download| Category | Machine | Started | Completed |
|---|---|---|---|
| FILE | s1_win7_x6401 | June 24, 2021, 11:11 p.m. | June 24, 2021, 11:16 p.m. |
-
-
KLUpdateSetup.exe "C:\Users\test22\AppData\Local\Temp\KLUpdateSetup.exe" /install "appguid={AB01C5D1-7F78-4A4E-A89B-0415F6466BCA}&needsadmin=True&autoclose=True"
2228-
KLUpdate.exe "C:\Program Files (x86)\KL\Temp\GUM6356.tmp\KLUpdate.exe" /install "appguid={AB01C5D1-7F78-4A4E-A89B-0415F6466BCA}&needsadmin=True&autoclose=True"
1444-
KLUpdate.exe "C:\Program Files (x86)\KL\Update\KLUpdate.exe" /regsvc
2044 -
-
KLUpdateComRegisterShell64.exe "C:\Program Files (x86)\KL\Update\1.3.36.71\KLUpdateComRegisterShell64.exe"
2492 -
KLUpdateComRegisterShell64.exe "C:\Program Files (x86)\KL\Update\1.3.36.71\KLUpdateComRegisterShell64.exe"
3020 -
KLUpdateComRegisterShell64.exe "C:\Program Files (x86)\KL\Update\1.3.36.71\KLUpdateComRegisterShell64.exe"
1032
-
-
KLUpdate.exe "C:\Program Files (x86)\KL\Update\KLUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi43MSIgc2hlbGxfdmVyc2lvbj0iMS4zLjM2LjcxIiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezgwQzRGNTdFLTBGRTUtNEQ1Ny1CRTQ4LUM0OUVCODUxRDdDQ30iIHVzZXJpZD0iezVFRDI3NjAzLTAxNDctNDI4NC04MTU3LTA5RkQ2MUZENzg2Rn0iIGluc3RhbGxzb3VyY2U9Im90aGVyaW5zdGFsbGNtZCIgdGVzdHNvdXJjZT0iYXV0byIgcmVxdWVzdGlkPSJ7QkQzQ0I0RTItRjYzRi00OTVCLUJGN0EtNUQ4NDY2Mzc0RDlFfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBwaHlzbWVtb3J5PSI1IiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9Ins0MzBGRDREMC1CNzI5LTRGNjEtQUEzNC05MTUyNjQ4MTc5OUR9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMzYuNzEiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMjkzOCIvPjwvYXBwPjwvcmVxdWVzdD4
1080 -
KLUpdate.exe "C:\Program Files (x86)\KL\Update\KLUpdate.exe" /handoff "appguid={AB01C5D1-7F78-4A4E-A89B-0415F6466BCA}&needsadmin=True&autoclose=True" /installsource otherinstallcmd /sessionid "{80C4F57E-0FE5-4D57-BE48-C49EB851D7CC}"
2232
-
-
-
| IP Address | Status | Action |
|---|---|---|
| 13.225.134.82 | Active | Moloch |
| 142.250.196.131 | Active | Moloch |
| 142.250.199.77 | Active | Moloch |
| 142.250.207.78 | Active | Moloch |
| 164.124.101.2 | Active | Moloch |
| 172.67.223.135 | Active | Moloch |
| 172.217.161.65 | Active | Moloch |
| 172.217.26.35 | Active | Moloch |
| 172.217.31.131 | Active | Moloch |
| 193.70.47.128 | Active | Moloch |
| 59.18.30.144 | Active | Moloch |
| 59.18.44.80 | Active | Moloch |
| 34.104.35.123 | Active | Moloch |
| 35.83.118.206 | Active | Moloch |
| 52.54.193.222 | Active | Moloch |
| 65.8.17.57 | Active | Moloch |
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 172.67.223.135:80 -> 192.168.56.101:49221 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
| TCP 192.168.56.101:49216 -> 172.67.223.135:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.101:49217 -> 172.67.223.135:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.101:49305 -> 193.70.47.128:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.101:49315 -> 172.67.223.135:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLS 1.2 192.168.56.101:49216 172.67.223.135:443 |
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 58:02:7f:64:99:8c:33:d7:44:80:ce:b8:4a:40:da:1b:4a:2d:a5:52 |
|
TLS 1.2 192.168.56.101:49217 172.67.223.135:443 |
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 58:02:7f:64:99:8c:33:d7:44:80:ce:b8:4a:40:da:1b:4a:2d:a5:52 |
|
TLS 1.3 192.168.56.101:49300 142.250.199.77:443 |
None | None | None |
|
TLS 1.3 192.168.56.101:49301 216.58.200.78:443 |
None | None | None |
|
TLS 1.3 192.168.56.101:49304 59.18.44.80:443 |
None | None | None |
|
TLS 1.3 192.168.56.101:49306 59.18.30.144:443 |
None | None | None |
|
TLS 1.3 192.168.56.101:49307 142.250.207.78:443 |
None | None | None |
|
TLSv1 192.168.56.101:49305 193.70.47.128:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=soloyama.com | 2c:79:5b:29:8f:93:e2:61:60:7f:ba:5e:de:b3:cb:de:24:ef:0b:f2 |
|
TLS 1.3 192.168.56.101:49317 8.8.8.8:443 |
None | None | None |
|
TLS 1.3 192.168.56.101:49308 65.8.17.57:443 |
None | None | None |
|
TLS 1.3 192.168.56.101:49318 8.8.4.4:443 |
None | None | None |
|
TLS 1.3 192.168.56.101:49319 142.250.196.131:443 |
None | None | None |
|
TLS 1.3 192.168.56.101:49322 13.225.134.82:443 |
None | None | None |
|
TLS 1.3 192.168.56.101:49321 172.217.161.65:443 |
None | None | None |
|
TLS 1.3 192.168.56.101:49324 172.217.26.35:443 |
None | None | None |
|
TLS 1.2 192.168.56.101:49310 35.83.118.206:443 |
