Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 9, 2021, 10:49 p.m.	June 9, 2021, 10:51 p.m.

Size	695.6KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`07e40ca846dfb2ce2aa739f424f232bf`
SHA256	`3ee942b6d2a6027495f479300a20b6667a3e34afb584ea23390524a291e7798e`
CRC32	`B1929263`
ssdeep	`12288:zM4lLHjPsR+qI+UVia1RIM58twhtIydngpf/zAm1lSR3gBRQyVBk9h6TgSzInsvW:zM4lLbsHEiawM582nIydgpXnf8yIb60P`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

7k7kGame_1.0.4.0.exe "C:\Users\test22\AppData\Local\Temp\7k7kGame_1.0.4.0.exe"
1016
- QKGame.exe "C:\Program Files (x86)\7k7kGame\QKGame.exe" Createlnk:7k7kÓÎÏ·
  1204
- QKGame.exe "C:\Program Files (x86)\7k7kGame\QKGame.exe"
  1976
  - update.exe "C:\Program Files (x86)\7k7kGame\update.exe" 1.0.4.0 http://down.7k7k.com/www/ver.json http://down.7k7k.com/www/ 983616
    2656
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
web.7k7k.com	A 14.0.113.218 CNAME web.7k7k.com.cdn20.com	14.0.113.218
www.7k7k.com	A 119.206.200.181 CNAME www.7k7k.com.cdn20.com	119.206.200.181
libs.baidu.com	CNAME developer.n.shifen.com A 39.156.66.111	39.156.66.111
n.7k7kimg.cn	CNAME n.7k7kimg.cn.cdn20.com A 14.0.113.218	14.0.113.218
g.7k7k.com	A 119.206.200.181 CNAME g.7k7k.com.wswebpic.com	119.206.200.181
down.7k7k.com	CNAME down.7k7k.com.cdn20.com A 119.206.200.180	119.206.200.180
login.7k7k.com	A 117.50.14.72	117.50.14.72
hm.baidu.com	A 103.235.46.191 CNAME hm.e.shifen.com	103.235.46.191

IP Address	Status	Action
103.235.46.191	Active	Moloch
117.50.14.72	Active	Moloch
119.206.200.180	Active	Moloch
119.206.200.181	Active	Moloch
14.0.113.218	Active	Moloch
164.124.101.2	Active	Moloch
39.156.66.111	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49220 -> 14.0.113.218:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49219 -> 14.0.113.218:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49218 -> 14.0.113.218:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49225 -> 14.0.113.218:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49226 -> 14.0.113.218:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49228 -> 14.0.113.218:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49234 -> 14.0.113.218:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49236 -> 14.0.113.218:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49241 -> 103.235.46.191:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49230 -> 14.0.113.218:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49231 -> 14.0.113.218:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49238 -> 14.0.113.218:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49242 -> 103.235.46.191:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49220 14.0.113.218:443	None	None	None
TLSv1 192.168.56.101:49219 14.0.113.218:443	C=US, O=DigiCert Inc, CN=GeoTrust RSA CN CA G2	C=CN, ST=北京市, O=北京迦游网络科技有限公司, CN=*.7k7kimg.cn	3f:87:76:1b:3d:a0:48:ff:98:9a:83:23:12:fa:a9:e9:d5:5c:01:0e
TLSv1 192.168.56.101:49218 14.0.113.218:443	C=US, O=DigiCert Inc, CN=GeoTrust RSA CN CA G2	C=CN, ST=北京市, O=北京迦游网络科技有限公司, CN=*.7k7kimg.cn	3f:87:76:1b:3d:a0:48:ff:98:9a:83:23:12:fa:a9:e9:d5:5c:01:0e
TLSv1 192.168.56.101:49225 14.0.113.218:443	None	None	None
TLSv1 192.168.56.101:49226 14.0.113.218:443	None	None	None
TLSv1 192.168.56.101:49228 14.0.113.218:443	None	None	None
TLSv1 192.168.56.101:49234 14.0.113.218:443	None	None	None
TLSv1 192.168.56.101:49236 14.0.113.218:443	None	None	None
TLSv1 192.168.56.101:49241 103.235.46.191:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=CN, ST=beijing, L=beijing, OU=service operation department, O=Beijing Baidu Netcom Science Technology Co., Ltd, CN=baidu.com	1a:fd:44:9a:f4:5b:3e:9d:58:95:e7:5d:0b:e4:ea:a3:54:5d:85:b7
TLSv1 192.168.56.101:49230 14.0.113.218:443	None	None	None
TLSv1 192.168.56.101:49231 14.0.113.218:443	None	None	None
TLSv1 192.168.56.101:49238 14.0.113.218:443	None	None	None
TLSv1 192.168.56.101:49242 103.235.46.191:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=CN, ST=beijing, L=beijing, OU=service operation department, O=Beijing Baidu Netcom Science Technology Co., Ltd, CN=baidu.com	1a:fd:44:9a:f4:5b:3e:9d:58:95:e7:5d:0b:e4:ea:a3:54:5d:85:b7

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 9, 2021, 10:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2021, 10:49 p.m.	computer_name: TEST22-PC	1	1

