Malware Analysis Report

2025-04-03 11:33

Sample ID 241109-3aqaqatlcx
Target vbsedit_x64.exe
SHA256 7b785d9db870903795a5ed487ce58f5b7012e7483b0f5c40eae5fd928b664fab
Tags
discovery persistence privilege_escalation
score
5/10


Analysis Overview

score
5/10

SHA256

7b785d9db870903795a5ed487ce58f5b7012e7483b0f5c40eae5fd928b664fab

Threat Level: Likely benign

The file vbsedit_x64.exe was found to be: Likely benign.

Malicious Activity Summary

discovery persistence privilege_escalation

Event Triggered Execution: Component Object Model Hijacking

Checks installed software on the system

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-09 23:18

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 23:18

Reported

2024-11-09 23:21

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe"

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Checks installed software on the system

discovery

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{35E255BD-27F2-41AF-9061-4F35F7DA3F37}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WOW6432Node\Interface\{1B689D6D-0BAC-45AF-8841-3F04B666FD09} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Vbsedit.Toolkit.1\CLSID\ = "{59C73A9D-C7B7-49DD-B82E-F878995B784D}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{294072FC-4087-496C-B25A-F07E846A3147}\Version\ = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{C0C3E1E2-9196-43DD-8FA9-1423641098C8}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{8A68B583-177F-4B89-BB5F-A9CA6D0E9198}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Vbsedit\\x64\\Vbsedit64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{5C63542D-2C66-4F1C-89A7-3FC47303DEC5}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\TypeLib\{84C84845-8CC2-4B44-ADAF-5C58ABD39802}\1.0 C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\.hta\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{13D76CDB-6017-F557-2714-83C6A25026D9}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{84797F3D-EDF4-7C51-8C95-07305B026AA3} C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Vbsedit.Application C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{7359FA3B-4B6E-40F7-AD01-E2E699ECDADB}\TypeLib\ = "{84C84845-8CC2-4B44-ADAF-5C58ABD39802}" C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{438A9411-04DE-4E4D-A877-5503FAFBD670}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{8D26710A-0842-4712-A0AF-9EAC014A8546}\TypeLib\ = "{84C84845-8CC2-4B44-ADAF-5C58ABD39802}" C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Vbsedit.html C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{59C73A9D-C7B7-49DD-B82E-F878995B784D}\ProgID\ = "Vbsedit.Toolkit.1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{E6B50E8E-6936-49F4-88F3-9EA94EEC4A2C}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{7EE45951-F1A5-4C01-BF08-03DE1315437E}\TypeLib C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WSFFile C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WOW6432Node\Interface\{5FA08DFA-1C38-4BCF-A347-568BF6B8CE6C}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WOW6432Node\Interface\{D166054D-36C5-4EFC-8F7F-DD5B559F4644}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{A34621CE-7278-F07C-77D5-E01996D0EAF2} C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{F24FBAF0-0F22-793E-BD0E-2CDFB697F2BB}\Implemented Categories\{4CD07BF8-78C4-E566-B466-C030F3105D47} C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CSSFile\Shell\Edit with Vbsedit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Vbsedit\\x64\\Vbsedit.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{294072FC-4087-496C-B25A-F07E846A3147}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_CLASSES\CLSID\{B8C460E5-F20D-44C7-95FC-5C7EF2C73D43}\PROGRAMMABLE C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{95A2A54D-E6E1-4C87-8775-B5090CD0E275}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\.js C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Vbsedit.IpToCountry\CurVer C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{8A68B583-177F-4B89-BB5F-A9CA6D0E9198}\Version C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WOW6432Node\Interface\{78D7B726-C8AC-4126-A376-5124BA4BA0B1}\ = "IDataset" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{95A2A54D-E6E1-4C87-8775-B5090CD0E275} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{90AEE60E-436E-84A9-93FB-5C15163D40BD} C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{C3C1A029-BE79-6D80-238C-7844A72B8213} C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Vbsedit.hta\shell\open C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{294072FC-4087-496C-B25A-F07E846A3147}\Programmable C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{294072FC-4087-496C-B25A-F07E846A3147}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{5DF9F974-7893-40C5-9535-48786FC80017}\Version C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WOW6432Node\Interface\{E6B50E8E-6936-49F4-88F3-9EA94EEC4A2C}\ = "IImageProcessor" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Vbsedit.ImageProcessor\CurVer C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WOW6432Node\Interface\{35E255BD-27F2-41AF-9061-4F35F7DA3F37}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{A34621CE-7278-F07C-77D5-E01996D0EAF2}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{6246C7EA-1376-47D1-93FA-6676A7F56FB2}\ = "IVbseditController" C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{B7E94900-D293-4E52-BF0C-546AE5175557}\Version C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{C1D5EBBB-6F6E-46F1-A994-E81DEDAE4C39} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{9FA115D9-DF38-4EBA-9592-5FB6D1CD7F2D}\TypeLib\ = "{8B104FF0-B76A-4BD0-9152-702A9D492201}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{A3D741FB-BC71-430E-8BD7-F686E1FE95DC}\TypeLib\ = "{8B104FF0-B76A-4BD0-9152-702A9D492201}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{B7E94900-D293-4E52-BF0C-546AE5175557}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{59C73A9D-C7B7-49DD-B82E-F878995B784D}\Version C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WOW6432Node\Interface\{35E255BD-27F2-41AF-9061-4F35F7DA3F37}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\VbsEdit.JSON.1\ = "JSON Parser Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{5DF9F974-7893-40C5-9535-48786FC80017}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{A3D741FB-BC71-430E-8BD7-F686E1FE95DC}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{9FDD3341-BE83-2559-AAD6-1CE59D7F4976}\Implemented Categories\{3387EFF7-9170-417E-5687-F3CB12603AD3} C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\htafile\Shell\Edit with Vbsedit C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WOW6432Node\Interface\{78D7B726-C8AC-4126-A376-5124BA4BA0B1}\TypeLib\ = "{8B104FF0-B76A-4BD0-9152-702A9D492201}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{0171BFF4-5892-7B47-E262-B3B4BD33B14D}\Implemented Categories\{E3608FF1-AF98-1C2F-671C-27EC54EF71DD} C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{442F2C66-651E-4A1A-9196-966BD5D21AFD}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{A74CA7D9-273A-45C5-8974-80F377486346}\Version\ = "1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\TypeLib\{8B104FF0-B76A-4BD0-9152-702A9D492201}\1.0\FLAGS\ = "0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{5CEA781D-6749-4D19-BB1E-CB42BE829854}\ = "IAxeItem" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{59C73A9D-C7B7-49DD-B82E-F878995B784D}\TypeLib\ = "{8B104FF0-B76A-4BD0-9152-702A9D492201}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{8A68B583-177F-4B89-BB5F-A9CA6D0E9198}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe

