d7d47aa5796cad499374b284e865f715e7496efca16566add1c3a505730259de

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kkgame.exe
Size

2.0MB
MD5

21fbe3297b710bd67e3122269527653d
SHA1

5c148af03ad2fd24dd8d6eb77e6376cc8dea8cc1
SHA256

bb6b0dee37041b5aae2f0461b09a1ceeb5fd807b6147563a74bd4afa722d5110
SHA512

6554d63c0e04e0bad0589b1e0dfb9ef40a7f57ee562bfc64b21c8936c4c8431fab36cb5c0aadefd1d541cbdc949e954dc9e0bd2f6dd75a1ebcace48930e82948
SSDEEP

49152:Jjw2H60mh3SxrYy1b5ZfydPQPL3oQkBQrbr87qDAH0ydoG26byYTIq:JjHHpuAb55ZfydPQPL3oQyQrbr8+LydB

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	kkgame.exe

Executes dropped EXE 11 IoCs

pid	Process
676	ksvssvc.exe
4564	ksvsext.exe
1880	ksvsupd.exe
3040	diag_repair.exe
4924	ksvssvc.exe
1592	ksvsext.exe
4484	ksvsupd.exe
3480	ksvsupd.exe
4424	ksvssvc.exe
836	ksvsupd.exe
2364	ksvssvc.exe

