Analysis Overview
SHA256
7b785d9db870903795a5ed487ce58f5b7012e7483b0f5c40eae5fd928b664fab
Threat Level: Likely benign
The file vbsedit_x64.exe was found to be: Likely benign.
Malicious Activity Summary
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Loads dropped DLL
Executes dropped EXE
Enumerates physical storage devices
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 23:18
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 23:18
Reported
2024-11-09 23:21
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
140s
Command Line
Signatures
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{35E255BD-27F2-41AF-9061-4F35F7DA3F37}\TypeLib\Version = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WOW6432Node\Interface\{1B689D6D-0BAC-45AF-8841-3F04B666FD09} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Vbsedit.Toolkit.1\CLSID\ = "{59C73A9D-C7B7-49DD-B82E-F878995B784D}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{294072FC-4087-496C-B25A-F07E846A3147}\Version\ = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{C0C3E1E2-9196-43DD-8FA9-1423641098C8}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{8A68B583-177F-4B89-BB5F-A9CA6D0E9198}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Vbsedit\\x64\\Vbsedit64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{5C63542D-2C66-4F1C-89A7-3FC47303DEC5}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\TypeLib\{84C84845-8CC2-4B44-ADAF-5C58ABD39802}\1.0 | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\.hta\OpenWithProgids | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{13D76CDB-6017-F557-2714-83C6A25026D9}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{84797F3D-EDF4-7C51-8C95-07305B026AA3} | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Vbsedit.Application | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{7359FA3B-4B6E-40F7-AD01-E2E699ECDADB}\TypeLib\ = "{84C84845-8CC2-4B44-ADAF-5C58ABD39802}" | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{438A9411-04DE-4E4D-A877-5503FAFBD670}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{8D26710A-0842-4712-A0AF-9EAC014A8546}\TypeLib\ = "{84C84845-8CC2-4B44-ADAF-5C58ABD39802}" | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Vbsedit.html | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{59C73A9D-C7B7-49DD-B82E-F878995B784D}\ProgID\ = "Vbsedit.Toolkit.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{E6B50E8E-6936-49F4-88F3-9EA94EEC4A2C}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{7EE45951-F1A5-4C01-BF08-03DE1315437E}\TypeLib | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WSFFile | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WOW6432Node\Interface\{5FA08DFA-1C38-4BCF-A347-568BF6B8CE6C}\TypeLib\Version = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WOW6432Node\Interface\{D166054D-36C5-4EFC-8F7F-DD5B559F4644}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{A34621CE-7278-F07C-77D5-E01996D0EAF2} | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{F24FBAF0-0F22-793E-BD0E-2CDFB697F2BB}\Implemented Categories\{4CD07BF8-78C4-E566-B466-C030F3105D47} | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CSSFile\Shell\Edit with Vbsedit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Vbsedit\\x64\\Vbsedit.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{294072FC-4087-496C-B25A-F07E846A3147}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_CLASSES\CLSID\{B8C460E5-F20D-44C7-95FC-5C7EF2C73D43}\PROGRAMMABLE | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{95A2A54D-E6E1-4C87-8775-B5090CD0E275}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\.js | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Vbsedit.IpToCountry\CurVer | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{8A68B583-177F-4B89-BB5F-A9CA6D0E9198}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WOW6432Node\Interface\{78D7B726-C8AC-4126-A376-5124BA4BA0B1}\ = "IDataset" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{95A2A54D-E6E1-4C87-8775-B5090CD0E275} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{90AEE60E-436E-84A9-93FB-5C15163D40BD} | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{C3C1A029-BE79-6D80-238C-7844A72B8213} | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Vbsedit.hta\shell\open | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{294072FC-4087-496C-B25A-F07E846A3147}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{294072FC-4087-496C-B25A-F07E846A3147}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{5DF9F974-7893-40C5-9535-48786FC80017}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WOW6432Node\Interface\{E6B50E8E-6936-49F4-88F3-9EA94EEC4A2C}\ = "IImageProcessor" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Vbsedit.ImageProcessor\CurVer | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WOW6432Node\Interface\{35E255BD-27F2-41AF-9061-4F35F7DA3F37}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{A34621CE-7278-F07C-77D5-E01996D0EAF2}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{6246C7EA-1376-47D1-93FA-6676A7F56FB2}\ = "IVbseditController" | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{B7E94900-D293-4E52-BF0C-546AE5175557}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{C1D5EBBB-6F6E-46F1-A994-E81DEDAE4C39} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{9FA115D9-DF38-4EBA-9592-5FB6D1CD7F2D}\TypeLib\ = "{8B104FF0-B76A-4BD0-9152-702A9D492201}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{A3D741FB-BC71-430E-8BD7-F686E1FE95DC}\TypeLib\ = "{8B104FF0-B76A-4BD0-9152-702A9D492201}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{B7E94900-D293-4E52-BF0C-546AE5175557}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{59C73A9D-C7B7-49DD-B82E-F878995B784D}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WOW6432Node\Interface\{35E255BD-27F2-41AF-9061-4F35F7DA3F37}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\VbsEdit.JSON.1\ = "JSON Parser Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{5DF9F974-7893-40C5-9535-48786FC80017}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{A3D741FB-BC71-430E-8BD7-F686E1FE95DC}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{9FDD3341-BE83-2559-AAD6-1CE59D7F4976}\Implemented Categories\{3387EFF7-9170-417E-5687-F3CB12603AD3} | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\htafile\Shell\Edit with Vbsedit | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WOW6432Node\Interface\{78D7B726-C8AC-4126-A376-5124BA4BA0B1}\TypeLib\ = "{8B104FF0-B76A-4BD0-9152-702A9D492201}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{0171BFF4-5892-7B47-E262-B3B4BD33B14D}\Implemented Categories\{E3608FF1-AF98-1C2F-671C-27EC54EF71DD} | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{442F2C66-651E-4A1A-9196-966BD5D21AFD}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{A74CA7D9-273A-45C5-8974-80F377486346}\Version\ = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\TypeLib\{8B104FF0-B76A-4BD0-9152-702A9D492201}\1.0\FLAGS\ = "0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Interface\{5CEA781D-6749-4D19-BB1E-CB42BE829854}\ = "IAxeItem" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{59C73A9D-C7B7-49DD-B82E-F878995B784D}\TypeLib\ = "{8B104FF0-B76A-4BD0-9152-702A9D492201}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{8A68B583-177F-4B89-BB5F-A9CA6D0E9198}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2912 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | C:\Windows\system32\regsvr32.exe |
| PID 2912 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | C:\Windows\system32\regsvr32.exe |
| PID 2912 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | C:\Windows\system32\regsvr32.exe |
| PID 2912 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | C:\Windows\system32\regsvr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe
"C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe"
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s /u /n /i:user "C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit64.dll"
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s /n /i:user "C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit64.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit64.dll
| MD5 | 520ac2fe8104b26ad7be69e96b7fbf42 |
| SHA1 | 7706dfba1f3668cdb0cbdc445e753e5f36d13b36 |
| SHA256 | f2523e8d8fba53f57c4edaca40254bfa39e1d6f821add9903877ed53d047c26b |
| SHA512 | ce2b77ce5461974f64b8f8a34d4d6d579bf6f7849b5f92ee6def015650bfd9aae707afd74756954c2cca7136527803d7be9ee7b6acee2fea5a36f84f6f44a21a |
C:\Users\Admin\AppData\Local\Vbsedit\x64\vbsedit.exe
| MD5 | 961de8e996b87e2f33f09215e3300a62 |
| SHA1 | 4daf727857096c39e4b14819ecf0aa97bed5df0d |
| SHA256 | c72cd1bd14a39980b7955f7901df0d12dc46957732c751f855c16c4c1bbce59b |
| SHA512 | 23ee68eb52c29fdf442df771f6e67e0ea2416debabe5325cec094d7b5cdd35d5792d384a559c059b686d6490fc654cebe68889e9cb880e353fdcc0f074d7942c |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 23:18
Reported
2024-11-09 23:21
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{E4B499A2-485D-45E4-81F7-2CD2EBAA691D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{B6373EBD-8A98-401D-AA34-EAF6A12B841B}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{1EB5DB0B-B200-41E3-AD74-CBB9A66EA032}\ = "PivotChart Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{1B689D6D-0BAC-45AF-8841-3F04B666FD09}\TypeLib\ = "{8B104FF0-B76A-4BD0-9152-702A9D492201}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{09A17DBF-0A9D-9329-9DE2-634D54DD7471}\Implemented Categories\{F2BEBC57-57B2-474A-769D-171F355F2BDB} | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{8A68B583-177F-4B89-BB5F-A9CA6D0E9198}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{BF4D885D-B8C2-47DF-AEED-01EB43D8BB7C}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{2241E88A-E978-F84D-C1C6-87569BE8C73B}\Implemented Categories\{9C409E9E-FB04-7F46-4FE3-337B79EED2D7} | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\TypeLib\{84C84845-8CC2-4B44-ADAF-5C58ABD39802}\1.0 | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{9FA115D9-DF38-4EBA-9592-5FB6D1CD7F2D}\TypeLib\Version = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{18DC0BF8-0ACB-A346-7556-31E9FDE98313}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{442F2C66-651E-4A1A-9196-966BD5D21AFD}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{C1D5EBBB-6F6E-46F1-A994-E81DEDAE4C39}\PROGRAMMABLE | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Vbsedit.Toolkit\CurVer\ = "Vbsedit.Toolkit.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{F555F60C-0037-488E-B5FF-5BC2BF467ABC}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{97A60915-303B-10E1-0638-BE4970F01A0D}\Implemented Categories\{F13AB0F6-AAB7-1EC1-0673-F15050928B56} | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{A3D741FB-BC71-430E-8BD7-F686E1FE95DC}\ = "IImagePosition" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{B7E94900-D293-4E52-BF0C-546AE5175557}\Version\ = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{442F2C66-651E-4A1A-9196-966BD5D21AFD} | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{B7E94900-D293-4E52-BF0C-546AE5175557}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{C1D5EBBB-6F6E-46F1-A994-E81DEDAE4C39}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{D166054D-36C5-4EFC-8F7F-DD5B559F4644}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Vbsedit.js\shell\open | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\VbsEdit.JSON.1\ = "JSON Parser Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{B7E94900-D293-4E52-BF0C-546AE5175557}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{8A68B583-177F-4B89-BB5F-A9CA6D0E9198}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{7F3187F8-8CED-4FA4-B683-FAEEA44A9F59}\VersionIndependentProgID\ = "Vbsedit.IpToCountry" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{438A9411-04DE-4E4D-A877-5503FAFBD670}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{1B689D6D-0BAC-45AF-8841-3F04B666FD09} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{78D7B726-C8AC-4126-A376-5124BA4BA0B1}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{7F3187F8-8CED-4FA4-B683-FAEEA44A9F59}\TypeLib\ = "{8B104FF0-B76A-4BD0-9152-702A9D492201}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{A3D741FB-BC71-430E-8BD7-F686E1FE95DC}\TypeLib\Version = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{E6B50E8E-6936-49F4-88F3-9EA94EEC4A2C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{16B3AF08-D0B5-7AEC-089C-B506015E6181} | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{B51822C1-FA61-694C-4F2A-EE6892B59CD3}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\TypeLib\{84C84845-8CC2-4B44-ADAF-5C58ABD39802}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{A8F01487-B08C-4A77-B8F5-B03FC9179A94}\TypeLib\Version = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{9F6E73C7-FE34-FD9C-4DA9-581F59A461EC}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\JSFile\Shell\Edit with Vbsedit | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Vbsedit.IpToCountry\ = "IpToCountry Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{B8C460E5-F20D-44C7-95FC-5C7EF2C73D43} | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{C1D5EBBB-6F6E-46F1-A994-E81DEDAE4C39}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{E4B499A2-485D-45E4-81F7-2CD2EBAA691D}\TypeLib\ = "{84C84845-8CC2-4B44-ADAF-5C58ABD39802}" | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Vbsedit.js | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{7BCC6C89-7248-4E2D-845C-03B298BE6E68} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{A8F01487-B08C-4A77-B8F5-B03FC9179A94}\TypeLib\Version = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{1B689D6D-0BAC-45AF-8841-3F04B666FD09} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{1B689D6D-0BAC-45AF-8841-3F04B666FD09}\TypeLib\Version = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Vbsedit.wsf\shell | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{B6373EBD-8A98-401D-AA34-EAF6A12B841B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{5FA08DFA-1C38-4BCF-A347-568BF6B8CE6C}\TypeLib\Version = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{A3D741FB-BC71-430E-8BD7-F686E1FE95DC} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{143A3B60-35BB-5B17-204D-EFEBC401B3CF}\Implemented Categories\{7ECEE231-AF37-59F7-2088-12F1B4B33407} | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Vbsedit.ImageProcessor | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{442F2C66-651E-4A1A-9196-966BD5D21AFD}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{A80D1A58-D88C-443F-6EAB-5ACCCB804F01}\Implemented Categories\{5A762B51-D0A3-F1E5-C077-391D0BBB3287} | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Vbsedit.htm\shell\open\command | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{F555F60C-0037-488E-B5FF-5BC2BF467ABC}\PROGRAMMABLE | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{C3C1A029-BE79-6D80-238C-7844A72B8213} | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{7EE45951-F1A5-4C01-BF08-03DE1315437E}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{F08DB8FB-7EC4-07F0-7EB9-E93914758241}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\TypeLib\{84C84845-8CC2-4B44-ADAF-5C58ABD39802}\1.0\HELPDIR\ | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Vbsedit.PivotTable\CurVer\ = "Vbsedit.PivotTable.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\VbsEdit.JSON\ = "JSON Parser Class" | C:\Windows\system32\regsvr32.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C | C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe | N/A |
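The "Modifies system certificate store" rows above are a pattern worth knowing before treating them as tampering. Windows' automatic root update caches roots it has just downloaded from Microsoft under HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates, keyed by SHA-1 thumbprint, and the Cab*.tmp / Tar*.tmp files listed under Files are characteristic of CryptoAPI expanding the cab it fetched on the way; intermediates encountered while building a chain are cached in the user's CA store the same way (the D89E... entry under the user hive). None of that tells you which root D1EB23A4... actually is, so the check an analyst wants is whether Microsoft publishes a root with exactly that thumbprint at the auto-update download location. The script below is an added triage check, not part of the sandbox output or of the Vbsedit product; it assumes the thumbprint from this report and the ctldl.windowsupdate.com path that the Windows root-update mechanism uses, and it needs network access for the second step.

```powershell
# Added triage check (not part of the sandbox report). Given a thumbprint the
# sandbox saw being written to AuthRoot, show what is cached locally under it
# and ask Microsoft's root auto-update endpoint whether it serves a root with
# that exact SHA-1. Thumbprint below is taken from the report; the URL pattern
# is the ctldl.windowsupdate.com location the Windows root update uses.
param(
    [string]$Thumbprint = 'D1EB23A46D17D68FD92564C2F1F1601764D8E349'
)

$Thumbprint = $Thumbprint.ToUpperInvariant()

# 1. What does the local AuthRoot store hold under that thumbprint?
$cached = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if ($cached) {
    "Cached : $($cached.Subject) (expires $($cached.NotAfter))"
} else {
    "Cached : nothing under LocalMachine\AuthRoot with thumbprint $Thumbprint"
}

# 2. Does Microsoft's auto-update endpoint publish a root with that thumbprint?
#    CryptoAPI fetches individual roots as <THUMBPRINT>.crt from this path.
$url = "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/$Thumbprint.crt"
$tmp = Join-Path $env:TEMP "$Thumbprint.crt"
try {
    Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
    $published = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp
    "Program: $($published.Subject)"
    if ($published.Thumbprint -eq $Thumbprint) {
        "Verdict: root is served by Microsoft's root auto-update; the AuthRoot write is the expected caching behaviour"
    } else {
        "Verdict: downloaded certificate does not match the requested thumbprint; investigate"
    }
} catch {
    "Verdict: no root with this thumbprint at $url; an AuthRoot entry Microsoft does not publish warrants investigation"
} finally {
    Remove-Item -Path $tmp -ErrorAction SilentlyContinue
}
```

A hit in step 2 means the write is Windows populating its own cache because the application made a TLS or signature check that needed that root; a miss, or a cached root that the endpoint does not serve, is the case where the "Modifies system certificate store" signature deserves the name.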
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe
"C:\Users\Admin\AppData\Local\Temp\vbsedit_x64.exe"
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s /u /n /i:user "C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit64.dll"
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s /n /i:user "C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit64.dll"
C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe
"C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit.exe"
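The two regsvr32 invocations above first unregister (/u) and then register Vbsedit64.dll with /n /i:user: /n skips DllRegisterServer and /i:user calls the DLL's DllInstall export with the string "user", which ATL-based COM servers treat as a request to write their classes under HKCU\Software\Classes rather than HKLM. That is why every CLSID, Interface, TypeLib and ProgID key in this report lands under \REGISTRY\USER\...\_CLASSES and why the sandbox raises "Component Object Model Hijacking": the same per-user registration path is what a real COM hijack uses. The distinguishing question is not whether HKCU classes were written but whether any of them shadow a CLSID that also exists under HKLM (the HKCU entry wins the lookup for every process in the user's session) or point a server at a user-writable location. The following PowerShell is an added triage script, not part of the sandbox output or of the Vbsedit installer; the set of user-writable directories it checks is an assumption chosen for illustration.

```powershell
# Added triage script (not part of the sandbox report): enumerate per-user COM
# servers under HKCU\Software\Classes\CLSID and separate ordinary per-user
# self-registration (fresh CLSIDs, as an installer running
# regsvr32 /s /n /i:user <dll> creates) from hijack candidates (HKCU entries
# that shadow a CLSID which also exists under HKLM).

$userClsidRoot    = 'HKCU:\Software\Classes\CLSID'
$machineClsidRoot = 'HKLM:\Software\Classes\CLSID'

# Assumed set of locations a standard user can write to. A server here is under
# the user's control: fine for a per-user install, bad when it shadows HKLM.
$userWritable = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:USERPROFILE) |
    Where-Object { $_ }

function Get-ServerPath([string]$value) {
    # Registry values look like  "C:\dir\svr.exe" /arg  or  C:\dir\svr.dll
    $expanded = [Environment]::ExpandEnvironmentVariables($value).Trim()
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+[/-]')[0].Trim()
}

$findings = foreach ($clsidKey in Get-ChildItem -Path $userClsidRoot -ErrorAction SilentlyContinue) {
    $clsid = $clsidKey.PSChildName
    foreach ($serverType in 'InprocServer32', 'LocalServer32') {
        $serverKey = Join-Path $clsidKey.PSPath $serverType
        if (-not (Test-Path $serverKey)) { continue }
        $raw = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
        if (-not $raw) { continue }

        $path           = Get-ServerPath $raw
        $shadowsMachine = Test-Path (Join-Path $machineClsidRoot $clsid)
        $inUserDir      = [bool]($userWritable | Where-Object {
            $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
        $progId = (Get-ItemProperty -Path (Join-Path $clsidKey.PSPath 'ProgID') -ErrorAction SilentlyContinue).'(default)'

        $verdict = 'per-user entry, server outside user directories'
        if ($inUserDir)      { $verdict = 'per-user self-registration' }
        if ($shadowsMachine) { $verdict = 'REVIEW: HKCU entry shadows an HKLM CLSID' }

        [pscustomobject]@{
            CLSID       = $clsid
            ProgID      = $progId
            Type        = $serverType
            Server      = $path
            ShadowsHKLM = $shadowsMachine
            UserDir     = $inUserDir
            Verdict     = $verdict
        }
    }
}

# Hijack candidates first. Classes an installer registered for itself (such as
# the Vbsedit.* ProgIDs in this report) are expected to show ShadowsHKLM = False.
$findings |
    Sort-Object -Property @{ Expression = 'ShadowsHKLM'; Descending = $true }, ProgID |
    Format-Table -AutoSize
```

Run it in the same user session the installer ran in; the keys are per-user, so another account will not see them. On 64-bit Windows, 32-bit servers registered per-user live under HKCU\Software\Classes\WOW6432Node\CLSID as well (the report shows such keys), so repeat the enumeration with that root if the target may be loaded by 32-bit processes.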
Network
Files
C:\Users\Admin\AppData\Local\Vbsedit\x64\Vbsedit64.dll
| MD5 | 520ac2fe8104b26ad7be69e96b7fbf42 |
| SHA1 | 7706dfba1f3668cdb0cbdc445e753e5f36d13b36 |
| SHA256 | f2523e8d8fba53f57c4edaca40254bfa39e1d6f821add9903877ed53d047c26b |
| SHA512 | ce2b77ce5461974f64b8f8a34d4d6d579bf6f7849b5f92ee6def015650bfd9aae707afd74756954c2cca7136527803d7be9ee7b6acee2fea5a36f84f6f44a21a |
\Users\Admin\AppData\Local\Vbsedit\x64\vbsedit.exe
| MD5 | 961de8e996b87e2f33f09215e3300a62 |
| SHA1 | 4daf727857096c39e4b14819ecf0aa97bed5df0d |
| SHA256 | c72cd1bd14a39980b7955f7901df0d12dc46957732c751f855c16c4c1bbce59b |
| SHA512 | 23ee68eb52c29fdf442df771f6e67e0ea2416debabe5325cec094d7b5cdd35d5792d384a559c059b686d6490fc654cebe68889e9cb880e353fdcc0f074d7942c |
C:\Users\Admin\AppData\Local\Adersoft\VbsEdit\snippets.dat
| MD5 | 7b9a54bf11f4527c1e26bd6e6653dd1c |
| SHA1 | afc20f869e992b7b944c7d20a1d4674d58be6991 |
| SHA256 | 14bed240f7a849f093ae06917a74acb3b2171e52171568fa21951a9274d6203c |
| SHA512 | 3706214713de053679b66f87233a730e4298cf086b75d02986ca0c5b112095175a8c1c11d25ba299ee9c8c62a3513bc7dd0872f3c957cef7c2038c5bec28dd97 |
C:\Users\Admin\AppData\Local\Vbsedit\x64\jscript.intellisense
| MD5 | 0291d21cc3ce5c5a467bdf0335ec42db |
| SHA1 | b665487c0243d3447d17eb014dc3dbd689ad8ca0 |
| SHA256 | 489c0fc53124a0943fbb14a93659d30c43d57cdac7aeb2edd9de5fb48de3d16f |
| SHA512 | d25b390638b2246a54cffc0f07d1891d620b7536638d3253c1d766141dcfa4e16c18a1668bb6b6a5554e20464a3a4eaafc83484cdbd12cc4b30594c7c08e98a5 |
C:\Users\Admin\AppData\Local\Vbsedit\x64\vbscript.intellisense
| MD5 | 5ed63deea7eacd60d8687aad382430b9 |
| SHA1 | 58941ddb25a39a1a2fc1491b8358ce0b8f743601 |
| SHA256 | 79eb3bd540a19ae56f1587f408d2d4e093b1fec91df28ed8c0a9344b2f628520 |
| SHA512 | 9d11c9cb07989b2c8aaaf07bf46d500e7dbc8d8af11b703c1254407fdd39b19088027dae093f5738ff0da27b36e24e6b1b12d7a7070c3d72d6d3059b8bb6f6ae |
C:\Users\Admin\AppData\Local\Vbsedit\x64\wsh.intellisense
| MD5 | 572d9547d5183819ad68104d1bf5e4a0 |
| SHA1 | f1ec6bfa651f0ea69ffdfe976ff3b607762a648e |
| SHA256 | a67212a4284d8a366e42b9464b0e012f9e19b0d404e53ae9f11f48621eda2631 |
| SHA512 | 95a53d3447c753ed057f1ab4a372b475a012d7b68c1cb98091297bac04ba2cf1dbf0135edad584711546882fb0871e2df49a443ae286361321d9fbe6180da68e |
C:\Users\Admin\AppData\Local\Temp\CabFA68.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarFA6B.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Vbsedit\x64\samples_resource.data
| MD5 | 317c99ca3543e99d5fb40f074bff2eeb |
| SHA1 | 8b341b056e0cbc7c99e668d64fc85ff55a4c05fa |
| SHA256 | c87e774cac6ba3a01d7972ad352e0ca3b3bd1d5f91d6bf4717a1d7e4f331bcf8 |
| SHA512 | f53adccde862cff2fde6fb8348ee5f313168abb367079cd9bac14bb4eaf0a0995802e124ba4377a69c827acadba6712542c052f6b38091cfb6438b15ed961dcc |