C=US, O=Amazon, OU=Server CA 1B, CN=Amazon | CN=mywot.com | ae:ee:12:ae:1a:81:d0:1b:e1:c1:0a:da:d9:0c:33:ce:20:b1:e9:50 |
|
TLS 1.2 192.168.56.101:49311 52.54.193.222:443 |
C=US, O=Amazon, OU=Server CA 1B, CN=Amazon | CN=mywot.com | 7b:68:a6:5e:ec:e3:81:e6:28:1c:8e:a7:a2:95:28:21:86:b1:ec:df |
|
TLS 1.2 192.168.56.101:49315 172.67.223.135:443 |
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 58:02:7f:64:99:8c:33:d7:44:80:ce:b8:4a:40:da:1b:4a:2d:a5:52 |
|
TLS 1.3 192.168.56.101:49323 13.225.134.82:443 |
None | None | None |
|
TLS 1.3 192.168.56.101:49302 216.58.200.78:443 |
None | None | None |
|
TLS 1.3 192.168.56.101:49320 172.217.26.35:443 |
None | None | None |
|
TLS 1.3 192.168.56.101:49325 172.217.31.131:443 |
None | None | None |
|
UNDETERMINED 192.168.56.101:49309 35.83.118.206:443 |
None | None | None |
| section | .ndata |
| suspicious_features | POST method with no referer header | suspicious_request | POST https://flownetserv.com/service/update2 | ||||||
| suspicious_features | POST method with no referer header | suspicious_request | POST https://flownetserv.com/service/update2?cup2key=10:2041637316&cup2hreq=c44ca074fab98820e0ddea4abd5bbe7984d55eefb00cbc75bdb2c1c68dce87ec | ||||||
| request | HEAD http://flownetserv.com/static/media/build/Flow%20Browser%20-%20SearchBip/stable/win/x64/97856822509658/Setup.exe |
| request | GET http://flownetserv.com/static/media/build/Flow%20Browser%20-%20SearchBip/stable/win/x64/97856822509658/Setup.exe |
| request | HEAD http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFUTGhWQUViMUVlUQ/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crx |
| request | GET http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFUTGhWQUViMUVlUQ/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crx |
| request | POST https://flownetserv.com/service/update2 |
| request | POST https://flownetserv.com/service/update2?cup2key=10:2041637316&cup2hreq=c44ca074fab98820e0ddea4abd5bbe7984d55eefb00cbc75bdb2c1c68dce87ec |
| request | GET https://soloyama.com/app.php?ping=f%3D1%26a%3D3100%26u%3Dfldk-20210619-4126222-fbchff02%26p%3Dpa%26ck%3D430179789257580636%2F |
| request | POST https://flownetserv.com/service/update2 |
| request | POST https://flownetserv.com/service/update2?cup2key=10:2041637316&cup2hreq=c44ca074fab98820e0ddea4abd5bbe7984d55eefb00cbc75bdb2c1c68dce87ec |
| file | C:\Users\test22\AppData\Local\Temp\KLUpdateSetup.exe |
| file | C:\Users\test22\AppData\Local\Temp\nsxFA58.tmp\INetC.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\KLUpdateComRegisterShell64.exe |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_sl.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\psuser.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\KLCrashHandler.exe |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_id.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_lv.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_de.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_is.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\KLUpdateBroker.exe |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_nl.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_bn.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_sr.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_ta.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_es-419.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_es.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_el.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_te.dll |
| file | C:\Users\test22\AppData\Local\Temp\nsxFA58.tmp\System.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_fi.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_lt.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_sw.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_hu.dll |