Loads dropped DLL 28 IoCs

pid	Process
1804	ksvs_setup.exe
1804	ksvs_setup.exe
1804	ksvs_setup.exe
1804	ksvs_setup.exe
1804	ksvs_setup.exe
1804	ksvs_setup.exe
1804	ksvs_setup.exe
1804	ksvs_setup.exe
1804	ksvs_setup.exe
1804	ksvs_setup.exe
676	ksvssvc.exe
676	ksvssvc.exe
676	ksvssvc.exe
676	ksvssvc.exe
4388	regsvr32.exe
4540	regsvr32.exe
1804	ksvs_setup.exe
1804	ksvs_setup.exe
4924	ksvssvc.exe
4924	ksvssvc.exe
4924	ksvssvc.exe
4924	ksvssvc.exe
2600	regsvr32.exe
1384	regsvr32.exe
4424	ksvssvc.exe
4424	ksvssvc.exe
2364	ksvssvc.exe
2364	ksvssvc.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\diag_repair.exe	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\DLEngine.dll	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\P2PCore.dll	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\P2SCore.dll	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvssvc.exe	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\reg_tool.exe	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\7zra.dll	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\cache_readme.dat	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsdrv.sys	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\server_list.dat	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsext.exe	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsextPS.dll	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\starter.exe	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\datasyn_client.exe	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\libexpatw.dll	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\simple_logger.dll	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\P2SPStat.dll	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\uninst.exe	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsupd.exe	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvssvcPS.dll	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\dep_ins.exe	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsdlhelper.exe	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\blacklist.dat	ksvs_setup.exe
File created	C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\KKAppHelper.exe	ksvs_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1A0CF6C-81BF-441B-8DD7-463B2EFB8118}\ = "IKsvsPackageCallbackEx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BA9EE27E-E121-4B38-A3C7-654239B4667D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EDA0CE98-8C9C-48A2-893D-CB6298BDE67C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E3775B0D-480C-49AA-9F5F-340CA4A956D6}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F0E6F24E-E9C5-4356-90D2-45A36CDA8862}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FC8A934-3E8B-42D0-9F0B-38ED47A912A7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FB3A327-55F6-4243-B65A-A7865907EC81}\ProxyStubClsid32\ = "{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}"	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CD0F55FC-6F49-4AB5-AA6F-35770EBBAE20}\ = "IKsvsPackageOpenCallback2"	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494EC20F-F6F2-40F9-AAB8-C8C1B2DBEDA4}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E862CC6D-77C8-42A2-B605-6BC302D764CD}\ = "IKsvsPackageOpenCallback3"	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CD0F55FC-6F49-4AB5-AA6F-35770EBBAE20}	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B2DFAA6-BAC8-42C4-80AE-177D9C808A93}	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{26A7F9D7-BD6E-492B-B81C-66C5023ED497}\ = "IKsvsInstallCallback"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0B581762-7369-441A-A246-FB0C251B6206}\ProxyStubClsid32\ = "{E3775B0D-480C-49AA-9F5F-340CA4A956D6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0B581762-7369-441A-A246-FB0C251B6206}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0B581762-7369-441A-A246-FB0C251B6206}\NumMethods\ = "4"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{26A7F9D7-BD6E-492B-B81C-66C5023ED497}\NumMethods\ = "6"	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}\ = "PSFactoryBuffer"	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494EC20F-F6F2-40F9-AAB8-C8C1B2DBEDA4}\ProxyStubClsid32\ = "{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}"	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CD0F55FC-6F49-4AB5-AA6F-35770EBBAE20}\ProxyStubClsid32\ = "{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAD81485-0AA7-4814-824B-1239272A4994}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}\ProxyStubClsid32	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494EC20F-F6F2-40F9-AAB8-C8C1B2DBEDA4}\ = "IKsvsPackageIO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{15A8A5B1-6AF8-4023-9400-C04150A22196}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CD0F55FC-6F49-4AB5-AA6F-35770EBBAE20}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB1F764-EDA3-46A5-99BA-1F59EE125D3F}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}\InProcServer32	ksvssvc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B2DFAA6-BAC8-42C4-80AE-177D9C808A93}\TypeLib	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B2DFAA6-BAC8-42C4-80AE-177D9C808A93}\TypeLib	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0B581762-7369-441A-A246-FB0C251B6206}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ksvssvc.KsvsService\CLSID\ = "{7B2DFAA6-BAC8-42C4-80AE-177D9C808A93}"	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CEFE3A09-7FB7-4396-8CA6-F9322A86B4EE}\NumMethods\ = "27"	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EDA0CE98-8C9C-48A2-893D-CB6298BDE67C}\ProxyStubClsid32\ = "{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91D593B0-2162-4400-ABBE-FCF7610B9268}\NumMethods\ = "10"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CD0F55FC-6F49-4AB5-AA6F-35770EBBAE20}\NumMethods	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{718081FD-2A38-43D0-B916-0FA80DA70068}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{15A8A5B1-6AF8-4023-9400-C04150A22196}	ksvssvc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B2DFAA6-BAC8-42C4-80AE-177D9C808A93}\ProgID	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BA9EE27E-E121-4B38-A3C7-654239B4667D}\ = "IKsvsInitCallback"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BA9EE27E-E121-4B38-A3C7-654239B4667D}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9C46E83F-00AD-48BB-91B0-E317692DF0ED}\ProxyStubClsid32	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CEFE3A09-7FB7-4396-8CA6-F9322A86B4EE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{26A7F9D7-BD6E-492B-B81C-66C5023ED497}\NumMethods\ = "6"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B814E28F-71FC-4300-A6B1-D246651FB301}\1.0\ = "ksvssvc 1.0 Type Library"	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C14B05E0-9F64-42EA-894D-C57B72866606}\NumMethods\ = "7"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}\ = "IKsvsDataSynManager"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FC8A934-3E8B-42D0-9F0B-38ED47A912A7}	