Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | June 9, 2021, 10:49 p.m. | June 9, 2021, 10:51 p.m. |
Process | PID | Command line |
---|---|---|
QKGame.exe | 1204 | "C:\Program Files (x86)\7k7kGame\QKGame.exe" Createlnk:7k7k游戏 |
update.exe | 2656 | "C:\Program Files (x86)\7k7kGame\update.exe" 1.0.4.0 http://down.7k7k.com/www/ver.json http://down.7k7k.com/www/ 983616 |
explorer.exe | 1848 | C:\Windows\Explorer.EXE |

update.exe receives its current version (1.0.4.0), the manifest URL and the download base URL as command-line arguments; both URLs are plain http://, and the matching GET for ver.json is the request the HTTP log flags for carrying no User-Agent header.
Name | Response | Post-Analysis Lookup |
---|---|---|
web.7k7k.com | CNAME web.7k7k.com.cdn20.com | 14.0.113.218 |
www.7k7k.com | CNAME www.7k7k.com.cdn20.com | 119.206.200.181 |
libs.baidu.com | CNAME developer.n.shifen.com | 39.156.66.111 |
n.7k7kimg.cn | CNAME n.7k7kimg.cn.cdn20.com | 14.0.113.218 |
g.7k7k.com | CNAME g.7k7k.com.wswebpic.com | 119.206.200.181 |
down.7k7k.com | CNAME down.7k7k.com.cdn20.com | 119.206.200.180 |
login.7k7k.com | 117.50.14.72 | |
hm.baidu.com | CNAME hm.e.shifen.com | 103.235.46.191 |

Every 7k7k host except login.7k7k.com sits behind a CDN CNAME (cdn20.com, wswebpic.com); login.7k7k.com resolves directly to 117.50.14.72 and is the only host that receives a POST (box_post_login, over plain HTTP).
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49220 14.0.113.218:443 | None | None | None |
TLSv1 192.168.56.101:49219 14.0.113.218:443 | C=US, O=DigiCert Inc, CN=GeoTrust RSA CN CA G2 | C=CN, ST=北京市, O=北京迦游网络科技有限公司, CN=*.7k7kimg.cn | 3f:87:76:1b:3d:a0:48:ff:98:9a:83:23:12:fa:a9:e9:d5:5c:01:0e |
TLSv1 192.168.56.101:49218 14.0.113.218:443 | C=US, O=DigiCert Inc, CN=GeoTrust RSA CN CA G2 | C=CN, ST=北京市, O=北京迦游网络科技有限公司, CN=*.7k7kimg.cn | 3f:87:76:1b:3d:a0:48:ff:98:9a:83:23:12:fa:a9:e9:d5:5c:01:0e |
TLSv1 192.168.56.101:49225 14.0.113.218:443 | None | None | None |
TLSv1 192.168.56.101:49226 14.0.113.218:443 | None | None | None |
TLSv1 192.168.56.101:49228 14.0.113.218:443 | None | None | None |
TLSv1 192.168.56.101:49234 14.0.113.218:443 | None | None | None |
TLSv1 192.168.56.101:49236 14.0.113.218:443 | None | None | None |
TLSv1 192.168.56.101:49241 103.235.46.191:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 | C=CN, ST=beijing, L=beijing, OU=service operation department, O=Beijing Baidu Netcom Science Technology Co., Ltd, CN=baidu.com | 1a:fd:44:9a:f4:5b:3e:9d:58:95:e7:5d:0b:e4:ea:a3:54:5d:85:b7 |
TLSv1 192.168.56.101:49230 14.0.113.218:443 | None | None | None |
TLSv1 192.168.56.101:49231 14.0.113.218:443 | None | None | None |
TLSv1 192.168.56.101:49238 14.0.113.218:443 | None | None | None |
TLSv1 192.168.56.101:49242 103.235.46.191:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 | C=CN, ST=beijing, L=beijing, OU=service operation department, O=Beijing Baidu Netcom Science Technology Co., Ltd, CN=baidu.com | 1a:fd:44:9a:f4:5b:3e:9d:58:95:e7:5d:0b:e4:ea:a3:54:5d:85:b7 |

14.0.113.218 is the address the DNS table gives for web.7k7k.com and n.7k7kimg.cn, and 103.235.46.191 the address for hm.baidu.com (the Baidu analytics tag, hm.js, in the request list). Rows with None in every certificate column are flows for which Suricata logged no certificate.
file | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
section | .ndata (NSIS installer data section) |

Suspicious feature | Request |
---|---|
POST method with no referer header | POST http://login.7k7k.com/box_post_login |
GET method with no useragent header | GET http://down.7k7k.com/www/ver.json |
request | POST http://login.7k7k.com/box_post_login |
request | GET http://www.7k7k.com/client |
request | GET http://g.7k7k.com/ |
request | GET http://web.7k7k.com/g/css/index.css?rev=3da80293 |
request | GET http://down.7k7k.com/www/ver.json |
request | GET http://n.7k7kimg.cn/uploads/cdn/web_sq/img/u_photo.png?v3 |
request | GET http://n.7k7kimg.cn/uploads/gameimg/202009/c89a7.jpg |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201801/c7841.jpg |
request | GET http://web.7k7k.com/g/img/ban_bg.jpg |
request | GET http://web.7k7k.com/g/img/logo.png |
request | GET http://libs.baidu.com/jquery/1.7.2/jquery.min.js |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201801/73aaf.jpg |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201801/6691e.jpg |
request | GET http://web.7k7k.com/g/img/btn_bg_b.png?v5 |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201801/ddd11.jpg |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201803/55d64.jpg |
request | GET http://web.7k7k.com/g/img/n_bg.jpg |
request | GET http://web.7k7k.com/g/img/i_home.png |
request | GET http://web.7k7k.com/g/img/i_hot_n.png |
request | GET http://web.7k7k.com/g/img/i_game_n.png |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201801/0570b.jpg |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201801/a15bf.jpg |
request | GET http://web.7k7k.com/g/img/i_charge_n.png |
request | GET http://web.7k7k.com/g/img/i_server_n.png |
request | GET http://web.7k7k.com/g/img/i_vip_n.png |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201801/01440.jpg |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201801/b2801.jpg |
request | GET http://web.7k7k.com/g/img/shearch_bg.png?v4 |
request | GET http://web.7k7k.com/g/img/i_search.png |
request | GET http://web.7k7k.com/g/img/i_allgame.png |
request | GET http://web.7k7k.com/g/img/i_newgame.png |
request | GET http://web.7k7k.com/g/img/i_arrow.png |
request | GET http://web.7k7k.com/g/img/rep_png.png |
request | GET http://web.7k7k.com/g/img/vip_year0.png |
request | GET http://web.7k7k.com/g/img/vip_gzhy0.png |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201801/523db.jpg |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201801/a28d9.jpg |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201801/e0b62.jpg |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201801/29cb2.jpg |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201801/17c9a.jpg |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201912/08358.jpg |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201912/0aa11.jpg |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201912/36c66.jpg |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201912/a3e9b.jpg |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201912/3d17b.jpg |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201704/0c7c9.jpg |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201901/f26e4.png |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201703/ec43a.jpg |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201703/104e7.jpg |
request | GET http://n.7k7kimg.cn/uploads/gameimg/201703/0907f.jpg |
request | POST http://login.7k7k.com/box_post_login |
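The two suspicious_features hits above, re-implemented as triage rules over raw HTTP request heads, with two further checks a reviewer would add for this sample (a non-browser User-Agent such as the QKGameBox string recorded further down, and a login-style POST over cleartext HTTP). This is an added example, not code from the Cuckoo report or from the 7k7k client; the request heads are constructed to match the report's method/URL pairs and User-Agent strings, and every other header value is an assumption.

```python
# Added example (not part of the Cuckoo report): the report's two
# "suspicious_features" rules plus two extra checks, run over CONSTRUCTED
# HTTP request heads that reuse the report's method/URL pairs and UA strings.
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit

BROWSER_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; "
              "Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; "
              ".NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E)")

# Constructed request heads (request line + headers, blank line terminates).
# Only method, URL and User-Agent come from the report; other headers are assumed.
SAMPLE_REQUESTS = [
    "POST /box_post_login HTTP/1.1\r\n"
    "Host: login.7k7k.com\r\n"
    "User-Agent: QKGameBox\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 0\r\n\r\n",
    "GET /www/ver.json HTTP/1.1\r\n"
    "Host: down.7k7k.com\r\n"
    "Accept: */*\r\n\r\n",
    "GET /g/css/index.css?rev=3da80293 HTTP/1.1\r\n"
    "Host: web.7k7k.com\r\n"
    f"User-Agent: {BROWSER_UA}\r\n"
    "Referer: http://www.7k7k.com/client\r\n\r\n",
]


@dataclass
class HttpRequest:
    method: str
    url: str
    headers: dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> str | None:
        # Header names are case-insensitive.
        name = name.lower()
        return next((v for k, v in self.headers.items() if k.lower() == name), None)


def parse_request(raw: str) -> HttpRequest:
    """Parse an HTTP/1.x request head into method, absolute URL and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split()
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    if target.startswith(("http://", "https://")):  # proxy-style absolute target
        url = target
    else:
        # Cleartext capture: the sandbox HTTP log only ever sees http://, as in the report.
        url = f"http://{headers.get('Host', '')}{target}"
    return HttpRequest(method.upper(), url, headers)


def triage(req: HttpRequest) -> list[str]:
    """Return the rule names that fire for one request (empty list = clean)."""
    hits: list[str] = []
    parts = urlsplit(req.url)
    ua = req.header("User-Agent")
    # The two rules the report fired:
    if req.method == "POST" and req.header("Referer") is None:
        hits.append("POST method with no referer header")
    if req.method == "GET" and ua is None:
        hits.append("GET method with no useragent header")
    # Extra checks for this sample: a non-browser UA identifies the client
    # ("QKGameBox" in the report), and a login POST over cleartext HTTP.
    if ua is not None and not ua.startswith("Mozilla/"):
        hits.append(f"non-browser user agent: {ua}")
    if req.method == "POST" and parts.scheme == "http" and "login" in req.url.lower():
        hits.append("credential-style POST over cleartext HTTP")
    return hits


def triage_all(raw_requests: list[str]) -> dict[str, list[str]]:
    """Map 'METHOD url' -> firing rules, mirroring the report's suspicious_request column."""
    result: dict[str, list[str]] = {}
    for raw in raw_requests:
        req = parse_request(raw)
        result[f"{req.method} {req.url}"] = triage(req)
    return result


if __name__ == "__main__":
    for key, hits in triage_all(SAMPLE_REQUESTS).items():
        print(key, "->", hits or "clean")
```

The referer and user-agent rules fire on absence of a header, so they are only meaningful on a full capture; a proxy or load balancer that strips headers will produce the same hits on benign traffic.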
Name | Language | Sublanguage | Filetype | Offset | Size |
---|---|---|---|---|---|
RT_VERSION | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x00043138 | 0x00000394 |
file | C:\Program Files (x86)\7k7kGame\update.exe |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7k7k游戏\7k7k游戏.lnk |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\index[1].js |
file | C:\Users\test22\AppData\Local\Temp\nsr6432.tmp\locate.dll |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\layer[1].js |
file | C:\Program Files (x86)\7k7kGame\DuiLib_u.dll |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\hwSlider.min[1].js |
file | C:\Program Files (x86)\7k7kGame\uninst.exe |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\logFn_dm.min[1].js |
file | C:\Users\test22\AppData\Local\Temp\nsr6432.tmp\System.dll |
file | C:\Program Files (x86)\7k7kGame\QKGame.exe |
file | C:\Users\test22\AppData\Local\Temp\nsr6432.tmp\KillProcDLL.dll |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\hm[1].js |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\jquery.min[3].js |
file | C:\Users\test22\AppData\Local\Temp\nsr6432.tmp\ShellLink.dll |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\hm[1].js |
file | C:\Program Files (x86)\7k7kGame\7k7k游戏.lnk |
file | C:\Users\Public\Desktop\7k7k踏狗.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7k7k游戏\卸载7k7k游戏.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\7k7k游戏\卸载7k7k游戏.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7k7k游戏\7k7k游戏.lnk |
file | C:\Program Files (x86)\7k7kGame\7k7k游戏.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\7k7k游戏\7k7k游戏.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\한컴 사전.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\7k7k游戏.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk |
file | C:\Users\Public\Desktop\7k7k踏狗.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\한컴오피스 한글 2010.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7k7k游戏\卸载7k7k游戏.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chrome.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk |
file | C:\Users\test22\Desktop\7k7k踏狗.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7k7k游戏\7k7k踏狗.lnk |
file | C:\Program Files (x86)\7k7kGame\update.exe |
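The shortcut names in the list above reach the report in three spellings: 7k7kÓÎÏ·, 7k7k踏狗 and 7k7k游戏. The installer is NSIS (the .ndata section and the System.dll, ShellLink.dll, KillProcDLL.dll and locate.dll plugins unpacked into nsr6432.tmp), and NSIS writes its ANSI strings in the code page the installer was built for; the RT_VERSION entry says LANG_CHINESE / SUBLANG_CHINESE_SIMPLIFIED, i.e. code page 936 (GBK). 7k7kÓÎÏ· is what the GBK bytes D3 CE CF B7 (游戏) look like when displayed as UTF-8 with a Latin-1 fallback, and жÔØ is 卸载 (D0 B6 D4 D8) under the same decoding, the pair D0 B6 happening to be valid UTF-8 for U+0436; 7k7k踏狗 is presumably the same bytes read through the sandbox machine's Korean code page (the Korean .lnk names show its locale). The following is an added example for recovering the original names, not code from the report or from the 7k7k software; the function names are mine, and the code-page map reflects standard Windows sublanguage constants.

```python
# Added example (not part of the Cuckoo report): recover the real GBK
# shortcut names behind the mojibake in the dropped-file list.
from __future__ import annotations

# Windows sublanguage constant -> ANSI code page the installer's strings use.
SUBLANG_TO_CODEC = {
    "SUBLANG_CHINESE_SIMPLIFIED": "cp936",   # GBK, the case in this report
    "SUBLANG_CHINESE_TRADITIONAL": "cp950",  # Big5
    "SUBLANG_KOREAN": "cp949",               # the sandbox machine's own locale
}


def mojibake_to_bytes(text: str) -> bytes:
    """Undo the display decoding: code points below 0x100 were single raw
    bytes shown as Latin-1; anything higher came from a byte sequence that
    accidentally formed valid UTF-8 (D0 B6 -> U+0436 'ж'), so re-encoding
    it as UTF-8 gives the original bytes back."""
    out = bytearray()
    for ch in text:
        cp = ord(ch)
        if cp < 0x100:
            out.append(cp)
        else:
            out += ch.encode("utf-8")
    return bytes(out)


def fix_mojibake(text: str, codec: str = "cp936") -> str:
    """Recover the original string given the code page it was written in."""
    return mojibake_to_bytes(text).decode(codec)


def candidates(text: str) -> dict[str, str]:
    """When the code page is unknown, try the usual East Asian ones and keep
    those that decode without error.  The lead/trail byte ranges of GBK,
    Big5 and CP949 overlap heavily, so several often succeed on the same
    bytes; the analyst still needs a locale hint (here the RT_VERSION
    language) to choose, this only narrows the field."""
    raw = mojibake_to_bytes(text)
    found: dict[str, str] = {}
    for codec in ("cp936", "cp950", "cp949"):
        try:
            found[codec] = raw.decode(codec)
        except UnicodeDecodeError:
            continue
    return found


def codec_from_version_info(sublanguage: str) -> str | None:
    """Pick the code page from the PE's RT_VERSION sublanguage, if known."""
    return SUBLANG_TO_CODEC.get(sublanguage)


if __name__ == "__main__":
    # Paths exactly as they appear in the report's dropped-file list.
    codec = codec_from_version_info("SUBLANG_CHINESE_SIMPLIFIED")
    for garbled in [
        r"C:\Program Files (x86)\7k7kGame\7k7kÓÎÏ·.lnk",
        r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7k7kÓÎÏ·\жÔØ7k7kÓÎÏ·.lnk",
    ]:
        print(fix_mojibake(garbled, codec))
```

Run this over the path list before building IOCs or file-name detections: a rule keyed on the garbled spelling matches only this report's rendering, while 7k7k游戏.lnk and 卸载7k7k游戏.lnk are the names the installer actually creates on a Chinese-locale host.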
url | http://curl.haxx.se/docs/http-cookies.html (header line of libcurl's Netscape cookie-jar format, so the binary embeds libcurl) |

Description | Rule |
---|---|
Communications use DNS | Network_DNS |
Communications over SMTP | network_smtp_raw |
Communications over RAW Socket | Network_TCP_Socket |
(no description) | DebuggerCheck__GlobalFlags |
(no description) | DebuggerCheck__QueryInfo |
(no description) | DebuggerHiding__Thread |
(no description) | DebuggerHiding__Active |
(no description) | ThreadControl__Context |
(no description) | SEH__vectored |
Checks if being debugged | anti_dbg |
Bypass DEP | disable_dep |

These are the generic import- and string-based rules from the public Yara anti-debug and network rule sets; they fire on most statically linked network clients and are weak evidence on their own.
Engine | Result |
---|---|
Zillya | Backdoor.AgentCRTD.Win32.9556 |
K7AntiVirus | Riskware ( 0040eff71 ) |
APEX | Malicious |
Kaspersky | UDS:DangerousObject.Multi.Generic |
Comodo | ApplicUnwnt@#23sk9tjsv86ue |
VIPRE | Trojan.Win32.Generic!BT |
Microsoft | PUA:Win32/Presenoker |
AegisLab | Trojan.Win32.Generic.4!c |
Fortinet | PossibleThreat |
Webroot | W32.Malware.Gen |
Panda | Trj/CI.A |
CrowdStrike | win/malicious_confidence_80% (D) |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob (SHA-1 thumbprint of the GlobalSign Root CA; consistent with Windows' automatic root-certificate update being triggered while chaining the GlobalSign-issued baidu.com certificate seen in the TLS table) |
Process | User agent |
---|---|
QKGame.exe | QKGameBox |
QKGame.exe | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E) |