Analysis Overview
SHA256
2d6b7dca455f7a75e073d55663935933db803f60f636bb7ee8ed00107cbc8bdd
Threat Level: Shows suspicious behavior
The file 2025-07-04_193dadf85b1787e68da6499170e2c9b0_amadey_elex_gcleaner_rhadamanthys_smoke-loader was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Installs/modifies Browser Helper Object
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of WriteProcessMemory
System policy modification
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-04 12:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-04 12:06
Reported
2025-07-04 12:09
Platform
win10v2004-20250619-en
Max time kernel
103s
Max time network
138s
Command Line
Signatures
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69D34D79-26C3-045C-7161-210F52630AAA} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69D34D79-26C3-045C-7161-210F52630AAA} | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69D34D79-26C3-045C-7161-210F52630AAA}\ = "suorF and ukkEep" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69D34D79-26C3-045C-7161-210F52630AAA}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69D34D79-26C3-045C-7161-210F52630AAA} | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69D34D79-26C3-045C-7161-210F52630AAA} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69D34D79-26C3-045C-7161-210F52630AAA}\ = "suorF and ukkEep" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69D34D79-26C3-045C-7161-210F52630AAA}\NoExplorer = "1" | C:\Windows\system32\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\suorF and ukkEep\M_F.dll | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\suorF and ukkEep\M_F.dll | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| File created | C:\Program Files (x86)\suorF and ukkEep\M_F.tlb | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\suorF and ukkEep\M_F.tlb | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| File created | C:\Program Files (x86)\suorF and ukkEep\M_F.dat | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\suorF and ukkEep\M_F.dat | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| File created | C:\Program Files (x86)\suorF and ukkEep\M_F.x64.dll | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\suorF and ukkEep\M_F.x64.dll | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-04_193dadf85b1787e68da6499170e2c9b0_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3008489981-1977616533-741913813-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3008489981-1977616533-741913813-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{69D34D79-26C3-045C-7161-210F52630AAA} | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3008489981-1977616533-741913813-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{69D34D79-26C3-045C-7161-210F52630AAA} | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3008489981-1977616533-741913813-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3008489981-1977616533-741913813-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{69D34D79-26C3-045C-7161-210F52630AAA} | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3008489981-1977616533-741913813-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3008489981-1977616533-741913813-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3008489981-1977616533-741913813-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{69D34D79-26C3-045C-7161-210F52630AAA} | C:\Windows\system32\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\InprocServer32\ = "C:\\Program Files (x86)\\suorF and ukkEep\\M_F.x64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\ProgID\ = "SuRf aNd keep.2.3" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\Implemented Categories | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.3\CLSID\ = "{69D34D79-26C3-045C-7161-210F52630AAA}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.3\ = "suorF and ukkEep" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\keep | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\Programmable | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.3\CLSID\ = "{69D34D79-26C3-045C-7161-210F52630AAA}" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\ = "suorF and ukkEep" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\ProgID | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.3\CLSID | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\suorF and ukkEep\\M_F.tlb" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\ = "suorF and ukkEep" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CurVer\ = "SuRf aNd keep.2.3" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\ = "suorF and ukkEep" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.SuRf | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\suorF and ukkEep" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\ = "suorF and ukkEep" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\suorF and ukkEep\\M_F.dll" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CLSID\ = "{69D34D79-26C3-045C-7161-210F52630AAA}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.3 | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CurVer | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CurVer\ = "SuRf aNd keep.2.3" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA} = "1" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-04_193dadf85b1787e68da6499170e2c9b0_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-04_193dadf85b1787e68da6499170e2c9b0_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe"
C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe
"C:\Users\Admin\AppData\Local\Temp/7cc70bb8/kBFB.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\suorF and ukkEep\M_F.x64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\suorF and ukkEep\M_F.x64.dll"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe
| MD5 | 9c354249e2b00af7362d8eecaee9b2b2 |
| SHA1 | 13ffdbab9f8df78798ee14ab2640f21eb7deaa67 |
| SHA256 | 69da81656ee601972241df4c1cf0debdf2c09eefce5753b10d58a9136cf45023 |
| SHA512 | 55713fdbee4a11a4677d6375f5975e7ff2c1a197a3bc639beba09b506a6d8856793f9ee3cf917be0ae24cddbc47b24d6e36c01be0841f85d84d7069f389c1119 |
C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.dat
| MD5 | 6abc16ef6bee42099a292af1ac0d2447 |
| SHA1 | 836abf1aac609c49e6ff370425cbab4fd8687d78 |
| SHA256 | dfe632ae40c5b0115792a976c8c40ec43ec4ecb5aaff0b477113d9a45ade2398 |
| SHA512 | c438208939ae753b3e6c9e03f4c619b55798de44303362a7586295f6445d0a2de48000623a2242e96e8a20c1471c9cfc4c8ba2672fd27d06a8199cf110d96381 |
C:\Program Files (x86)\suorF and ukkEep\M_F.dll
| MD5 | ffe3f0c62f2fede9890b18d73724fd97 |
| SHA1 | 0dafa42039405f8d49a6790180194076bd57c833 |
| SHA256 | 2ec40c7a7808d8aeee27eb8db1ed36424dd7d692e6d2043b20b3c75e8dd2b4d8 |
| SHA512 | 84fb90d2214beae1e0c90b2d4a8678c8a55792daf60e70c441d6b5e279ae7ab5e03f49c401e14b7610189f4e885095f7f569add030254656c0e7e41f75eb8bfc |
C:\Users\Admin\AppData\Local\Temp\7cc70bb8\M_F.tlb
| MD5 | 8d10c52cfa044ccdcfff4e0b5775babd |
| SHA1 | 3b2c872ab3237d7b74377032ed7a5239c82df766 |
| SHA256 | af8efa41494e63e07553fed5bd5df73cf55c160de292ea2a2ee0568cf12e0156 |
| SHA512 | 123d5af4dec8a370a1176fe50998be5a97d3bc46ed7dd9fa365f8f4fc669785b4ed3cb0b65b266095edd3dc3512a4a1d916c035d6184e8e134617502b90f9700 |
C:\Users\Admin\AppData\Local\Temp\7cc70bb8\M_F.x64.dll
| MD5 | 0231aebb8155fd069d17eab6a679cc1e |
| SHA1 | 61cb4b5228e6253863391ef3346c2f9920dbc554 |
| SHA256 | fde9e3251cc1237aa3b2ad89acfb5691e8fee5a434989d9a9308ab41b774b672 |
| SHA512 | 42c61873d4287d4a7fb17760fc9e9902723d8c74b21be92ddf6a949b1d6170894abbab9e03680a1518c997decf58ccafc351a5ed619e6515532379663e4f5434 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-04 12:06
Reported
2025-07-04 12:09
Platform
win11-20250610-en
Max time kernel
103s
Max time network
108s
Command Line
Signatures
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69D34D79-26C3-045C-7161-210F52630AAA}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69D34D79-26C3-045C-7161-210F52630AAA} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69D34D79-26C3-045C-7161-210F52630AAA}\ = "suorF and ukkEep" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69D34D79-26C3-045C-7161-210F52630AAA} | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69D34D79-26C3-045C-7161-210F52630AAA}\ = "suorF and ukkEep" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69D34D79-26C3-045C-7161-210F52630AAA} | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69D34D79-26C3-045C-7161-210F52630AAA}\NoExplorer = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69D34D79-26C3-045C-7161-210F52630AAA} | C:\Windows\system32\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\suorF and ukkEep\M_F.dll | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| File created | C:\Program Files (x86)\suorF and ukkEep\M_F.tlb | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\suorF and ukkEep\M_F.tlb | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| File created | C:\Program Files (x86)\suorF and ukkEep\M_F.dat | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\suorF and ukkEep\M_F.dat | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| File created | C:\Program Files (x86)\suorF and ukkEep\M_F.x64.dll | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\suorF and ukkEep\M_F.x64.dll | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| File created | C:\Program Files (x86)\suorF and ukkEep\M_F.dll | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-04_193dadf85b1787e68da6499170e2c9b0_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{69D34D79-26C3-045C-7161-210F52630AAA} | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{69D34D79-26C3-045C-7161-210F52630AAA} | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{69D34D79-26C3-045C-7161-210F52630AAA} | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{69D34D79-26C3-045C-7161-210F52630AAA} | C:\Windows\system32\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\VersionIndependentProgID\ = "SuRf aNd keep" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\suorF and ukkEep\\M_F.dll" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.3\ = "suorF and ukkEep" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\ = "suorF and ukkEep" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CurVer | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\VersionIndependentProgID\ = "SuRf aNd keep" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\ProgID | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\suorF and ukkEep" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CLSID\ = "{69D34D79-26C3-045C-7161-210F52630AAA}" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\ = "suorF and ukkEep" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\ProgID\ = "SuRf aNd keep.2.3" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.3\CLSID | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CLSID | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\Implemented Categories | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.SuRf | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.3 | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\ProgID\ = "SuRf aNd keep.2.3" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA} = "1" | C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-04_193dadf85b1787e68da6499170e2c9b0_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-04_193dadf85b1787e68da6499170e2c9b0_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe"
C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe
"C:\Users\Admin\AppData\Local\Temp/7cc70bb8/kBFB.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\suorF and ukkEep\M_F.x64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\suorF and ukkEep\M_F.x64.dll"
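The registry rows above are individually mundane (COM class, ProgID, TypeLib and interface registration), and the sandbox flags them only as separate signatures. What makes them one installation is the CLSID {69D34D79-26C3-045C-7161-210F52630AAA}: kBFB.exe registers it as a Browser Helper Object and as a 32-bit COM class under WOW6432Node, the 64-bit regsvr32.exe (re-launched by the 32-bit one because M_F.x64.dll is a 64-bit DLL, which is why both instances carry the same argument) writes the native CLSID entries, and the Policies\Ext\CLSID value of "1" enables the add-on through the Internet Explorer Add-on List policy, so the browser loads it without the new add-on prompt. The script below is an added example, not part of the report or of any tooling the report describes: it correlates rows of this shape by GUID, folds the WOW6432Node view onto the native one, parses the regsvr32 command lines, and emits one finding. The (action, key, data, process) row layout is an assumption about how the tables would be exported; the sample rows are copied from the report's tables except the Browser Helper Objects row, which is constructed to match the report's "Installs/modifies Browser Helper Object" entry. One caveat the code has to work around: the sandbox records that the InprocServer32 key was created but not its value, so the DLL path is linked through the writing process rather than read from InprocServer32, which is what you would do on a live host.

```python
"""Correlate sandbox registry rows and regsvr32 command lines into one BHO finding.

Added example; not the report's own tooling. The (action, key, data, process)
row shape is an assumption about how the report's tables would be exported.
"""
import re
from collections import defaultdict

GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)

# Sample rows. All but the first are copied from the report's registry and policy
# tables (the trailing "\" that marks a key's default value is dropped); the first
# is constructed after the report's "Installs/modifies Browser Helper Object" entry.
KBFB = r"C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe"
REGSVR64 = r"C:\Windows\system32\regsvr32.exe"
EVENTS = [
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69D34D79-26C3-045C-7161-210F52630AAA}", None, KBFB),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\InprocServer32", None, KBFB),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\ProgID", "SuRf aNd keep.2.3", KBFB),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}\ProgID", "SuRf aNd keep.2.3", REGSVR64),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32", r"C:\Program Files (x86)\suorF and ukkEep\M_F.dll", KBFB),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{69D34D79-26C3-045C-7161-210F52630AAA}", "1", KBFB),
]
# Copied from the report's process list: the 32-bit regsvr32 and the 64-bit one it
# re-launches for a 64-bit DLL both carry the same argument.
CMDLINES = [
    r'regsvr32.exe /s "C:\Program Files (x86)\suorF and ukkEep\M_F.x64.dll"',
    r'/s "C:\Program Files (x86)\suorF and ukkEep\M_F.x64.dll"',
]


def view(key):
    """Registry view the write went through: WOW6432Node is the 32-bit view."""
    return "32-bit" if "\\WOW6432NODE\\" in key.upper() else "64-bit"


def guid_of(key):
    """First GUID in the key path (the CLSID for CLSID/BHO/policy keys)."""
    m = GUID_RE.search(key)
    return m.group(0).upper() if m else None


def correlate(events):
    """Group rows by GUID; collect BHO, policy and ProgID facts per GUID, plus every
    filesystem path written as data, tagged with the process that wrote it."""
    groups = defaultdict(lambda: {"bho_views": set(), "policy": None,
                                  "progids": set(), "procs": set()})
    paths = []
    for action, key, data, proc in events:
        gid = guid_of(key)
        if gid is None:
            continue
        g, up = groups[gid], key.upper()
        g["procs"].add(proc)
        if "\\BROWSER HELPER OBJECTS\\" in up and action == "Key created":
            g["bho_views"].add(view(key))
        elif "\\POLICIES\\EXT\\CLSID\\" in up and action.startswith("Set value"):
            g["policy"] = data  # "1" = add-on enabled by the IE Add-on List policy
        elif up.endswith("\\PROGID") and data:
            g["progids"].add(data)
        if data and re.match(r"^[A-Za-z]:\\", data):
            paths.append((gid, data, proc))
    return groups, paths


def regsvr32_targets(cmdlines):
    """DLLs handed to `regsvr32 /s`, de-duplicated across the 32/64-bit instances,
    flagged when they live outside %SystemRoot% (here: a DLL dropped into Program Files)."""
    seen = {}
    for line in cmdlines:
        m = re.search(r'"([^"]+\.dll)"', line, re.I)
        if m:
            path = m.group(1)
            seen[path.lower()] = {"path": path,
                                  "outside_windows": not path.lower().startswith("c:\\windows\\")}
    return list(seen.values())


def findings(events, cmdlines):
    """One finding per CLSID that was registered as a Browser Helper Object."""
    groups, paths = correlate(events)
    dlls = [t["path"] for t in regsvr32_targets(cmdlines) if t["outside_windows"]]
    out = {}
    for cid, g in groups.items():
        if not g["bho_views"]:
            continue
        reasons = ["BHO key created (%s view)" % "/".join(sorted(g["bho_views"]))]
        severity = "medium"
        if g["policy"] == "1":
            severity = "high"
            reasons.append("pre-approved: Policies\\Ext\\CLSID = 1, loaded without the add-on prompt")
        used_regsvr32 = any(p.lower().endswith("\\regsvr32.exe") for p in g["procs"])
        out[cid] = {
            "severity": severity,
            "reasons": reasons,
            "bho_views": sorted(g["bho_views"]),
            "progids": sorted(g["progids"]),
            "processes": sorted(g["procs"]),
            # The sandbox shows the InprocServer32 key being created but not its value,
            # so the DLL is linked through the process that also touched this CLSID.
            "linked_paths": sorted({p for _, p, proc in paths if proc in g["procs"]}),
            "regsvr32_dlls": dlls if used_regsvr32 else [],
        }
    return out


if __name__ == "__main__":
    for cid, f in findings(EVENTS, CMDLINES).items():
        print(cid, f["severity"])
        for k in ("reasons", "bho_views", "progids", "processes", "linked_paths", "regsvr32_dlls"):
            print("  %s: %s" % (k, f[k]))
```

Run as-is it prints one high-severity finding for the CLSID above, listing both writers (kBFB.exe and the 64-bit regsvr32.exe), the 32-bit M_F.dll linked through the TypeLib row and the 64-bit M_F.x64.dll taken from the regsvr32 command line. Feeding it Sysmon registry events (IDs 12 and 13) and process-creation command lines instead of sandbox rows needs only a change to the row adapter; the correlation by CLSID and the WOW6432Node folding are the part worth keeping, since a BHO that is registered only in one view will be missed by a rule that looks at a single Browser Helper Objects path.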
Network
Files
C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.exe
| MD5 | 9c354249e2b00af7362d8eecaee9b2b2 |
| SHA1 | 13ffdbab9f8df78798ee14ab2640f21eb7deaa67 |
| SHA256 | 69da81656ee601972241df4c1cf0debdf2c09eefce5753b10d58a9136cf45023 |
| SHA512 | 55713fdbee4a11a4677d6375f5975e7ff2c1a197a3bc639beba09b506a6d8856793f9ee3cf917be0ae24cddbc47b24d6e36c01be0841f85d84d7069f389c1119 |
C:\Users\Admin\AppData\Local\Temp\7cc70bb8\kBFB.dat
| MD5 | 6abc16ef6bee42099a292af1ac0d2447 |
| SHA1 | 836abf1aac609c49e6ff370425cbab4fd8687d78 |
| SHA256 | dfe632ae40c5b0115792a976c8c40ec43ec4ecb5aaff0b477113d9a45ade2398 |
| SHA512 | c438208939ae753b3e6c9e03f4c619b55798de44303362a7586295f6445d0a2de48000623a2242e96e8a20c1471c9cfc4c8ba2672fd27d06a8199cf110d96381 |
C:\Program Files (x86)\suorF and ukkEep\M_F.dll
| MD5 | ffe3f0c62f2fede9890b18d73724fd97 |
| SHA1 | 0dafa42039405f8d49a6790180194076bd57c833 |
| SHA256 | 2ec40c7a7808d8aeee27eb8db1ed36424dd7d692e6d2043b20b3c75e8dd2b4d8 |
| SHA512 | 84fb90d2214beae1e0c90b2d4a8678c8a55792daf60e70c441d6b5e279ae7ab5e03f49c401e14b7610189f4e885095f7f569add030254656c0e7e41f75eb8bfc |
C:\Program Files (x86)\suorF and ukkEep\M_F.tlb
| MD5 | 8d10c52cfa044ccdcfff4e0b5775babd |
| SHA1 | 3b2c872ab3237d7b74377032ed7a5239c82df766 |
| SHA256 | af8efa41494e63e07553fed5bd5df73cf55c160de292ea2a2ee0568cf12e0156 |
| SHA512 | 123d5af4dec8a370a1176fe50998be5a97d3bc46ed7dd9fa365f8f4fc669785b4ed3cb0b65b266095edd3dc3512a4a1d916c035d6184e8e134617502b90f9700 |
C:\Program Files (x86)\suorF and ukkEep\M_F.x64.dll
| MD5 | 0231aebb8155fd069d17eab6a679cc1e |
| SHA1 | 61cb4b5228e6253863391ef3346c2f9920dbc554 |
| SHA256 | fde9e3251cc1237aa3b2ad89acfb5691e8fee5a434989d9a9308ab41b774b672 |
| SHA512 | 42c61873d4287d4a7fb17760fc9e9902723d8c74b21be92ddf6a949b1d6170894abbab9e03680a1518c997decf58ccafc351a5ed619e6515532379663e4f5434 |