"C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s /u /n /i:user "C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit64.dll"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s /n /i:user "C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit64.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit64.dll

MD5 520ac2fe8104b26ad7be69e96b7fbf42
SHA1 7706dfba1f3668cdb0cbdc445e753e5f36d13b36
SHA256 f2523e8d8fba53f57c4edaca40254bfa39e1d6f821add9903877ed53d047c26b
SHA512 ce2b77ce5461974f64b8f8a34d4d6d579bf6f7849b5f92ee6def015650bfd9aae707afd74756954c2cca7136527803d7be9ee7b6acee2fea5a36f84f6f44a21a

C:\Users\Admin\AppData\Local\Vbsedit\x64\vbsedit.exe

MD5 961de8e996b87e2f33f09215e3300a62
SHA1 4daf727857096c39e4b14819ecf0aa97bed5df0d
SHA256 c72cd1bd14a39980b7955f7901df0d12dc46957732c751f855c16c4c1bbce59b
SHA512 23ee68eb52c29fdf442df771f6e67e0ea2416debabe5325cec094d7b5cdd35d5792d384a559c059b686d6490fc654cebe68889e9cb880e353fdcc0f074d7942c

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 23:18

Reported

2024-11-09 23:21

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe"

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Checks installed software on the system

discovery

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{E4B499A2-485D-45E4-81F7-2CD2EBAA691D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{B6373EBD-8A98-401D-AA34-EAF6A12B841B}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{1EB5DB0B-B200-41E3-AD74-CBB9A66EA032}\ = "PivotChart Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{1B689D6D-0BAC-45AF-8841-3F04B666FD09}\TypeLib\ = "{8B104FF0-B76A-4BD0-9152-702A9D492201}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{09A17DBF-0A9D-9329-9DE2-634D54DD7471}\Implemented Categories\{F2BEBC57-57B2-474A-769D-171F355F2BDB} C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{8A68B583-177F-4B89-BB5F-A9CA6D0E9198}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{BF4D885D-B8C2-47DF-AEED-01EB43D8BB7C}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{2241E88A-E978-F84D-C1C6-87569BE8C73B}\Implemented Categories\{9C409E9E-FB04-7F46-4FE3-337B79EED2D7} C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\TypeLib\{84C84845-8CC2-4B44-ADAF-5C58ABD39802}\1.0 C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{9FA115D9-DF38-4EBA-9592-5FB6D1CD7F2D}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{18DC0BF8-0ACB-A346-7556-31E9FDE98313}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{442F2C66-651E-4A1A-9196-966BD5D21AFD}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{C1D5EBBB-6F6E-46F1-A994-E81DEDAE4C39}\PROGRAMMABLE C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Vbsedit.Toolkit\CurVer\ = "Vbsedit.Toolkit.1" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{F555F60C-0037-488E-B5FF-5BC2BF467ABC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{97A60915-303B-10E1-0638-BE4970F01A0D}\Implemented Categories\{F13AB0F6-AAB7-1EC1-0673-F15050928B56} C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{A3D741FB-BC71-430E-8BD7-F686E1FE95DC}\ = "IImagePosition" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{B7E94900-D293-4E52-BF0C-546AE5175557}\Version\ = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{442F2C66-651E-4A1A-9196-966BD5D21AFD} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{B7E94900-D293-4E52-BF0C-546AE5175557}\Version C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{C1D5EBBB-6F6E-46F1-A994-E81DEDAE4C39}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{D166054D-36C5-4EFC-8F7F-DD5B559F4644}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Vbsedit.js\shell\open C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\VbsEdit.JSON.1\ = "JSON Parser Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{B7E94900-D293-4E52-BF0C-546AE5175557}\Version C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{8A68B583-177F-4B89-BB5F-A9CA6D0E9198}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{7F3187F8-8CED-4FA4-B683-FAEEA44A9F59}\VersionIndependentProgID\ = "Vbsedit.IpToCountry" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{438A9411-04DE-4E4D-A877-5503FAFBD670}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{1B689D6D-0BAC-45AF-8841-3F04B666FD09} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{78D7B726-C8AC-4126-A376-5124BA4BA0B1}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{7F3187F8-8CED-4FA4-B683-FAEEA44A9F59}\TypeLib\ = "{8B104FF0-B76A-4BD0-9152-702A9D492201}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{A3D741FB-BC71-430E-8BD7-F686E1FE95DC}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{E6B50E8E-6936-49F4-88F3-9EA94EEC4A2C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{16B3AF08-D0B5-7AEC-089C-B506015E6181} C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{B51822C1-FA61-694C-4F2A-EE6892B59CD3}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\TypeLib\{84C84845-8CC2-4B44-ADAF-5C58ABD39802}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{A8F01487-B08C-4A77-B8F5-B03FC9179A94}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{9F6E73C7-FE34-FD9C-4DA9-581F59A461EC}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\JSFile\Shell\Edit with Vbsedit C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Vbsedit.IpToCountry\ = "IpToCountry Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{B8C460E5-F20D-44C7-95FC-5C7EF2C73D43} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{C1D5EBBB-6F6E-46F1-A994-E81DEDAE4C39}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{E4B499A2-485D-45E4-81F7-2CD2EBAA691D}\TypeLib\ = "{84C84845-8CC2-4B44-ADAF-5C58ABD39802}" C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Vbsedit.js C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{7BCC6C89-7248-4E2D-845C-03B298BE6E68} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{A8F01487-B08C-4A77-B8F5-B03FC9179A94}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{1B689D6D-0BAC-45AF-8841-3F04B666FD09} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{1B689D6D-0BAC-45AF-8841-3F04B666FD09}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Vbsedit.wsf\shell C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{B6373EBD-8A98-401D-AA34-EAF6A12B841B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{5FA08DFA-1C38-4BCF-A347-568BF6B8CE6C}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{A3D741FB-BC71-430E-8BD7-F686E1FE95DC} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{143A3B60-35BB-5B17-204D-EFEBC401B3CF}\Implemented Categories\{7ECEE231-AF37-59F7-2088-12F1B4B33407} C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Vbsedit.ImageProcessor C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{442F2C66-651E-4A1A-9196-966BD5D21AFD}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{A80D1A58-D88C-443F-6EAB-5ACCCB804F01}\Implemented Categories\{5A762B51-D0A3-F1E5-C077-391D0BBB3287} C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Vbsedit.htm\shell\open\command C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{F555F60C-0037-488E-B5FF-5BC2BF467ABC}\PROGRAMMABLE C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{C3C1A029-BE79-6D80-238C-7844A72B8213} C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{7EE45951-F1A5-4C01-BF08-03DE1315437E}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{F08DB8FB-7EC4-07F0-7EB9-E93914758241}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\TypeLib\{84C84845-8CC2-4B44-ADAF-5C58ABD39802}\1.0\HELPDIR\ C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Vbsedit.PivotTable\CurVer\ = "Vbsedit.PivotTable.1" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\VbsEdit.JSON\ = "JSON Parser Class" C:\Windows\system32\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2452 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe C:\Windows\system32\regsvr32.exe
PID 2452 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe C:\Windows\system32\regsvr32.exe
PID 2452 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe C:\Windows\system32\regsvr32.exe
PID 2452 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe C:\Windows\system32\regsvr32.exe
PID 2452 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe C:\Windows\system32\regsvr32.exe
PID 2452 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe C:\Windows\system32\regsvr32.exe
PID 2452 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe C:\Windows\system32\regsvr32.exe
PID 2452 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe C:\Windows\system32\regsvr32.exe
PID 2452 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe C:\Windows\system32\regsvr32.exe
PID 2452 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe C:\Windows\system32\regsvr32.exe
PID 2452 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe
PID 2452 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe
PID 2452 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe