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{15A8A5B1-6AF8-4023-9400-C04150A22196}\ProxyStubClsid32	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1A0CF6C-81BF-441B-8DD7-463B2EFB8118}\NumMethods\ = "4"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FC8A934-3E8B-42D0-9F0B-38ED47A912A7}	ksvssvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BA9EE27E-E121-4B38-A3C7-654239B4667D}\ProxyStubClsid32\ = "{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F0E6F24E-E9C5-4356-90D2-45A36CDA8862}\ = "IKsvsPrefetchFileProxy"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A5A1B5B-63D9-45E7-B42B-66C28D9D7188}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{26A7F9D7-BD6E-492B-B81C-66C5023ED497}\ProxyStubClsid32\ = "{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}"	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9C46E83F-00AD-48BB-91B0-E317692DF0ED}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9C46E83F-00AD-48BB-91B0-E317692DF0ED}\ProxyStubClsid32\ = "{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1A0CF6C-81BF-441B-8DD7-463B2EFB8118}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB1F764-EDA3-46A5-99BA-1F59EE125D3F}\ = "IKsvsPrefetchKeyProxy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E862CC6D-77C8-42A2-B605-6BC302D764CD}\ProxyStubClsid32\ = "{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C14B05E0-9F64-42EA-894D-C57B72866606}\ProxyStubClsid32\ = "{D9548102-54AD-4EB0-B9AB-6E5E9B19E3C6}"	ksvssvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1A0CF6C-81BF-441B-8DD7-463B2EFB8118}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A5A1B5B-63D9-45E7-B42B-66C28D9D7188}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494EC20F-F6F2-40F9-AAB8-C8C1B2DBEDA4}	ksvssvc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1804	ksvs_setup.exe
1804	ksvs_setup.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	4424	ksvssvc.exe
Token: SeRestorePrivilege	4424	ksvssvc.exe
Token: SeAssignPrimaryTokenPrivilege	4424	ksvssvc.exe
Token: SeIncreaseQuotaPrivilege	4424	ksvssvc.exe
Token: SeBackupPrivilege	2364	ksvssvc.exe
Token: SeRestorePrivilege	2364	ksvssvc.exe
Token: SeAssignPrimaryTokenPrivilege	2364	ksvssvc.exe
Token: SeIncreaseQuotaPrivilege	2364	ksvssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4884	kkgame.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4884	kkgame.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 1804	4884	kkgame.exe	79
PID 4884 wrote to memory of 1804	4884	kkgame.exe	79
PID 4884 wrote to memory of 1804	4884	kkgame.exe	79
PID 1804 wrote to memory of 2992	1804	ksvs_setup.exe	80
PID 1804 wrote to memory of 2992	1804	ksvs_setup.exe	80
PID 1804 wrote to memory of 2992	1804	ksvs_setup.exe	80
PID 2992 wrote to memory of 3268	2992	net.exe	82
PID 2992 wrote to memory of 3268	2992	net.exe	82
PID 2992 wrote to memory of 3268	2992	net.exe	82
PID 1804 wrote to memory of 676	1804	ksvs_setup.exe	83
PID 1804 wrote to memory of 676	1804	ksvs_setup.exe	83
PID 1804 wrote to memory of 676	1804	ksvs_setup.exe	83
PID 1804 wrote to memory of 4388	1804	ksvs_setup.exe	84
PID 1804 wrote to memory of 4388	1804	ksvs_setup.exe	84
PID 1804 wrote to memory of 4388	1804	ksvs_setup.exe	84
PID 1804 wrote to memory of 4564	1804	ksvs_setup.exe	85
PID 1804 wrote to memory of 4564	1804	ksvs_setup.exe	85
PID 1804 wrote to memory of 4564	1804	ksvs_setup.exe	85
PID 1804 wrote to memory of 4540	1804	ksvs_setup.exe	86
PID 1804 wrote to memory of 4540	1804	ksvs_setup.exe	86
PID 1804 wrote to memory of 4540	1804	ksvs_setup.exe	86
PID 1804 wrote to memory of 1880	1804	ksvs_setup.exe	87
PID 1804 wrote to memory of 1880	1804	ksvs_setup.exe	87
PID 1804 wrote to memory of 1880	1804	ksvs_setup.exe	87
PID 1804 wrote to memory of 3040	1804	ksvs_setup.exe	88
PID 1804 wrote to memory of 3040	1804	ksvs_setup.exe	88
PID 1804 wrote to memory of 3040	1804	ksvs_setup.exe	88
PID 3040 wrote to memory of 2852	3040	diag_repair.exe	90
PID 3040 wrote to memory of 2852	3040	diag_repair.exe	90
PID 3040 wrote to memory of 2852	3040	diag_repair.exe	90
PID 2852 wrote to memory of 4924	2852	cmd.exe	91
PID 2852 wrote to memory of 4924	2852	cmd.exe	91
PID 2852 wrote to memory of 4924	2852	cmd.exe	91
PID 3040 wrote to memory of 4412	3040	diag_repair.exe	92
PID 3040 wrote to memory of 4412	3040	diag_repair.exe	92
PID 3040 wrote to memory of 4412	3040	diag_repair.exe	92
PID 4412 wrote to memory of 1592	4412	cmd.exe	93
PID 4412 wrote to memory of 1592	4412	cmd.exe	93
PID 4412 wrote to memory of 1592	4412	cmd.exe	93
PID 3040 wrote to memory of 2052	3040	diag_repair.exe	94
PID 3040 wrote to memory of 2052	3040	diag_repair.exe	94
PID 3040 wrote to memory of 2052	3040	diag_repair.exe	94
PID 2052 wrote to memory of 2600	2052	cmd.exe	95
PID 2052 wrote to memory of 2600	2052	cmd.exe	95
PID 2052 wrote to memory of 2600	2052	cmd.exe	95
PID 3040 wrote to memory of 4656	3040	diag_repair.exe	96
PID 3040 wrote to memory of 4656	3040	diag_repair.exe	96
PID 3040 wrote to memory of 4656	3040	diag_repair.exe	96
PID 4656 wrote to memory of 1384	4656	cmd.exe	97
PID 4656 wrote to memory of 1384	4656	cmd.exe	97
PID 4656 wrote to memory of 1384	4656	cmd.exe	97
PID 3040 wrote to memory of 3328	3040	diag_repair.exe	98
PID 3040 wrote to memory of 3328	3040	diag_repair.exe	98
PID 3040 wrote to memory of 3328	3040	diag_repair.exe	98
PID 3328 wrote to memory of 4484	3328	cmd.exe	99
PID 3328 wrote to memory of 4484	3328	cmd.exe	99
PID 3328 wrote to memory of 4484	3328	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\kkgame.exe
"C:\Users\Admin\AppData\Local\Temp\kkgame.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Users\Admin\AppData\Local\Temp\ksvs_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\ksvs_setup.exe" /S
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\net.exe
    net stop "KSVSUPD"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "KSVSUPD"
      4⤵
      PID:3268
- - C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvssvc.exe
    "C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvssvc.exe" /service
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:676
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvssvcPS.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4388
- - C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsext.exe
    "C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsext.exe" /RegServer
    3⤵
    - Executes dropped EXE
    PID:4564
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsextPS.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4540
- - C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsupd.exe
    "C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsupd.exe" -install -noconsole
    3⤵
    - Executes dropped EXE
    PID:1880
- - C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\diag_repair.exe
    "C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\diag_repair.exe" /repair /nowait
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ksvssvc.exe /service
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvssvc.exe
        
