Malware Analysis Report

2025-08-05 16:44

Sample ID 240204-ym6q1sbfbr
Target 90039c975ddc2e891b50aae18bed6a65
SHA256 15a701b7671bcee70aa12b57edaf4f78849576699c35095febc658c28fcb2cfd
Tags
adware discovery persistence stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

15a701b7671bcee70aa12b57edaf4f78849576699c35095febc658c28fcb2cfd

Threat Level: Shows suspicious behavior

The file 90039c975ddc2e891b50aae18bed6a65 was found to show suspicious behavior.

Malicious Activity Summary

adware discovery persistence stealer

Loads dropped DLL

Registers COM server for autorun

Executes dropped EXE

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in Program Files directory

Unsigned PE

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 19:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 19:55

Reported

2024-02-04 19:57

Platform

win7-20231215-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.x64.dll" C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\NoExplorer = "1" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File created C:\Program Files (x86)\surf and! keep\gpRPB9z4.tlb C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File opened for modification C:\Program Files (x86)\surf and! keep\gpRPB9z4.tlb C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File created C:\Program Files (x86)\surf and! keep\gpRPB9z4.dat C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File opened for modification C:\Program Files (x86)\surf and! keep\gpRPB9z4.dat C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File created C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File opened for modification C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File created C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ProgID\ = "suRf anD keep.2.19" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ProgID C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Programmable C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\ = "surf and! keep" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\CLSID\ = "{4B2F58B2-6359-4479-152C-CFDD59D18E15}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\keep.suRf C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep\ = "surf and! keep" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\VersionIndependentProgID\ = "suRf anD keep" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CLSID C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\anD C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ProgID C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CLSID\ = "{4B2F58B2-6359-4479-152C-CFDD59D18E15}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Programmable C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\CLSID\ = "{4B2F58B2-6359-4479-152C-CFDD59D18E15}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep\ = "surf and! keep" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\ = "surf and! keep" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Implemented Categories C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CurVer\ = "suRf anD keep.2.19" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\suRf C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\keep C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1712 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65.exe C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
PID 1736 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2732 wrote to memory of 2112 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} = "1" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65.exe

"C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65.exe"

C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe

"C:\Users\Admin\AppData\Local\Temp/00294823/kBYeWZe3g.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe


C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.dat


C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.dll


C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.tlb


C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.x64.dll


C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe


C:\ProgramData\surf and! keep\kBYeWZe3g.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 19:55

Reported

2024-02-04 19:57

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\NoExplorer = "1" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File created C:\Program Files (x86)\surf and! keep\gpRPB9z4.tlb C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File opened for modification C:\Program Files (x86)\surf and! keep\gpRPB9z4.tlb C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File created C:\Program Files (x86)\surf and! keep\gpRPB9z4.dat C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File opened for modification C:\Program Files (x86)\surf and! keep\gpRPB9z4.dat C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File created C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File opened for modification C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
File created C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Programmable C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep\ = "surf and! keep" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\VersionIndependentProgID\ = "suRf anD keep" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\CLSID C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\CLSID\ = "{4B2F58B2-6359-4479-152C-CFDD59D18E15}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ProgID C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\ = "surf and! keep" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\anD C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Programmable C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\CLSID\ = "{4B2F58B2-6359-4479-152C-CFDD59D18E15}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ProgID\ = "suRf anD keep.2.19" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\keep.suRf C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.tlb" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\suRf C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CurVer\ = "suRf anD keep.2.19" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep\ = "surf and! keep" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CurVer\ = "suRf anD keep.2.19" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CurVer C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CLSID\ = "{4B2F58B2-6359-4479-152C-CFDD59D18E15}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Implemented Categories C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.dll" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CLSID C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} = "1" C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65.exe

"C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65.exe"

C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe

"C:\Users\Admin\AppData\Local\Temp/00294823/kBYeWZe3g.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.dat

MD5 99df1dab85dd4b568804cf7123ecef54
SHA1 199ab77160bb3030b6ff57517b5cf318b1831cc9
SHA256 9838a34f6f10b8af37ac6d2eea2ff82ecc108c44e509a9e5e5bc2ff954455890
SHA512 31c835824b6f5639d49c26635e7e084616512b242c17ea8415644e3a7ec3419c2787c979a0b601e4ffe6f3f30a6d7a09b462d9c6f337c8b0aaa64432c4d693ea

C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.dll

MD5 279c06692e5e3c4f0f721ddc93bfd0a5
SHA1 41ddffae4264c0e8123fd3864ee44854894677fc
SHA256 ae7ac0becbac553ddb8469dc56770936ff97c3c3accb8d885ef50f836b003825
SHA512 64b11c5a8cbc497ce7aedd3c2b4767a0c64aa3cf1097fe85c0c512fb185382c527f1d62ce19d7466850035530aa6114fcab63750f21c5e5a789f5a3368ad34ea