"C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s /u /n /i:user "C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit64.dll"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s /n /i:user "C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit64.dll"

C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe

"C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe"

Network

Files

C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit64.dll

MD5 520ac2fe8104b26ad7be69e96b7fbf42
SHA1 7706dfba1f3668cdb0cbdc445e753e5f36d13b36
SHA256 f2523e8d8fba53f57c4edaca40254bfa39e1d6f821add9903877ed53d047c26b
SHA512 ce2b77ce5461974f64b8f8a34d4d6d579bf6f7849b5f92ee6def015650bfd9aae707afd74756954c2cca7136527803d7be9ee7b6acee2fea5a36f84f6f44a21a

\Users\Admin\AppData\Local\Vbsedit\x64\vbsedit.exe

MD5 961de8e996b87e2f33f09215e3300a62
SHA1 4daf727857096c39e4b14819ecf0aa97bed5df0d
SHA256 c72cd1bd14a39980b7955f7901df0d12dc46957732c751f855c16c4c1bbce59b
SHA512 23ee68eb52c29fdf442df771f6e67e0ea2416debabe5325cec094d7b5cdd35d5792d384a559c059b686d6490fc654cebe68889e9cb880e353fdcc0f074d7942c

C:\Users\Admin\AppData\Local\Adersoft\VbsEdit\snippets.dat

MD5 7b9a54bf11f4527c1e26bd6e6653dd1c
SHA1 afc20f869e992b7b944c7d20a1d4674d58be6991
SHA256 14bed240f7a849f093ae06917a74acb3b2171e52171568fa21951a9274d6203c
SHA512 3706214713de053679b66f87233a730e4298cf086b75d02986ca0c5b112095175a8c1c11d25ba299ee9c8c62a3513bc7dd0872f3c957cef7c2038c5bec28dd97

C:\Users\Admin\AppData\Local\Vbsedit\x64\jscript.intellisense

MD5 0291d21cc3ce5c5a467bdf0335ec42db
SHA1 b665487c0243d3447d17eb014dc3dbd689ad8ca0
SHA256 489c0fc53124a0943fbb14a93659d30c43d57cdac7aeb2edd9de5fb48de3d16f
SHA512 d25b390638b2246a54cffc0f07d1891d620b7536638d3253c1d766141dcfa4e16c18a1668bb6b6a5554e20464a3a4eaafc83484cdbd12cc4b30594c7c08e98a5

C:\Users\Admin\AppData\Local\Vbsedit\x64\vbscript.intellisense

MD5 5ed63deea7eacd60d8687aad382430b9
SHA1 58941ddb25a39a1a2fc1491b8358ce0b8f743601
SHA256 79eb3bd540a19ae56f1587f408d2d4e093b1fec91df28ed8c0a9344b2f628520
SHA512 9d11c9cb07989b2c8aaaf07bf46d500e7dbc8d8af11b703c1254407fdd39b19088027dae093f5738ff0da27b36e24e6b1b12d7a7070c3d72d6d3059b8bb6f6ae

C:\Users\Admin\AppData\Local\Vbsedit\x64\wsh.intellisense

MD5 572d9547d5183819ad68104d1bf5e4a0
SHA1 f1ec6bfa651f0ea69ffdfe976ff3b607762a648e
SHA256 a67212a4284d8a366e42b9464b0e012f9e19b0d404e53ae9f11f48621eda2631
SHA512 95a53d3447c753ed057f1ab4a372b475a012d7b68c1cb98091297bac04ba2cf1dbf0135edad584711546882fb0871e2df49a443ae286361321d9fbe6180da68e

C:\Users\Admin\AppData\Local\Temp\CabFA68.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarFA6B.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Vbsedit\x64\samples_resource.data

MD5 317c99ca3543e99d5fb40f074bff2eeb
SHA1 8b341b056e0cbc7c99e668d64fc85ff55a4c05fa
SHA256 c87e774cac6ba3a01d7972ad352e0ca3b3bd1d5f91d6bf4717a1d7e4f331bcf8
SHA512 f53adccde862cff2fde6fb8348ee5f313168abb367079cd9bac14bb4eaf0a0995802e124ba4377a69c827acadba6712542c052f6b38091cfb6438b15ed961dcc