        ksvssvc.exe /service
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ksvsext.exe /RegServer
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4412
    - - C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsext.exe
        
        ksvsext.exe /RegServer
        5⤵
        Executes dropped EXE
        
        PID:1592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c regsvr32 /s ksvssvcPS.dll
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s ksvssvcPS.dll
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:2600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c regsvr32 /s ksvsextPS.dll
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4656
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s ksvsextPS.dll
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ksvsupd.exe -install -noconsole
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3328
    - - C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsupd.exe
        
        ksvsupd.exe -install -noconsole
        5⤵
        Executes dropped EXE
        
        PID:4484

C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsupd.exe
"C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsupd.exe" -service
1⤵
- Executes dropped EXE
PID:3480

C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvssvc.exe
"C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvssvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsupd.exe
"C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsupd.exe" -service
1⤵
- Executes dropped EXE
PID:836

C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvssvc.exe
"C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvssvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\datasyn_client.exe

Filesize
194KB

MD5
3aa7a2df29adee7009fc78fdca106a87

SHA1
557e7d4d133ce04d492517224c834b26579f4f3d

SHA256
0fe776a0dd4841c7fb7f353510909eab7ffc585639c4384e6618c8e2415abdd3

SHA512
08e7852b32a8f55013b689ef90f9239c7e744dfa53c5d51980957859eb9792c591d6cb1c96b4b1a9cec7916941763e46a73673d5b3d7728a6b5bbb64d94c5b6a

