Malware Analysis Report

2025-08-05 17:03

Sample ID 240107-ybm5jacfgn
Target Kiwi X.rar
SHA256 a693fff41c4e738cfa6b7f0e9bcf51ae341b276b81189fa698f0c0ede4a8a54e
Tags
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files, in report order: behavioral6, behavioral13, behavioral20, behavioral7, behavioral12, behavioral1, behavioral2, behavioral4, behavioral9, behavioral21, behavioral32, behavioral3, behavioral25, behavioral26, behavioral5, behavioral14, behavioral18, behavioral19, behavioral23, behavioral29, behavioral10, behavioral17, behavioral27, behavioral11, behavioral15, behavioral16, behavioral28, behavioral30, behavioral31, behavioral8, behavioral22, behavioral24

Analysis Overview

score
8/10

SHA256

a693fff41c4e738cfa6b7f0e9bcf51ae341b276b81189fa698f0c0ede4a8a54e

Threat Level: Likely malicious

The file Kiwi X.rar was found to be: Likely malicious.

Malicious Activity Summary

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 19:37

Signatures

Unsigned PE

Description Indicator Process Target
(nine entries recorded, no details in any field: all N/A)
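The static scan's only signature, "Unsigned PE", means the sandbox found no embedded Authenticode signature on an executable inside the archive. The script below is an added example, not the sandbox's own check and not code from the sample: it parses a PE's headers and reads data directory entry 4 (IMAGE_DIRECTORY_ENTRY_SECURITY), which for a signed image holds the file offset and length of the WIN_CERTIFICATE blob. The build_minimal_pe helper is an assumption for offline testing: it constructs a headers-only PE32+ image in memory, with or without a dummy certificate entry, and has nothing to do with the files in Kiwi X.rar.

```python
"""Report whether a PE file carries an embedded Authenticode signature.

Added example for reproducing an "Unsigned PE" verdict; not sandbox tooling.
Only the headers are read: a zero IMAGE_DIRECTORY_ENTRY_SECURITY entry means
no WIN_CERTIFICATE blob is attached to the image.
"""
import struct
import sys

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR_INDEX = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def security_directory(pe: bytes) -> tuple[int, int]:
    """Return (file offset, size) of the security directory; (0, 0) when absent."""
    if len(pe) < 0x40 or struct.unpack_from("<H", pe, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if struct.unpack_from("<I", pe, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("bad NT signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        dirs = opt + 96            # data directories follow the 32-bit optional header
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112           # 64-bit optional header is 16 bytes longer
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", pe, dirs - 4)[0]   # NumberOfRvaAndSizes
    entry = dirs + 8 * SECURITY_DIR_INDEX
    if SECURITY_DIR_INDEX >= num_dirs or entry + 8 > opt + size_of_optional:
        return (0, 0)              # header too short to even hold the entry
    return struct.unpack_from("<II", pe, entry)


def is_unsigned(pe: bytes) -> bool:
    """True when no PKCS#7 WIN_CERTIFICATE is embedded (catalog signing is invisible here)."""
    offset, size = security_directory(pe)
    if offset == 0 or size == 0:
        return True
    if offset + size > len(pe) or size < 8:
        raise ValueError("security directory points outside the file")
    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    return cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length < 8


def build_minimal_pe(signed: bool) -> bytes:
    """Constructed headers-only PE32+ image for testing; not a real program."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: NT headers right after
    opt_size = 112 + 16 * 8                           # PE32+ header with 16 directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)              # NumberOfRvaAndSizes
    headers_len = len(dos) + 4 + len(coff) + opt_size
    cert = b""
    if signed:
        # Dummy WIN_CERTIFICATE: 12-byte blob, revision 2.0, type PKCS#7 SignedData
        cert = struct.pack("<IHH", 12, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\0" * 4
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, headers_len, len(cert))
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + bytes(opt) + cert


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        print(f"{path}: {'UNSIGNED' if is_unsigned(data) else 'embedded signature present'}")
```

Two caveats apply when reading the verdict. A zero security directory only says there is no embedded signature: binaries signed through a Windows catalog (.cat) show the same zero entry and are verified via the catalog, so "Unsigned PE" on Microsoft's own files is not by itself suspicious. And a non-zero entry only says a blob is present; whether the PKCS#7 content verifies and chains to a trusted root is a separate check (signtool verify /pa, or Get-AuthenticodeSignature in PowerShell).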

Analysis: behavioral6

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:41

Platform

win10v2004-20231222-en

Max time kernel

145s

Max time network

152s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\KiwiAPI.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\KiwiAPI.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 udp
N/A 20.231.121.79:80 tcp
N/A 20.123.104.105:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 96.16.110.41:443 tcp
N/A 20.123.104.105:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 20.166.126.56:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 13.95.31.18:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 104.91.71.134:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 96.17.179.68:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 52.111.227.13:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 2.17.5.100:80 tcp
N/A 2.17.5.100:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 20.123.104.105:443 tcp
US 8.8.8.8:53 udp
N/A 20.54.110.119:443 tcp
US 8.8.8.8:53 udp
N/A 13.95.31.18:443 tcp
US 8.8.8.8:53 udp
N/A 20.199.58.43:443 tcp
N/A 20.199.58.43:443 tcp
N/A 20.199.58.43:443 tcp
US 8.8.8.8:53 udp
N/A 104.91.71.134:80 tcp
N/A 104.91.71.134:80 tcp
N/A 104.91.71.134:80 tcp
N/A 104.91.71.134:80 tcp
US 8.8.8.8:53 udp
N/A 96.17.179.56:80 tcp
US 8.8.8.8:53 udp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
N/A 96.17.179.56:80 tcp
US 204.79.197.200:443 tcp
N/A 96.17.179.56:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 96.17.178.80:80 tcp
N/A 104.91.71.134:80 tcp
N/A 104.91.71.134:80 tcp
N/A 96.17.179.56:80 tcp
N/A 96.17.179.56:80 tcp
N/A 96.17.178.80:80 tcp
N/A 104.91.71.134:80 tcp
N/A 104.91.71.134:80 tcp
US 8.8.8.8:53 udp
N/A 104.91.71.134:80 tcp
US 8.8.8.8:53 udp
GB 96.17.179.55:80 tcp
GB 96.17.179.55:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 104.91.71.140:80 tcp
GB 96.17.179.55:80 tcp
GB 96.17.179.55:80 tcp
N/A 13.107.21.200:443 tcp
GB 96.17.179.55:80 tcp
US 8.8.8.8:53 udp
GB 96.17.179.55:80 tcp
GB 96.17.179.55:80 tcp
GB 96.17.179.55:80 tcp
GB 96.17.179.55:80 tcp
GB 96.17.179.55:80 tcp
GB 96.17.179.55:80 tcp
GB 96.17.179.55:80 tcp
GB 96.17.179.55:80 tcp
GB 96.17.179.55:80 tcp
GB 96.17.179.55:80 tcp
GB 96.17.179.55:80 tcp
GB 96.17.179.55:80 tcp
GB 96.17.179.55:80 tcp
GB 96.17.179.55:80 tcp
GB 96.17.179.55:80 tcp
GB 96.17.179.55:80 tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:41

Platform

win7-20231215-en

Max time kernel

0s

Max time network

130s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\Monaco.html"

Signatures

Modifies Internet Explorer settings

Tags: adware, spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{749CDB91-AD94-11EE-A80E-FA7D6BB1EAA3} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\Monaco.html"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:624 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab2F3E.tmp

MD5 ccfa6e58c7ee3b49209d37398c85b412
SHA1 788f579102cb93fd6732fb2604e72480f22735db
SHA256 412c82301757558027c5cb3ed1245a40d0a9063f583ecd2fdacf50f733c86b0d
SHA512 c0137f7d51c9c1ca30f3690d26989db7f2fba64acf05594609518a169f243bfb06e8cbf461db6269e8c8123c8dfadb3d4717777adf1f2490d4b19b334510a813

C:\Users\Admin\AppData\Local\Temp\Tar33D3.tmp

MD5 7f6ac87743b066ace85f254be96a78a9
SHA1 a5e6bba4196862b1c02ea3d64d85aaac6eee37dd
SHA256 9bf45ea7dae43d8bf21adee61d06fb74ce25b6808ae09d1eb289b4b4d732ba68
SHA512 e8f61443c76b859c41e991d4d86f9f6184849cce5b156f29d212d0beaf9bf6e3505bfc1c3402b32e73dd6bfa20cf7ba475979b93107c3536e7d52cc7e2f4254b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b279d7ea7e06a3dde6f7848a111ffc1
SHA1 41718a22af13c580cdaef3867c44cd4474c1b993
SHA256 1b27f2c74479d599a82b977b07a5fbdef31ff05c76f06ddb969181d0a3b9ac1d
SHA512 73951f5a34f8083c35578274f06d0dc2ff8905dd51747d7b02d2d551a7e534454b40dab693e995c963de76bbd01b0d29754324acbf2ba217533323abf9e17885

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fe8100db292e97cf68f8bf6bbebbc581
SHA1 91289c748c3821cba5301f7f58498d07662aec5e
SHA256 55dc0c9be17d4f903675c4c6749e1b573bf0f21ae46110c453a028e2159546c3
SHA512 7ae41f50f9cb8b2f6c2bb8ce9d92c89f0e4afdddb7ec7022f6d55c96cd1b5f85226e72e253dbbeedb5a7bc0272e6a32f5f383d3021cd9a447f58fe775b2f4495

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e749d3781045e7ffb89678918641022d
SHA1 b84c39247e8c0dbd52d5488fd222bfa1a6e092a0
SHA256 6a9e0d9f7d4ebfad222367397b0e585fa7f916640bb8fc1687c22790d2d9a9d0
SHA512 c76a948bd450aed3d410200f867692028ef65f3dcf44ba04663cd1af3cdca39bb8383d094664f072ff3c3aba54350137417b7459f955bc6e3bbb28902799e952

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 28a0354eb20eb0555783ddd2445cf1e8
SHA1 ac977ea965e22074fe22d48d2458e382cb80fb12
SHA256 a7f619943eb977758caf6462b5b92e8fb35b38c810926f516ee7b9868fc0fa08
SHA512 1b64b2429169d707e79fc7c2b9afd11c7a27c98f5e79660d9ea353da64b9787ba1f7d5e5f9ea5fdf2e1926a0113787cce0fdb48d2860572fed65d93f29daf3df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4b808fa0ea3542efee6690c9dfbdea1d
SHA1 c884ec0f84f2df0a9d6c6a3b6f1f68c628bdd503
SHA256 4de2f0edb37d4b36f468922f61d1b67bb2dc2a66a5227f5cca37ab4540669211
SHA512 6475206520ae7882ccd76aad5af4a4512f567f6c44daaf0df4b3eab089cc838cc0a1973792d27afb4dcf3ed55d7e8fa8ef1c539a6fb138d9f1da8903615bf018

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 904a70520c6236f0e3702f6de7edde30
SHA1 8e0dccbd4a4bceb444a659722b049b3c3cdc5a9b
SHA256 559491686e6b92de0d76a95f840c195404aa747392f0e2bef22e67789ee188c0
SHA512 60e799b862a21684d424239e8abe68777b350ad653838a1029163075601c7eb042f4add03dfd37261e09f2cb1843e74666797d4812a17362cc17bc338bcee7bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d1ee14918a64138a03ad7f2b3dd4c52e
SHA1 9aee53da566e837a3e9fa8315597bc584aca4a44
SHA256 b3fc1f832d6ad117524cd448ee1624631d56a8f5778ffb897fdc4e9a08dcd9f0
SHA512 5093e2f48bb33073dfdd7b0e60a32db5f9fff9a4e4e2abc5054750c4f600bc01d30e83c8eaf1b89c21731eb3473a79555f3cc6d285daf91bb2d524c4ff2380d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 48c08eb0458c75b18161d230557bc5c2
SHA1 0e50283e1bc0b5ab1cf53a3696750dcdb8608c47
SHA256 25b8fb0f16c7e9ad0ee11ef8c4875e869d01a11bb0b5febd9f2d653a5355ba0c
SHA512 275d2524a8524ef239f3090c097693bc87e061998984b3a26822d5ac46faa5727e364ac4f69365f9832f694c985fa6fa92e3e9dab87f571f8334c10e1671d4b2

Analysis: behavioral20

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:41

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

128s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\coffee\coffee.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\coffee\coffee.js"

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 64.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 8.8.8.8:53 udp
N/A 20.73.194.208:443 tcp
US 8.8.8.8:53 udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 96.16.110.41:443 tcp
US 192.229.221.95:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 udp
N/A 20.189.173.11:443 tcp
US 8.8.8.8:53 udp
US 192.229.221.95:80 tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:42

Platform

win7-20231215-en

Max time kernel

122s

Max time network

155s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Microsoft.Web.WebView2.Core.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Microsoft.Web.WebView2.Core.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:42

Platform

win10v2004-20231215-en

Max time kernel

141s

Max time network

193s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Microsoft.Web.WebView2.Wpf.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Microsoft.Web.WebView2.Wpf.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 75.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 62.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:42

Platform

win7-20231215-en

Max time kernel

121s

Max time network

145s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\DiscordRPC.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\DiscordRPC.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:41

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

157s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\DiscordRPC.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\DiscordRPC.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 56.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:46

Platform

win10v2004-20231215-en

Max time kernel

300s

Max time network

379s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe"

C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe

"C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe"

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 64.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 63.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
US 8.8.8.8:53 kiwiexploits.com udp
US 104.21.51.237:443 kiwiexploits.com tcp
US 8.8.8.8:53 237.51.21.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
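The Network tables in this report mix the sample's own connections with traffic every Windows sandbox VM generates on its own: resolver queries to 8.8.8.8, in-addr.arpa reverse lookups, and Bing/Microsoft telemetry to 204.79.197.200. The script below is an added example, not part of the report and not the sandbox's tooling: it parses rows in the table's own "Country Destination Domain Proto" layout (Domain is often absent), separates background traffic from connections attributable to the sample, and flags paste sites in line with the "Legitimate hosting services abused for malware hosting/C2" signature. The sample rows are copied from the behavioral4 table above; the background suffix and IP lists are assumptions chosen for this sandbox image and need tuning elsewhere.

```python
"""Triage sandbox network rows: VM background traffic vs. sample-attributable flows.

Added example for reading this report; it is not the sandbox's own tooling.
Row format: "Country Destination Domain Proto", Domain optional.
"""
from dataclasses import dataclass
import ipaddress

# Assumed background lists for a Windows 10 sandbox image (tune per environment).
BACKGROUND_DOMAIN_SUFFIXES = ("bing.com", "bing.net", "microsoft.com", "in-addr.arpa")
BACKGROUND_IPS = {"8.8.8.8", "204.79.197.200"}   # sandbox resolver, Bing front end
PASTE_SITES = {"pastebin.com"}                    # legitimate hosting often abused for payloads

# Rows copied from the behavioral4 Network table of this report.
SAMPLE_ROWS = [
    "US 138.91.171.81:80 tcp",
    "US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 pastebin.com udp",
    "US 172.67.34.170:443 pastebin.com tcp",
    "US 8.8.8.8:53 kiwiexploits.com udp",
    "US 104.21.51.237:443 kiwiexploits.com tcp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
]


@dataclass(frozen=True)
class Conn:
    country: str
    host: str
    port: int
    domain: str   # "" when the sandbox recorded no name for the destination
    proto: str


def parse_row(row: str) -> Conn:
    parts = row.split()
    if len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    elif len(parts) == 4:
        country, dest, domain, proto = parts
    else:
        raise ValueError(f"unexpected row: {row!r}")
    host, _, port = dest.rpartition(":")
    ipaddress.ip_address(host)   # raises on a malformed destination
    return Conn(country, host, int(port), domain.lower(), proto.lower())


def is_background(c: Conn) -> bool:
    """Resolver, reverse-lookup and telemetry traffic the VM produces without the sample."""
    if c.domain:
        return c.domain.endswith(BACKGROUND_DOMAIN_SUFFIXES)
    return c.host in BACKGROUND_IPS   # an unnamed flow to an unknown IP stays interesting


def triage(rows: list[str]) -> dict:
    interesting: list[Conn] = []
    background = 0
    for row in rows:
        c = parse_row(row)
        if is_background(c):
            background += 1
        elif c not in interesting:       # the tables repeat identical flows; keep one
            interesting.append(c)
    domains = sorted({c.domain for c in interesting if c.domain})
    return {
        "background": background,
        "interesting": interesting,
        "domains": domains,
        "unresolved_ips": sorted({c.host for c in interesting if not c.domain}),
        "hosting_abuse": [d for d in domains if d in PASTE_SITES],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print(f"background rows: {result['background']}")
    for c in result["interesting"]:
        print(f"{c.proto} {c.host}:{c.port} {c.domain or '(no name)'}")
    print("contacted:", result["domains"], "unresolved:", result["unresolved_ips"])
    print("paste-site use:", result["hosting_abuse"])
```

On the behavioral4 rows this leaves pastebin.com, kiwiexploits.com and the unnamed 138.91.171.81:80 flow, which is the set worth pivoting on. The filter is deliberately conservative: unnamed connections to CDN ranges that this sandbox image also uses (the 96.17.x.x and 20.x.x.x addresses in the behavioral6 and behavioral20 tables) will surface as interesting until you add them to the background list, and a DNS query for a non-background name is kept even though it went to 8.8.8.8, because the name, not the resolver, is the indicator.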

Files

memory/4620-0-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/4620-1-0x0000000000F90000-0x0000000000FC2000-memory.dmp

memory/4620-2-0x00000000058A0000-0x00000000058B0000-memory.dmp

memory/4620-3-0x0000000074580000-0x0000000074D30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe

MD5 806998bb6f4fc3fe3f0beb390799f28b
SHA1 445beca37ebd66c54f7eec9c296c6e28b1a9fe89
SHA256 33dacaaf579d61d885605998835b3d9355d4d04d6b400ced1895a4583fa48787
SHA512 145ff2d9e335a76fb72fe0f56f7e557b96aef4c313ae7858bb7248c1a82a92bab2bc1274750e9964c5a2db62790d7a4562c54118268774e80da8b1082f7c46c7

C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe

MD5 60da4a8f33288a5993378bb5130f7bfc
SHA1 a4b36ffa98f89b8586fbf34312d5b9d60d472911
SHA256 1268474ad20cbf8acfa048b9fccac866f1f9ff018f5cfd069049619936c8313f
SHA512 1b4a889b60b522f6cc9010c4841383f8c2a8c18d0137c8ac406ac52f2a2b6580c8351a9512c8cd0f748b83b2052a5c73d791e4af9e753eb4a2925079627c6a6c

C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe

MD5 65d850ea6249b29482fdf6441464c727
SHA1 762c553b7f252a279f6a1a64c2375f2430905b34
SHA256 a9a9c21344ee06e8386ddf606783dbcf9eff60533135875f38866eb5ae742c0e
SHA512 3bbebf28d4ff730011e818af8721e663574d82ccc91b5941844c18806d55540c66b23f9621d20c8ee45db70f56b36faff97e59a928108224c4eedfb8e51898e8

memory/1136-17-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/4620-16-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/1136-18-0x0000000000FC0000-0x0000000001366000-memory.dmp

memory/1136-19-0x0000000005CB0000-0x0000000005CC0000-memory.dmp

memory/1136-20-0x0000000005B50000-0x0000000005B51000-memory.dmp

memory/1136-21-0x0000000005C90000-0x0000000005CAA000-memory.dmp

memory/1136-22-0x0000000074580000-0x0000000074D30000-memory.dmp

C:\Users\Admin\AppData\Local\Kiwi_X_WPF\Kiwi_X.exe_Url_r0xbolx2byytzmmw2u1fc3xa1yugsbjn\1.1.0.0\user.config

MD5 fc4bddde3292e03d5586f62d92189b1b
SHA1 ceeba68f267f5568b9b0766468724ff8b608d412
SHA256 dc981b12d99456f4676ee1352af94da5292cd618b416aeedc8d8ba5a492c3e1b
SHA512 94155fbd6e0f54fe282752d5cad19bf09c4835ce96a466a5a38bd7024ed1090d58ee672a0d5f09c918df2ee79c795c59ef79ca182213f78801cfc649760b3c73

memory/1136-36-0x00000000066A0000-0x0000000006750000-memory.dmp

C:\Users\Admin\AppData\Local\Kiwi_X_WPF\Kiwi_X.exe_Url_r0xbolx2byytzmmw2u1fc3xa1yugsbjn\1.1.0.0\user.config

MD5 d573b0eb98c6d04c74993871673fb128
SHA1 d1bef264405318467a8d82e6a9a2de816cf85459
SHA256 e38fe2de9ec915b66b5ba2f128fa3eea59d5b273abca60c999381f77d20779ad
SHA512 2d384a40a630cbc2d78e6fc1f832438d898f9e81c4650836dad32caadd871aa0d633b47446609610802e1c16925e476a944f5eeedcb8940ed677ce7ad849dcd9

memory/1136-37-0x0000000006750000-0x00000000067A4000-memory.dmp

memory/1136-38-0x0000000006620000-0x0000000006628000-memory.dmp

memory/1136-39-0x0000000006920000-0x000000000698A000-memory.dmp

memory/1136-40-0x0000000005CB0000-0x0000000005CC0000-memory.dmp

memory/1136-41-0x0000000005CB0000-0x0000000005CC0000-memory.dmp

memory/1136-42-0x0000000001A70000-0x0000000001A78000-memory.dmp

memory/1136-43-0x000000000A270000-0x000000000A2A8000-memory.dmp

memory/1136-44-0x0000000001AC0000-0x0000000001ACE000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:40

Platform

win7-20231129-en

Max time kernel

48s

Max time network

17s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Microsoft.Web.WebView2.WinForms.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Microsoft.Web.WebView2.WinForms.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:42

Platform

win7-20231215-en

Max time kernel

122s

Max time network

145s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\cpp\cpp.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\cpp\cpp.js"

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:41

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

160s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\fsharp\fsharp.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\fsharp\fsharp.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 83.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 47.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 48.179.17.96.in-addr.arpa udp
GB 96.17.179.47:80 tcp
GB 96.16.110.114:80 tcp
GB 96.17.179.47:80 tcp
GB 96.17.179.47:80 tcp
US 8.8.8.8:53 udp
GB 96.17.179.47:80 tcp
US 8.8.8.8:53 76.179.17.96.in-addr.arpa udp
GB 96.17.179.76:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
GB 96.17.179.76:80 tcp
GB 96.17.179.76:80 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 96.17.179.76:80 tcp
GB 96.17.179.76:80 tcp
GB 96.17.179.76:80 tcp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 176.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 59.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 226.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:42

Platform

win7-20231215-en

Max time kernel

124s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe"

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware, spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40943479a141da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000429d3af34477a14f8b2dd7691733418900000000020000000000106600000001000020000000273c4525699204b786f7301a5ef1624d7eea2f6230cc15d26353fa04656dce75000000000e8000000002000020000000a9a07f248c1c0dc5a841f8354dccf680fcff8424b17d9ac23c74eb7ceadeff90200000001baeb3704fe1faac63bb0e4858a98de1872ec10d2d234c850652cd4d5e0696b44000000064599c6f1309f62a3729d96a1c914b2459d1fc47a16f6bc8532e941c1cbf7cc820ba152bee03dc4f02fad3b78780c8559c880abdd6c4d0b593d205bf2b6f693a C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000429d3af34477a14f8b2dd76917334189000000000200000000001066000000010000200000000c687c311437b6d802c5e844cda53b190f32a561c790910954faeac353ebb21c000000000e800000000200002000000023e5895660fe379adcedbf4198b51ce58c96b0b602f63c64b32a971153457000900000004f58c6c4f247a14391febee89045e93e5535bd19308a44d1a57c905b7cbe50a1dd274b1cf7b19939507e2884d7ba6e2cb548105bae3bdea0b30075578d25734ed831e5a7a3c3fade11da48b9e4ef4f4fb91a6f9aafe9d059ce92dc9dd58ac87378c28209475003d6f255cf5982c2df88292f512d21000cc2ffc11a7285865d90bc7c304331ce9569b42ec35c5caff4024000000063931970dd30d6013fa1eabbe84d1cb4329d8645fad6815903323b4a321d4007d19e45739e3af91c97c479cd095170e2077ef90aec6c55a4564a413c2721685d C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{96FA1181-AD94-11EE-9240-46FAA8558A22} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410818293" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = … C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = … C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe
PID 1964 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe
PID 1964 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe
PID 1964 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe
PID 2844 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2844 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2844 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2844 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2008 wrote to memory of 364 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2008 wrote to memory of 364 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2008 wrote to memory of 364 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2008 wrote to memory of 364 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X Bootstrapper.exe"

C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe

"C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=Kiwi X.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2008 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 kiwiexploits.com udp
US 172.67.191.177:443 kiwiexploits.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1964-1-0x00000000740E0000-0x00000000747CE000-memory.dmp

memory/1964-0-0x0000000000D90000-0x0000000000DC2000-memory.dmp

memory/1964-2-0x00000000740E0000-0x00000000747CE000-memory.dmp

memory/1964-3-0x0000000004CF0000-0x0000000004D30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabEE47.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarEEA8.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe

MD5 de88ad0947de836437a79726eaa6a853
SHA1 8963c3b9e0d302c1b0d269e524fc5f5c8e183c82
SHA256 eab4fb4671d64139add76aa75d3cb40ea4baeb3d13755c0eff7622accf3b1de2
SHA512 21872320a6f6ba5fe8cf97e70277bc7d401935ea4b603a7d1b3829587badb5ae44aed80bdcab48c527d2aec09e4a3d0e77cf584244887f4df5ccf356454ba2ab

C:\Users\Admin\AppData\Local\Temp\Kiwi X\Kiwi X.exe

MD5 a79388c86107f67c2e6f808919c68641
SHA1 14bfb87ebb9bf909bbea47976633cb4974eecf99
SHA256 7f2007e39a606f02c16b98324def593adda8d8429577ed23ce23aa9963d3a525
SHA512 1651f722e0a01d5c829c0125a976d1955189d1eeaeebfb9f872e40d8b4bcbbc8c2cce2ee2348dbf3f3b36d2a3f5144d6f63b9be0b0fe53d1ffaeee4ee19eb127

memory/1964-44-0x00000000740E0000-0x00000000747CE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f72df1c57a4eba14782bacdd46e5715
SHA1 635ba706442422fb5bec3bec186743f901b2d02a
SHA256 061f9b0540ca25ad0e2ae7b5a3e8f407fe620cbf480271442b4323a95b635ac5
SHA512 7f4367c6861e66a6ca24380913a86bef0147ec73f9bdf0360b9a600cd3eed3563524cea9114ebc93bac8733261e30bdcd7d7ee7a20433e1fccfa1fdafb24eabc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 256981e9a44033048a0348ec5476f458
SHA1 09a54769d2c607b1da4c3d45b1d4a23fc4c28c71
SHA256 6db7f3ef44d4a1aeaffb190e86817196a54881523978fa4ddd1efb7dbc43b234
SHA512 e887686140466b65df093c41922853b50145c42fdea5209fe9d24cfc97bef672ac1af289d6379e6520314b312808280de4c742f0809eb93ce352b5e4c0134e7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fe5a6e3db1df9ea643367da66fb751c7
SHA1 e363ac3e2a79bdbce7952fd5080430f2d5b536d6
SHA256 78f3bdaa6857d0e46ac35f4b1cdba13a8b9f6953ee0893645e9aa68a3e88d9ab
SHA512 29281ba4900e7bf7a620fd6a43a90a2ba0e0d76d4d38ebecccb06f4928408c8e666891e34a1b74b8f283065def198a5a92ab8a4f6e241c9cccf8f4d757df99a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 715e821906678eaf33a3fe86c12aa81f
SHA1 b1f3bf1cb7b5b05e53f42703e20d37dad5765052
SHA256 771020fc1eeee03666ae59da55dcb35632f132f3080e8827d144c52e2d8eb089
SHA512 8eea6bfc1291ee8beeff2c922d66bee3d49af830249a7ff064ef228c116fcb39cebce4e0f3c5229f8fac269a8b9504ce34babd6f0313e6c6193a017697676f67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0031dea252cb8f71342e53e458fa4314
SHA1 ac9d60e9e43424dcd1fe8b82f008ce07dc1ac809
SHA256 6de6bcc7b115daa2cf27524e9efb47cee40de917de522fb52bdcab4317cbe8af
SHA512 b37ffd470bd384572e6daececac73a5e44e5e7e67f6034daedc45426b32efeb1201baa294aa06486e07b67821ff87faa3dcc9dc4502009eae363be4658250fa3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5699a952cf22a79c99511d19ed435cd6
SHA1 fac6987cef35329c1215c1041d60b06afaaf8fe2
SHA256 bd7d3d954c5e2a51ab884d224273c9cbad61dcd83c771a49051a39a39fb9ba23
SHA512 256bc846e1cb90cd16e50c61cd91126dfbba8e80fc038450b9bf7d70b6294e8f07fa060c011ee95c6e3d672d8b21d333a02907f053362b7c98435fe5902dc5b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c1b7bf84c736c437b1885c783f258725
SHA1 a43f03c9ac260f677017d84d26409b94febcd31d
SHA256 7c6585a4bc59a765fb38b2b1faa317ccc56571d7bd7c99cf2fa77ee18d7342b2
SHA512 c0e122f7438711d6c9784c57de0051ac9ea4f07b41d4559c12fa9290b2d02a6ef50d64bf86c5eff3ce974f64409079b943db0be9019e9adfa98c33f467f255bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8926b4193cfda38c0e3b28ada853688e
SHA1 6e3597ada7c401a81c5016d01b79cd93cd55eaa6
SHA256 d7c9f34c84263a327b20d33fd21aca7337efc345d1efeee4292844e7417d4459
SHA512 edb908580f7c026d102450af07e940f3465e59d0dd188febfdbc0aa1b23a74b13a8ca9ca8fcc02fb16198165e90a105d627f981ff84d82fed560e598d26c4786

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e4c4c01dc82ef7d361e6f443fa556777
SHA1 3e704d1588dae6f3df1a80a4043812dd54be996c
SHA256 f7880ff664b31cfd3287caeff47061b8ee568348be32e2be1731cecad5c078bc
SHA512 80627e38fa2761777ec41c1f0257e11a06fb0be34cf2434f52f8d139d9e6bfaf0983d1707ceafe418021470ebea709b81292396b016e07eb1180621b2388292b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e21e43b888ca6e74220006277c40a6bd
SHA1 2c38a9007ffc6532d437e924de215191491d8728
SHA256 4bbe47eb21e2128733ad2ef5330ac46e745110b853dc3fe0f7b0fd9ca0e0766b
SHA512 ee236faeb824d1c6f9d8bd54a761e2ba289bb0e2d905591c2eec753350c158f9a27bba82177cf31bbd473b913b0ba5f545751b53fad38e54ad4425daa6f053e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89781c994cec4820187827d8b5d15bb9
SHA1 874b946dec02d576e814d09a183777d82e2e4f42
SHA256 cff778a7956721354a42e7e241fb7ecabc23ee4bfcd8fe3fe4888e26b86b7a2b
SHA512 d43653b249fc4408188c2f5b7841012e6973f7ac28f7ea10a6ed57cd8c2cef5350ff2c3d6a569c813fa19c9fea256f77e543d18a0ccdf6d7751ef1666d5256b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 05425709135c27d90a2c650d18e33424
SHA1 6f9cee60877910b80277513794e0baf3721db474
SHA256 836403735d249fa6b422cc39cd60e691dd33d4c0794af9839a66684510285bc6
SHA512 f47d782ea6e0aa31a2be4e43426bc6d2697f079848420a0a349f2c78273e4c7eac8b1ba97e9e76eed31da086854ef2a6472bc835a19d6ae95f8a975a212f0c5e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73431ab9a8e183ac8d25a6391d858f66
SHA1 48c046ee3e9a97516c928ab6dcea30f7c040f174
SHA256 66400c3c98936017c42bb263c5c96d9b0d4fc4a769c2abe0c4983673e939bc10
SHA512 8160c13170ab9605be78d558c327f3ee59fa6ab58da4bd3f15003bcfba8de8851d4a8be7cc1ea8a6ae784297d5952474264f2b6904c16ae5f1d1e2688caa3996

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac849740094477dfc8fc2cf4cd293a55
SHA1 a2197eb1b2fe316eb46eed9e90c7894bbd536ed7
SHA256 eb71422d28b2892344acdb123fe8b8c5c8b210535ab87c1a3f81725578805d0e
SHA512 cb94651069aea957ea574ea06ee6a487df6528e9788958cc6a27daa811b963fe6e60df660e74b172a6bb26ed5df52cbb14364b8d361a0797cd032cb18cd93afb

Analysis: behavioral25

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:41

Platform

win7-20231215-en

Max time kernel

117s

Max time network

126s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\csp\csp.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\csp\csp.js"

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:42

Platform

win10v2004-20231215-en

Max time kernel

131s

Max time network

195s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\csp\csp.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\csp\csp.js"

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 50.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 68.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 226.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:41

Platform

win7-20231215-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\KiwiAPI.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\KiwiAPI.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:41

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

152s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\Monaco.html"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6C34E435-AD94-11EE-AA35-EA04B8DEDBF3} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\Monaco.html"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3640 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 92.123.128.190:443 www.bing.com tcp
US 92.123.128.190:443 www.bing.com tcp
US 8.8.8.8:53 190.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
GB 96.17.179.56:80 tcp
GB 96.17.179.56:80 tcp
IE 52.111.236.22:443 tcp
GB 96.17.179.56:80 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
GB 96.17.179.56:80 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 59.179.17.96.in-addr.arpa udp
GB 96.17.179.56:80 tcp
GB 96.17.179.56:80 tcp
GB 96.17.179.56:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:41

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

156s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\bat\bat.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\bat\bat.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 83.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 56.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 188.179.17.96.in-addr.arpa udp
GB 96.17.179.56:80 tcp
US 8.8.8.8:53 udp
GB 96.17.179.56:80 tcp
GB 96.17.179.56:80 tcp
GB 96.17.179.56:80 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 50.179.17.96.in-addr.arpa udp
GB 96.17.179.50:80 tcp
US 8.8.8.8:53 udp
US 204.79.197.200:443 g.bing.com tcp
US 204.79.197.200:443 g.bing.com tcp
US 204.79.197.200:443 g.bing.com tcp
US 204.79.197.200:443 g.bing.com tcp
US 204.79.197.200:443 g.bing.com tcp
GB 96.17.179.50:80 tcp
GB 96.17.179.50:80 tcp
GB 96.17.179.50:80 tcp
US 8.8.8.8:53 udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 59.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 194.179.17.96.in-addr.arpa udp
GB 96.17.179.59:80 tcp
GB 96.17.179.59:80 tcp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:44

Platform

win7-20231215-en

Max time kernel

240s

Max time network

280s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\coffee\coffee.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\coffee\coffee.js"

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:42

Platform

win7-20231215-en

Max time kernel

38s

Max time network

27s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\csharp\csharp.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\csharp\csharp.js"

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:41

Platform

win7-20231215-en

Max time kernel

118s

Max time network

120s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\dockerfile\dockerfile.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\dockerfile\dockerfile.js"

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:40

Platform

win10v2004-20231215-en

Max time kernel

67s

Max time network

75s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Microsoft.Web.WebView2.WinForms.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Microsoft.Web.WebView2.WinForms.dll",#1

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 23.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 64.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:41

Platform

win7-20231129-en

Max time kernel

121s

Max time network

126s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\bat\bat.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\bat\bat.js"

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:42

Platform

win7-20231215-en

Max time kernel

118s

Max time network

120s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\css\css.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\css\css.js"

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:41

Platform

win7-20231215-en

Max time kernel

122s

Max time network

129s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Microsoft.Web.WebView2.Wpf.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Microsoft.Web.WebView2.Wpf.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:41

Platform

win7-20231129-en

Max time kernel

118s

Max time network

121s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\base\worker\workerMain.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\base\worker\workerMain.js"

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:41

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

157s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\base\worker\workerMain.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\base\worker\workerMain.js"

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:41

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

101s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\css\css.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\css\css.js"

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:40

Platform

win10v2004-20231215-en

Max time kernel

53s

Max time network

34s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\dockerfile\dockerfile.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\dockerfile\dockerfile.js"

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:45

Platform

win7-20231215-en

Max time kernel

278s

Max time network

322s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\fsharp\fsharp.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\fsharp\fsharp.js"

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:41

Platform

win10v2004-20231215-en

Max time kernel

146s

Max time network

110s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Microsoft.Web.WebView2.Core.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Microsoft.Web.WebView2.Core.dll",#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:42

Platform

win10v2004-20231215-en

Max time kernel

183s

Max time network

194s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\cpp\cpp.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\cpp\cpp.js"

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:42

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

167s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\csharp\csharp.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Kiwi X\Monaco\vs\basic-languages\csharp\csharp.js"

Network

Country Destination Domain Proto

Files

N/A