keys": "ctrl+v". },. {. "command": "find",. "id": "User.find",. "keys": "ctrl+shift+f". },. {. "command": . {. "action": "splitPane",. "split": "auto",. "splitMode": "duplicate". },. "id": "User.splitPane.A6751878",. "keys": "alt+shift+d". }. ],. "copyFormatting": "none",. "copyOnSelect": false,. "defaultProfile": "{61c54bbd-c2c6-5271-96e7-009a87ff44bf}",. "newTabMenu": . [.
                                                  Process:C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
                                                  File Type:JSON data
                                                  Category:dropped
                                                  Size (bytes):1923
                                                  Entropy (8bit):4.050816653534426
                                                  Encrypted:false
                                                  SSDEEP:24:NqxpqbJi3i/2/upfvVObUpkf/O/upiXqPKviTCEh3WwUwd1pQ/SAiw/BwVih2E:aFS/2anYbUp7aoBlI3UADQLiMapE
                                                  MD5:7D17062107BB3B08436E2C8674EA4436
                                                  SHA1:E9F69AB04DBBBF2C12B23DD9088109010475E52A
                                                  SHA-256:894FB5EF8822AE2BA2ABB89C2EA7332535B2B2CB6F1B7B63439D1D565108F1AC
                                                  SHA-512:579746CCA2D576D7746F2B627890CFE259F9A93499A52D5D61E51967C32A0818D112E4AB1646E7A48B11186772E6583A4EB885AEBB244142D0116382FF574624
                                                  Malicious:false
                                                  Preview:{. "$help": "https://aka.ms/terminal-documentation",. "$schema": "https://aka.ms/terminal-profiles-schema",. "actions": . [. {. "command": . {. "action": "copy",. "singleLine": false. },. "id": "User.copy.644BA8F2",. "keys": "ctrl+c". },. {. "command": "paste",. "id": "User.paste",. "keys": "ctrl+v". },. {. "command": "find",. "id": "User.find",. "keys": "ctrl+shift+f". },. {. "command": . {. "action": "splitPane",. "split": "auto",. "splitMode": "duplicate". },. "id": "User.splitPane.A6751878",. "keys": "alt+shift+d". }. ],. "copyFormatting": "none",. "copyOnSelect": false,. "defaultProfile": "{61c54bbd-c2c6-5271-96e7-009a87ff44bf}",. "newTabMenu": . [.
                                                  Process:C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
                                                  File Type:JSON data
                                                  Category:dropped
                                                  Size (bytes):163
                                                  Entropy (8bit):5.074817553158053
                                                  Encrypted:false
                                                  SSDEEP:3:NyE2dKQbBssh2XkI0eicCGRyD4huVKBKbBOot1YqdDAEBUMdWMdIqC:NmIQbBNhxIVicJpyBFt+5EBNdBnC
                                                  MD5:A88ADBF16875B7635DBD7A6E6CF20D23
                                                  SHA1:B6DB4EEFAA39A75E09056882248F4C193000437B
                                                  SHA-256:86A8390B4675FE11F5F4AED15195F586DFEB29F36631FE085620C1939A3B7894
                                                  SHA-512:D3D84BFCE2CB695226431D9771D9F23D15B14E3EF5441DF30217B8DD66183A613CB1FEA179643C316C6601EDFECB01E2211D738C30992C13133D07782E3966BD
                                                  Malicious:false
                                                  Preview:{.."generatedProfiles" : ..[..."{b453ae62-4e3d-5e58-b989-0a998ec441b8}"..],.."persistedWindowLayouts" : [],.."settingsHash" : "4c8af8fead18d583-01dba36a6a0e347b".}
                                                  Process:C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
                                                  File Type:JSON data
                                                  Category:dropped
                                                  Size (bytes):163
                                                  Entropy (8bit):5.074817553158053
                                                  Encrypted:false
                                                  SSDEEP:3:NyE2dKQbBssh2XkI0eicCGRyD4huVKBKbBOot1YqdDAEBUMdWMdIqC:NmIQbBNhxIVicJpyBFt+5EBNdBnC
                                                  MD5:A88ADBF16875B7635DBD7A6E6CF20D23
                                                  SHA1:B6DB4EEFAA39A75E09056882248F4C193000437B
                                                  SHA-256:86A8390B4675FE11F5F4AED15195F586DFEB29F36631FE085620C1939A3B7894
                                                  SHA-512:D3D84BFCE2CB695226431D9771D9F23D15B14E3EF5441DF30217B8DD66183A613CB1FEA179643C316C6601EDFECB01E2211D738C30992C13133D07782E3966BD
                                                  Malicious:false
                                                  Preview:{.."generatedProfiles" : ..[..."{b453ae62-4e3d-5e58-b989-0a998ec441b8}"..],.."persistedWindowLayouts" : [],.."settingsHash" : "4c8af8fead18d583-01dba36a6a0e347b".}
                                                  Process:C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):4461
                                                  Entropy (8bit):5.0468960121765205
                                                  Encrypted:false
                                                  SSDEEP:48:0pDlRmeHnRwZDabs+J3osJipD6RtNHnRwZDabsiHqJEmRsohH9JipD6RtNHnRwZc:GLBCaZJOi3Ca+J1gi3Ca+JkZ
                                                  MD5:561FB4E7BF468917F28E68FA3F293D59
                                                  SHA1:82E0A737313C67B696FD7026AFC40EE637AA76DD
                                                  SHA-256:FD36517943E02EB2B6EB9DEE043EDAE9FC9F7116D95413DFBE0A400223D9FFE8
                                                  SHA-512:A4139E42493ADCBF93FD634973B3F6361666392F6A7051757A275E6037B5647830E5E0DAFB0F280CF6B8145E996FACB1A974345EC87D5073A473B260BF51F9D8
                                                  Malicious:false
                                                  Preview:...................................FL..................F.... ...g...8J..g...8J..g...8J............................:..IG..Yr?.D..U..k0.&...&......p...eJ...TO<j....5.jj.......t...CFSF..1......Y....AppData...t.Y^...H.g.3..(.....gVA.G..k...@......Yf..Z].....x........................A.p.p.D.a.t.a...B.P.1......Y....Local.<......Y...Y...............................L.o.c.a.l.....\.1......Y....MICROS~1..D......Y...Y...............................M.i.c.r.o.s.o.f.t.....`.1.. ...Y.z..WINDOW~1..H......Y..qZ+p............................y.W.i.n.d.o.w.s.A.p.p.s.......1......Y.e..MICROS~2.WIN.........Y.e.Y.e.....p........................M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s.T.e.r.m.i.n.a.l._.8.w.e.k.y.b.3.d.8.b.b.w.e.....T.2......Y.e .wt.exe..>......Y.e.Y.e.....p........................w.t...e.x.e.......................-...........................C:\Users\user\AppData\Local\Microsoft\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe\wt.exe..).-.p. .{.6.1.c.5.4.b.b.d.-.c.2.c.6.-.5.2.7.
                                                  Process:C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):4461
                                                  Entropy (8bit):5.0468960121765205
                                                  Encrypted:false
                                                  SSDEEP:48:0pDlRmeHnRwZDabs+J3osJipD6RtNHnRwZDabsiHqJEmRsohH9JipD6RtNHnRwZc:GLBCaZJOi3Ca+J1gi3Ca+JkZ
                                                  MD5:561FB4E7BF468917F28E68FA3F293D59
                                                  SHA1:82E0A737313C67B696FD7026AFC40EE637AA76DD
                                                  SHA-256:FD36517943E02EB2B6EB9DEE043EDAE9FC9F7116D95413DFBE0A400223D9FFE8
                                                  SHA-512:A4139E42493ADCBF93FD634973B3F6361666392F6A7051757A275E6037B5647830E5E0DAFB0F280CF6B8145E996FACB1A974345EC87D5073A473B260BF51F9D8
                                                  Malicious:false
                                                  Preview:...................................FL..................F.... ...g...8J..g...8J..g...8J............................:..IG..Yr?.D..U..k0.&...&......p...eJ...TO<j....5.jj.......t...CFSF..1......Y....AppData...t.Y^...H.g.3..(.....gVA.G..k...@......Yf..Z].....x........................A.p.p.D.a.t.a...B.P.1......Y....Local.<......Y...Y...............................L.o.c.a.l.....\.1......Y....MICROS~1..D......Y...Y...............................M.i.c.r.o.s.o.f.t.....`.1.. ...Y.z..WINDOW~1..H......Y..qZ+p............................y.W.i.n.d.o.w.s.A.p.p.s.......1......Y.e..MICROS~2.WIN.........Y.e.Y.e.....p........................M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s.T.e.r.m.i.n.a.l._.8.w.e.k.y.b.3.d.8.b.b.w.e.....T.2......Y.e .wt.exe..>......Y.e.Y.e.....p........................w.t...e.x.e.......................-...........................C:\Users\user\AppData\Local\Microsoft\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe\wt.exe..).-.p. .{.6.1.c.5.4.b.b.d.-.c.2.c.6.-.5.2.7.
                                                  Process:C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe
                                                  File Type:ASCII text, with very long lines (11304), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):12478
                                                  Entropy (8bit):4.228608924835732
                                                  Encrypted:false
                                                  SSDEEP:192:YU5iCu4B/a8Rwy+uDQ80au6tgqDnkOOYbqQK3BXXaCehmqfA/vMHQnnm21uqajz4:3aJ5
                                                  MD5:3A06251FE258A858D6713DF6067DFA94
                                                  SHA1:5B2490553286E3A63B4281CCC3C2A9AC1C84258D
                                                  SHA-256:99CAE25845C25CE3D152EA12993A1283A9A409019DFC103F6273A4FE74359D37
                                                  SHA-512:56BFDE660E8348478BFA5D8FECFFC74B1398FFD1E7D7B159A273D918EA3B35A9CC2F5DC112E4DC92D1BB5DD596C15E981BA336165377BA6AEFC762BFC404F2A8
                                                  Malicious:false
                                                  Preview:discord.gg/pubslounge.... .. /$$$$$$$ /$$$$$$$ /$$ ..| $$__ $$ | $$__ $$ | $$ ..| $$ \ $$ /$$$$$$ /$$$$$$$ /$$ /$$ /$$ /$$ /$$$$$$ | $$ \ $$ /$$ /$$| $$$$$$$ ..| $$ | $$ /$$__ $$| $$__ $$| $$ | $$| $$ /$$//$$__ $$ | $$$$$$$/| $$ | $$| $$__ $$ ..| $$ | $$| $$$$$$$$| $$ \ $$| $$ | $$ \ $$/$$/| $$ \ $$ | $$____/ | $$ | $$| $$ \ $$ ..| $$ | $$| $$_____/| $$ | $$| $$ | $$ \ $$$/ | $$ | $$ | $$ | $$ | $$| $$ | $$ ..| $$$$$$$/| $$$$$$$| $$ | $$| $$$$$$/ \ $/ | $$$$$$/ | $$ | $$$$$$/| $$$$$$$/ ..|_______/ \_______/|__/ |__/ \______/ \_/ \______/ |__/ \______/ |_______/ ....Game: Black Myth Wukong ..Path: C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\BlackMythWukong..------------------------------------------------------------..[>
                                                  File type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                  Entropy (8bit):7.996770301859017
                                                  TrID:
                                                  • ZIP compressed archive (8000/1) 100.00%
                                                  File name:Black Myth Wukong Sigma Downloader.zip
                                                  File size:5'993'588 bytes
                                                  MD5:20f570224521e29be00f00760eb19908
                                                  SHA1:cb6a2f265e8b1f1af579fe2c8891af0fed54376a
                                                  SHA256:7d77f7e3bc6e29e690679416e1bfd9eec3d4c38d5f62fd57cbfbd5ea2eed8f4a
                                                  SHA512:554864980a6009914b16435a07f3892d8277b235915220f10db12a9fa17f479788bb71ab99ef204e3e01f8ae610923a18a55bf4c9cbf7e9ba6d376d13c026d33
                                                  SSDEEP:98304:y92MnCktXhi/mziR92lYuXT9yyESogtzt50QWLGtvd9Rtahx8enkGIYRc2G5xOl6:y92CFXhRQ9kPElgV4QWId9DaL8eXa2GF
                                                  TLSH:895633AB4B5956BD26ABF32C282E82F6CF09D10C3C564C60109EF5F533DA8C5D6CAD16
                                                  File Content Preview:PK.........rzZI)...q[.........Sigma.exe...x.U..\..N..TG@.$.H..A..5........... .FPF.t..E.N$..V.=..g.u.>u6.Q6.N...H"....Wl..3! ..9.V..D.7.....}..n.{......{.{....q...c1....?.w..|........J...n1.o..2..R{..Ew........s."...;.K.....cwO.l...yw.....C.q..W.....L..9.
                                                  Icon Hash:03f1b9752babe989

                                                  • Total Packets: 92
                                                  • 443 (HTTPS)
                                                  • 53 (DNS)
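The packet timeline that follows lists one row per packet, with the sandbox guest (192.168.2.24) on one side and 104.71.182.190 port 443 on the other. What a triager wants from it is not the rows but the flow picture: how many distinct TCP connections were opened and how tightly they cluster in time. In the rows shown on this page the guest uses thirteen client ports (60844, 60851, 60852 and 60871 through 60880), all toward the same host and port, and twelve of them are opened within about 30 ms of 02:59:38.98. A burst of parallel HTTPS connections to one host is the shape of a segmented download or a page load; a beacon would show single, evenly spaced connections instead. The script below is an added example and is not part of the Joe Sandbox report. It assumes rows in the five-column form `timestamp zone  source port  dest port  source IP  dest IP` (a header line is skipped), treats the lower-numbered port as the server side (an assumption that holds for ephemeral client ports), and runs on a constructed nine-row excerpt embedded inline.

```python
import re
from datetime import datetime, timezone

# Constructed sample: nine rows copied from the timeline in the five-column
# layout (timestamp, source port, dest port, source IP, dest IP).
SAMPLE_ROWS = """\
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Apr 2, 2025 02:59:26.594815016 CEST  60844        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:26.594857931 CEST  443          60844      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:26.595065117 CEST  60844        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:38.983381987 CEST  60851        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:38.983469009 CEST  443          60851      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:38.984242916 CEST  60852        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:38.984267950 CEST  443          60852      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.000649929 CEST  60871        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.000715017 CEST  443          60871      104.71.182.190  192.168.2.24
"""

# One packet row: "<Mon D, YYYY HH:MM:SS.nnnnnnnnn> <zone> <sport> <dport> <sip> <dip>"
ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+) (?P<tz>[A-Z]+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+"
    r"(?P<sip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_timestamp(ts: str) -> float:
    """Convert 'Apr 2, 2025 02:59:26.594815016' to float seconds, keeping the
    nanosecond fraction. The zone is ignored; only differences between rows matter."""
    whole, frac = ts.split(".")
    dt = datetime.strptime(whole, "%b %d, %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.timestamp() + int(frac.ljust(9, "0")[:9]) / 1e9


def flow_key(sport: int, dport: int, sip: str, dip: str):
    """Canonical (client_ip, client_port, server_ip, server_port) for a packet.
    Assumption: the lower-numbered port is the server side (clients use high ports)."""
    if sport < dport:
        return (dip, dport, sip, sport)
    return (sip, sport, dip, dport)


def summarize_flows(rows: str) -> dict:
    """Group packet rows into flows with per-direction packet counts and timing."""
    flows = {}
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line or anything that is not a packet row
        t = parse_timestamp(m["ts"])
        sport, dport = int(m["sport"]), int(m["dport"])
        sip, dip = m["sip"], m["dip"]
        key = flow_key(sport, dport, sip, dip)
        f = flows.setdefault(key, {"packets": 0, "to_server": 0, "from_server": 0,
                                   "first": t, "last": t})
        f["packets"] += 1
        if (sip, sport) == key[:2]:
            f["to_server"] += 1
        else:
            f["from_server"] += 1
        f["first"] = min(f["first"], t)
        f["last"] = max(f["last"], t)
    return flows


def connection_bursts(flows: dict, window: float = 1.0) -> list:
    """Cluster flows by first-packet time: a flow starting within `window` seconds
    of the current burst's first flow joins it. Returns lists of client ports."""
    bursts, start = [], None
    for key, f in sorted(flows.items(), key=lambda kv: kv[1]["first"]):
        if start is None or f["first"] - start > window:
            bursts.append([])
            start = f["first"]
        bursts[-1].append(key[1])
    return bursts


if __name__ == "__main__":
    flows = summarize_flows(SAMPLE_ROWS)
    for (cip, cport, sip, sport), f in flows.items():
        print(f"{cip}:{cport} -> {sip}:{sport}  packets={f['packets']} "
              f"out={f['to_server']} in={f['from_server']} "
              f"span={f['last'] - f['first']:.3f}s")
    print("bursts:", connection_bursts(flows))
```

On the excerpt this yields four flows and two bursts, one at 02:59:26 and one starting at 02:59:38.98; fed the full timeline it reports the thirteen client ports above, grouped into the same two bursts. The one-second window is a tuning knob, not a rule: tighten it to tens of milliseconds to separate connections opened by a single API call from ones opened by user interaction a moment later.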
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Apr 2, 2025 02:59:26.594815016 CEST  60844        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:26.594857931 CEST  443          60844      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:26.595065117 CEST  60844        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:26.601934910 CEST  60844        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:26.601953983 CEST  443          60844      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:26.793041945 CEST  443          60844      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:26.798414946 CEST  60844        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:26.798444033 CEST  443          60844      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:26.800014019 CEST  443          60844      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:26.800124884 CEST  60844        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:26.814357996 CEST  60844        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:26.814416885 CEST  443          60844      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:26.814524889 CEST  60844        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:38.983381987 CEST  60851        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:38.983469009 CEST  443          60851      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:38.983567953 CEST  60851        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:38.984242916 CEST  60852        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:38.984267950 CEST  443          60852      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:38.984330893 CEST  60852        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:38.987277985 CEST  60851        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:38.987313986 CEST  443          60851      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:38.988971949 CEST  60852        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:38.988996983 CEST  443          60852      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.000649929 CEST  60871        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.000715017 CEST  443          60871      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.000905991 CEST  60871        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.001158953 CEST  60872        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.001255989 CEST  443          60872      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.001338959 CEST  60872        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.001667976 CEST  60873        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.001713991 CEST  443          60873      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.001770973 CEST  60873        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.001943111 CEST  60874        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.002012014 CEST  443          60874      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.002084970 CEST  60874        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.004466057 CEST  60871        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.004498959 CEST  443          60871      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.004605055 CEST  60873        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.004623890 CEST  443          60873      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.004673958 CEST  60872        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.004715919 CEST  60874        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.004717112 CEST  443          60872      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.004754066 CEST  443          60874      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.007493019 CEST  60875        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.007580042 CEST  443          60875      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.007688999 CEST  60875        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.008029938 CEST  60876        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.008055925 CEST  443          60876      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.008127928 CEST  60876        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.008248091 CEST  60877        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.008287907 CEST  443          60877      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.008358955 CEST  60877        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.008613110 CEST  60878        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.008620977 CEST  443          60878      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.008671045 CEST  60878        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.009021044 CEST  60879        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.009061098 CEST  443          60879      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.009118080 CEST  60879        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.010874987 CEST  60877        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.010880947 CEST  60876        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.010896921 CEST  443          60877      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.010922909 CEST  443          60876      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.010987043 CEST  60879        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.011018991 CEST  443          60879      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.012023926 CEST  60878        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.012037992 CEST  443          60878      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.012351990 CEST  60875        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.012382030 CEST  443          60875      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.012788057 CEST  60880        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.012819052 CEST  443          60880      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.012902021 CEST  60880        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.013892889 CEST  60880        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.013919115 CEST  443          60880      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.172477961 CEST  443          60852      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.174427986 CEST  443          60851      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.175148964 CEST  60852        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.175177097 CEST  443          60852      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.175790071 CEST  60851        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.175803900 CEST  443          60851      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.176326036 CEST  443          60852      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.176402092 CEST  60852        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.177263975 CEST  443          60851      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.177334070 CEST  60851        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.179435968 CEST  60852        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.179476976 CEST  443          60852      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.179538012 CEST  60852        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.179662943 CEST  60851        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.179704905 CEST  443          60851      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.179761887 CEST  60851        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.197964907 CEST  443          60871      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.199631929 CEST  60871        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.199692011 CEST  443          60871      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.200582027 CEST  443          60877      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.200980902 CEST  443          60873      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.201828957 CEST  60877        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.201858044 CEST  443          60877      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.202527046 CEST  60873        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.202543020 CEST  443          60873      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.202544928 CEST  443          60872      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.202907085 CEST  443          60877      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.202982903 CEST  60877        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.203674078 CEST  443          60871      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.203754902 CEST  60871        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.203834057 CEST  60872        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.203871965 CEST  443          60872      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.204217911 CEST  443          60873      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.204286098 CEST  60873        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.204982996 CEST  443          60872      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.205061913 CEST  60872        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.206274033 CEST  60877        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.206320047 CEST  443          60877      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.206398010 CEST  60877        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.206705093 CEST  60871        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.206743002 CEST  60872        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.206793070 CEST  443          60872      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.206834078 CEST  443          60871      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.206852913 CEST  60873        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.206859112 CEST  60872        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.206897974 CEST  60871        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.206907034 CEST  443          60873      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.206959963 CEST  60873        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.207365990 CEST  443          60875      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.207613945 CEST  443          60874      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.208583117 CEST  60875        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.208645105 CEST  443          60875      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.209184885 CEST  60874        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.209198952 CEST  443          60874      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.209245920 CEST  443          60876      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.209563017 CEST  443          60879      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.209635019 CEST  443          60878      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.210235119 CEST  443          60875      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.210335016 CEST  60875        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.210390091 CEST  443          60880      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.210782051 CEST  443          60874      104.71.182.190  192.168.2.24
Apr 2, 2025 02:59:39.210850000 CEST  60874        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.212090015 CEST  60876        443        192.168.2.24    104.71.182.190
Apr 2, 2025 02:59:39.212106943 CEST  443          60876      104.71.182.190  192.168.2.24
                                                  Apr 2, 2025 02:59:39.212908030 CEST60879443192.168.2.24104.71.182.190
                                                  Apr 2, 2025 02:59:39.212930918 CEST44360879104.71.182.190192.168.2.24
                                                  Apr 2, 2025 02:59:39.213017941 CEST60878443192.168.2.24104.71.182.190
                                                  Apr 2, 2025 02:59:39.213027000 CEST44360878104.71.182.190192.168.2.24
                                                  Apr 2, 2025 02:59:39.213162899 CEST60880443192.168.2.24104.71.182.190
                                                  Apr 2, 2025 02:59:39.213181973 CEST44360880104.71.182.190192.168.2.24
                                                  Apr 2, 2025 02:59:39.213700056 CEST44360876104.71.182.190192.168.2.24
                                                  Apr 2, 2025 02:59:39.213774920 CEST60876443192.168.2.24104.71.182.190
                                                  Apr 2, 2025 02:59:39.214503050 CEST44360879104.71.182.190192.168.2.24
                                                  Apr 2, 2025 02:59:39.214585066 CEST60879443192.168.2.24104.71.182.190
                                                  Apr 2, 2025 02:59:39.214608908 CEST44360878104.71.182.190192.168.2.24
                                                  Apr 2, 2025 02:59:39.214648008 CEST44360880104.71.182.190192.168.2.24
                                                  Apr 2, 2025 02:59:39.214675903 CEST60878443192.168.2.24104.71.182.190
                                                  Apr 2, 2025 02:59:39.214713097 CEST60880443192.168.2.24104.71.182.190
                                                  Apr 2, 2025 02:59:39.217849970 CEST60876443192.168.2.24104.71.182.190
                                                  Apr 2, 2025 02:59:39.217912912 CEST44360876104.71.182.190192.168.2.24
                                                  Apr 2, 2025 02:59:39.218040943 CEST60878443192.168.2.24104.71.182.190
                                                  Apr 2, 2025 02:59:39.218050003 CEST60876443192.168.2.24104.71.182.190
                                                  Apr 2, 2025 02:59:39.218051910 CEST60879443192.168.2.24104.71.182.190
                                                  Apr 2, 2025 02:59:39.218091965 CEST44360878104.71.182.190192.168.2.24
                                                  Apr 2, 2025 02:59:39.218096018 CEST60875443192.168.2.24104.71.182.190
                                                  Apr 2, 2025 02:59:39.218111038 CEST44360879104.71.182.190192.168.2.24
                                                  Apr 2, 2025 02:59:39.218146086 CEST44360875104.71.182.190192.168.2.24
                                                  Apr 2, 2025 02:59:39.218148947 CEST60878443192.168.2.24104.71.182.190
                                                  Apr 2, 2025 02:59:39.218178988 CEST60879443192.168.2.24104.71.182.190
                                                  Apr 2, 2025 02:59:39.218200922 CEST60875443192.168.2.24104.71.182.190
                                                  Apr 2, 2025 02:59:39.218420982 CEST60874443192.168.2.24104.71.182.190
                                                  Apr 2, 2025 02:59:39.218506098 CEST44360874104.71.182.190192.168.2.24
                                                  Apr 2, 2025 02:59:39.218534946 CEST60880443192.168.2.24104.71.182.190
                                                  Apr 2, 2025 02:59:39.218571901 CEST60874443192.168.2.24104.71.182.190
                                                  Apr 2, 2025 02:59:39.218590021 CEST44360880104.71.182.190192.168.2.24
                                                  Apr 2, 2025 02:59:39.218641043 CEST60880443192.168.2.24104.71.182.190
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 2, 2025 02:59:26.484397888 CEST | 55516 | 53 | 192.168.2.24 | 1.1.1.1
Apr 2, 2025 02:59:26.585645914 CEST | 53 | 55516 | 1.1.1.1 | 192.168.2.24

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 2, 2025 02:59:26.484397888 CEST | 192.168.2.24 | 1.1.1.1 | 0x51ad | Standard query (0) | api.steampowered.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 2, 2025 02:59:26.585645914 CEST | 1.1.1.1 | 192.168.2.24 | 0x51ad | No error (0) | api.steampowered.com | - | 104.71.182.190 | A (IP address) | IN (0x0001) | false
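The packet and DNS rows in this report are flattened by extraction: after the timestamp the two ports and the two addresses run together with no separator, so a row such as 60872443192.168.2.24104.71.182.190 can be read as 60872/443 or 6087/2443, and 1.1.1.1192.168.2.24 as 1.1.1.1 + 192.168.2.24 or 1.1.1.119 + 2.168.2.24. The following Python is an added example, not part of the Joe Sandbox report: it recovers the fields from rows copied from the tables above by enumerating every valid reading and keeping the one consistent with what the report states about the analysis host (192.168.2.24 connecting from ephemeral ports to a service port), then groups the TCP packets into flows and labels the remote address with the DNS answer. The set of expected service ports and the ephemeral range are assumptions of the example; the DNS answer and the sample rows are taken from the tables above.

```python
"""Recover structured packet rows from the report's flattened network
tables and correlate the TCP flows with the DNS answer.

Added example, not part of the Joe Sandbox report. Each extracted row is
"<timestamp> CEST" immediately followed by source port, destination port,
source IP and destination IP with no separators, so the field boundaries
are ambiguous ("60872443" could be 60872/443 or 6087/2443). Every valid
reading is enumerated and scored against two facts the report gives:
the analysis host is 192.168.2.24 and it connects from ephemeral ports
to well-known service ports.
"""
import re
from collections import defaultdict

LOCAL_IP = "192.168.2.24"       # the sandbox VM, as shown in the report
SERVICE_PORTS = {53, 80, 443}   # assumption: remote ports expected in this report
EPHEMERAL_MIN = 49152           # assumption: Windows dynamic port range start

# Constructed sample input: one row per client port, copied from the
# report's TCP packet table, plus the two UDP rows of the DNS lookup.
TCP_ROWS = [
    "Apr 2, 2025 02:59:39.203834057 CEST60872443192.168.2.24104.71.182.190",
    "Apr 2, 2025 02:59:39.204217911 CEST44360873104.71.182.190192.168.2.24",
    "Apr 2, 2025 02:59:39.206274033 CEST60877443192.168.2.24104.71.182.190",
    "Apr 2, 2025 02:59:39.206705093 CEST60871443192.168.2.24104.71.182.190",
    "Apr 2, 2025 02:59:39.207365990 CEST44360875104.71.182.190192.168.2.24",
    "Apr 2, 2025 02:59:39.207613945 CEST44360874104.71.182.190192.168.2.24",
    "Apr 2, 2025 02:59:39.209245920 CEST44360876104.71.182.190192.168.2.24",
    "Apr 2, 2025 02:59:39.209563017 CEST44360879104.71.182.190192.168.2.24",
    "Apr 2, 2025 02:59:39.209635019 CEST44360878104.71.182.190192.168.2.24",
    "Apr 2, 2025 02:59:39.210390091 CEST44360880104.71.182.190192.168.2.24",
]
UDP_ROWS = [
    "Apr 2, 2025 02:59:26.484397888 CEST5551653192.168.2.241.1.1.1",
    "Apr 2, 2025 02:59:26.585645914 CEST53555161.1.1.1192.168.2.24",
]
# From the report's DNS answers table: name -> resolved address.
DNS_ANSWERS = {"api.steampowered.com": "104.71.182.190"}

ROW_RE = re.compile(r"^(?P<ts>.*\d{2}:\d{2}:\d{2}\.\d+ [A-Z]+)(?P<blob>[\d.]+)$")


def valid_port(s):
    return s.isdigit() and s[0] != "0" and int(s) <= 65535


def valid_ip(s):
    parts = s.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and (len(p) == 1 or p[0] != "0") and int(p) <= 255 for p in parts)


def candidates(blob):
    """Yield every (sport, dport, sip, dip) reading of the digit blob."""
    first_dot = blob.index(".")
    for i in range(2, first_dot):            # ports occupy blob[:i]
        ports, ips = blob[:i], blob[i:]
        port_splits = [(ports[:j], ports[j:]) for j in range(1, len(ports))
                       if valid_port(ports[:j]) and valid_port(ports[j:])]
        ip_splits = [(ips[:k], ips[k:]) for k in range(7, len(ips) - 6)
                     if valid_ip(ips[:k]) and valid_ip(ips[k:])]
        for sp, dp in port_splits:
            for sip, dip in ip_splits:
                yield int(sp), int(dp), sip, dip


def score(sport, dport, sip, dip):
    """Higher for readings consistent with the sandbox host's traffic pattern."""
    if (sip == LOCAL_IP) == (dip == LOCAL_IP):
        return 0                               # neither side (or both) is the VM
    local_port, remote_port = (sport, dport) if sip == LOCAL_IP else (dport, sport)
    return 4 if local_port >= EPHEMERAL_MIN and remote_port in SERVICE_PORTS else 2


def parse_row(row):
    """Return (timestamp, sport, dport, sip, dip); raise rather than guess."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    ranked = sorted(((score(*c), c) for c in candidates(m["blob"])), reverse=True)
    if not ranked:
        raise ValueError(f"no valid reading: {row!r}")
    if len(ranked) > 1 and ranked[0][0] == ranked[1][0]:
        raise ValueError(f"ambiguous row: {row!r} -> {ranked[0][1]} / {ranked[1][1]}")
    return (m["ts"],) + ranked[0][1]


def summarize(tcp_rows, dns_answers):
    """Group packets into flows keyed by remote endpoint, named via DNS answers."""
    names = {addr: name for name, addr in dns_answers.items()}
    flows = defaultdict(lambda: {"local_ports": set(), "packets": 0, "stamps": []})
    for row in tcp_rows:
        ts, sport, dport, sip, dip = parse_row(row)
        remote, lport = ((dip, dport), sport) if sip == LOCAL_IP else ((sip, sport), dport)
        flows[remote]["local_ports"].add(lport)
        flows[remote]["packets"] += 1
        flows[remote]["stamps"].append(ts)
    # Rows share one date and a fixed-width fraction, so string order is time order.
    return {f"{ip}:{port}": {"name": names.get(ip, "?"),
                             "connections": len(f["local_ports"]),
                             "packets": f["packets"],
                             "first": min(f["stamps"]), "last": max(f["stamps"])}
            for (ip, port), f in flows.items()}


if __name__ == "__main__":
    for endpoint, info in summarize(TCP_ROWS, DNS_ANSWERS).items():
        print(endpoint, info)
    for row in UDP_ROWS:
        print(parse_row(row))
```

On the ten embedded rows the summary reports a single remote endpoint, 104.71.182.190:443, labelled api.steampowered.com from the DNS answer, with ten distinct client ports (60871 to 60880) whose sampled packets lie within about 7 ms of each other. The parser raises on any row whose best reading is not unique instead of picking one, which is the behaviour you want when the output feeds indicators into a blocklist or a detection rule.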


                                                  Target ID:1
                                                  Start time:20:57:53
                                                  Start date:01/04/2025
                                                  Path:C:\Windows\System32\rundll32.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                  Imagebase:0x7ff6421e0000
                                                  File size:90'112 bytes
                                                  MD5 hash:C87FA6FC1D294962EABE44509FE1921C
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:15
                                                  Start time:20:58:56
                                                  Start date:01/04/2025
                                                  Path:C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\Desktop\Black Myth Wukong Sigma Downloader\Sigma.exe"
                                                  Imagebase:0x7ff6a08a0000
                                                  File size:8'707'584 bytes
                                                  MD5 hash:FEF6B28CE1384A402B6F2EB2162C07AC
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:16
                                                  Start time:20:58:56
                                                  Start date:01/04/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7bdef0000
                                                  File size:1'040'384 bytes
                                                  MD5 hash:9698384842DA735D80D278A427A229AB
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:17
                                                  Start time:20:58:56
                                                  Start date:01/04/2025
                                                  Path:C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe" -Embedding
                                                  Imagebase:0x7ff6948f0000
                                                  File size:1'261'096 bytes
                                                  MD5 hash:10A3C05A139428FB6D17A11B9A257516
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:18
                                                  Start time:20:58:57
                                                  Start date:01/04/2025
                                                  Path:C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe" -Embedding
                                                  Imagebase:0x7ff708400000
                                                  File size:720'432 bytes
                                                  MD5 hash:F870908D432E534A3F0E93C18D1D9EE7
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:20
                                                  Start time:20:58:59
                                                  Start date:01/04/2025
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\cmd.exe /c cls
                                                  Imagebase:0x7ff647b30000
                                                  File size:323'584 bytes
                                                  MD5 hash:428CEC6B0034E0F183EB5BAE887BE480
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:23
                                                  Start time:20:59:39
                                                  Start date:01/04/2025
                                                  Path:C:\Windows\System32\WerFault.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\WerFault.exe -u -p 6808 -s 736
                                                  Imagebase:0x7ff7b4d40000
                                                  File size:628'208 bytes
                                                  MD5 hash:5A849C27C4796C1A7C22C572D8EAF95D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  No disassembly