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 9, 2021, 10:49 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 9, 2021, 10:49 p.m.	stacktrace: RtlIntegerToUnicodeString+0x20b RtlpUnWaitCriticalSection-0x1c4 ntdll+0x38cb8 @ 0x773d8cb8 FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76a894b4 _Close+0x1f _GetSize-0x4f locate+0x37db @ 0x36537db 7k7kgame_1+0x13cd @ 0x4013cd 7k7kgame_1+0x13cd @ 0x4013cd exception.instruction_r: ff 40 14 8b 5d f4 8b 7d f0 80 3d 82 03 fe 7f 00 exception.symbol: RtlIntegerToUnicodeString+0x2fc RtlpUnWaitCriticalSection-0xd3 ntdll+0x38da9 exception.instruction: inc dword ptr [eax + 0x14] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 232873 exception.address: 0x773d8da9 registers.esp: 1636704 registers.edi: 5255896 registers.eax: 0 registers.ebp: 1636784 registers.edx: 4 registers.ebx: 4294967292 registers.esi: 5255892 registers.ecx: 0	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header				suspicious_request	POST http://login.7k7k.com/box_post_login
suspicious_features	GET method with no useragent header				suspicious_request	GET http://down.7k7k.com/www/ver.json

Performs some HTTP requests (50 out of 124 events)

request	POST http://login.7k7k.com/box_post_login
request	GET http://www.7k7k.com/client
request	GET http://g.7k7k.com/
request	GET http://web.7k7k.com/g/css/index.css?rev=3da80293
request	GET http://down.7k7k.com/www/ver.json
request	GET http://n.7k7kimg.cn/uploads/cdn/web_sq/img/u_photo.png?v3
request	GET http://n.7k7kimg.cn/uploads/gameimg/202009/c89a7.jpg
request	GET http://n.7k7kimg.cn/uploads/gameimg/201801/c7841.jpg
request	GET http://web.7k7k.com/g/img/ban_bg.jpg
request	GET http://web.7k7k.com/g/img/logo.png
request	GET http://libs.baidu.com/jquery/1.7.2/jquery.min.js
request	GET http://n.7k7kimg.cn/uploads/gameimg/201801/73aaf.jpg
request	GET http://n.7k7kimg.cn/uploads/gameimg/201801/6691e.jpg
request	GET http://web.7k7k.com/g/img/btn_bg_b.png?v5
request	GET http://n.7k7kimg.cn/uploads/gameimg/201801/ddd11.jpg
request	GET http://n.7k7kimg.cn/uploads/gameimg/201803/55d64.jpg
request	GET http://web.7k7k.com/g/img/n_bg.jpg
request	GET http://web.7k7k.com/g/img/i_home.png
request	GET http://web.7k7k.com/g/img/i_hot_n.png
request	GET http://web.7k7k.com/g/img/i_game_n.png
request	GET http://n.7k7kimg.cn/uploads/gameimg/201801/0570b.jpg
request	GET http://n.7k7kimg.cn/uploads/gameimg/201801/a15bf.jpg
request	GET http://web.7k7k.com/g/img/i_charge_n.png
request	GET http://web.7k7k.com/g/img/i_server_n.png
request	GET http://web.7k7k.com/g/img/i_vip_n.png
request	GET http://n.7k7kimg.cn/uploads/gameimg/201801/01440.jpg
request	GET http://n.7k7kimg.cn/uploads/gameimg/201801/b2801.jpg
request	GET http://web.7k7k.com/g/img/shearch_bg.png?v4
request	GET http://web.7k7k.com/g/img/i_search.png
request	GET http://web.7k7k.com/g/img/i_allgame.png
request	GET http://web.7k7k.com/g/img/i_newgame.png
request	GET http://web.7k7k.com/g/img/i_arrow.png
request	GET http://web.7k7k.com/g/img/rep_png.png
request	GET http://web.7k7k.com/g/img/vip_year0.png
request	GET http://web.7k7k.com/g/img/vip_gzhy0.png
request	GET http://n.7k7kimg.cn/uploads/gameimg/201801/523db.jpg
request	GET http://n.7k7kimg.cn/uploads/gameimg/201801/a28d9.jpg
request	GET http://n.7k7kimg.cn/uploads/gameimg/201801/e0b62.jpg
request	GET http://n.7k7kimg.cn/uploads/gameimg/201801/29cb2.jpg
request	GET http://n.7k7kimg.cn/uploads/gameimg/201801/17c9a.jpg
request	GET http://n.7k7kimg.cn/uploads/gameimg/201912/08358.jpg
request	GET http://n.7k7kimg.cn/uploads/gameimg/201912/0aa11.jpg
request	GET http://n.7k7kimg.cn/uploads/gameimg/201912/36c66.jpg
request	GET http://n.7k7kimg.cn/uploads/gameimg/201912/a3e9b.jpg
request	GET http://n.7k7kimg.cn/uploads/gameimg/201912/3d17b.jpg
request	GET http://n.7k7kimg.cn/uploads/gameimg/201704/0c7c9.jpg
request	GET http://n.7k7kimg.cn/uploads/gameimg/201901/f26e4.png
request	GET http://n.7k7kimg.cn/uploads/gameimg/201703/ec43a.jpg
request	GET http://n.7k7kimg.cn/uploads/gameimg/201703/104e7.jpg
request	GET http://n.7k7kimg.cn/uploads/gameimg/201703/0907f.jpg