C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll

MD5 57c41d10552557b925bdd0c523161c1a
SHA1 6cebab7b290181d0b61cb96c3aa5d625f0971bfb
SHA256 dcdcb0fca076fd8f5906cb27653ad635d5040026242c7ce17941a2f696d18b8c
SHA512 bc213630403e665349273953b1e18fe834f4dca6d79167fcba67c9dcca9756b724d2e0f0caae80e2a506759ce2c90f696309d9bfcddfffb9e31edf11a444e4f0

C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll

MD5 cbc445228891ba682bc932fc7142dacd
SHA1 2e6df4dc184540402ae81c1bc2fde9e78737cb0a
SHA256 daeff7218d1d22217795d62bad9619067d90f1eba7986b9d8fc3b71a36a79893
SHA512 78549bf59db25fb80ffba62f9f46832297760cd03fa2b1cadb554e882775a66855fbd53e443478890e7d13a1d793ba9af3798e8bf74259d9af1f34bd604ba806

C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.tlb

MD5 9f260bfcd1ef83627ceb2792ee3324f5
SHA1 078164529ae639e5ff9cf0e4003a82259c2aace8
SHA256 8ce97c40c3fea5c0a6446b3e647cdb0d1d38eb0a07c40a91a8df4ad0517b2526
SHA512 3e3fa6af779fdda2ecd4e75cfb7b09eae69352eb39560fecbeae750130a111aa099a11d91dce90ab2a7dc11a9fe25d3898c65da8de7fb5729398cdb8260dcd6f

C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe

MD5 8b8b5b2eb26dff0659a209daf4611d43
SHA1 e0f885a12d718fd54112ff6ab7a950882c6538ca
SHA256 77816b68ade0e21f66e7050966d73f47a9cbf28c2e30d9f2b2ccf6fae1feb3b2
SHA512 c91fb2f261182af159f6cd0546dc2b121c3a21de7624d9a718628630d9fd8f425b32c80387d1edf187bb54596a603575ad411957c27555f1b8661169e1272c00

C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll

MD5 15a6fc66fc3b9fb1f962b09a04fab823
SHA1 f41314269fa5497f651fe55a427134e12fee41cd
SHA256 f0ec3742e50532832876419f03f61ad308c66a65974c685656319bfabf2a4ebc
SHA512 503c6b01405358a4255a7744f917f144b89df72537eb4791e85f5cd07dd62b47bc7800a60a7867f452f34676a64a63380c34290b799bfc09ce74c7df774168f1

C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll

MD5 a0dbdc390ac67b5670a35314bbca2958
SHA1 3d5c789618e6ebeea53f6299a4ff6ae86c1bd8d4
SHA256 6f16c3ab95ed07fdffe0fbdd7093ef6198da0013d9289fa1d2e2d8d15ca21cb3
SHA512 218b727e7992a9b6b0f04bf08ebb837c716e73085de04e42b6f9f393c05e97e542932dd7a3d68444018c1dafe626c4f2d1c14990b56d3d6e64f1ed1a9e909be2

C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll

MD5 eedfb1623ee8ba8708969a5e4935bb23
SHA1 2f9259d69e67e07c74d88d4d81adceae8cdf2715
SHA256 bfc152d164f73c76e40103bafaba03918118679b69bb01c63f2441c1d8f941cf
SHA512 5c393c44bb4d4c253722e3563b839c120f94b6624ccd4878117e381e1730ee2d32a0523f3c7ad8d6531b44d325e2dedef9aedcf5449a07c5bf6925a3076b97bb

C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.x64.dll

MD5 14ad7e54bf311780ca11f96a7af68fa0
SHA1 9f987cd3f39514d77ec74aaae90084e4861a5f3a
SHA256 25074e139bb605fa9d829cfd5654277792e478afdac19829807981a94f360a75
SHA512 48d89db6c72d425a92cb4e658d4808d4d9ea889d992c02ee1e78efc414d8c8318e88ea6c028b54c4b820427292e45a8e8477d939a6a7cdc0b3d22809ca00abf5

C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe

MD5 f091ad9720910b91eb012bdd6cd1afcf
SHA1 9b92fa6a8a34bd7ac43291d1ea5d08307471b77d
SHA256 8209f34a5747be2c17192264650940ed582298e80010f06f7e1be506a2e791d2
SHA512 9afaad5ad5cabfa93ce49342b6c6b4b1ce21e976d9486c2e7f69c056a19c256c0f1bd34e3518ad8d4ec0903cd53f37ea796fb09e096db45e840f57b45b706b8b