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\dep_ins.exe

Filesize
206KB

MD5
02f317539245629bef955679f634d719

SHA1
42fc5a43313af4c219c15f539d5625d6379fc2cd

SHA256
09f0409e397e670b1080565f9061debbfe317b163c7f30b50308a92b973a9223

SHA512
86ce767e7dc166bd37ff09ff15cc6c7092e465f439d0e32ae063e70390c0c8bc3c63bc57f3994743d9a42f0bef7ae3baac4b25e074b5e26181879c525a761fcb

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\diag_repair.exe

Filesize
84KB

MD5
5cdc26751b1911070158d4513cb5a693

SHA1
91add097056493fd769441154d574ed9dc5bd052

SHA256
420ab5dc847a379e2f9165aba1e3b1d47436cdb5162a5ed5e99130b524d91fec

SHA512
e383785b5d2350c442aea641054dd8e4a84d5f850489e421268165497d2a6df017957383c64314ba658974264521679ab8ce331dc8740aede85aff9760a2a31c

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsdlhelper.exe

Filesize
271KB

MD5
dc139349940170cf9a4acecc5cc1fa6c

SHA1
21c53be81003a7d2ef1f9c601da90cc24f99655f

SHA256
36811fd860db74db2727ad3d0d472ea66134741aeb344a3b8b63e9558b20a021

SHA512
f999a3132566d37f4ce9217b80443bf2f852db8f4946bfd07df4ea4b13c73f8634188b2f18b67d474d5b1e740bc68fe330bf775d4fda5063de326d2e7c07ab8c

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsext.exe

Filesize
124KB

MD5
2eccaa5958f35db3a421fa5114bebd64

SHA1
600d073a1482b6ebe0994b62f3c2cbb40ea37623

SHA256
a12205965eb814a6b7ad6109c08b3b73adb04f3a01fefe07ae8f4c46c0a4bc0b

SHA512
f72b4ea95d4001dae648edffc3f2628f8b3c6fbb964c8aadaa3f31d1574f894e53fb0195cb59b378751a303794346e33915fca631ad47562bcefceb493a35ec0

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsextPS.dll

Filesize
51KB

MD5
4c990a1730fda8b475a563c901fd83ed

SHA1
52874943d3719b4d998def71b58b83fc292a2757

SHA256
9391d4d4e01c120676e0ec1a7580d9025ea7a05dfb0e5ff8cd5d53bd2955f107

SHA512
233d7e2fb6841e98439ef67765656f20456a19ff228f0d1675baa04a9325379159fa256ce8c4547d9b6c24c511166825eb5dbcfc407bbe24ec8654df48b0398a

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvssvc.exe

Filesize
948KB

MD5
6d070d2628060b62b20179c175cc92a4

SHA1
e84db1287e8b3751e257e3c8e481170665f10ac4

SHA256
824ad2a89b596c58e735d4e38c05bcc84b111a30de9fce2d6ff97c64e76bcc83

SHA512
cca2ff00d12937de50dbdb242913e48c685fcbcd63ccfe11002ad3d8f77bdc10b4601191759fe88fd5e33209b9acb4900d13e820d43bb4685dbe24c6bba3445a

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvssvcPS.dll

Filesize
58KB

MD5
fbe3dfe400b596557c72bececf5a696e

SHA1
4903f7d5c11c820a900a51492318435b4336ee70

SHA256
7fae47e32d1def569d12f611fbe572cdebc6aee4dd17581b9f867cd0ad89745f

SHA512
cf9110b00233c17c366987133bc49fb5553ee34aefd898918fc2348c6956aee01e3ed12ca94eab9768f5f6472cad2b48f7f0a86af28dd3d4c471d7aa0765d9e3

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\ksvsupd.exe

Filesize
206KB

MD5
490acb3a1179546b96d78c431b9db3b2

SHA1
3bca7236421084ef71d77125b1ec84c265ed81c6

SHA256
ba0f100d7b0b2a082978cd7cad1dfd85dfa92e5d278c3d4d043293d1d749b969

SHA512
ccef037376b897d5986b15c1c814a9faa1d056ac0103811b818bd7173a76f64e2a8a4d47fa25f26b2a66a64067d1916cf25896783bc3e0783d7da8afa68ad483