Sends data using the HTTP POST Method (1 event)

request

POST http://login.7k7k.com/box_post_login

Allocates read-write-execute memory (usually to unpack itself) (50 out of 405 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73721000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73711000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72811000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10003000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10003000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73361000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72561000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73721000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73711000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72811000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72904000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72942000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72581000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f6d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72191000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f611000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f501000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f471000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f431000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x041b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x041b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6eef1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x041b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x041b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x041b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x041b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x041b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x041b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x041b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x041b3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x041b4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x041b4000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (50 out of 101 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13725421568 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:50 p.m.	total_number_of_free_bytes: 13721767936 free_bytes_available: 13721767936 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13723770880 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13723766784 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13723557888 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13723557888 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13723557888 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13723553792 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13723439104 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13723435008 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13723435008 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13723353088 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13723348992 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13723344896 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13723340800 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13723258880 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13723258880 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13723258880 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13722976256 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13722976256 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13722587136 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13722587136 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13722419200 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13722316800 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13722218496 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13722083328 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721825280 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721817088 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721800704 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721792512 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721784320 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721776128 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721755648 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721755648 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721718784 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721690112 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721538560 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721538560 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721530368 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721522176 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721501696 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721481216 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721444352 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721436160 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721427968 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721419776 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721411584 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721399296 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721391104 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 9, 2021, 10:49 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13721358336 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00043138

size

0x00000394

Creates executable files on the filesystem (19 events)

file	C:\Program Files (x86)\7k7kGame\update.exe
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7k7kÓÎÏ·\7k7kÓÎÏ·.lnk
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\index[1].js
file	C:\Users\test22\AppData\Local\Temp\nsr6432.tmp\locate.dll
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\layer[1].js
file	C:\Program Files (x86)\7k7kGame\DuiLib_u.dll
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\hwSlider.min[1].js
file	C:\Program Files (x86)\7k7kGame\uninst.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\logFn_dm.min[1].js
file	C:\Users\test22\AppData\Local\Temp\nsr6432.tmp\System.dll
file	C:\Program Files (x86)\7k7kGame\QKGame.exe
file	C:\Users\test22\AppData\Local\Temp\nsr6432.tmp\KillProcDLL.dll
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\hm[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\jquery.min[3].js
file	C:\Users\test22\AppData\Local\Temp\nsr6432.tmp\ShellLink.dll
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\hm[1].js
file	C:\Program Files (x86)\7k7kGame\7k7kÓÎÏ·.lnk
file	C:\Users\Public\Desktop\7k7k踏狗.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7k7kÓÎÏ·\Ð¶ÔØ7k7kÓÎÏ·.lnk

Creates a shortcut to an executable file (24 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\7k7kÓÎÏ·\Ð¶ÔØ7k7kÓÎÏ·.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7k7kÓÎÏ·\7k7kÓÎÏ·.lnk
file	C:\Program Files (x86)\7k7kGame\7k7kÓÎÏ·.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\7k7kÓÎÏ·\7k7kÓÎÏ·.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\한컴 사전.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\7k7kÓÎÏ·.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\Users\Public\Desktop\7k7k踏狗.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\한컴오피스 한글 2010.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7k7kÓÎÏ·\Ð¶ÔØ7k7kÓÎÏ·.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
file	C:\Users\test22\Desktop\7k7k踏狗.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7k7k游戏\7k7k踏狗.lnk

Drops a binary and executes it (1 event)

file	C:\Program Files (x86)\7k7kGame\update.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 9, 2021, 10:49 p.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x041b0000 process_handle: 0xffffffff	1	0	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://curl.haxx.se/docs/http-cookies.html

Yara rule detected in process memory (11 events)

description	Communications use DNS	rule	Network_DNS
description	Communications smtp	rule	network_smtp_raw
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExA June 9, 2021, 10:49 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\7k7kGame base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\7k7kGame		2	0

File has been identified by 12 AntiVirus engines on VirusTotal as malicious (12 events)

Zillya	Backdoor.AgentCRTD.Win32.9556
K7AntiVirus	Riskware ( 0040eff71 )
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
Comodo	ApplicUnwnt@#23sk9tjsv86ue
VIPRE	Trojan.Win32.Generic!BT
Microsoft	PUA:Win32/Presenoker
AegisLab	Trojan.Win32.Generic.4!c
Fortinet	PossibleThreat
Webroot	W32.Malware.Gen
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_80% (D)

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob

Network activity contains more than one unique useragent (2 events)

process	QKGame.exe				useragent	QKGameBox
process	QKGame.exe				useragent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E)

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1976 resumed a thread in remote process 2656
NtResumeThread June 9, 2021, 10:49 p.m.	thread_handle: 0x000004d8 suspend_count: 1 process_identifier: 2656	1	0	0

7k7kGame_1.0.4.0.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All