| file | C:\Program Files (x86)\KL\uninstall.exe |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_mr.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_sv.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_da.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_fr.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_cs.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_ko.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_zh-CN.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_ja.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_hr.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_fil.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_kn.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_sk.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_uk.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_ru.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_pt-BR.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_ro.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\KLUpdateOnDemand.exe |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_tr.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_en.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\KLUpdateCore.exe |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\psuser_64.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_ml.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_am.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_zh-TW.dll |
| file | C:\Program Files (x86)\KL\Temp\GUM6356.tmp\goopdateres_pl.dll |
| file | C:\Users\test22\AppData\Local\Temp\nsxFA58.tmp\System.dll |
| file | C:\Users\test22\AppData\Local\Temp\nsxFA58.tmp\INetC.dll |
| process | klupdate.exe |
| cmdline | "C:\Program Files (x86)\KL\Update\KLUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi43MSIgc2hlbGxfdmVyc2lvbj0iMS4zLjM2LjcxIiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezgwQzRGNTdFLTBGRTUtNEQ1Ny1CRTQ4LUM0OUVCODUxRDdDQ30iIHVzZXJpZD0iezVFRDI3NjAzLTAxNDctNDI4NC04MTU3LTA5RkQ2MUZENzg2Rn0iIGluc3RhbGxzb3VyY2U9Im90aGVyaW5zdGFsbGNtZCIgdGVzdHNvdXJjZT0iYXV0byIgcmVxdWVzdGlkPSJ7QkQzQ0I0RTItRjYzRi00OTVCLUJGN0EtNUQ4NDY2Mzc0RDlFfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBwaHlzbWVtb3J5PSI1IiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9Ins0MzBGRDREMC1CNzI5LTRGNjEtQUEzNC05MTUyNjQ4MTc5OUR9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMzYuNzEiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMjkzOCIvPjwvYXBwPjwvcmVxdWVzdD4 |
| host | 13.225.134.82 | |||
| host | 142.250.196.131 | |||
| host | 172.217.161.65 | |||
| host | 172.217.26.35 | |||
| host | 172.217.31.131 | |||
| service_name | flow | service_path | C:\Program Files (x86)\KL\Update\1.3.36.71\"C:\Program Files (x86)\KL\Update\KLUpdate.exe" \svc | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E12AFBF-BBB8-46B3-95EB-791E29BA42F3}\InprocServer32\(Default) | reg_value | C:\Program Files (x86)\KL\Update\1.3.36.71\psmachine_64.dll | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA092DAD-07DF-443D-9A5A-4434474353ED}\InprocServer32\(Default) | reg_value | C:\Program Files (x86)\KL\Update\1.3.36.71\psmachine_64.dll | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06B2AB2A-2D81-467C-9F30-F46C42EB5050}\InProcServer32\(Default) | reg_value | C:\Program Files (x86)\KL\Update\1.3.36.71\psmachine_64.dll | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E12AFBF-BBB8-46B3-95EB-791E29BA42F3}\InprocServer32\(Default) | reg_value | C:\Program Files (x86)\KL\Update\1.3.36.71\psmachine_64.dll | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA092DAD-07DF-443D-9A5A-4434474353ED}\InprocServer32\(Default) | reg_value | C:\Program Files (x86)\KL\Update\1.3.36.71\psmachine_64.dll | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06B2AB2A-2D81-467C-9F30-F46C42EB5050}\InProcServer32\(Default) | reg_value | C:\Program Files (x86)\KL\Update\1.3.36.71\psmachine_64.dll | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E12AFBF-BBB8-46B3-95EB-791E29BA42F3}\InprocServer32\(Default) | reg_value | C:\Program Files (x86)\KL\Update\1.3.36.71\psmachine_64.dll | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA092DAD-07DF-443D-9A5A-4434474353ED}\InprocServer32\(Default) | reg_value | C:\Program Files (x86)\KL\Update\1.3.36.71\psmachine_64.dll | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06B2AB2A-2D81-467C-9F30-F46C42EB5050}\InProcServer32\(Default) | reg_value | C:\Program Files (x86)\KL\Update\1.3.36.71\psmachine_64.dll | ||||||
| MicroWorld-eScan | Gen:Variant.Nemesis.1586 |
| FireEye | Gen:Variant.Nemesis.1586 |
| ALYac | Gen:Variant.Nemesis.1586 |
| Zillya | Dropper.Dapato.Win32.81320 |
| Avast | Win32:Malware-gen |
| Kaspersky | UDS:Trojan-Dropper.Win32.Dapato.qscx |
| BitDefender | Gen:Variant.Nemesis.1586 |
| Paloalto | generic.ml |
| Emsisoft | Gen:Variant.Nemesis.1586 (B) |
| DrWeb | Trojan.Siggen13.47795 |
| McAfee-GW-Edition | Artemis!Trojan |
| MAX | malware (ai score=86) |
| AegisLab | Trojan.Win32.Nemesis.4!c |
| GData | Gen:Variant.Nemesis.1586 |
| McAfee | Artemis!6DA66D1368F5 |
| AVG | Win32:Malware-gen |
| CrowdStrike | win/malicious_confidence_60% (D) |