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\libexpatw.dll

Filesize
148KB

MD5
226e01d42edd35c3c87bc7084b61bc10

SHA1
c640234a4988edc5ce2fc7263b27788b9ed79073

SHA256
fc580ba332907a472f8f89a4bd97d05d8fa9103aca535918f62093a230013bad

SHA512
1bbebf740619b9b8d0e2a50109717a679318bfb1cf7e8cfee1067262ed5034e13f45a49d1b83e16a85ff21ca67804209fc7999bf9d923150f478cf2cfadeadd6

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\server_list.dat

Filesize
1KB

MD5
968aea85143b343bdddc2edec7a85b81

SHA1
6e27c48dd181ad77dfe6de3c7846fce9a94e2aed

SHA256
81adb7d422e243077fd5423c5cc8ee9eb2b8b9446e2c0d70ac8a999fa0be9b37

SHA512
50420166104a99aab4e37fe55be93e85c988c9dc066f98e223388e3902ecdbf5b0d475a048833a0a9aeb9570b4fe68e771d41efed385bee57adb24da01551045

Download Submit
C:\Program Files (x86)\Common Files\KuaiKuai\ksvs\simple_logger.dll

Filesize
80KB

MD5
4c7912ce9ba3698dc51de2c2c2f1b4db

SHA1
c1738063819f08d81006de36f4a338edbeeef410

SHA256
e0773000a7deababc47ae88736966bb15532e0c9778763bc6f22ccad029dd2d1

SHA512
eea2855d9d677dace520a188584868272618e9c5559d98588f02ac35d0f47ae7998569809117d0883db057c2b687d6b9d3b1b6d585e61bc1aee8468d8cd259c7

Download Submit
C:\ProgramData\KuaiKuai\KKGame\mesosphere.ini

Filesize
45B

MD5
fc5863ba824dee9e8ddc5a3e4155205b

SHA1
71542ef80e4f7618ce357dc8fd6dd81588fbe53b

SHA256
c6af87ee68898593ad1bc7892074417289d9853a173e2eb8c3bd324bc1f272c1

SHA512
322450fd2dadedb58a22c4c7d858921a7e4af02182a3f55e73af18c961918d6d736bb468ac6786287517c468dbc26a28a5c4592330d668c7027dcf89bb9cb99a

Download Submit
C:\ProgramData\KuaiKuai\KKGame\user_data

Filesize
43B

MD5
fd53c346e3ea5dae6723b4c759eb16fd

SHA1
4286fc02726b5cf90264431f1db45f08c8619f70

SHA256
ca7ab826dc48dbc0dd73731f01a8fbfd2ee813d8954799273be179528ae4b392

SHA512
ebf66bfed28a9911015d807fb7ac6ae73eb8a49ca3f4b334860f607e5a1c6cf7e20b93e7777087be122ab404039defe0488b8214858a078c1a3d39532af44b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn67A5.tmp\CheckKsvsSvcDLL.dll

Filesize
80KB

MD5
32f9654b0355069a7dc7f287ccec2cb9

SHA1
73da44871678020e47292c941ee9258c51159635

SHA256
d65aeac5af5afabea81ee5c8804496dee7c0f4458e3469ad3d3d45eec8ee6078

SHA512
3a3dccb502e02f82f77625c3977484e9bdb6755de2e2f632fa6f1016a13fdef49716953c63ebb6ed298965aea18eac7c992f034eaa5165bfe51f1f76dd3a503b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn67A5.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn67A5.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn67A5.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
memory/676-87-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/1804-26-0x00000000021A0000-0x00000000021B9000-memory.dmp

Filesize
100KB

Download
memory/4884-0-0x0000000002F80000-0x0000000002F81000-memory.dmp

Filesize
4KB

Download
memory/4884-8-0x0000000004FA0000-0x0000000004FE7000-memory.dmp

Filesize
284KB

Download
memory/4884-6-0x0000000004C60000-0x0000000004D1A000-memory.dmp

Filesize
744KB

Download
memory/4884-135-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/4884-136-0x0000000002F80000-0x0000000002F81000-memory.dmp

Filesize
4KB

Download
memory/4924-114-0x00000000006B0000-0x00000000006C2000-memory.dmp

Filesize
72KB

Download